Land #18961, Adds session documentation
commit
9b4114eda0
|
@ -3,11 +3,23 @@
|
|||
Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
|
||||
and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.
|
||||
|
||||
MySQL is frequently found on port on the following ports:
|
||||
MSSQL is frequently found on port on the following ports:
|
||||
|
||||
- 1433/TCP
|
||||
- 1434/UDP
|
||||
|
||||
For a full list of MSSQL modules run the `search` command within msfconsole:
|
||||
|
||||
```msf
|
||||
msf6 > search mssql
|
||||
```
|
||||
|
||||
Or to search for modules that work with a specific session type:
|
||||
|
||||
```msf
|
||||
msf6 > search session_type:mssql
|
||||
```
|
||||
|
||||
### Lab Environment
|
||||
|
||||
Environment setup:
|
||||
|
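Review bot: the `MySQL` -> `MSSQL` correction on the ports line still leaves the doubled phrase "found on port on the following ports"; suggest `MSSQL is frequently found on the following ports:`. In the opening paragraph, "Commonly used in conjunction with web applications and other software that need to persist data." is a sentence fragment; joining it to the previous sentence as "It is commonly used with web applications and other software that need to persist data." reads cleanly and keeps the same meaning.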
@ -26,6 +38,176 @@ use auxiliary/admin/mssql/mssql_sql
|
|||
run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
|
||||
```
|
||||
|
||||
### Logging in and obtaining a session
|
||||
To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login
|
||||
|
||||
```msf
|
||||
use auxiliary/scanner/mssql_login
|
||||
run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
|
||||
```
|
||||
|
||||
The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine
|
||||
on a successful login:
|
||||
|
||||
```msf
|
||||
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
|
||||
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
|
||||
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
|
||||
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
|
||||
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)
|
||||
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
|
||||
Response
|
||||
========
|
||||
|
||||
# NULL
|
||||
- ----
|
||||
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
|
||||
Oct 8 2022 05:58:25
|
||||
Copyright (C) 2022 Microsoft Corporation
|
||||
Developer Edition (64-bit) on Windows Server 2022 Stand
|
||||
ard 10.0 <X64> (Build 20348: ) (Hypervisor)
|
||||
```
|
||||
|
||||
When interacting with a session, the help command can be useful:
|
||||
|
||||
```msf
|
||||
mssql @ 192.168.2.242:1433 (master) > help
|
||||
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
background Backgrounds the current session
|
||||
bg Alias for background
|
||||
exit Terminate the PostgreSQL session
|
||||
help Help menu
|
||||
irb Open an interactive Ruby shell on the current session
|
||||
pry Open the Pry debugger on the current session
|
||||
sessions Quickly switch to another session
|
||||
|
||||
|
||||
MSSQL Client Commands
|
||||
=====================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
query Run a single SQL query
|
||||
query_interactive Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
|
||||
Local File System Commands
|
||||
==========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
getlwd Print local working directory (alias for lpwd)
|
||||
lcat Read the contents of a local file to the screen
|
||||
lcd Change local working directory
|
||||
ldir List local files (alias for lls)
|
||||
lls List local files
|
||||
lmkdir Create new directory on local machine
|
||||
lpwd Print local working directory
|
||||
|
||||
This session also works with the following modules:
|
||||
|
||||
auxiliary/admin/mssql/mssql_enum
|
||||
auxiliary/admin/mssql/mssql_escalate_dbowner
|
||||
auxiliary/admin/mssql/mssql_escalate_execute_as
|
||||
auxiliary/admin/mssql/mssql_exec
|
||||
auxiliary/admin/mssql/mssql_findandsampledata
|
||||
auxiliary/admin/mssql/mssql_idf
|
||||
auxiliary/admin/mssql/mssql_sql
|
||||
auxiliary/admin/mssql/mssql_sql_file
|
||||
auxiliary/scanner/mssql/mssql_hashdump
|
||||
auxiliary/scanner/mssql/mssql_schemadump
|
||||
exploit/windows/mssql/mssql_payload
|
||||
```
|
||||
|
||||
To interact directly with the session as if in a SQL prompt, you can use the `query` command.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
|
||||
[*] Starting interaction with 2...
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query -h
|
||||
Usage: query
|
||||
|
||||
Run a single SQL query on the target.
|
||||
|
||||
OPTIONS:
|
||||
|
||||
-h, --help Help menu.
|
||||
-i, --interact Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
Examples:
|
||||
|
||||
query select @@version;
|
||||
query select user_name();
|
||||
query select name from master.dbo.sysdatabases;
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
|
||||
Response
|
||||
========
|
||||
|
||||
# NULL
|
||||
- ----
|
||||
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
|
||||
Oct 8 2022 05:58:25
|
||||
Copyright (C) 2022 Microsoft Corporation
|
||||
Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
|
||||
uild 20348: ) (Hypervisor)
|
||||
```
|
||||
|
||||
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
|
||||
|
||||
```msf
|
||||
mssql @ 192.168.2.242:1433 (master) > query_interactive -h
|
||||
Usage: query_interactive
|
||||
|
||||
Go into an interactive SQL shell where SQL queries can be executed.
|
||||
To exit, type 'exit', 'quit', 'end' or 'stop'.
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query_interactive
|
||||
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
|
||||
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
|
||||
|
||||
SQL >> select *
|
||||
SQL *> from information_schema.tables
|
||||
SQL *> where table_type = 'BASE TABLE';
|
||||
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
|
||||
Response
|
||||
========
|
||||
# TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
|
||||
- ------------- ------------ ---------- ----------
|
||||
0 master dbo spt_fallback_db BASE TABLE
|
||||
1 master dbo spt_fallback_dev BASE TABLE
|
||||
2 master dbo spt_fallback_usg BASE TABLE
|
||||
4 master dbo Users BASE TABLE
|
||||
5 master dbo spt_monitor BASE TABLE
|
||||
6 master dbo MSreplication_options BASE TABLE
|
||||
SQL >>
|
||||
```
|
||||
|
||||
### Link crawling
|
||||
|
||||
Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:
|
||||
|
|
|
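Review bot: the module path in the first code block of "Logging in and obtaining a session" is wrong: `use auxiliary/scanner/mssql_login` will not resolve, and the prompt a few lines later shows the real path, `auxiliary(scanner/mssql/mssql_login)`, so the line should read `use auxiliary/scanner/mssql/mssql_login`. Three pasted-output inconsistencies in the same section are worth fixing before merge: the `sessions` table shows the connection as `192.168.2.1:60963 -> 192.168.23.242:1433` while every other line uses `192.168.2.242`; the `query -h` example is introduced with `sessions -i -1` followed by `Starting interaction with 2...` although only session 1 is opened above it; and the session `help` output lists `exit` as `Terminate the PostgreSQL session` under an MSSQL prompt, which should be checked against the command's actual description rather than carried over from the PostgreSQL page. Minor: the `query_interactive` result table jumps from row 2 to row 4, which suggests a line was dropped when the output was pasted.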
@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s
|
|||
msf6 > search mysql
|
||||
```
|
||||
|
||||
Or to search for modules that work with a specific session type:
|
||||
|
||||
```msf
|
||||
msf6 > search session_type:mysql
|
||||
```
|
||||
|
||||
### Lab Environment
|
||||
|
||||
When testing in a lab environment MySQL can either be installed on the host machine or within Docker:
|
||||
|
@ -79,6 +85,158 @@ run cidr:/24:mysql://user:pass@192.168.222.0 threads=50
|
|||
run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
|
||||
```
|
||||
|
||||
### Obtaining an Interactive Session on the Target
|
||||
|
||||
The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session
|
||||
for the MySQL client you're connecting to. The run command with CreateSession
|
||||
set to true should give you an interactive session:
|
||||
|
||||
```msf
|
||||
msf6 > use scanner/mysql/mysql_login
|
||||
msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
|
||||
|
||||
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
|
||||
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password'
|
||||
[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
|
||||
[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
mysql @ 127.0.0.1:4306 >
|
||||
```
|
||||
|
||||
You can interact with your new session using `sessions -i -1` or `sessions <session id>`.
|
||||
You can also use `help` to get more information about how to use your session.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/mysql/mysql_login) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
|
||||
3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
|
||||
|
||||
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
|
||||
[*] Starting interaction with 3...
|
||||
```
|
||||
|
||||
When interacting with a session, the help command can be useful:
|
||||
|
||||
```msf
|
||||
mysql @ 127.0.0.1:4306 > help
|
||||
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
background Backgrounds the current session
|
||||
bg Alias for background
|
||||
exit Terminate the PostgreSQL session
|
||||
help Help menu
|
||||
irb Open an interactive Ruby shell on the current session
|
||||
pry Open the Pry debugger on the current session
|
||||
sessions Quickly switch to another session
|
||||
|
||||
|
||||
MySQL Client Commands
|
||||
=====================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
query Run a single SQL query
|
||||
query_interactive Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
|
||||
Local File System Commands
|
||||
==========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
getlwd Print local working directory (alias for lpwd)
|
||||
lcat Read the contents of a local file to the screen
|
||||
lcd Change local working directory
|
||||
ldir List local files (alias for lls)
|
||||
lls List local files
|
||||
lmkdir Create new directory on local machine
|
||||
lpwd Print local working directory
|
||||
|
||||
This session also works with the following modules:
|
||||
|
||||
auxiliary/admin/mysql/mysql_enum
|
||||
auxiliary/admin/mysql/mysql_sql
|
||||
auxiliary/scanner/mysql/mysql_file_enum
|
||||
auxiliary/scanner/mysql/mysql_hashdump
|
||||
auxiliary/scanner/mysql/mysql_schemadump
|
||||
auxiliary/scanner/mysql/mysql_version
|
||||
auxiliary/scanner/mysql/mysql_writable_dirs
|
||||
exploit/multi/mysql/mysql_udf_payload
|
||||
exploit/windows/mysql/mysql_mof
|
||||
exploit/windows/mysql/mysql_start_up
|
||||
```
|
||||
|
||||
Once you've done that, you can run any MySQL query against the target using the `query` command:
|
||||
|
||||
```msf
|
||||
mysql @ 127.0.0.1:4306 > query -h
|
||||
Usage: query
|
||||
|
||||
Run a single SQL query on the target.
|
||||
|
||||
OPTIONS:
|
||||
|
||||
-h, --help Help menu.
|
||||
-i, --interact Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
Examples:
|
||||
|
||||
query SHOW DATABASES;
|
||||
query USE information_schema;
|
||||
query SELECT * FROM SQL_FUNCTIONS;
|
||||
query SELECT version();
|
||||
|
||||
mysql @ 127.0.0.1:4306 > query 'SELECT version();'
|
||||
Response
|
||||
========
|
||||
|
||||
# version()
|
||||
- ---------
|
||||
0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204
|
||||
```
|
||||
|
||||
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
|
||||
|
||||
```msf
|
||||
mysql @ 127.0.0.1:4306 () > query_interactive -h
|
||||
Usage: query_interactive
|
||||
|
||||
Go into an interactive SQL shell where SQL queries can be executed.
|
||||
To exit, type 'exit', 'quit', 'end' or 'stop'.
|
||||
|
||||
mysql @ 127.0.0.1:4306 () > query_interactive
|
||||
[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 ()
|
||||
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
|
||||
|
||||
SQL >> SELECT table_name
|
||||
SQL *> FROM information_schema.tables
|
||||
SQL *> LIMIT 2;
|
||||
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
|
||||
Response
|
||||
========
|
||||
|
||||
# table_name
|
||||
- ----------
|
||||
0 ALL_PLUGINS
|
||||
1 APPLICABLE_ROLES
|
||||
|
||||
SQL >>
|
||||
```
|
||||
|
||||
### MySQL Dumping
|
||||
|
||||
User and hash dump:
|
||||
|
|
|
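Review bot: the module name in the intro sentence of "Obtaining an Interactive Session on the Target" is misspelled: `auxiliary/scanner/mysql/msql_login` should be `auxiliary/scanner/mysql/mysql_login`, which is what the `use scanner/mysql/mysql_login` line below actually loads. The interaction hint `sessions <session id>` also differs from the form used on the MSSQL and SMB pages in this same change (`sessions -i <session id>`); pick one and use it everywhere. Two output mismatches as well: the login output opens `MySQL session 1`, but the `sessions` table that follows lists only ids 2 and 3 and then interacts with 3, and the prompt alternates between `mysql @ 127.0.0.1:4306 >` and `mysql @ 127.0.0.1:4306 () >`. The `help` output still describes `exit` as `Terminate the PostgreSQL session` for a MySQL session.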
@ -17,6 +17,13 @@ There are more modules than listed here, for the full list of modules run the `s
|
|||
msf6 > search postgres
|
||||
```
|
||||
|
||||
Or to search for modules that work with a specific session type:
|
||||
|
||||
```msf
|
||||
msf6 > search session_type:postgres
|
||||
```
|
||||
|
||||
|
||||
### Lab Environment
|
||||
|
||||
When testing in a lab environment PostgreSQL can either be installed on the host machine or within Docker:
|
||||
|
@ -80,6 +87,158 @@ run cidr:/24:postgres://user:pass@192.168.222.0 threads=50
|
|||
run cidr:/24:postgres://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
|
||||
```
|
||||
|
||||
### Obtaining an Interactive Session
|
||||
The CreateSession option for `auxiliary/scanner/postgres/postgres_login` allows you to obtain an
|
||||
interactive session for the Postgres client you're connecting to. The run command with CreateSession
|
||||
set to true should give you an interactive session.
|
||||
|
||||
For example:
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
|
||||
```
|
||||
|
||||
Should yield:
|
||||
|
||||
```msf
|
||||
[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1
|
||||
[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
You can interact with your session using `sessions -i -1` or `sessions <session id>`.
|
||||
Use the help command for more info.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/postgres/postgres_login) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)
|
||||
|
||||
msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
```
|
||||
|
||||
When interacting with a session, the help command can be useful:
|
||||
|
||||
```msf
|
||||
postgresql @ 127.0.0.1:5432 (template1) > help
|
||||
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
background Backgrounds the current session
|
||||
bg Alias for background
|
||||
exit Terminate the PostgreSQL session
|
||||
help Help menu
|
||||
irb Open an interactive Ruby shell on the current session
|
||||
pry Open the Pry debugger on the current session
|
||||
sessions Quickly switch to another session
|
||||
|
||||
|
||||
PostgreSQL Client Commands
|
||||
==========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
query Run a single SQL query
|
||||
query_interactive Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
|
||||
Local File System Commands
|
||||
==========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
getlwd Print local working directory (alias for lpwd)
|
||||
lcat Read the contents of a local file to the screen
|
||||
lcd Change local working directory
|
||||
ldir List local files (alias for lls)
|
||||
lls List local files
|
||||
lmkdir Create new directory on local machine
|
||||
lpwd Print local working directory
|
||||
|
||||
This session also works with the following modules:
|
||||
|
||||
auxiliary/admin/postgres/postgres_readfile
|
||||
auxiliary/admin/postgres/postgres_sql
|
||||
auxiliary/scanner/postgres/postgres_hashdump
|
||||
auxiliary/scanner/postgres/postgres_schemadump
|
||||
auxiliary/scanner/postgres/postgres_version
|
||||
exploit/linux/postgres/postgres_payload
|
||||
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
|
||||
exploit/multi/postgres/postgres_createlang
|
||||
exploit/windows/postgres/postgres_payload
|
||||
```
|
||||
|
||||
Once you've done that, you can run any Postgres query against the target using the `query` command:
|
||||
|
||||
```msf
|
||||
postgresql @ 127.0.0.1:5432 (template1) > query -h
|
||||
Usage: query
|
||||
|
||||
Run a single SQL query on the target.
|
||||
|
||||
OPTIONS:
|
||||
|
||||
-h, --help Help menu.
|
||||
-i, --interact Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
Examples:
|
||||
|
||||
query SELECT user;
|
||||
query SELECT version();
|
||||
query SELECT * FROM pg_catalog.pg_tables;
|
||||
|
||||
postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();'
|
||||
[*] SELECT 1
|
||||
|
||||
Response
|
||||
========
|
||||
|
||||
# version
|
||||
- -------
|
||||
0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
|
||||
```
|
||||
|
||||
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
|
||||
|
||||
```msf
|
||||
postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h
|
||||
Usage: query_interactive
|
||||
|
||||
Go into an interactive SQL shell where SQL queries can be executed.
|
||||
To exit, type 'exit', 'quit', 'end' or 'stop'.
|
||||
|
||||
postgresql @ 127.0.0.1:5432 (template1) > query_interactive
|
||||
[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
|
||||
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
|
||||
|
||||
SQL >> SELECT table_name
|
||||
SQL *> FROM information_schema.tables
|
||||
SQL *> LIMIT 2;
|
||||
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
|
||||
[*] SELECT 2
|
||||
|
||||
Response
|
||||
========
|
||||
|
||||
# table_name
|
||||
- ----------
|
||||
0 pg_statistic
|
||||
1 pg_type
|
||||
|
||||
SQL >>
|
||||
```
|
||||
|
||||
### PostgreSQL Capture Server
|
||||
|
||||
Captures and log PostgreSQL credentials:
|
||||
|
|
|
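Review bot: the interaction hint under "Obtaining an Interactive Session" says `sessions <session id>` while the MSSQL and SMB sections of this change say `sessions -i <session id>`; align it with the `sessions -i 1` command that the example itself runs a few lines later. The rest of this section is internally consistent (session 1 opened, session 1 listed, session 1 interacted with), which is the shape the MySQL and MSSQL sections should match.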
@ -27,6 +27,12 @@ There are more modules than listed here, for the full list of modules run the `s
|
|||
msf6 > search smb
|
||||
```
|
||||
|
||||
Or to search for modules that work with a specific session type:
|
||||
|
||||
```msf
|
||||
msf6 > search session_type:smb
|
||||
```
|
||||
|
||||
### Lab Environment
|
||||
|
||||
When testing in a lab environment - SMB can be used on a Window's host machine, or within Docker.
|
||||
|
@ -63,6 +69,122 @@ Restart the service:
|
|||
service smbd restart
|
||||
```
|
||||
|
||||
### SMB Login and Interactive Sessions
|
||||
|
||||
When using the smb_login module, the CreateSession option can be used to obtain an interactive
|
||||
session within the smb instance. Running with the following options:
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
|
||||
```
|
||||
|
||||
Should give you output similar to
|
||||
|
||||
```msf
|
||||
[*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce
|
||||
[+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
|
||||
[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
|
||||
[*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
|
||||
[*] Starting interaction with 1...
|
||||
```
|
||||
|
||||
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
SMB (172.14.2.164) > shares
|
||||
Shares
|
||||
======
|
||||
|
||||
# Name Type comment
|
||||
- ---- ---- -------
|
||||
0 ADMIN$ DISK|SPECIAL Remote Admin
|
||||
1 C$ DISK|SPECIAL Default share
|
||||
2 foo DISK
|
||||
3 IPC$ IPC|SPECIAL Remote IPC
|
||||
|
||||
SMB (172.14.2.164) > shares -i foo
|
||||
[+] Successfully connected to foo
|
||||
SMB (172.14.2.164\foo) > ls
|
||||
ls
|
||||
===
|
||||
[truncated]
|
||||
```
|
||||
|
||||
When interacting with a session, the help command can be useful:
|
||||
|
||||
```msf
|
||||
SMB (172.14.2.164\foo) > help
|
||||
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
background Backgrounds the current session
|
||||
bg Alias for background
|
||||
exit Terminate the SMB session
|
||||
help Help menu
|
||||
irb Open an interactive Ruby shell on the current session
|
||||
pry Open the Pry debugger on the current session
|
||||
sessions Quickly switch to another session
|
||||
|
||||
|
||||
Shares Commands
|
||||
===============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
cat Read the file at the given path
|
||||
cd Change the current remote working directory
|
||||
delete Delete a file
|
||||
dir List all files in the current directory (alias for ls)
|
||||
download Download a file
|
||||
ls List all files in the current directory
|
||||
mkdir Make a new directory
|
||||
pwd Print the current remote working directory
|
||||
rmdir Delete a directory
|
||||
shares View the available shares and interact with one
|
||||
upload Upload a file
|
||||
|
||||
|
||||
Local File System Commands
|
||||
==========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
getlwd Print local working directory (alias for lpwd)
|
||||
lcat Read the contents of a local file to the screen
|
||||
lcd Change local working directory
|
||||
ldir List local files (alias for lls)
|
||||
lls List local files
|
||||
lmkdir Create new directory on local machine
|
||||
lpwd Print local working directory
|
||||
|
||||
This session also works with the following modules:
|
||||
|
||||
auxiliary/admin/dcerpc/icpr_cert
|
||||
auxiliary/admin/dcerpc/samr_computer
|
||||
auxiliary/admin/smb/delete_file
|
||||
auxiliary/admin/smb/download_file
|
||||
auxiliary/admin/smb/psexec_ntdsgrab
|
||||
auxiliary/admin/smb/upload_file
|
||||
auxiliary/gather/windows_secrets_dump
|
||||
auxiliary/scanner/smb/pipe_auditor
|
||||
auxiliary/scanner/smb/pipe_dcerpc_auditor
|
||||
auxiliary/scanner/smb/smb_enum_gpp
|
||||
auxiliary/scanner/smb/smb_enumshares
|
||||
auxiliary/scanner/smb/smb_enumusers
|
||||
auxiliary/scanner/smb/smb_enumusers_domain
|
||||
auxiliary/scanner/smb/smb_lookupsid
|
||||
exploit/windows/smb/psexec
|
||||
```
|
||||
|
||||
### SMB Enumeration
|
||||
|
||||
Enumerate SMB version:
|
||||
|
|
|
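Review bot: the `sessions -i -1` / `Starting interaction with 1...` lines appear twice in "SMB Login and Interactive Sessions", once at the end of the login output block and again at the top of the `shares` block; drop the first copy so the login output ends at `Auxiliary module execution completed`, as on the other pages. The phrase "an interactive session within the smb instance" is imprecise; suggest "an interactive session on the SMB server". The target address `172.14.2.164` is outside the 172.16.0.0/12 private range (the client side of the same line is `172.16.158.1`); using a private or documentation address in examples avoids readers pointing a scanner at a routable host. The `ls` output is shown as `[truncated]`, so either a short real listing or a sentence saying the listing is omitted would be clearer than a bare placeholder inside the code block.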
@ -15,6 +15,174 @@ A docker container can be spun up with the following command to test this module
|
|||
|
||||
## Options
|
||||
|
||||
### CreateSession
|
||||
|
||||
When using the `scanner/mssql/mssql_login` module, the CreateSession option can be used to obtain an interactive
|
||||
session within the MSSQL instance. Running the following commands with all other options set:
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
|
||||
```
|
||||
|
||||
Should give you output containing:
|
||||
|
||||
```msf
|
||||
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
|
||||
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
|
||||
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
|
||||
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
|
||||
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
||||
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Name Type Information Connection
|
||||
-- ---- ---- ----------- ----------
|
||||
1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.2.242:1433 (192.168.2.242)
|
||||
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
|
||||
Response
|
||||
========
|
||||
|
||||
# NULL
|
||||
- ----
|
||||
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
|
||||
Oct 8 2022 05:58:25
|
||||
Copyright (C) 2022 Microsoft Corporation
|
||||
Developer Edition (64-bit) on Windows Server 2022 Stand
|
||||
ard 10.0 <X64> (Build 20348: ) (Hypervisor)
|
||||
```
|
||||
|
||||
When interacting with a session, the help command can be useful:
|
||||
|
||||
```msf
|
||||
mssql @ 192.168.2.242:1433 (master) > help
|
||||
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
background Backgrounds the current session
|
||||
bg Alias for background
|
||||
exit Terminate the PostgreSQL session
|
||||
help Help menu
|
||||
irb Open an interactive Ruby shell on the current session
|
||||
pry Open the Pry debugger on the current session
|
||||
sessions Quickly switch to another session
|
||||
|
||||
|
||||
MSSQL Client Commands
|
||||
=====================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
query Run a single SQL query
|
||||
query_interactive Enter an interactive prompt for running multiple SQL queri
|
||||
es
|
||||
|
||||
|
||||
Local File System Commands
|
||||
==========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
getlwd Print local working directory (alias for lpwd)
|
||||
lcat Read the contents of a local file to the screen
|
||||
lcd Change local working directory
|
||||
ldir List local files (alias for lls)
|
||||
lls List local files
|
||||
lmkdir Create new directory on local machine
|
||||
lpwd Print local working directory
|
||||
|
||||
This session also works with the following modules:
|
||||
|
||||
auxiliary/admin/mssql/mssql_enum
|
||||
auxiliary/admin/mssql/mssql_escalate_dbowner
|
||||
auxiliary/admin/mssql/mssql_escalate_execute_as
|
||||
auxiliary/admin/mssql/mssql_exec
|
||||
auxiliary/admin/mssql/mssql_findandsampledata
|
||||
auxiliary/admin/mssql/mssql_idf
|
||||
auxiliary/admin/mssql/mssql_sql
|
||||
auxiliary/admin/mssql/mssql_sql_file
|
||||
auxiliary/scanner/mssql/mssql_hashdump
|
||||
auxiliary/scanner/mssql/mssql_schemadump
|
||||
exploit/windows/mssql/mssql_payload
|
||||
```
|
||||
|
||||
To interact directly with the session as if in a SQL prompt, you can use the `query` command.
|
||||
|
||||
```msf
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
|
||||
[*] Starting interaction with 2...
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query -h
|
||||
Usage: query
|
||||
|
||||
Run a single SQL query on the target.
|
||||
|
||||
OPTIONS:
|
||||
|
||||
-h, --help Help menu.
|
||||
-i, --interact Enter an interactive prompt for running multiple SQL queries
|
||||
|
||||
Examples:
|
||||
|
||||
query select @@version;
|
||||
query select user_name();
|
||||
query select name from master.dbo.sysdatabases;
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
|
||||
Response
|
||||
========
|
||||
|
||||
# NULL
|
||||
- ----
|
||||
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
|
||||
Oct 8 2022 05:58:25
|
||||
Copyright (C) 2022 Microsoft Corporation
|
||||
Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
|
||||
uild 20348: ) (Hypervisor)
|
||||
```
|
||||
|
||||
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
|
||||
|
||||
```msf
|
||||
mssql @ 192.168.2.242:1433 (master) > query_interactive -h
|
||||
Usage: query_interactive
|
||||
|
||||
Go into an interactive SQL shell where SQL queries can be executed.
|
||||
To exit, type 'exit', 'quit', 'end' or 'stop'.
|
||||
|
||||
mssql @ 192.168.2.242:1433 (master) > query_interactive
|
||||
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
|
||||
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
|
||||
|
||||
SQL >> select top 2 table_catalog, table_schema
|
||||
SQL *> from information_schema.tables;
|
||||
[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables;
|
||||
Response
|
||||
========
|
||||
|
||||
# table_catalog table_schema
|
||||
- ------------- ------------
|
||||
0 master dbo
|
||||
1 master dbo
|
||||
|
||||
SQL >>
|
||||
```
|
||||
|
||||
### USER_FILE
|
||||
|
||||
File containing users, one per line.
|
||||
|
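Review bot: the `help` output under "CreateSession" has a terminal line-wrap captured mid-word (`multiple SQL queri` / `es`) and lists `exit` as `Terminate the PostgreSQL session` under an MSSQL prompt; both should be corrected before merge, the second by checking the command's real description. The `query -h` example is again introduced with `sessions -i -1` followed by `Starting interaction with 2...` although only session 1 is opened above it. Minor: the `@@version` output is wrapped at `Stand` / `ard` and `(B` / `uild`, which is a paste of the terminal width rather than the server's output and reads as a typo in rendered markdown.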
@ -24,7 +192,8 @@ File containing users, one per line.
|
|||
File containing passwords, one per line
|
||||
|
||||
## Scenarios
|
||||
```
|
||||
|
||||
```msf
|
||||
msf > use scanner/mssql/mssql_login
|
||||
msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
|
|
|
@ -12,7 +12,7 @@ This auxiliary module is a brute-force login tool for MySQL servers.
|
|||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
```msf
|
||||
msf > use auxiliary/scanner/mysql/mysql_login
|
||||
msf auxiliary(mysql_login) > set PASS_FILE /tmp/passes.txt
|
||||
PASS_FILE => /tmp/passes.txt
|
||||
|
@ -61,3 +61,154 @@ msf auxiliary(mysql_login) > run
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >
```

## Obtaining an Interactive Session

The CreateSession option allows you to obtain an interactive session
for the MySQL client you're connecting to. The run command with CreateSession
set to true should give you an interactive session:

```msf
run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true

[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password'
[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
[*] Starting interaction with 1...

mysql @ 127.0.0.1:4306 >
```

You can interact with your new session using `sessions -i -1` or `sessions -i <session id>`.
You can also use `help` to get more information about how to use your session.

```msf
msf6 auxiliary(scanner/mysql/mysql_login) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)

msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
[*] Starting interaction with 3...
```

When interacting with a session, the help command can be useful:

```msf
mysql @ 127.0.0.1:4306 > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session


MySQL Client Commands
=====================

Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries


Local File System Commands
==========================

Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory

This session also works with the following modules:

auxiliary/admin/mysql/mysql_enum
auxiliary/admin/mysql/mysql_sql
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_writable_dirs
exploit/multi/mysql/mysql_udf_payload
exploit/windows/mysql/mysql_mof
exploit/windows/mysql/mysql_start_up
```

Once you've done that, you can run any MySQL query against the target using the `query` command:

```msf
mysql @ 127.0.0.1:4306 > query -h
Usage: query

Run a single SQL query on the target.

OPTIONS:

-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries

Examples:

query SHOW DATABASES;
query USE information_schema;
query SELECT * FROM SQL_FUNCTIONS;
query SELECT version();

mysql @ 127.0.0.1:4306 > query 'SELECT version();'
Response
========

# version()
- ---------
0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204
```

Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:

```msf
mysql @ 127.0.0.1:4306 > query_interactive -h
Usage: query_interactive

Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.

mysql @ 127.0.0.1:4306 > query_interactive
[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.

SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
Response
========

# table_name
- ----------
0 ALL_PLUGINS
1 APPLICABLE_ROLES

SQL >>
```

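Review bot: the MySQL `help` transcript lists `exit Terminate the PostgreSQL session`, which is either output pasted from the PostgreSQL session doc or a wrong description string in the MySQL session's command dispatcher; re-capture the help output from a real MySQL session and, if the text really comes from the code, fix it there as well. Two smaller points in the same hunk: "an interactive session for the MySQL client you're connecting to" should say "MySQL server", and the `sessions` listing shows the MySQL session as id 3 right after a run that reports `MySQL session 1 opened`, so the transcripts come from different runs; renumber consistently or say so.
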
@ -0,0 +1,168 @@
## Description

This auxiliary module is a brute-force login tool for Postgres servers.

## Verification Steps

1. Do: `use auxiliary/scanner/postgres/postgres_login`
2. Do: `set PASS_FILE [file containing passwords]`
3. Do: `set RHOSTS [IP]`
4. Do: `set USER_FILE [file containing usernames]`
5. Do: `set DATABASE [template name]`
6. Do: `run`

The above USER_FILE and PASS_FILE options can be replaced with USERNAME
and PASSWORD if you know the credentials.

## Getting an Interactive Session

The CreateSession option allows you to obtain an interactive session
for the Postgres client you're connecting to. The run command with CreateSession
set to true should give you an interactive session.

For example:

```msf
msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
```

Should yield:

```msf
[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1
[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

You can interact with your session using `sessions -i -1` or `sessions <session id>`.
Use the help command for more info.

```msf
msf6 auxiliary(scanner/postgres/postgres_login) > sessions

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)

msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
[*] Starting interaction with 1...
```

When interacting with a session, the help command can be useful:

```msf
postgresql @ 127.0.0.1:5432 (template1) > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session


PostgreSQL Client Commands
==========================

Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries


Local File System Commands
==========================

Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory

This session also works with the following modules:

auxiliary/admin/postgres/postgres_readfile
auxiliary/admin/postgres/postgres_sql
auxiliary/scanner/postgres/postgres_hashdump
auxiliary/scanner/postgres/postgres_schemadump
auxiliary/scanner/postgres/postgres_version
exploit/linux/postgres/postgres_payload
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
exploit/multi/postgres/postgres_createlang
exploit/windows/postgres/postgres_payload
```

Once you've done that, you can run any Postgres query against the target using the `query` command:

```msf
postgresql @ 127.0.0.1:5432 (template1) > query -h
Usage: query

Run a single SQL query on the target.

OPTIONS:

-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries

Examples:

query SELECT user;
query SELECT version();
query SELECT * FROM pg_catalog.pg_tables;

postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();'
[*] SELECT 1

Response
========

# version
- -------
0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
```

Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:

```msf
postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h
Usage: query_interactive

Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.

postgresql @ 127.0.0.1:5432 (template1) > query_interactive
[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.

SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
[*] SELECT 2

Response
========

# table_name
- ----------
0 pg_statistic
1 pg_type

SQL >>
```

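Review bot: the interaction paragraph says `sessions <session id>` while the MySQL and SMB docs in this same change say `sessions -i <session id>`; use the `-i` form here too so the three pages do not appear to describe different commands. Also, the CreateSession paragraph calls it a session "for the Postgres client you're connecting to"; the session is to the PostgreSQL server. Verification step 5, `set DATABASE [template name]`, would be clearer if it said the option is the database to authenticate against and pointed at the `template1` value used in the example run.
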
@ -8,7 +8,7 @@ To use smb_login, make sure you are able to connect to a SMB service that suppor

The following demonstrates a basic scenario of using the [built-in wordlists](https://github.com/rapid7/metasploit-framework/tree/master/data/wordlists) to brute-force SMB:

```
```msf
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 192.168.1.80
RHOSTS => 192.168.1.80

@ -21,12 +21,12 @@ msf auxiliary(smb_login) > run
[+] 192.168.1.80:445 - 192.168.1.80:445 SMB - Success: '.\root:monkey' Administrator
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >
msf auxiliary(smb_login) >
```

If you have a database connected, you should also see this credential logged:

```
```msf
msf auxiliary(smb_login) > creds
Credentials
===========

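Review bot: style only: the context lines of the block re-fenced here end with two identical `msf auxiliary(smb_login) >` prompt lines; dropping the duplicate while the block is being edited would tidy the transcript.
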
@ -35,10 +35,126 @@ host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
192.168.1.80 192.168.1.80 445/tcp (smb) root monkey Password

msf auxiliary(smb_login)
msf auxiliary(smb_login) >
```

## Options
## Obtaining a Session

When using the smb_login module, the CreateSession option can be used to obtain an interactive
session within the smb instance. Running with the following options:

```msf
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
```

Should give you output containing:

```msf
[*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce
[+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
[*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1...
```

Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.

```msf
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1...

SMB (172.14.2.164) > shares
Shares
======

# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 foo DISK
3 IPC$ IPC|SPECIAL Remote IPC

SMB (172.14.2.164) > shares -i foo
[+] Successfully connected to foo
SMB (172.14.2.164\foo) > ls
ls
===
[truncated]
```

When interacting with a session, the help command can be useful:

```msf
SMB (172.14.2.164\foo) > help

Core Commands
=============

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the SMB session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session


Shares Commands
===============

Command Description
------- -----------
cat Read the file at the given path
cd Change the current remote working directory
delete Delete a file
dir List all files in the current directory (alias for ls)
download Download a file
ls List all files in the current directory
mkdir Make a new directory
pwd Print the current remote working directory
rmdir Delete a directory
shares View the available shares and interact with one
upload Upload a file


Local File System Commands
==========================

Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory

This session also works with the following modules:

auxiliary/admin/dcerpc/icpr_cert
auxiliary/admin/dcerpc/samr_computer
auxiliary/admin/smb/delete_file
auxiliary/admin/smb/download_file
auxiliary/admin/smb/psexec_ntdsgrab
auxiliary/admin/smb/upload_file
auxiliary/gather/windows_secrets_dump
auxiliary/scanner/smb/pipe_auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor
auxiliary/scanner/smb/smb_enum_gpp
auxiliary/scanner/smb/smb_enumshares
auxiliary/scanner/smb/smb_enumusers
auxiliary/scanner/smb/smb_enumusers_domain
auxiliary/scanner/smb/smb_lookupsid
exploit/windows/smb/psexec
```

## Credential Options

By default, the smb_login module only requires the RHOSTS option to run. But in reality, you will
also need to supply user names and passwords. The following options are available to support

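Review bot: this hunk removes the `## Options` heading and puts `## Obtaining a Session` in its place, so `## Credential Options` is now the next heading; if `## Options` was the parent grouping for the option subsections, dropping it changes the page outline, so confirm that is intended or re-add the heading after the new section. Wording: "obtain an interactive session within the smb instance" should read "obtain an interactive SMB session with the target", and the `sessions -i -1` / `[*] Starting interaction with 1...` pair appears both at the end of the run transcript and at the top of the following block; one copy is enough.
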
@ -90,7 +90,14 @@ I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv

### DOMAIN

The domain name used during smb exchange.
The domain name used during SMB exchange.

### ACTION

Determines which of two actions smb_relay will use against the target.
The default is to run `PSEXEC`, but can be changed to `CREATE_SMB_SESSION` to
open an interactive SMB session against the target instead of running
psexec.

### TIMEOUT

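Review bot: the new `### ACTION` text presents `CREATE_SMB_SESSION` as always available, but the module code in this same change only registers that action inside `if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)`; the doc should state that the action is only offered when the SMB session type feature is enabled, otherwise a reader who sets `ACTION` to `CREATE_SMB_SESSION` on a default install will not find it and will have no hint why. Minor wording: "which of two actions" reads better as "which of the two actions", and "the target" here is the relay target, which is worth saying since smb_relay has both a listener side and a relay side.
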
@ -149,10 +149,10 @@ class MetasploitModule < Msf::Exploit::Remote

def available_actions
actions = [
['PSEXEC', { 'Description' => 'Run psexec against the relay target' }]
['PSEXEC', { 'Description' => 'Use the SMB Connection to run the exploit/windows/psexec module against the relay target' }]
]
if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
actions << ['CREATE_SMB_SESSION', { 'Description' => 'Get an SMB session' }]
actions << ['CREATE_SMB_SESSION', { 'Description' => 'Do not close the SMB connection after relaying, and instead create an SMB session' }]
end

actions

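Review bot: the new `PSEXEC` description names `exploit/windows/psexec`, but the module's full name is `exploit/windows/smb/psexec` (it is listed under that path in the smb_login documentation added in this same change); correct the path so users can look up the module the action actually runs. The reworded `CREATE_SMB_SESSION` description is an improvement; no further issue with that line.
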