1
00:00:00,000 --> 00:00:03,332
2
00:00:03,332 --> 00:00:04,760
[ELECTRONIC NOISES]
3
00:00:04,760 --> 00:00:10,010
4
00:00:10,010 --> 00:00:15,440
Now that we've looked at how
to enumerate MSSQL with Nmap,
5
00:00:15,440 --> 00:00:18,538
let's dig in and see how
we do it with Metasploit.
6
00:00:18,538 --> 00:00:21,290
7
00:00:21,290 --> 00:00:22,325
We have our IP address.
8
00:00:22,325 --> 00:00:31,135
9
00:00:31,135 --> 00:00:37,470
We do a simple Nmap scan,
and we get 1433 along
10
00:00:37,470 --> 00:00:42,900
with a lot of other services
running, but we're focusing on MSSQL
11
00:00:42,900 --> 00:00:43,410
right now.
12
00:00:43,410 --> 00:00:51,090
13
00:00:51,090 --> 00:00:55,260
We can run that same scan.
14
00:00:55,260 --> 00:01:02,670
Looking at 1433, we'll do
service as well as a script
15
00:01:02,670 --> 00:01:05,820
for MSSQL info.
16
00:01:05,820 --> 00:01:10,750
17
00:01:10,750 --> 00:01:12,715
It's a script we've run before.
18
00:01:12,715 --> 00:01:18,188
19
00:01:18,188 --> 00:01:19,730
And our service
enumeration came back
20
00:01:19,730 --> 00:01:24,260
with Microsoft SQL Server 2019.
21
00:01:24,260 --> 00:01:28,580
We have the same
information from our script.
22
00:01:28,580 --> 00:01:32,510
That is good to double check.
23
00:01:32,510 --> 00:01:33,695
We load up msfconsole.
24
00:01:33,695 --> 00:01:41,500
25
00:01:41,500 --> 00:01:46,390
We did a brute force
using Nmap last time.
26
00:01:46,390 --> 00:01:49,600
This time, we'll use Metasploit
to brute force our way
27
00:01:49,600 --> 00:01:53,605
into user log on and password.
28
00:01:53,605 --> 00:02:02,280
29
00:02:02,280 --> 00:02:11,980
It is an auxiliary
scanner for mssql_login.
30
00:02:11,980 --> 00:02:23,005
31
00:02:23,005 --> 00:02:23,770
We'll set rhosts.
32
00:02:23,770 --> 00:02:26,590
33
00:02:26,590 --> 00:02:29,170
And let's setg rhosts.
34
00:02:29,170 --> 00:02:32,990
35
00:02:32,990 --> 00:02:35,690
That way, it stays
persistent throughout all
36
00:02:35,690 --> 00:02:37,325
of the tools we use.
37
00:02:37,325 --> 00:02:40,440
38
00:02:40,440 --> 00:02:47,790
We'll set user_file
to be this wordlist
39
00:02:47,790 --> 00:02:54,940
from the Desktop, common_users.
40
00:02:54,940 --> 00:03:07,190
I'll set the pass_file to be
the 100 most common passwords.
41
00:03:07,190 --> 00:03:10,070
42
00:03:10,070 --> 00:03:14,100
These wordlists
exist for a reason.
43
00:03:14,100 --> 00:03:16,975
They are the most
common passwords.
44
00:03:16,975 --> 00:03:19,760
I'll set verbose to false.
45
00:03:19,760 --> 00:03:21,800
I'll double check options.
46
00:03:21,800 --> 00:03:24,530
Everything is filled
in that's required,
47
00:03:24,530 --> 00:03:25,655
and we can run that module.
48
00:03:25,655 --> 00:03:28,220
49
00:03:28,220 --> 00:03:32,270
We come up with sa and no
password, which is useful.
50
00:03:32,270 --> 00:03:49,650
51
00:03:49,650 --> 00:03:51,520
And that was quite useful.
52
00:03:51,520 --> 00:03:56,700
The next one, we came
up with database admin
53
00:03:56,700 --> 00:03:59,985
as anamaria and
auditor as nikita.
54
00:03:59,985 --> 00:04:02,610
We'll write all those down, and
we can come back to them later.
55
00:04:02,610 --> 00:04:06,250
56
00:04:06,250 --> 00:04:13,080
The next scanner we're going
to look at is going to be enum.
57
00:04:13,080 --> 00:04:18,390
We've already set our
rhosts because we set it
58
00:04:18,390 --> 00:04:21,959
as a global variable for this
whole Metasploit session.
59
00:04:21,959 --> 00:04:22,950
So you can just run.
60
00:04:22,950 --> 00:04:27,180
61
00:04:27,180 --> 00:04:29,700
It'll try those log-ins.
62
00:04:29,700 --> 00:04:31,120
We're still running the log-in.
63
00:04:31,120 --> 00:04:43,860
64
00:04:43,860 --> 00:04:45,480
It did not load the module.
65
00:04:45,480 --> 00:04:50,653
66
00:04:50,653 --> 00:04:51,570
Let's try that again--
67
00:04:51,570 --> 00:04:58,190
68
00:04:58,190 --> 00:05:05,200
mssql, ping, schemadump,
login, hashdump.
69
00:05:05,200 --> 00:05:19,990
70
00:05:19,990 --> 00:05:27,790
Ah, auxiliary admin
mssql_enum and let's run that.
71
00:05:27,790 --> 00:05:31,950
72
00:05:31,950 --> 00:05:34,980
And it came back with
a lot of information.
73
00:05:34,980 --> 00:05:41,820
And we could dig
through here, see
74
00:05:41,820 --> 00:05:44,410
what audits have been set up.
75
00:05:44,410 --> 00:05:49,290
Some of our database information
that we found last time
76
00:05:49,290 --> 00:05:52,320
using some Nmap scripts,
Metasploit came up with them
77
00:05:52,320 --> 00:05:53,740
with this.
78
00:05:53,740 --> 00:05:59,910
So we'll admin enum script--
79
00:05:59,910 --> 00:06:00,840
module, rather.
80
00:06:00,840 --> 00:06:09,150
81
00:06:09,150 --> 00:06:17,940
If we were to continue with
the auxiliary admin tools,
82
00:06:17,940 --> 00:06:22,280
there is enum and
then sql_logins.
83
00:06:22,280 --> 00:06:28,700
84
00:06:28,700 --> 00:06:31,720
We can run that.
85
00:06:31,720 --> 00:06:33,295
We see that sa is a sysadmin.
86
00:06:33,295 --> 00:06:39,930
87
00:06:39,930 --> 00:06:42,650
That's useful.
88
00:06:42,650 --> 00:06:46,403
Some more log-ins, we'll
write all those down.
89
00:06:46,403 --> 00:06:47,945
We can come back
and use those later.
90
00:06:47,945 --> 00:06:51,010
91
00:06:51,010 --> 00:06:53,220
The last thing we
would want to check
92
00:06:53,220 --> 00:06:55,080
is if we can run commands.
93
00:06:55,080 --> 00:06:57,820
94
00:06:57,820 --> 00:07:03,090
So it's going to be
another auxiliary admin.
95
00:07:03,090 --> 00:07:08,220
And this one instead of
enum is exec for execute.
96
00:07:08,220 --> 00:07:12,870
And we'll set the
command to be whoami.
97
00:07:12,870 --> 00:07:14,820
Let's look at those options.
98
00:07:14,820 --> 00:07:17,630
It'll connect, ask it.
99
00:07:17,630 --> 00:07:24,200
If we can execute whoami,
let's see what it looks like.
100
00:07:24,200 --> 00:07:29,690
And it came back as net
service/mssql/$sqlexpress,
101
00:07:29,690 --> 00:07:36,530
which is what we would
expect the SQL service to be
102
00:07:36,530 --> 00:07:39,140
identified as.
103
00:07:39,140 --> 00:07:44,840
Let's enumerate some
domain accounts.
104
00:07:44,840 --> 00:07:51,570
105
00:07:51,570 --> 00:07:53,460
And to switch it
up, use exploit.
106
00:07:53,460 --> 00:07:54,840
You can use exploit or run.
107
00:07:54,840 --> 00:07:56,010
They both do the same thing.
108
00:07:56,010 --> 00:07:59,992
109
00:07:59,992 --> 00:08:01,575
And it's pulling
some domain accounts.
110
00:08:01,575 --> 00:08:06,300
111
00:08:06,300 --> 00:08:07,715
And it should be quite a list.
112
00:08:07,715 --> 00:08:11,620
113
00:08:11,620 --> 00:08:13,000
We got alice and bob.
114
00:08:13,000 --> 00:08:25,210
115
00:08:25,210 --> 00:08:28,840
You might recognize them from
discussions of encryption.
116
00:08:28,840 --> 00:08:37,059
117
00:08:37,059 --> 00:08:39,059
Again, with enumeration
everything that we find,
118
00:08:39,059 --> 00:08:40,380
we're going to write down.
119
00:08:40,380 --> 00:08:43,350
And we can determine
whether it's useful later.
120
00:08:43,350 --> 00:08:45,540
But during enumeration,
it's all about
121
00:08:45,540 --> 00:08:50,070
gathering, gather, gather,
gather as much as you can.
122
00:08:50,070 --> 00:08:54,810
123
00:08:54,810 --> 00:08:57,680
And that completed.
124
00:08:57,680 --> 00:09:01,550
With that, that's the end
of our SQL enumeration.
125
00:09:01,550 --> 00:09:06,900
And hopefully, you got
something to take with you
126
00:09:06,900 --> 00:09:10,160
for all of your
enumerations here on out.
127
00:09:10,160 --> 00:09:11,000