Monday 6 January 2014



The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:

Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Data extraction, time-based or via a DNS tunnel
Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection or just to upload Meterpreter
Upload of executables using only normal HTTP requests (no FTP/TFTP needed), via vbscript or debug.exe
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if 'sa' password has been found
Creation of a custom xp_cmdshell if the original one has been removed
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Evasion techniques to confuse a few IDS/IPS/WAF
Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

0 comments:

Post a Comment