|
2 | 2 |
|
3 | 3 | class Metasploit3 < Msf::Auxiliary
|
4 | 4 |
|
5 |
| - include Rex::Text |
6 | 5 | include Msf::Exploit::Remote::MSSQL_SQLI
|
7 | 6 |
|
8 | 7 | def initialize(info = {})
|
9 | 8 | super(update_info(info,
|
10 | 9 | 'Name' => 'Microsoft SQL Server NTLM Stealer - SQLi',
|
11 | 10 | 'Description' => %q{
|
12 |
| - This module can be used to help capture or relay the LM/NTLM |
13 |
| - credentials of the account running the remote SQL Server service. |
14 |
| - The module will use the SQL injection from GET_PATH to connect to the |
15 |
| - target SQL Server instance and execute the native "xp_dirtree" or |
16 |
| - stored procedure. The stored procedures will then |
17 |
| - force the service account to authenticate to the system defined in |
18 |
| - the SMBProxy option. In order for the attack to be successful, the |
19 |
| - SMB capture or relay module must be running on the system defined |
20 |
| - as the SMBProxy. The database account used to connect to the |
21 |
| - database should only require the "PUBLIC" role to execute. |
22 |
| - Successful execution of this attack usually results in local |
23 |
| - administrative access to the Windows system. Specifically, this |
24 |
| - works great for relaying credentials between two SQL Servers using |
25 |
| - a shared service account to get shells. However, if the relay fails, |
26 |
| - then the LM hash can be reversed using the Halflm rainbow tables and |
27 |
| - john the ripper. |
| 11 | + This module can be used to help capture or relay the LM/NTLM credentials of the |
| 12 | + account running the remote SQL Server service. The module will use the SQL |
| 13 | + injection from GET_PATH to connect to the target SQL Server instance and execute |
| 14 | + the native "xp_dirtree" or stored procedure. The stored procedures will then |
| 15 | + force the service account to authenticate to the system defined in the SMBProxy |
| 16 | + option. In order for the attack to be successful, the SMB capture or relay module |
| 17 | + must be running on the system defined as the SMBProxy. The database account used to |
| 18 | + connect to the database should only require the "PUBLIC" role to execute. |
| 19 | + Successful execution of this attack usually results in local administrative access |
| 20 | + to the Windows system. Specifically, this works great for relaying credentials |
| 21 | + between two SQL Servers using a shared service account to get shells. However, if |
| 22 | + the relay fails, then the LM hash can be reversed using the Halflm rainbow tables |
| 23 | + and john the ripper. |
28 | 24 | },
|
29 |
| - 'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>', 'Antti <antti.rantasaari[at]netspi.com>' ], |
| 25 | + 'Author' => |
| 26 | + [ |
| 27 | + 'nullbind <scott.sutherland[at]netspi.com>', |
| 28 | + 'Antti <antti.rantasaari[at]netspi.com>' |
| 29 | + ], |
30 | 30 | 'License' => MSF_LICENSE,
|
31 | 31 | 'Targets' =>
|
32 | 32 | [
|
|