This Metasploit module can be used to bruteforce RIDs associated with the domain of the SQL Server using the SUSER_SNAME function. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks.
27cf597af1be43509aa67248838da643e3d83e1bedf784ccf8ec336af6526352This Metasploit module can be used to help capture or relay the LM/NTLM credentials of the account running the remote SQL Server service. The module will use the SQL injection from GET_PATH to connect to the target SQL Server instance and execute the native "xp_dirtree" or stored procedure. The stored procedures will then force the service account to authenticate to the system defined in the SMBProxy option. In order for the attack to be successful, the SMB capture or relay module must be running on the system defined as the SMBProxy. The database account used to connect to the database should only require the "PUBLIC" role to execute. Successful execution of this attack usually results in local administrative access to the Windows system. Specifically, this works great for relaying credentials between two SQL Servers using a shared service account to get shells. However, if the relay fails, then the LM hash can be reversed using the Halflm rainbow tables and john the ripper.
07d8028c67f4c74422fce026d3e4f7c8c01787a332652cb8847f7c5bc5571debThis Metasploit module can be used to bruteforce RIDs associated with the domain of the SQL Server using the SUSER_SNAME function via Error Based SQL injection. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks. The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--.
0e0cd7442b34141ce286901bcc638f36f8b80933c0544ac4a91ea1079c35aa1fThis Metasploit module provides a fake SSL service that is intended to leak memory from client systems as they connect. This Metasploit module is hardcoded for using the AES-128-CBC-SHA1 cipher.
67d783fbcd4cde982f17f891681bce4e4ca4da2877dd80a91e898f0fdbf606eeThis Metasploit module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable.
81d080e43dc83f3e3ee46722a1679f1f403475e40beef0b849082092202ffa5c
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed