Ethical Hacking and Penetration Testing Guide


Fingerprinting the Version
Just like for fingerprinting MySQL servers, Metasploit has an auxiliary module to fingerprint 
the MS SQL server version. It’s extremely important to know the server version because it 
tells us which attacks can be utilized against that particular server. The auxiliary module is called 
mssql_ping.
Usage
The usage is pretty much the same. We would load the auxiliary module, then specify the 
RHOSTS, and finally type “run” to execute the command. Here is the screenshot:
From this screenshot, we can see that the version of MS SQL server is 9.00, so we can conclude 
that the MS SQL server version is 2005 and above. If the version were 8.00, the version would be 
2000. Alternatively, we can also use an nmap script named “ms-sql-info” to figure out the version 
of the MS SQL server, but I would prefer using the Metasploit auxiliary module, as nmap scripts 
sometimes do not show accurate results.
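The version string that mssql_ping reports comes from the SQL Server Browser service (UDP 1434), which answers a probe with a short “key;value;…;;” record per instance. The parser below is an added example, not code from the book or from Metasploit: it decodes such a reply and applies the rule above (8.00 is 2000, 9.00 is 2005), extended with the later major versions so an inventory check can name every product it sees. The reply bytes, host name, and instance names are constructed for the example.

```python
import struct
from typing import Dict, List

# Product names by major.minor version. The chapter only covers 8.00 -> 2000
# and 9.00 -> 2005; the later releases are added here for completeness.
PRODUCT_BY_VERSION = {
    (8, 0): "SQL Server 2000",   (9, 0): "SQL Server 2005",
    (10, 0): "SQL Server 2008",  (10, 50): "SQL Server 2008 R2",
    (11, 0): "SQL Server 2012",  (12, 0): "SQL Server 2014",
    (13, 0): "SQL Server 2016",  (14, 0): "SQL Server 2017",
    (15, 0): "SQL Server 2019",  (16, 0): "SQL Server 2022",
}


def product_name(version: str) -> str:
    """Map a Version field such as '9.00.5000.00' to a product name."""
    parts = version.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return PRODUCT_BY_VERSION.get((major, minor), f"unknown (version {version})")


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Parse a Browser-service reply: byte 0x05, a little-endian 16-bit
    length, then ASCII key;value pairs with ';;' closing each instance."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue  # trailing empty record after the final ';;'
        info = dict(zip(fields[0::2], fields[1::2]))
        info["Product"] = product_name(info.get("Version", "0.0"))
        instances.append(info)
    return instances


# Constructed sample reply (not a real capture): a PROD instance at version
# 9.00, like the chapter's screenshot, plus a legacy 8.00 instance.
_BODY = (b"ServerName;DBSRV01;InstanceName;PROD;IsClustered;No;"
         b"Version;9.00.5000.00;tcp;1433;;"
         b"ServerName;DBSRV01;InstanceName;LEGACY;IsClustered;No;"
         b"Version;8.00.2039;tcp;1434;;")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY

if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst["InstanceName"], inst["Version"], "->", inst["Product"])
```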
Brute Forcing SA Account
Once we have fingerprinted the SQL server, we can try to brute-force the SA account. SA is an 
account for a database administrator. SA accounts could be very useful to us when we try to 
escalate privileges later on.
There is a built-in auxiliary module in Metasploit that can be used to brute-force the SA 
account.
Usage
The usage is pretty much the same as in fingerprinting. We load the auxiliary module, set the 
target IP, and type “run” to fire it up.
Using Null Passwords
We can also attempt to authenticate into the MS SQL server by using a null password. We can 
do this by using an nmap script called ms-sql-empty-password. The syntax for the script is as 
follows:
nmap -p 1433 --script=ms-sql-empty-password 

The output would look like this, if the log-in is successful:
| ms-sql-empty-password:
| [172.16.222.152\PROD]
|_ sa: => Login Success