HTB ~~ Machines ~~ Querier (in progress)


Querier - Windows - 10.10.10.125

Open ports:

nmap -sV -p- 10.10.10.125

Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-04 06:01 UTC
Strange read error from 10.10.10.125 (71 - 'Protocol error')
Nmap scan report for ip-10-10-10-125.us-east-2.compute.internal (10.10.10.125)
Host is up (0.13s latency).
Not shown: 65075 closed ports, 445 filtered ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server vNext tech preview 14.00.1000
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
53537/tcp open  tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36410.39 seconds

1433/tcp open ms-sql-s Microsoft SQL Server vNext tech preview 14.00.1000 indicates an MS SQL Server, version 2017 if we refer to this link.

A brute-force attempt on the sa account does not succeed, but the VM may have been reset in between:

[-] 10.10.10.125:1433     - 10.10.10.125:1433 - LOGIN FAILED: WORKSTATION\sa:lagorda (Incorrect: )
[-] 10.10.10.125:1433     - 10.10.10.125:1433 - LOGIN FAILED: WORKSTATION\sa:lafayette (Unable to Connect: )
[-] 10.10.10.125:1433     - 10.10.10.125:1433 - LOGIN FAILED: WORKSTATION\sa:lacrosse1 (Unable to Connect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mssql/mssql_login) >

I relaunch a brute-force attempt with a few different parameters to see:

msf auxiliary(scanner/mssql/mssql_login) > show options

Module options (auxiliary/scanner/mssql/mssql_login):

   Name                 Current Setting             Required  Description
   ----                 ---------------             --------  -----------
   BLANK_PASSWORDS      true                        no        Try blank passwords for all users
   BRUTEFORCE_SPEED     5                           yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false                       no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false                       no        Add all passwords in the current database to the list
   DB_ALL_USERS         false                       no        Add all users in the current database to the list
   PASSWORD                                         no        A specific password to authenticate with
   PASS_FILE            /home/ec2-user/rockyou.txt  no        File containing passwords, one per line
   RHOSTS               10.10.10.125                yes       The target address range or CIDR identifier
   RPORT                1433                        yes       The target port (TCP)
   STOP_ON_SUCCESS      false                       yes       Stop guessing when a credential works for a host
   TDSENCRYPTION        false                       yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              10                          yes       The number of concurrent threads
   USERNAME             administrator               no        A specific username to authenticate as
   USERPASS_FILE                                    no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false                       no        Try the username as the password for all users
   USER_FILE                                        no        File containing usernames, one per line
   USE_WINDOWS_AUTHENT  true                        yes       Use windows authentification (requires DOMAIN option set)
   VERBOSE              true                        yes       Whether to print output for all attempts

msf auxiliary(scanner/mssql/mssql_login) > exploit

CVE

https://www.cvedetails.com/cve/CVE-2018-8273/

I did not find an exploit for this CVE.