6 Attacking vulnerable database services
This chapter covers
- Controlling MSSQL Server using mssql-cli
- Enabling the xp_cmdshell stored procedure
- Copying Windows registry hive files using reg.exe
- Creating an anonymous network share
- Extracting Windows account password hashes using Creddump
If you’ve made it this far on an internal network penetration test (INPT), then you’re probably feeling pretty successful, and you should be, because you’ve already managed to compromise a few hosts. In fact, the few hosts you’ve gained access to so far may be all you need to elevate your access to the point of owning the entire network. Remember, though, that the purpose of phase 2, focused penetration, is to compromise as many of these level-one hosts as you can, not just the first few that fall.
level-one hosts
Once again, level-one hosts are systems with direct access vulnerabilities that you can leverage to gain remote control of the vulnerable target.
In this chapter you’re going to shift focus from web services to database services, in this case the popular Microsoft SQL Server service, which you will almost certainly encounter on most engagements throughout your career.