1
00:00:00,000 --> 00:00:03,437
2
00:00:03,437 --> 00:00:05,401
[ELECTRONIC NOISES]
3
00:00:05,401 --> 00:00:10,160
4
00:00:10,160 --> 00:00:13,940
Now we're going to introduce
Microsoft's most common version
5
00:00:13,940 --> 00:00:16,070
of an SQL server, MSSQL.
6
00:00:16,070 --> 00:00:20,870
7
00:00:20,870 --> 00:00:23,075
In our environment,
we've got our IP address.
8
00:00:23,075 --> 00:00:26,630
9
00:00:26,630 --> 00:00:30,150
We run an Nmap scan, and we
see we're up against probably
10
00:00:30,150 --> 00:00:33,080
a Microsoft system.
11
00:00:33,080 --> 00:00:37,410
It's also running port 1433.
12
00:00:37,410 --> 00:00:46,520
If we do a service
enumeration scan, we get back
13
00:00:46,520 --> 00:00:49,300
the latest version
of the software,
14
00:00:49,300 --> 00:00:55,510
Microsoft SQL Server 2019.
15
00:00:55,510 --> 00:01:03,430
We can double down on that and
run a script for ms-sql-info.
16
00:01:03,430 --> 00:01:07,550
17
00:01:07,550 --> 00:01:09,780
That'll give us a little more.
18
00:01:09,780 --> 00:01:11,010
We have the service.
19
00:01:11,010 --> 00:01:13,770
We've got the number,
the exact version.
20
00:01:13,770 --> 00:01:17,970
And it could tell us the
various service packs.
21
00:01:17,970 --> 00:01:20,498
Patches applied, it says false.
22
00:01:20,498 --> 00:01:22,290
If we don't know what
that means right now,
23
00:01:22,290 --> 00:01:23,548
we can look it up later.
24
00:01:23,548 --> 00:01:25,590
But currently, we just
want to enumerate and pull
25
00:01:25,590 --> 00:01:26,925
as much information as we can.
26
00:01:26,925 --> 00:01:34,400
27
00:01:34,400 --> 00:01:36,520
The next thing we can
look into is ntlm-info.
28
00:01:36,520 --> 00:01:39,920
29
00:01:39,920 --> 00:01:48,110
And with this, we need
some arguments to tell it
30
00:01:48,110 --> 00:01:54,131
which instance to look at.
31
00:01:54,131 --> 00:01:56,330
We want 1433.
32
00:01:56,330 --> 00:02:00,110
And we got the target name of
MSSQL-SERVER, NetBIOS domain
33
00:02:00,110 --> 00:02:03,920
name of MSSQL-SERVER.
34
00:02:03,920 --> 00:02:05,045
We'll store that for later.
35
00:02:05,045 --> 00:02:11,710
36
00:02:11,710 --> 00:02:19,570
Another script we can run is
an MSSQL brute force, so brute.
37
00:02:19,570 --> 00:02:22,310
38
00:02:22,310 --> 00:02:26,310
And the arguments for this one
are going to be our word lists.
39
00:02:26,310 --> 00:02:34,760
So for our user, userdb=, we
have these on our desktop,
40
00:02:34,760 --> 00:02:38,420
wordlist, common_users.
41
00:02:38,420 --> 00:02:41,945
42
00:02:41,945 --> 00:02:42,820
And then the passdb--
43
00:02:42,820 --> 00:02:48,800
44
00:02:48,800 --> 00:02:49,410
very similar.
45
00:02:49,410 --> 00:03:01,278
46
00:03:01,278 --> 00:03:02,070
And we'll run that.
47
00:03:02,070 --> 00:03:04,200
And it will brute force.
48
00:03:04,200 --> 00:03:07,410
Again, the arguments for the
different scripts that we run
49
00:03:07,410 --> 00:03:10,770
are going to be
based on the script.
50
00:03:10,770 --> 00:03:12,900
Whoever was writing
those scripts
51
00:03:12,900 --> 00:03:15,240
determines what the
variables are called.
52
00:03:15,240 --> 00:03:21,450
We came back with auditor and
jasmine1, dbadmin and bubbles1,
53
00:03:21,450 --> 00:03:24,810
and admin and annamaria.
54
00:03:24,810 --> 00:03:27,460
We'll take advantage of
that in just a second.
55
00:03:27,460 --> 00:03:31,530
Let's see if there are
any empty passwords.
56
00:03:31,530 --> 00:03:40,140
ms-sql-empty-password
and we get one,
57
00:03:40,140 --> 00:03:43,992
username sa with
an empty password.
58
00:03:43,992 --> 00:03:45,575
We could enumerate
that a little more.
59
00:03:45,575 --> 00:03:48,310
60
00:03:48,310 --> 00:03:52,480
Well, let's take advantage
of that Maria password
61
00:03:52,480 --> 00:03:53,950
we came across.
62
00:03:53,950 --> 00:04:02,790
We will run a query,
pass in some arguments,
63
00:04:02,790 --> 00:04:04,345
the username of admin.
64
00:04:04,345 --> 00:04:09,025
65
00:04:09,025 --> 00:04:11,040
The password was annamaria--
66
00:04:11,040 --> 00:04:18,360
67
00:04:18,360 --> 00:04:19,125
query.query.
68
00:04:19,125 --> 00:04:26,200
69
00:04:26,200 --> 00:04:30,514
And we will select everything
from master..syslogins.
70
00:04:30,514 --> 00:04:35,930
71
00:04:35,930 --> 00:04:37,970
And this one, because
it's a weird output
72
00:04:37,970 --> 00:04:39,650
we're going to
output it as normal,
73
00:04:39,650 --> 00:04:43,490
-oN, and call it output.txt.
74
00:04:43,490 --> 00:04:47,150
And I'll show you what that
looks like in a second.
75
00:04:47,150 --> 00:04:50,480
Let me correct the
syntax near the star.
76
00:04:50,480 --> 00:04:52,580
Let's go with
select, not "slect."
77
00:04:52,580 --> 00:04:55,900
78
00:04:55,900 --> 00:05:00,490
It gave us this database
output, which is a mess.
79
00:05:00,490 --> 00:05:06,636
What we can do, if we go into
root and look at output.txt,
80
00:05:06,636 --> 00:05:08,650
it made this full size.
81
00:05:08,650 --> 00:05:14,380
And we have wordwrap turned off.
82
00:05:14,380 --> 00:05:19,450
We can come in and see it in a
little easier-to-read fashion.
83
00:05:19,450 --> 00:05:21,670
It's a database, so
there's a lot of columns
84
00:05:21,670 --> 00:05:24,300
and a lot of rows.
85
00:05:24,300 --> 00:05:26,460
It could be even
worse potentially.
86
00:05:26,460 --> 00:05:29,820
But some of the logins
are these services.
87
00:05:29,820 --> 00:05:34,050
There are NT services,
which are more helpful.
88
00:05:34,050 --> 00:05:35,280
That's our machine services.
89
00:05:35,280 --> 00:05:40,530
And then it looks like there
are some individual user logins.
90
00:05:40,530 --> 00:05:44,175
There's this BUILTIN user and NT
AUTHORITY SYSTEM also accessed.
91
00:05:44,175 --> 00:05:48,000
92
00:05:48,000 --> 00:05:51,160
We can come back to this
and see what's useful later.
93
00:05:51,160 --> 00:05:54,087
For now, we're
enumerating, so we gather,
94
00:05:54,087 --> 00:05:55,045
gather, gather, gather.
95
00:05:55,045 --> 00:05:59,860
96
00:05:59,860 --> 00:06:01,320
Once you're done
gathering, then we
97
00:06:01,320 --> 00:06:06,250
can go back and
see what is useful.
98
00:06:06,250 --> 00:06:07,350
Let's dump some hashes.
99
00:06:07,350 --> 00:06:11,620
100
00:06:11,620 --> 00:06:20,340
That's another useful thing
to do because dumping hashes
101
00:06:20,340 --> 00:06:21,300
usually gets us--
102
00:06:21,300 --> 00:06:25,170
103
00:06:25,170 --> 00:06:26,460
we can use hashes.
104
00:06:26,460 --> 00:06:34,500
We can pass a hash,
which would let
105
00:06:34,500 --> 00:06:37,020
us access other machines
without necessarily
106
00:06:37,020 --> 00:06:38,400
having the password.
107
00:06:38,400 --> 00:06:41,690
108
00:06:41,690 --> 00:06:43,190
I mean, we do have
passwords here.
109
00:06:43,190 --> 00:06:50,630
But maybe there's stuff that
didn't come with a password.
110
00:06:50,630 --> 00:06:55,730
There's more accounts than
the few that we had before
111
00:06:55,730 --> 00:06:58,220
and some hashes to go with them.
112
00:06:58,220 --> 00:07:03,731
We saw this
MS_PolicyEventProcessingLogin
113
00:07:03,731 --> 00:07:06,330
in that output.
114
00:07:06,330 --> 00:07:08,330
I don't know what we can
do with it right now.
115
00:07:08,330 --> 00:07:09,430
But it's useful to have.
116
00:07:09,430 --> 00:07:13,370
117
00:07:13,370 --> 00:07:20,785
You never want to count things
out in your enumeration phase.
118
00:07:20,785 --> 00:07:26,300
119
00:07:26,300 --> 00:07:31,525
Let's see if we can
run some actual code.
120
00:07:31,525 --> 00:07:37,180
121
00:07:37,180 --> 00:07:39,670
We need a username.
122
00:07:39,670 --> 00:07:51,000
We will use admin
and annamaria again.
123
00:07:51,000 --> 00:07:53,475
And then what do we actually
want to ask it to do?
124
00:07:53,475 --> 00:08:01,740
125
00:08:01,740 --> 00:08:04,485
The command, we'll have
it run as ipconfig.
126
00:08:04,485 --> 00:08:09,710
127
00:08:09,710 --> 00:08:14,880
We get back the IP
address of the machine.
128
00:08:14,880 --> 00:08:17,330
This default gateway
could be useful to us.
129
00:08:17,330 --> 00:08:19,520
We might want to be
using that later to see
130
00:08:19,520 --> 00:08:20,690
what sort of connections.
131
00:08:20,690 --> 00:08:22,580
But really, what's
helpful is we were
132
00:08:22,580 --> 00:08:26,060
able to run a command in
a shell on their machine
133
00:08:26,060 --> 00:08:29,330
remotely utilizing SQL.
134
00:08:29,330 --> 00:08:31,430
We saw that before with MySQL.
135
00:08:31,430 --> 00:08:38,059
Now we can do it with MSSQL,
which can be quite handy.
136
00:08:38,059 --> 00:08:42,260
In this situation now
instead of an ipconfig,
137
00:08:42,260 --> 00:08:47,510
let's have it do type, which
is the Windows version of cat
138
00:08:47,510 --> 00:08:54,410
if you're more familiar with
Linux than you are Windows.
139
00:08:54,410 --> 00:08:56,640
Let's have it read a file.
140
00:08:56,640 --> 00:08:59,990
So on the C drive, there
was a file flag.txt.
141
00:08:59,990 --> 00:09:02,130
And we got the
output of that file,
142
00:09:02,130 --> 00:09:03,380
which was a hash in this case.
143
00:09:03,380 --> 00:09:11,360
144
00:09:11,360 --> 00:09:16,090
It's useful to know how to
enumerate multiple systems.
145
00:09:16,090 --> 00:09:19,060
If you come across
another version of SQL,
146
00:09:19,060 --> 00:09:22,510
we could go into NSE, go
on the website for Nmap,
147
00:09:22,510 --> 00:09:25,720
and see what other scripts
apply in those situations.
148
00:09:25,720 --> 00:09:27,880
That's how you would do
this enumeration thing.
149
00:09:27,880 --> 00:09:30,130
If you see something
that isn't covered here,
150
00:09:30,130 --> 00:09:32,500
then you at least
have an idea of,
151
00:09:32,500 --> 00:09:34,150
what should we be looking for?
152
00:09:34,150 --> 00:09:35,470
What should we be trying?
153
00:09:35,470 --> 00:09:38,190
That's what we're
trying to do here.
154
00:09:38,190 --> 00:09:39,000