From 2c307f1bb392c9a5e328ed15f1bf1126904d32ab Mon Sep 17 00:00:00 2001 From: Zach Goldman Date: Wed, 13 Mar 2024 12:08:44 -0500 Subject: [PATCH] Adds session documentation add more console output, add to pentesting side split out session, help, query, query_interactive sections add multiline examples update mysql, smb --- .../Metasploit-Guide-MSSQL.md | 171 ++++++++++++++++- .../Metasploit-Guide-MySQL.md | 151 +++++++++++++++ .../Metasploit-Guide-PostgreSQL.md | 152 ++++++++++++++++ .../Metasploit-Guide-SMB.md | 116 ++++++++++++ .../auxiliary/scanner/mssql/mssql_login.md | 172 +++++++++++++++++- .../auxiliary/scanner/mysql/mysql_login.md | 155 +++++++++++++++- .../scanner/postgres/postgres_login.md | 168 +++++++++++++++++ .../auxiliary/scanner/smb/smb_login.md | 126 ++++++++++++- .../modules/exploit/windows/smb/smb_relay.md | 6 + 9 files changed, 1209 insertions(+), 8 deletions(-) create mode 100644 documentation/modules/auxiliary/scanner/postgres/postgres_login.md diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md index 0b2ac47dbbfb..7667fc35aa60 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md @@ -3,7 +3,7 @@ Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications and other software that need to persist data. MSSQL is a useful target for data extraction and code execution. -MySQL is frequently found on port on the following ports: +MSSQL is frequently found on port on the following ports: - 1433/TCP - 1434/UDP @@ -26,6 +26,175 @@ use auxiliary/admin/mssql/mssql_sql run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid' ``` +### Logging in and obtaining a session +To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login + +```msf +use auxiliary/scanner/mssql_login +run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password +``` + +The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine +on a successful login: + +```msf +[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner. +[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved! +[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password +[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500 +[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` + +Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. + +```msf +msf6 auxiliary(scanner/mssql/mssql_login) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 mssql MSSQL test @ 192.168.2.242:143 192.168.2.1:60963 -> 192.168.2 + 3 .242:1433 (192.168.2.242) + +msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1 +[*] Starting interaction with 1... + +mssql @ 192.168.2.242:1433 (master) > query 'select @@version;' +Response +======== + + # NULL + - ---- + 0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) + Oct 8 2022 05:58:25 + Copyright (C) 2022 Microsoft Corporation + Developer Edition (64-bit) on Windows Server 2022 Stand + ard 10.0 (Build 20348: ) (Hypervisor) +``` + +When interacting with a session, the help command can be useful: + +```msf +mssql @ 192.168.2.242:1433 (master) > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the PostgreSQL session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +MSSQL Client Commands +===================== + + Command Description + ------- ----------- + query Run a single SQL query + query_interactive Enter an interactive prompt for running multiple SQL queri + es + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/mssql/mssql_enum + auxiliary/admin/mssql/mssql_escalate_dbowner + auxiliary/admin/mssql/mssql_escalate_execute_as + auxiliary/admin/mssql/mssql_exec + auxiliary/admin/mssql/mssql_findandsampledata + auxiliary/admin/mssql/mssql_idf + auxiliary/admin/mssql/mssql_sql + auxiliary/admin/mssql/mssql_sql_file + auxiliary/scanner/mssql/mssql_hashdump + auxiliary/scanner/mssql/mssql_schemadump + exploit/windows/mssql/mssql_payload +``` + +To interact directly with the session as if in a SQL prompt, you can use the `query` command. + +```msf +msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1 +[*] Starting interaction with 2... + +mssql @ 192.168.2.242:1433 (master) > query -h +Usage: query + +Run a single SQL query on the target. + +OPTIONS: + + -h, --help Help menu. + -i, --interact Enter an interactive prompt for running multiple SQL queries + +Examples: + + query select @@version; + query select user_name(); + query select name from master.dbo.sysdatabases; + +mssql @ 192.168.2.242:1433 (master) > query 'select @@version;' +Response +======== + + # NULL + - ---- + 0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) + Oct 8 2022 05:58:25 + Copyright (C) 2022 Microsoft Corporation + Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 (B + uild 20348: ) (Hypervisor) +``` + +Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands: + +```msf +mssql @ 192.168.2.242:1433 (master) > query_interactive -h +Usage: query_interactive + +Go into an interactive SQL shell where SQL queries can be executed. +To exit, type 'exit', 'quit', 'end' or 'stop'. + +mssql @ 192.168.2.242:1433 (master) > query_interactive +[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master) +[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. + +SQL >> select top 2 table_catalog, table_schema +SQL *> from information_schema.tables; +[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables; +Response +======== + + # table_catalog table_schema + - ------------- ------------ + 0 master dbo + 1 master dbo + +SQL >> +``` + ### Link crawling Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances: diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md index 26b96cb8db65..8726a6ac1a7e 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md @@ -79,6 +79,157 @@ run cidr:/24:mysql://user:pass@192.168.222.0 threads=50 run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt ``` +### Obtaining an Interactive Session on the Target + +The CreateSession option in `scanner/mysql/msql_login` allows you to obtain an interactive session +for the MySQL client you're connecting to. The run command with CreateSession +set to true should give you an interactive session: + +```msf +run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true + +[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2 +[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password' +[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500 +[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1 +[*] Starting interaction with 1... + +mysql @ 127.0.0.1:4306 > +``` + +You can interact with your new session using `sessions -i -1` or `sessions `. +You can also use `help` to get more information about how to use your session. + +```msf +msf6 auxiliary(scanner/mysql/mysql_login) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242) + 3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1) + +msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3 +[*] Starting interaction with 3... +``` + +When interacting with a session, the help command can be useful: + +```msf +mysql @ 127.0.0.1:4306 > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the PostgreSQL session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +MySQL Client Commands +===================== + + Command Description + ------- ----------- + query Run a single SQL query + query_interactive Enter an interactive prompt for running multiple SQL queries + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/mysql/mysql_enum + auxiliary/admin/mysql/mysql_sql + auxiliary/scanner/mysql/mysql_file_enum + auxiliary/scanner/mysql/mysql_hashdump + auxiliary/scanner/mysql/mysql_schemadump + auxiliary/scanner/mysql/mysql_version + auxiliary/scanner/mysql/mysql_writable_dirs + exploit/multi/mysql/mysql_udf_payload + exploit/windows/mysql/mysql_mof + exploit/windows/mysql/mysql_start_up +``` + +Once you've done that, you can run any MySQL query against the target using the `query` command. + +```msf +mysql @ 127.0.0.1:4306 > query -h +Usage: query + +Run a single SQL query on the target. + +OPTIONS: + + -h, --help Help menu. + -i, --interact Enter an interactive prompt for running multiple SQL queries + +Examples: + + query SHOW DATABASES; + query USE information_schema; + query SELECT * FROM SQL_FUNCTIONS; + query SELECT version(); + +mysql @ 127.0.0.1:4306 > query 'SELECT version();' +Response +======== + + # version() + - --------- + 0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204 +``` + +Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands: + +```msf +mysql @ 127.0.0.1:4306 () > query_interactive -h +Usage: query_interactive + +Go into an interactive SQL shell where SQL queries can be executed. +To exit, type 'exit', 'quit', 'end' or 'stop'. + +mysql @ 127.0.0.1:4306 () > query_interactive +[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 () +[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. + +SQL >> SELECT table_name +SQL *> FROM information_schema.tables +SQL *> LIMIT 2; +[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2; +Response +======== + + # table_name + - ---------- + 0 ALL_PLUGINS + 1 APPLICABLE_ROLES + +SQL >> +``` + ### MySQL Dumping User and hash dump: diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md index 7f17438299e2..24d0a0ec654c 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md @@ -80,6 +80,158 @@ run cidr:/24:postgres://user:pass@192.168.222.0 threads=50 run cidr:/24:postgres://user@192.168.222.0 threads=50 pass_file=./wordlist.txt ``` +### Obtaining an Interactive Session +The CreateSession option for `auxiliary/scanner/postgres/postgres_login` allows you to obtain an +interactive session for the Postgres client you're connecting to. The run command with CreateSession +set to true should give you an interactive session. + +For example: + +```msf +msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true +``` + +Should yield: + +```msf +[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1 +[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500 +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` + +You can interact with your session using `sessions -i -1` or `sessions `. +Use the help command for more info. + +```msf +msf6 auxiliary(scanner/postgres/postgres_login) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1) + +msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1 +[*] Starting interaction with 1... +``` + +When interacting with a session, the help command can be useful: + +```msf +postgresql @ 127.0.0.1:5432 (template1) > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the PostgreSQL session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +PostgreSQL Client Commands +========================== + + Command Description + ------- ----------- + query Run a single SQL query + query_interactive Enter an interactive prompt for running multiple SQL queries + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/postgres/postgres_readfile + auxiliary/admin/postgres/postgres_sql + auxiliary/scanner/postgres/postgres_hashdump + auxiliary/scanner/postgres/postgres_schemadump + auxiliary/scanner/postgres/postgres_version + exploit/linux/postgres/postgres_payload + exploit/multi/postgres/postgres_copy_from_program_cmd_exec + exploit/multi/postgres/postgres_createlang + exploit/windows/postgres/postgres_payload +``` + +Once you've done that, you can run any Postgres query against the target using the `query` command. + +```msf +postgresql @ 127.0.0.1:5432 (template1) > query -h +Usage: query + +Run a single SQL query on the target. + +OPTIONS: + + -h, --help Help menu. + -i, --interact Enter an interactive prompt for running multiple SQL queries + +Examples: + + query SELECT user; + query SELECT version(); + query SELECT * FROM pg_catalog.pg_tables; + +postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();' +[*] SELECT 1 + +Response +======== + + # version + - ------- + 0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit +``` + +Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands: + +```msf +postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h +Usage: query_interactive + +Go into an interactive SQL shell where SQL queries can be executed. +To exit, type 'exit', 'quit', 'end' or 'stop'. + +postgresql @ 127.0.0.1:5432 (template1) > query_interactive +[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1) +[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. + +SQL >> SELECT table_name +SQL *> FROM information_schema.tables +SQL *> LIMIT 2; +[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2; +[*] SELECT 2 + +Response +======== + + # table_name + - ---------- + 0 pg_statistic + 1 pg_type + +SQL >> +``` + ### PostgreSQL Capture Server Captures and log PostgreSQL credentials: diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md b/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md index d905a7c6609e..a7b1a189a278 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md @@ -63,6 +63,122 @@ Restart the service: service smbd restart ``` +### SMB Login and Interactive Sessions + +When using the smb_login module, the CreateSession option can be used to obtain an interactive +session within the smb instance. Running with the following options: + +```msf +msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username +``` + +Should give you output similar to + +```msf +[*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce +[+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator +[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000 +[*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +[*] Starting interaction with 1... +``` + +Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. + +```msf +msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +[*] Starting interaction with 1... + +SMB (172.14.2.164) > shares +Shares +====== + + # Name Type comment + - ---- ---- ------- + 0 ADMIN$ DISK|SPECIAL Remote Admin + 1 C$ DISK|SPECIAL Default share + 2 foo DISK + 3 IPC$ IPC|SPECIAL Remote IPC + +SMB (172.14.2.164) > shares -i foo +[+] Successfully connected to foo +SMB (172.14.2.164\foo) > ls +ls +=== +[truncated] +``` + +When interacting with a session, the help command can be useful: + +```msf +SMB (172.14.2.164\foo) > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the SMB session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +Shares Commands +=============== + + Command Description + ------- ----------- + cat Read the file at the given path + cd Change the current remote working directory + delete Delete a file + dir List all files in the current directory (alias for ls) + download Download a file + ls List all files in the current directory + mkdir Make a new directory + pwd Print the current remote working directory + rmdir Delete a directory + shares View the available shares and interact with one + upload Upload a file + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/dcerpc/icpr_cert + auxiliary/admin/dcerpc/samr_computer + auxiliary/admin/smb/delete_file + auxiliary/admin/smb/download_file + auxiliary/admin/smb/psexec_ntdsgrab + auxiliary/admin/smb/upload_file + auxiliary/gather/windows_secrets_dump + auxiliary/scanner/smb/pipe_auditor + auxiliary/scanner/smb/pipe_dcerpc_auditor + auxiliary/scanner/smb/smb_enum_gpp + auxiliary/scanner/smb/smb_enumshares + auxiliary/scanner/smb/smb_enumusers + auxiliary/scanner/smb/smb_enumusers_domain + auxiliary/scanner/smb/smb_lookupsid + exploit/windows/smb/psexec +``` + ### SMB Enumeration Enumerate SMB version: diff --git a/documentation/modules/auxiliary/scanner/mssql/mssql_login.md b/documentation/modules/auxiliary/scanner/mssql/mssql_login.md index 9dd71f0b02a9..7547f2ab0d5b 100644 --- a/documentation/modules/auxiliary/scanner/mssql/mssql_login.md +++ b/documentation/modules/auxiliary/scanner/mssql/mssql_login.md @@ -15,6 +15,175 @@ A docker container can be spun up with the following command to test this module ## Options +### CreateSession + +When using the `scanner/mssql/mssql_login` module, the CreateSession option can be used to obtain an interactive +session within the MSSQL instance. Running the following commands with all other options set: + +```msf +msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password +``` + +Should give you output containing + +```msf +[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner. +[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved! +[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password +[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500 +[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` + +Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. + +```msf +msf6 auxiliary(scanner/mssql/mssql_login) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 mssql MSSQL test @ 192.168.2.242:143 192.168.2.1:60963 -> 192.168.2 + 3 .242:1433 (192.168.2.242) + +msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1 +[*] Starting interaction with 1... + +mssql @ 192.168.2.242:1433 (master) > query 'select @@version;' +Response +======== + + # NULL + - ---- + 0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) + Oct 8 2022 05:58:25 + Copyright (C) 2022 Microsoft Corporation + Developer Edition (64-bit) on Windows Server 2022 Stand + ard 10.0 (Build 20348: ) (Hypervisor) +``` + +When interacting with a session, the help command can be useful: + +```msf +mssql @ 192.168.2.242:1433 (master) > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the PostgreSQL session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +MSSQL Client Commands +===================== + + Command Description + ------- ----------- + query Run a single SQL query + query_interactive Enter an interactive prompt for running multiple SQL queri + es + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/mssql/mssql_enum + auxiliary/admin/mssql/mssql_escalate_dbowner + auxiliary/admin/mssql/mssql_escalate_execute_as + auxiliary/admin/mssql/mssql_exec + auxiliary/admin/mssql/mssql_findandsampledata + auxiliary/admin/mssql/mssql_idf + auxiliary/admin/mssql/mssql_sql + auxiliary/admin/mssql/mssql_sql_file + auxiliary/scanner/mssql/mssql_hashdump + auxiliary/scanner/mssql/mssql_schemadump + exploit/windows/mssql/mssql_payload +``` + +To interact directly with the session as if in a SQL prompt, you can use the `query` command. + +```msf +msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1 +[*] Starting interaction with 2... + +mssql @ 192.168.2.242:1433 (master) > query -h +Usage: query + +Run a single SQL query on the target. + +OPTIONS: + + -h, --help Help menu. + -i, --interact Enter an interactive prompt for running multiple SQL queries + +Examples: + + query select @@version; + query select user_name(); + query select name from master.dbo.sysdatabases; + +mssql @ 192.168.2.242:1433 (master) > query 'select @@version;' +Response +======== + + # NULL + - ---- + 0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) + Oct 8 2022 05:58:25 + Copyright (C) 2022 Microsoft Corporation + Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 (B + uild 20348: ) (Hypervisor) +``` + +Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands: + +```msf +mssql @ 192.168.2.242:1433 (master) > query_interactive -h +Usage: query_interactive + +Go into an interactive SQL shell where SQL queries can be executed. +To exit, type 'exit', 'quit', 'end' or 'stop'. + +mssql @ 192.168.2.242:1433 (master) > query_interactive +[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master) +[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. + +SQL >> select top 2 table_catalog, table_schema +SQL *> from information_schema.tables; +[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables; +Response +======== + + # table_catalog table_schema + - ------------- ------------ + 0 master dbo + 1 master dbo + +SQL >> +``` + ### USER_FILE File containing users, one per line. @@ -24,7 +193,8 @@ File containing users, one per line. File containing passwords, one per line ## Scenarios -``` + +```msf msf > use scanner/mssql/mssql_login msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 127.0.0.1 rhosts => 127.0.0.1 diff --git a/documentation/modules/auxiliary/scanner/mysql/mysql_login.md b/documentation/modules/auxiliary/scanner/mysql/mysql_login.md index 6d86c530b001..ce7c902ed025 100644 --- a/documentation/modules/auxiliary/scanner/mysql/mysql_login.md +++ b/documentation/modules/auxiliary/scanner/mysql/mysql_login.md @@ -12,7 +12,7 @@ This auxiliary module is a brute-force login tool for MySQL servers. ## Scenarios -``` +```msf msf > use auxiliary/scanner/mysql/mysql_login msf auxiliary(mysql_login) > set PASS_FILE /tmp/passes.txt PASS_FILE => /tmp/passes.txt @@ -61,3 +61,156 @@ msf auxiliary(mysql_login) > run [*] Auxiliary module execution completed msf auxiliary(mysql_login) > ``` + +## Obtaining an Interactive Session + +The CreateSession option allows you to obtain an interactive session +for the MySQL client you're connecting to. The run command with CreateSession +set to true should give you an interactive session: + +```msf +run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true + +[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2 +[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password' +[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500 +[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1 +[*] Starting interaction with 1... + +mysql @ 127.0.0.1:4306 > +``` + +You can interact with your new session using `sessions -i -1` or `sessions -i `. +You can also use `help` to get more information about how to use your session. + +```msf +msf6 auxiliary(scanner/mysql/mysql_login) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242) + 3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1) + +msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3 +[*] Starting interaction with 3... +``` + +When interacting with a session, the help command can be useful: + +```msf +mysql @ 127.0.0.1:4306 > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the PostgreSQL session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +MySQL Client Commands +===================== + + Command Description + ------- ----------- + query Run a single SQL query + query_interactive Enter an interactive prompt for running multiple SQL queries + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/mysql/mysql_enum + auxiliary/admin/mysql/mysql_sql + auxiliary/scanner/mysql/mysql_file_enum + auxiliary/scanner/mysql/mysql_hashdump + auxiliary/scanner/mysql/mysql_schemadump + auxiliary/scanner/mysql/mysql_version + auxiliary/scanner/mysql/mysql_writable_dirs + exploit/multi/mysql/mysql_udf_payload + exploit/windows/mysql/mysql_mof + exploit/windows/mysql/mysql_start_up +``` + +Once you've done that, you can run any MySQL query against the target using the `query` command. + +```msf +mysql @ 127.0.0.1:4306 > query -h +Usage: query + +Run a single SQL query on the target. + +OPTIONS: + + -h, --help Help menu. + -i, --interact Enter an interactive prompt for running multiple SQL queries + +Examples: + + query SHOW DATABASES; + query USE information_schema; + query SELECT * FROM SQL_FUNCTIONS; + query SELECT version(); + +mysql @ 127.0.0.1:4306 > query 'SELECT version();' +Response +======== + + # version() + - --------- + 0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204 +``` + +Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands: + +```msf +mysql @ 127.0.0.1:4306 > query_interactive -h +Usage: query_interactive + +Go into an interactive SQL shell where SQL queries can be executed. +To exit, type 'exit', 'quit', 'end' or 'stop'. + +mysql @ 127.0.0.1:4306 > query_interactive +[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 +[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. + +SQL >> SELECT table_name +SQL *> FROM information_schema.tables +SQL *> LIMIT 2; +[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2; +Response +======== + + # table_name + - ---------- + 0 ALL_PLUGINS + 1 APPLICABLE_ROLES + +SQL >> +``` + + diff --git a/documentation/modules/auxiliary/scanner/postgres/postgres_login.md b/documentation/modules/auxiliary/scanner/postgres/postgres_login.md new file mode 100644 index 000000000000..3efb0f4a3434 --- /dev/null +++ b/documentation/modules/auxiliary/scanner/postgres/postgres_login.md @@ -0,0 +1,168 @@ +## Description + +This auxiliary module is a brute-force login tool for Postgres servers. + +## Verification Steps + +1. Do: ```use auxiliary/scanner/postgres/postgres_login``` +2. Do: ```set PASS_FILE [file containing passwords]``` +3. Do: ```set RHOSTS [IP]``` +4. Do: ```set USER_FILE [file containing usernames]``` +5. Do: ```set DATABASE [template name]``` +6. Do: ```run``` + +The above USER_FILE and PASS_FILE options can be replaced with USERNAME +and PASSWORD if you know the credentials. + +## Getting an Interactive Session + +The CreateSession option allows you to obtain an interactive session +for the Postgres client you're connecting to. The run command with CreateSession +set to true should give you an interactive session. + +For example: + +```msf +msf6 auxiliary(scanner/postgres/postgres_login) > run rhost=127.0.0.1 rport=5432 username=postgres password=password database=template1 createsession=true +``` + +Should yield: + +```msf +[+] 127.0.0.1:5432 - Login Successful: postgres:password@template1 +[*] PostgreSQL session 1 opened (127.0.0.1:61324 -> 127.0.0.1:5432) at 2024-03-15 14:00:12 -0500 +[*] Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +``` + +You can interact with your session using `sessions -i -1` or `sessions `. +Use the help command for more info. + +```msf +msf6 auxiliary(scanner/postgres/postgres_login) > sessions + +Active sessions +=============== + + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 postgresql PostgreSQL postgres @ 127.0.0.1:5432 127.0.0.1:61324 -> 127.0.0.1:5432 (127.0.0.1) + +msf6 auxiliary(scanner/postgres/postgres_login) > sessions -i 1 +[*] Starting interaction with 1... +``` + +When interacting with a session, the help command can be useful: + +```msf +postgresql @ 127.0.0.1:5432 (template1) > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the PostgreSQL session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +PostgreSQL Client Commands +========================== + + Command Description + ------- ----------- + query Run a single SQL query + query_interactive Enter an interactive prompt for running multiple SQL queries + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/postgres/postgres_readfile + auxiliary/admin/postgres/postgres_sql + auxiliary/scanner/postgres/postgres_hashdump + auxiliary/scanner/postgres/postgres_schemadump + auxiliary/scanner/postgres/postgres_version + exploit/linux/postgres/postgres_payload + exploit/multi/postgres/postgres_copy_from_program_cmd_exec + exploit/multi/postgres/postgres_createlang + exploit/windows/postgres/postgres_payload +``` + +Once you've done that, you can run any Postgres query against the target using the `query` command. + +```msf +postgresql @ 127.0.0.1:5432 (template1) > query -h +Usage: query + +Run a single SQL query on the target. + +OPTIONS: + + -h, --help Help menu. + -i, --interact Enter an interactive prompt for running multiple SQL queries + +Examples: + + query SELECT user; + query SELECT version(); + query SELECT * FROM pg_catalog.pg_tables; + +postgresql @ 127.0.0.1:5432 (template1) > query 'SELECT version();' +[*] SELECT 1 + +Response +======== + + # version + - ------- + 0 PostgreSQL 14.1 on aarch64-apple-darwin20.6.0, compiled by Apple clang version 12.0.5 (clang-1205.0.22.9), 64-bit +``` + +Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands: + +```msf +postgresql @ 127.0.0.1:5432 (template1) > query_interactive -h +Usage: query_interactive + +Go into an interactive SQL shell where SQL queries can be executed. +To exit, type 'exit', 'quit', 'end' or 'stop'. + +postgresql @ 127.0.0.1:5432 (template1) > query_interactive +[*] Starting interactive SQL shell for postgresql @ 127.0.0.1:5432 (template1) +[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. + +SQL >> SELECT table_name +SQL *> FROM information_schema.tables +SQL *> LIMIT 2; +[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2; +[*] SELECT 2 + +Response +======== + + # table_name + - ---------- + 0 pg_statistic + 1 pg_type + +SQL >> +``` diff --git a/documentation/modules/auxiliary/scanner/smb/smb_login.md b/documentation/modules/auxiliary/scanner/smb/smb_login.md index 86d7238c1b6c..07fe7ffdb20c 100644 --- a/documentation/modules/auxiliary/scanner/smb/smb_login.md +++ b/documentation/modules/auxiliary/scanner/smb/smb_login.md @@ -8,7 +8,7 @@ To use smb_login, make sure you are able to connect to a SMB service that suppor The following demonstrates a basic scenario of using the [built-in wordlists](https://github.com/rapid7/metasploit-framework/tree/master/data/wordlists) to brute-force SMB: -``` +```msf msf > use auxiliary/scanner/smb/smb_login msf auxiliary(smb_login) > set RHOSTS 192.168.1.80 RHOSTS => 192.168.1.80 @@ -21,12 +21,12 @@ msf auxiliary(smb_login) > run [+] 192.168.1.80:445 - 192.168.1.80:445 SMB - Success: '.\root:monkey' Administrator [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf auxiliary(smb_login) > +msf auxiliary(smb_login) > ``` If you have a database connected, you should also see this credential logged: -``` +```msf msf auxiliary(smb_login) > creds Credentials =========== @@ -35,10 +35,126 @@ host origin service public private realm private_type ---- ------ ------- ------ ------- ----- ------------ 192.168.1.80 192.168.1.80 445/tcp (smb) root monkey Password -msf auxiliary(smb_login) +msf auxiliary(smb_login) > +``` + +## Obtaining a Session + +When using the smb_login module, the CreateSession option can be used to obtain an interactive +session within the smb instance. Running with the following options: + +```msf +msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username ``` -## Options +Should give you output containing + +```msf +[*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce +[+] 172.14.2.164:445 - 172.14.2.164:445 - Success: 'windomain.local\username:password' Administrator +[*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000 +[*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete) +[*] Auxiliary module execution completed +msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +[*] Starting interaction with 1... +``` + +Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. + +```msf +msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +[*] Starting interaction with 1... + +SMB (172.14.2.164) > shares +Shares +====== + + # Name Type comment + - ---- ---- ------- + 0 ADMIN$ DISK|SPECIAL Remote Admin + 1 C$ DISK|SPECIAL Default share + 2 foo DISK + 3 IPC$ IPC|SPECIAL Remote IPC + +SMB (172.14.2.164) > shares -i foo +[+] Successfully connected to foo +SMB (172.14.2.164\foo) > ls +ls +=== +[truncated] +``` + +When interacting with a session, the help command can be useful: + +```msf +SMB (172.14.2.164\foo) > help + +Core Commands +============= + + Command Description + ------- ----------- + ? Help menu + background Backgrounds the current session + bg Alias for background + exit Terminate the SMB session + help Help menu + irb Open an interactive Ruby shell on the current session + pry Open the Pry debugger on the current session + sessions Quickly switch to another session + + +Shares Commands +=============== + + Command Description + ------- ----------- + cat Read the file at the given path + cd Change the current remote working directory + delete Delete a file + dir List all files in the current directory (alias for ls) + download Download a file + ls List all files in the current directory + mkdir Make a new directory + pwd Print the current remote working directory + rmdir Delete a directory + shares View the available shares and interact with one + upload Upload a file + + +Local File System Commands +========================== + + Command Description + ------- ----------- + getlwd Print local working directory (alias for lpwd) + lcat Read the contents of a local file to the screen + lcd Change local working directory + ldir List local files (alias for lls) + lls List local files + lmkdir Create new directory on local machine + lpwd Print local working directory + +This session also works with the following modules: + + auxiliary/admin/dcerpc/icpr_cert + auxiliary/admin/dcerpc/samr_computer + auxiliary/admin/smb/delete_file + auxiliary/admin/smb/download_file + auxiliary/admin/smb/psexec_ntdsgrab + auxiliary/admin/smb/upload_file + auxiliary/gather/windows_secrets_dump + auxiliary/scanner/smb/pipe_auditor + auxiliary/scanner/smb/pipe_dcerpc_auditor + auxiliary/scanner/smb/smb_enum_gpp + auxiliary/scanner/smb/smb_enumshares + auxiliary/scanner/smb/smb_enumusers + auxiliary/scanner/smb/smb_enumusers_domain + auxiliary/scanner/smb/smb_lookupsid + exploit/windows/smb/psexec +``` + +## Credential Options By default, the smb_login module only requires the RHOSTS option to run. But in reality, you will also need to supply user names and passwords. The following options are available to support diff --git a/documentation/modules/exploit/windows/smb/smb_relay.md b/documentation/modules/exploit/windows/smb/smb_relay.md index 1103562a3e9e..f8b9608b6889 100644 --- a/documentation/modules/exploit/windows/smb/smb_relay.md +++ b/documentation/modules/exploit/windows/smb/smb_relay.md @@ -92,6 +92,12 @@ I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv The domain name used during smb exchange. +### ACTION +Determines which of two actions smb_relay will use against the target. +The default is to run PSEXEC, but can be changed to CREATE_SMB_SESSION to +open an interactive smb session against the target instead of running +psexec. + ### TIMEOUT Seconds that the server socket will wait for a response after the client has initiated communication.