Chapter 11

Sending initial request to enable xp_cmdshell if disabled....
Sending first portion of payload....
Sending second portion of payload....
Sending next portion of payload...
Sending the last portion of the payload...
Running cleanup...
Running the payload on the server...
listening on [any] 9090 ...
10.211.55.128: inverse host lookup failed: Unknown server error : Connection timed out

connect to [10.211.55.130] from (UNKNOWN) [10.211.55.128] 1045
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

First choose the manual option at  . Then, as in the query string parameter attack, point Fast-Track to the parameter vulnerable to SQL injection and input your listening IP address at   along with the port you want your target to connect to at  . Fast-Track takes care of the rest.

MSSQL Bruter

Perhaps one of the best aspects of Fast-Track is the MSSQL Bruter (available from the Microsoft SQL Attack Tools menu). When MS SQL is installed, it can be configured to use integrated Windows authentication, SQL authentication, or mixed-mode authentication.

Mixed-mode authentication allows users to be verified through Windows authentication as well as directly by the MS SQL Server. If mixed-mode or SQL authentication is used during the installation of MS SQL, the administrator installing the software needs to specify an sa, or system administrator, account for MS SQL. Often, administrators choose a weak, blank, or easily guessable password that can be used to an attacker's advantage. If the sa account can be brute forced, it will lead to a compromise of the entire system through the extended stored procedure xp_cmdshell.

Fast-Track uses a few methods for discovery when looking for MS SQL servers, including using nmap to perform port scans of the default MS SQL TCP port 1433. If the target machine is running MS SQL Server 2005 or later, the server may listen on a dynamic port, which makes it more difficult to enumerate, but Fast-Track directly interfaces with Metasploit and can query UDP port 1434 to reveal the dynamic port on which MS SQL Server is listening.

Once Fast-Track has identified a server and successfully brute forced the sa account, it will use binary-to-hex conversion methods to deliver a payload. This attack is usually highly successful, especially in large environments where MS SQL is widely used.
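The defender's counterpart to this section, added here as an example that is not part of the book or of Fast-Track: a T-SQL audit a DBA can run against an instance to see whether the three conditions the text describes are present (SQL or mixed-mode authentication, a blank or weak sa password, and xp_cmdshell enabled). It uses only documented SQL Server catalog views, built-in functions and system procedures; the remediation statements at the end are commented out so the script is read-only until a reviewer chooses to apply them.

```sql
-- Added audit example (not from the book or Fast-Track). Run as a member of the
-- sysadmin role against the instance under review.

-- 1. Authentication mode. 1 = Windows authentication only; 0 = mixed mode,
--    in which SQL logins such as sa are accepted over the network.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows authentication only'
         ELSE 'Mixed mode (SQL logins accepted)'
       END AS authentication_mode;

-- 2. State of the sa login. principal_id 1 is always sa, even if it has been
--    renamed. PWDCOMPARE returns 1 when the stored hash matches the given
--    clear-text value, so comparing against '' detects a blank password.
SELECT name,
       is_disabled,
       PWDCOMPARE('', password_hash) AS has_blank_password,  -- 1 = blank
       is_policy_checked,                                    -- Windows password policy enforced?
       is_expiration_checked                                 -- password expiration enforced?
FROM   sys.sql_logins
WHERE  principal_id = 1;

-- 3. Any other SQL login that still has a blank password.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 4. xp_cmdshell. value_in_use = 1 means the extended stored procedure named
--    in the text can be called to run OS commands on the database host.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- Remediation, to be applied only after the results above have been reviewed:
-- ALTER LOGIN sa DISABLE;                                   -- or set a strong password instead:
-- ALTER LOGIN sa WITH PASSWORD = '<strong password>', CHECK_POLICY = ON;
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;          -- turn xp_cmdshell off
```

Reading password_hash from sys.sql_logins requires CONTROL SERVER permission, so the blank-password checks return nothing useful to a less privileged account. A finding of mixed mode plus an enabled sa login with a blank password and xp_cmdshell on is exactly the configuration the section above relies on; disabling sa (or enforcing policy on it) and turning xp_cmdshell off removes the path from a guessed password to OS command execution.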