This Metasploit module can be used to bruteforce RIDs associated with the domain of the SQL Server using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks.
27cf597af1be43509aa67248838da643e3d83e1bedf784ccf8ec336af6526352
This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native "xp_dirtree" or stored procedure. The stored procedures will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the "PUBLIC" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works great for relaying credentials between two SQL Servers using a shared service account to get shells. However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and john the ripper.
07d8028c67f4c74422fce026d3e4f7c8c01787a332652cb8847f7c5bc5571deb
This Metasploit module can be used to bruteforce RIDs associated with the domain of the SQL Server using the SUSER_SNAME function via Error Based SQL injection. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--.
0e0cd7442b34141ce286901bcc638f36f8b80933c0544ac4a91ea1079c35aa1f
This Metasploit module provides a fake SSL service that is intended to leak memory from client systems as they connect. This Metasploit module is hardcoded for using the AES-128-CBC-SHA1 cipher.
67d783fbcd4cde982f17f891681bce4e4ca4da2877dd80a91e898f0fdbf606ee
This Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.
81d080e43dc83f3e3ee46722a1679f1f403475e40beef0b849082092202ffa5c