dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Land #18961, Adds session documentation

This commit is contained in:
cgranleese-r7 2024-03-25 11:23:05 +00:00 committed by GitHub
parent 685a2e9df6 decba4350e
commit 9b4114eda0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 1243 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

184
docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md
View File

@ -3,11 +3,23 @@
Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.
MySQL is frequently found on port on the following ports:
MSSQL is frequently found on port on the following ports:
- 1433/TCP
- 1434/UDP
For a full list of MSSQL modules run the `search` command within msfconsole:
```msf
msf6 > search mssql
```
Or to search for modules that work with a specific session type:
```msf
msf6 > search session_type:mssql
```
### Lab Environment
Environment setup:
@ -26,6 +38,176 @@ use auxiliary/admin/mssql/mssql_sql
run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
```
### Logging in and obtaining a session
To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login
```msf
use auxiliary/scanner/mssql_login
run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
```
The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine
on a successful login:
```msf
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
```msf
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1...
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Stand
ard 10.0 <X64> (Build 20348: ) (Hypervisor)
```
When interacting with a session, the help command can be useful:
```msf
mssql @ 192.168.2.242:1433 (master) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
MSSQL Client Commands
=====================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/mssql/mssql_enum
auxiliary/admin/mssql/mssql_escalate_dbowner
auxiliary/admin/mssql/mssql_escalate_execute_as
auxiliary/admin/mssql/mssql_exec
auxiliary/admin/mssql/mssql_findandsampledata
auxiliary/admin/mssql/mssql_idf
auxiliary/admin/mssql/mssql_sql
auxiliary/admin/mssql/mssql_sql_file
auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/mssql/mssql_schemadump
exploit/windows/mssql/mssql_payload
```
To interact directly with the session as if in a SQL prompt, you can use the `query` command.
```msf
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
[*] Starting interaction with 2...
mssql @ 192.168.2.242:1433 (master) > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query select @@version;
query select user_name();
query select name from master.dbo.sysdatabases;
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
uild 20348: ) (Hypervisor)
```
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
```msf
mssql @ 192.168.2.242:1433 (master) > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
# TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
- ------------- ------------ ---------- ----------
0 master dbo spt_fallback_db BASE TABLE
1 master dbo spt_fallback_dev BASE TABLE
2 master dbo spt_fallback_usg BASE TABLE
4 master dbo Users BASE TABLE
5 master dbo spt_monitor BASE TABLE
6 master dbo MSreplication_options BASE TABLE
SQL >>
```
### Link crawling
Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:

158
docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md
View File

@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s
msf6 > search mysql
```
Or to search for modules that work with a specific session type:
```msf
msf6 > search session_type:mysql
```
### Lab Environment
When testing in a lab environment MySQL can either be installed on the host machine or within Docker:
@ -79,6 +85,158 @@ run cidr:/24:mysql://user:pass@192.168.222.0 threads=50
run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
```
### Obtaining an Interactive Session on the Target
The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session
for the MySQL client you're connecting to. The run command with CreateSession
set to true should give you an interactive session:
```msf
msf6 > use scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password'
[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
[*] Starting interaction with 1...
mysql @ 127.0.0.1:4306 >
```
You can interact with your new session using `sessions -i -1` or `sessions <session id>`.
You can also use `help` to get more information about how to use your session.
```msf
msf6 auxiliary(scanner/mysql/mysql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
[*] Starting interaction with 3...
```
When interacting with a session, the help command can be useful:
```msf
mysql @ 127.0.0.1:4306 > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
MySQL Client Commands
=====================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/mysql/mysql_enum
auxiliary/admin/mysql/mysql_sql
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_writable_dirs
exploit/multi/mysql/mysql_udf_payload
exploit/windows/mysql/mysql_mof
exploit/windows/mysql/mysql_start_up
```
Once you've done that, you can run any MySQL query against the target using the `query` command:
```msf
mysql @ 127.0.0.1:4306 > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query SHOW DATABASES;
query USE information_schema;
query SELECT * FROM SQL_FUNCTIONS;
query SELECT version();
mysql @ 127.0.0.1:4306 > query 'SELECT version();'
Response
========
# version()
- ---------
0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204
```
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
```msf
mysql @ 127.0.0.1:4306 () > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
mysql @ 127.0.0.1:4306 () > query_interactive
[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 ()
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
Response
========
# table_name
- ----------
0 ALL_PLUGINS
1 APPLICABLE_ROLES
SQL >>
```
### MySQL Dumping
User and hash dump:

159
docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md
View File

@ -17,6 +17,13 @@ There are more modules than listed here, for the full list of modules run the `s
msf6 > search postgres
```
Or to search for modules that work with a specific session type:
```msf
msf6 > search session_type:postgres
```
### Lab Environment
When testing in a lab environment PostgreSQL can either be installed on the host machine or within Docker:
@ -80,6 +87,158 @@ run cidr:/24:postgres://user:pass@192.168.222.0 threads=50
run cidr:/24:postgres://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
```
### Obtaining an Interactive Session
The CreateSession option for `auxiliary/scanner/postgres/postgres_login` allows you to obtain an
interactive session for the Postgres client you're connecting to. The run command with CreateSession
set to true should give you an interactive session.
For example:
```msf
msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
```
Should yield:
```msf
[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1
[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
You can interact with your session using `sessions -i -1` or `sessions <session id>`.
Use the help command for more info.
```msf
msf6 auxiliary(scanner/postgres/postgres_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)
msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
[*] Starting interaction with 1...
```
When interacting with a session, the help command can be useful:
```msf
postgresql @ 127.0.0.1:5432 (template1) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
PostgreSQL Client Commands
==========================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/postgres/postgres_readfile
auxiliary/admin/postgres/postgres_sql
auxiliary/scanner/postgres/postgres_hashdump
auxiliary/scanner/postgres/postgres_schemadump
auxiliary/scanner/postgres/postgres_version
exploit/linux/postgres/postgres_payload
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
exploit/multi/postgres/postgres_createlang
exploit/windows/postgres/postgres_payload
```
Once you've done that, you can run any Postgres query against the target using the `query` command:
```msf
postgresql @ 127.0.0.1:5432 (template1) > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query SELECT user;
query SELECT version();
query SELECT * FROM pg_catalog.pg_tables;
postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();'
[*] SELECT 1
Response
========
# version
- -------
0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
```
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
```msf
postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
postgresql @ 127.0.0.1:5432 (template1) > query_interactive
[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
[*] SELECT 2
Response
========
# table_name
- ----------
0 pg_statistic
1 pg_type
SQL >>
```
### PostgreSQL Capture Server
Captures and log PostgreSQL credentials:

122
docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md
View File

@ -27,6 +27,12 @@ There are more modules than listed here, for the full list of modules run the `s
msf6 > search smb
```
Or to search for modules that work with a specific session type:
```msf
msf6 > search session_type:smb
```
### Lab Environment
When testing in a lab environment - SMB can be used on a Window's host machine, or within Docker.
@ -63,6 +69,122 @@ Restart the service:
service smbd restart
```
### SMB Login and Interactive Sessions
When using the smb_login module, the CreateSession option can be used to obtain an interactive
session within the smb instance. Running with the following options:
```msf
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
```
Should give you output similar to
```msf
[*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce
[+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
[*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1...
```
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
```msf
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1...
SMB (172.14.2.164) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 foo DISK
3 IPC$ IPC|SPECIAL Remote IPC
SMB (172.14.2.164) > shares -i foo
[+] Successfully connected to foo
SMB (172.14.2.164\foo) > ls
ls
===
[truncated]
```
When interacting with a session, the help command can be useful:
```msf
SMB (172.14.2.164\foo) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the SMB session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
Shares Commands
===============
Command Description
------- -----------
cat Read the file at the given path
cd Change the current remote working directory
delete Delete a file
dir List all files in the current directory (alias for ls)
download Download a file
ls List all files in the current directory
mkdir Make a new directory
pwd Print the current remote working directory
rmdir Delete a directory
shares View the available shares and interact with one
upload Upload a file
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/dcerpc/icpr_cert
auxiliary/admin/dcerpc/samr_computer
auxiliary/admin/smb/delete_file
auxiliary/admin/smb/download_file
auxiliary/admin/smb/psexec_ntdsgrab
auxiliary/admin/smb/upload_file
auxiliary/gather/windows_secrets_dump
auxiliary/scanner/smb/pipe_auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor
auxiliary/scanner/smb/smb_enum_gpp
auxiliary/scanner/smb/smb_enumshares
auxiliary/scanner/smb/smb_enumusers
auxiliary/scanner/smb/smb_enumusers_domain
auxiliary/scanner/smb/smb_lookupsid
exploit/windows/smb/psexec
```
### SMB Enumeration
Enumerate SMB version:

171
documentation/modules/auxiliary/scanner/mssql/mssql_login.md
View File

@ -15,6 +15,174 @@ A docker container can be spun up with the following command to test this module
## Options
### CreateSession
When using the `scanner/mssql/mssql_login` module, the CreateSession option can be used to obtain an interactive
session within the MSSQL instance. Running the following commands with all other options set:
```msf
msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
```
Should give you output containing:
```msf
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
```msf
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.2.242:1433 (192.168.2.242)
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1...
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Stand
ard 10.0 <X64> (Build 20348: ) (Hypervisor)
```
When interacting with a session, the help command can be useful:
```msf
mssql @ 192.168.2.242:1433 (master) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
MSSQL Client Commands
=====================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queri
es
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/mssql/mssql_enum
auxiliary/admin/mssql/mssql_escalate_dbowner
auxiliary/admin/mssql/mssql_escalate_execute_as
auxiliary/admin/mssql/mssql_exec
auxiliary/admin/mssql/mssql_findandsampledata
auxiliary/admin/mssql/mssql_idf
auxiliary/admin/mssql/mssql_sql
auxiliary/admin/mssql/mssql_sql_file
auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/mssql/mssql_schemadump
exploit/windows/mssql/mssql_payload
```
To interact directly with the session as if in a SQL prompt, you can use the `query` command.
```msf
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
[*] Starting interaction with 2...
mssql @ 192.168.2.242:1433 (master) > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query select @@version;
query select user_name();
query select name from master.dbo.sysdatabases;
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
uild 20348: ) (Hypervisor)
```
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
```msf
mssql @ 192.168.2.242:1433 (master) > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select top 2 table_catalog, table_schema
SQL *> from information_schema.tables;
[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables;
Response
========
# table_catalog table_schema
- ------------- ------------
0 master dbo
1 master dbo
SQL >>
```
### USER_FILE
File containing users, one per line.
@ -24,7 +192,8 @@ File containing users, one per line.
File containing passwords, one per line
## Scenarios
```
```msf
msf > use scanner/mssql/mssql_login
msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 127.0.0.1
rhosts => 127.0.0.1

153
documentation/modules/auxiliary/scanner/mysql/mysql_login.md
View File

@ -12,7 +12,7 @@ This auxiliary module is a brute-force login tool for MySQL servers.
## Scenarios
```
```msf
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set PASS_FILE /tmp/passes.txt
PASS_FILE => /tmp/passes.txt
@ -61,3 +61,154 @@ msf auxiliary(mysql_login) > run
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >
```
## Obtaining an Interactive Session
The CreateSession option allows you to obtain an interactive session
for the MySQL client you're connecting to. The run command with CreateSession
set to true should give you an interactive session:
```msf
run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password'
[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
[*] Starting interaction with 1...
mysql @ 127.0.0.1:4306 >
```
You can interact with your new session using `sessions -i -1` or `sessions -i <session id>`.
You can also use `help` to get more information about how to use your session.
```msf
msf6 auxiliary(scanner/mysql/mysql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
[*] Starting interaction with 3...
```
When interacting with a session, the help command can be useful:
```msf
mysql @ 127.0.0.1:4306 > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
MySQL Client Commands
=====================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/mysql/mysql_enum
auxiliary/admin/mysql/mysql_sql
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_writable_dirs
exploit/multi/mysql/mysql_udf_payload
exploit/windows/mysql/mysql_mof
exploit/windows/mysql/mysql_start_up
```
Once you've done that, you can run any MySQL query against the target using the `query` command:
```msf
mysql @ 127.0.0.1:4306 > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query SHOW DATABASES;
query USE information_schema;
query SELECT * FROM SQL_FUNCTIONS;
query SELECT version();
mysql @ 127.0.0.1:4306 > query 'SELECT version();'
Response
========
# version()
- ---------
0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204
```
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
```msf
mysql @ 127.0.0.1:4306 > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
mysql @ 127.0.0.1:4306 > query_interactive
[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
Response
========
# table_name
- ----------
0 ALL_PLUGINS
1 APPLICABLE_ROLES
SQL >>
```

168
documentation/modules/auxiliary/scanner/postgres/postgres_login.md Normal file
View File

@ -0,0 +1,168 @@
## Description
This auxiliary module is a brute-force login tool for Postgres servers.
## Verification Steps
1. Do: `use auxiliary/scanner/postgres/postgres_login`
2. Do: `set PASS_FILE [file containing passwords]`
3. Do: `set RHOSTS [IP]`
4. Do: `set USER_FILE [file containing usernames]`
5. Do: `set DATABASE [template name]`
6. Do: `run`
The above USER_FILE and PASS_FILE options can be replaced with USERNAME
and PASSWORD if you know the credentials.
## Getting an Interactive Session
The CreateSession option allows you to obtain an interactive session
for the Postgres client you're connecting to. The run command with CreateSession
set to true should give you an interactive session.
For example:
```msf
msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true
```
Should yield:
```msf
[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1
[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
You can interact with your session using `sessions -i -1` or `sessions <session id>`.
Use the help command for more info.
```msf
msf6 auxiliary(scanner/postgres/postgres_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1)
msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1
[*] Starting interaction with 1...
```
When interacting with a session, the help command can be useful:
```msf
postgresql @ 127.0.0.1:5432 (template1) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
PostgreSQL Client Commands
==========================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/postgres/postgres_readfile
auxiliary/admin/postgres/postgres_sql
auxiliary/scanner/postgres/postgres_hashdump
auxiliary/scanner/postgres/postgres_schemadump
auxiliary/scanner/postgres/postgres_version
exploit/linux/postgres/postgres_payload
exploit/multi/postgres/postgres_copy_from_program_cmd_exec
exploit/multi/postgres/postgres_createlang
exploit/windows/postgres/postgres_payload
```
Once you've done that, you can run any Postgres query against the target using the `query` command:
```msf
postgresql @ 127.0.0.1:5432 (template1) > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query SELECT user;
query SELECT version();
query SELECT * FROM pg_catalog.pg_tables;
postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();'
[*] SELECT 1
Response
========
# version
- -------
0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit
```
Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:
```msf
postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
postgresql @ 127.0.0.1:5432 (template1) > query_interactive
[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
[*] SELECT 2
Response
========
# table_name
- ----------
0 pg_statistic
1 pg_type
SQL >>
```

126
documentation/modules/auxiliary/scanner/smb/smb_login.md
View File

@ -8,7 +8,7 @@ To use smb_login, make sure you are able to connect to a SMB service that suppor
The following demonstrates a basic scenario of using the [built-in wordlists](https://github.com/rapid7/metasploit-framework/tree/master/data/wordlists) to brute-force SMB:
```
```msf
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 192.168.1.80
RHOSTS => 192.168.1.80
@ -21,12 +21,12 @@ msf auxiliary(smb_login) > run
[+] 192.168.1.80:445 - 192.168.1.80:445 SMB - Success: '.\root:monkey' Administrator
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >
msf auxiliary(smb_login) >
```
If you have a database connected, you should also see this credential logged:
```
```msf
msf auxiliary(smb_login) > creds
Credentials
===========
@ -35,10 +35,126 @@ host origin service public private realm private_type
---- ------ ------- ------ ------- ----- ------------
192.168.1.80 192.168.1.80 445/tcp (smb) root monkey Password
msf auxiliary(smb_login)
msf auxiliary(smb_login) >
```
## Options
## Obtaining a Session
When using the smb_login module, the CreateSession option can be used to obtain an interactive
session within the smb instance. Running with the following options:
```msf
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
```
Should give you output containing:
```msf
[*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce
[+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator
[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000
[*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1...
```
Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.
```msf
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1...
SMB (172.14.2.164) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 foo DISK
3 IPC$ IPC|SPECIAL Remote IPC
SMB (172.14.2.164) > shares -i foo
[+] Successfully connected to foo
SMB (172.14.2.164\foo) > ls
ls
===
[truncated]
```
When interacting with a session, the help command can be useful:
```msf
SMB (172.14.2.164\foo) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the SMB session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
Shares Commands
===============
Command Description
------- -----------
cat Read the file at the given path
cd Change the current remote working directory
delete Delete a file
dir List all files in the current directory (alias for ls)
download Download a file
ls List all files in the current directory
mkdir Make a new directory
pwd Print the current remote working directory
rmdir Delete a directory
shares View the available shares and interact with one
upload Upload a file
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/dcerpc/icpr_cert
auxiliary/admin/dcerpc/samr_computer
auxiliary/admin/smb/delete_file
auxiliary/admin/smb/download_file
auxiliary/admin/smb/psexec_ntdsgrab
auxiliary/admin/smb/upload_file
auxiliary/gather/windows_secrets_dump
auxiliary/scanner/smb/pipe_auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor
auxiliary/scanner/smb/smb_enum_gpp
auxiliary/scanner/smb/smb_enumshares
auxiliary/scanner/smb/smb_enumusers
auxiliary/scanner/smb/smb_enumusers_domain
auxiliary/scanner/smb/smb_lookupsid
exploit/windows/smb/psexec
```
## Credential Options
By default, the smb_login module only requires the RHOSTS option to run. But in reality, you will
also need to supply user names and passwords. The following options are available to support

9
documentation/modules/exploit/windows/smb/smb_relay.md
View File

@ -90,7 +90,14 @@ I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv
### DOMAIN
The domain name used during smb exchange.
The domain name used during SMB exchange.
### ACTION
Determines which of two actions smb_relay will use against the target.
The default is to run `PSEXEC`, but can be changed to `CREATE_SMB_SESSION` to
open an interactive SMB session against the target instead of running
psexec.
### TIMEOUT

4
modules/exploits/windows/smb/smb_relay.rb
View File

@ -149,10 +149,10 @@ class MetasploitModule < Msf::Exploit::Remote
def available_actions
actions = [
['PSEXEC', { 'Description' => 'Run psexec against the relay target' }]
['PSEXEC', { 'Description' => 'Use the SMB Connection to run the exploit/windows/psexec module against the relay target' }]
]
if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
actions << ['CREATE_SMB_SESSION', { 'Description' => 'Get an SMB session' }]
actions << ['CREATE_SMB_SESSION', { 'Description' => 'Do not close the SMB connection after relaying, and instead create an SMB session' }]
end
actions