6 Attacking vulnerable database services

This chapter covers

Controlling MSSQL Server using mssql-cli
Enabling the xp_cmdshell stored procedure
Copying Windows registry hive files using reg.exe
Creating an anonymous network share
Extracting Windows account password hashes using Creddump

If you’ve made it this far on an internal network penetration test (INTP), then you’re probably feeling pretty successful, and you should be--you’ve already managed to compromise a few hosts. In fact, the few hosts you’ve gained access to thus far may be all you need to elevate your access to the level of owning the entire network. Remember, though, that the purpose of phase 2, focused penetration, is to compromise as many level-one hosts as you can.

Definition

As a reminder, level-one hosts are systems with direct access vulnerabilities that you can use to gain remote control of the vulnerable target.

6.1 Compromising Microsoft SQL Server

6.1.1 MSSQL stored procedures

6.1.2 Enumerating MSSQL servers with Metasploit

6.1.3 Enabling xp_cmdshell

6.1.4 Running OS commands with xp_cmdshell

6.2 Stealing Windows account password hashes

6.2.1 Copying registry hives with reg.exe

6.2.2 Downloading registry hive copies

6.3 Extracting password hashes with creddump

6.3.1 Understanding pwdump’s output

Summary