Install Honeyd On Windows
Blog Archive: Pen test and hack Microsoft SQL Server (MSSQL)

All the information I'm about to go over is nothing new; I'm just trying to organize all my notes on pen testing MSSQL. Hopefully my notes will help others. All the commands and instructions are Linux based, so keep that in mind.

The first thing you'll need to do is discover IP addresses that have MSSQL running. You'll accomplish this by running some type of scan. The scanner of choice is always nmap, but there are some things you'll need to consider when scanning for MSSQL. The default port for MSSQL is 1. So for starters it's definitely a good idea to scan an IP range looking for port 1.

Step 1: scan for port 1. This will only scan for port 1. The IP range will vary. My output is below.

Starting Nmap 5. 5. BETA1 http nmap. EST
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE
1.
MAC Address 0. 0 0. C 2. 9 4. C 3. E (VMware)
Nmap done 1.
IP addresses 2 hosts up scanned in 0.

In this case the 1. So, great success: we've found a box running MSSQL. Hold your horses, because this is simply the beginning. If your scanning is focused then this type of scan is fine, meaning I'm not scanning thousands of hosts, I'm only focused on a handful of hosts. If I'm only concerned with scanning a handful of hosts, my next step is to determine two things: the version of the database, and whether there are any additional listening ports for this database.

To determine the version of the database we can once again turn to nmap:

nmap -A 1. 92. 1. 68. 1.

The -A option will try to determine as much information as it can about the service on port 1. The -A option will also try to determine the underlying OS. Below is the output from this scan.

Starting Nmap 5. 5. BETA1 http nmap. EST
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE VERSION
Microsoft SQL Server 2. RTM
MAC Address 0. C 2. 9 4. C 3. E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2.
OS details: Microsoft Windows Server 2. SP1 or SP2
Network Distance: 1 hop

Host script results:
  ms-sql-info:
    Windows server name: WIN2.
    MSSQLSERVER
      Instance name: MSSQLSERVER
      Version: Microsoft SQL Server 2. RTM
        Version number: 9.
        Product: Microsoft SQL Server 2.
        Service pack level: RTM
        Post-SP patches applied: No
      TCP port: 1.
      Named pipe: 1. 92.
      Clustered: No

So you'll notice in the output that nmap reports the version of MSSQL to be SQL Server 2. Knowing the version is very important, because different versions of SQL Server provide different security features and also have different vulnerabilities. There are other ways of determining the version of SQL Server without authenticating, but to me nmap is the best solution.
Next let's talk about looking for other ports that MSSQL may be listening on. For multiple reasons, like load balancing, MSSQL can listen on multiple ports. When pen testing MSSQL we want to know what those ports are so we can bang against them. Depending on the configuration you can authenticate to every listening MSSQL port. One thing to keep in mind is that you can authenticate to MSSQL using your normal Windows network (Active Directory) credentials, or you can authenticate using an account that was set up on the MSSQL server itself. This is known as Windows authentication versus SQL authentication. When setting up the SQL Server and its ports, the database administrator has to configure how this authentication takes place. The easier target is SQL credentials, as those are typically configured with a weaker password policy. Now that I've discussed some of the issues, let's get cracking.

To determine additional ports that a database may be running on, we'll once again turn to nmap. This time I told MSSQL to also listen on port 1. So now go ahead and run the same nmap command as before:

nmap -A -p 1. 43. 3 1.

Starting Nmap 5. BETA1 http nmap. EST
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE VERSION
1. Microsoft SQL Server 2. RTM
MAC Address 0. C 2. 9 4. C 3. E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2.
OS details: Microsoft Windows Server 2. SP1 or SP2
Network Distance: 1 hop
Service Info: OS: Windows

Host script results:
  ms-sql-info:
    Windows server name: WIN2.
    MSSQLSERVER
      Instance name: MSSQLSERVER
      Version: Microsoft SQL Server 2. RTM
        Version number: 9.
        Product: Microsoft SQL Server 2.
        Service pack level: RTM
        Post-SP patches applied: No
      TCP port: 1.
      Named pipe: 1. 92.
      Clustered: No
    1.
      Version: Microsoft SQL Server 2. RTM
        Version number: 9.
        Product: Microsoft SQL Server 2.
        Service pack level: RTM
        Post-SP patches applied: No
      TCP port: 1.
So we see that nmap reports back ports 1. You may be wondering how nmap knew that port 1. MSSQL runs a service called the browser service, which runs on port 1. over UDP instead of TCP. If this browser service wasn't running, nmap wouldn't be able to pull this information. Basically nmap queries port 1. It does this using the mssql nmap script. There are a couple of other tools (here and here) that do the same thing, but I stick with nmap since it's already baked in. So the browser service and additional ports are very important to keep in mind when pen testing MSSQL.

Now we have more information about our target, which hopefully means we'll find a weak spot that we can exploit. Once you know the version, it's always recommended to search CVE (Common Vulnerabilities and Exposures), and it may also not be a bad idea to search inside the Metasploit tool as well. There aren't a whole lot of remote code execution vulnerabilities for anything SQL Server 2. So if they aren't running an old unpatched version of MSSQL, then you'll need credentials to authenticate to the SQL Server. This means we'll need to try and brute force the credentials. The main tool I like to use to perform brute force attacks is medusa; another good alternative is hydra. I have had different degrees of luck with both tools, so it may be useful to run both, although my default is medusa. I will only cover how to use medusa. Below are the typical command line options that you feed into medusa:

medusa -U dictionary.txt -P dictionary. -O medusa.Output -M mssql

The -h is the host, -U is the username list, -P is the password list, -O is the output file, and -M is the module you want to run against, in this case mssql. Below is the output of this command.

Medusa v. 2. 0 http www. (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [mssql] Host: 1. User: admin (1 of 3, 0 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1.
User: admin (1 of 3, 0 complete) Password: password (2 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1. User: admin (1 of 3, 0 complete) Password: sa (3 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1. User: password (2 of 3, 1 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1. User: password (2 of 3, 1 complete) Password: password (2 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1. User: password (2 of 3, 1 complete) Password: sa (3 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1. User: sa (3 of 3, 2 complete) Password: admin (1 of 3 complete)
ACCOUNT CHECK: [mssql] Host: 1.
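The flip side of the medusa run above is what the DBA sees in the SQL Server ERRORLOG: a burst of error 18456 "Login failed" lines from one client, cycling through several usernames. The Python below is an added example (not from the original post) that parses lines written in that ERRORLOG style and flags a source that fails a threshold of logins inside a sliding window; the sample lines, timestamps and client IPs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of the SQL Server ERRORLOG (error 18456);
# made up for this example, not captured from a real server.
SAMPLE_LOG = """\
2024-03-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.10 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-03-01 10:00:01.30 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-03-01 10:00:01.80 Logon       Login failed for user 'password'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.7]
2024-03-01 10:00:02.01 Logon       Login failed for user 'password'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.7]
2024-03-01 10:00:02.25 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-03-01 10:05:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2024-03-01 10:09:30.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]")

def parse_failures(log_text):
    """Return [(timestamp, user, client_ip)] for each 'Login failed' line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m.group("user"), m.group("client")))
    return out

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map client_ip -> sorted usernames tried, for every client with at least
    `threshold` failed logins inside any sliding `window` (the dictionary-attack shape)."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(log_text):
        by_client[client].append((ts, user))
    alerts = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[client] = sorted({u for _, u in events})
                break
    return alerts
```

On the sample, 10.0.0.7 trips the threshold within about a second while 10.0.0.9's two slow failures do not; tune `threshold` and `window` to the normal failure rate of the server before alerting on it.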