diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md index 7667fc35aa..b47e41b9b7 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md @@ -8,6 +8,18 @@ MSSQL is frequently found on port on the following ports: - 1433/TCP - 1434/UDP +For a full list of MSSQL modules run the `search` command within msfconsole: + +```msf +msf6 > search mssql +``` + +Or to search for modules that work with a specific session type: + +```msf +msf6 > search session_type:mssql +``` + ### Lab Environment Environment setup: @@ -46,7 +58,7 @@ on a successful login: [*] Auxiliary module execution completed ``` -Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. +Which you can interact with using `sessions -i ` or `sessions -i -1` to interact with the most recently opened session. ```msf msf6 auxiliary(scanner/mssql/mssql_login) > sessions @@ -54,10 +66,9 @@ msf6 auxiliary(scanner/mssql/mssql_login) > sessions Active sessions =============== - Id Name Type Information Connection - -- ---- ---- ----------- ---------- - 1 mssql MSSQL test @ 192.168.2.242:143 192.168.2.1:60963 -> 192.168.2 - 3 .242:1433 (192.168.2.242) + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242) msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1 [*] Starting interaction with 1... @@ -101,8 +112,7 @@ MSSQL Client Commands Command Description ------- ----------- query Run a single SQL query - query_interactive Enter an interactive prompt for running multiple SQL queri - es + query_interactive Enter an interactive prompt for running multiple SQL queries Local File System Commands 
@@ -181,17 +191,20 @@ mssql @ 192.168.2.242:1433 (master) > query_interactive [*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master) [*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit. -SQL >> select top 2 table_catalog, table_schema -SQL *> from information_schema.tables; -[*] Executing query: select top 2 table_catalog, table_schema from information_schema.tables; +SQL >> select * +SQL *> from information_schema.tables +SQL *> where table_type = 'BASE TABLE'; +[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE'; Response ======== - - # table_catalog table_schema - - ------------- ------------ - 0 master dbo - 1 master dbo - + # TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE + - ------------- ------------ ---------- ---------- + 0 master dbo spt_fallback_db BASE TABLE + 1 master dbo spt_fallback_dev BASE TABLE + 2 master dbo spt_fallback_usg BASE TABLE + 4 master dbo Users BASE TABLE + 5 master dbo spt_monitor BASE TABLE + 6 master dbo MSreplication_options BASE TABLE SQL >> ``` diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md index 8726a6ac1a..8958e9e866 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md @@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s msf6 > search mysql ``` +Or to search for modules that work with a specific session type: + +```msf +msf6 > search session_type:mysql +``` + ### Lab Environment When testing in a lab environment MySQL can either be installed on the host machine or within Docker: 
@@ -81,12 +87,13 @@ run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt ### Obtaining an Interactive Session on the Target -The CreateSession option in `scanner/mysql/msql_login` allows you to obtain an interactive session +The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session for the MySQL client you're connecting to. The run command with CreateSession set to true should give you an interactive session: ```msf -run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true +msf6 > use scanner/mysql/mysql_login +msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true [+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2 [+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password' @@ -173,7 +180,7 @@ This session also works with the following modules: exploit/windows/mysql/mysql_start_up ``` -Once you've done that, you can run any MySQL query against the target using the `query` command. +Once you've done that, you can run any MySQL query against the target using the `query` command: ```msf mysql @ 127.0.0.1:4306 > query -h diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md b/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md index 24d0a0ec65..32b8e583e3 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-PostgreSQL.md @@ -17,6 +17,13 @@ There are more modules than listed here, for the full list of modules run the `s msf6 > search postgres ``` +Or to search for modules that work with a specific session type: + +```msf +msf6 > search session_type:postgres +``` + + ### Lab Environment When testing in a lab environment PostgreSQL can either be installed on the host machine or within Docker: 
@@ -172,7 +179,7 @@ This session also works with the following modules: exploit/windows/postgres/postgres_payload ``` -Once you've done that, you can run any Postgres query against the target using the `query` command. +Once you've done that, you can run any Postgres query against the target using the `query` command: ```msf postgresql @ 127.0.0.1:5432 (template1) > query -h diff --git a/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md b/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md index a7b1a189a2..f5cd5e00f9 100644 --- a/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md +++ b/docs/metasploit-framework.wiki/Metasploit-Guide-SMB.md @@ -27,6 +27,12 @@ There are more modules than listed here, for the full list of modules run the `s msf6 > search smb ``` +Or to search for modules that work with a specific session type: + +```msf +msf6 > search session_type:smb +``` + ### Lab Environment When testing in a lab environment - SMB can be used on a Window's host machine, or within Docker. @@ -80,14 +86,14 @@ Should give you output similar to [*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000 [*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1 [*] Starting interaction with 1... ``` -Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. +Which you can interact with using `sessions -i ` or `sessions -i -1` to interact with the most recently opened session. ```msf -msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1 [*] Starting interaction with 1... SMB (172.14.2.164) > shares 
diff --git a/documentation/modules/auxiliary/scanner/mssql/mssql_login.md b/documentation/modules/auxiliary/scanner/mssql/mssql_login.md index 7547f2ab0d..1d18899bd3 100644 --- a/documentation/modules/auxiliary/scanner/mssql/mssql_login.md +++ b/documentation/modules/auxiliary/scanner/mssql/mssql_login.md @@ -24,7 +24,7 @@ session within the MSSQL instance. Running the following commands with all other msf6 auxiliary(scanner/mssql/mssql_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password ``` -Should give you output containing +Should give you output containing: ```msf [*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner. @@ -35,7 +35,7 @@ Should give you output containing [*] Auxiliary module execution completed ``` -Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. +Which you can interact with using `sessions -i ` or `sessions -i -1` to interact with the most recently opened session. ```msf msf6 auxiliary(scanner/mssql/mssql_login) > sessions @@ -43,10 +43,9 @@ msf6 auxiliary(scanner/mssql/mssql_login) > sessions Active sessions =============== - Id Name Type Information Connection - -- ---- ---- ----------- ---------- - 1 mssql MSSQL test @ 192.168.2.242:143 192.168.2.1:60963 -> 192.168.2 - 3 .242:1433 (192.168.2.242) + Id Name Type Information Connection + -- ---- ---- ----------- ---------- + 1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.2.242:1433 (192.168.2.242) msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1 [*] Starting interaction with 1... diff --git a/documentation/modules/auxiliary/scanner/mysql/mysql_login.md b/documentation/modules/auxiliary/scanner/mysql/mysql_login.md index ce7c902ed0..d99a4df137 100644 --- a/documentation/modules/auxiliary/scanner/mysql/mysql_login.md +++ b/documentation/modules/auxiliary/scanner/mysql/mysql_login.md 
@@ -156,7 +156,7 @@ This session also works with the following modules: exploit/windows/mysql/mysql_start_up ``` -Once you've done that, you can run any MySQL query against the target using the `query` command. +Once you've done that, you can run any MySQL query against the target using the `query` command: ```msf mysql @ 127.0.0.1:4306 > query -h @@ -212,5 +212,3 @@ Response SQL >> ``` - - diff --git a/documentation/modules/auxiliary/scanner/postgres/postgres_login.md b/documentation/modules/auxiliary/scanner/postgres/postgres_login.md index 3efb0f4a34..23bbf5080f 100644 --- a/documentation/modules/auxiliary/scanner/postgres/postgres_login.md +++ b/documentation/modules/auxiliary/scanner/postgres/postgres_login.md @@ -4,12 +4,12 @@ This auxiliary module is a brute-force login tool for Postgres servers. ## Verification Steps -1. Do: ```use auxiliary/scanner/postgres/postgres_login``` -2. Do: ```set PASS_FILE [file containing passwords]``` -3. Do: ```set RHOSTS [IP]``` -4. Do: ```set USER_FILE [file containing usernames]``` -5. Do: ```set DATABASE [template name]``` -6. Do: ```run``` +1. Do: `use auxiliary/scanner/postgres/postgres_login` +2. Do: `set PASS_FILE [file containing passwords]` +3. Do: `set RHOSTS [IP]` +4. Do: `set USER_FILE [file containing usernames]` +5. Do: `set DATABASE [template name]` +6. Do: `run` The above USER_FILE and PASS_FILE options can be replaced with USERNAME and PASSWORD if you know the credentials. @@ -107,7 +107,7 @@ This session also works with the following modules: exploit/windows/postgres/postgres_payload ``` -Once you've done that, you can run any Postgres query against the target using the `query` command. +Once you've done that, you can run any Postgres query against the target using the `query` command: ```msf postgresql @ 127.0.0.1:5432 (template1) > query -h diff --git a/documentation/modules/auxiliary/scanner/smb/smb_login.md b/documentation/modules/auxiliary/scanner/smb/smb_login.md index 07fe7ffdb2..076611a7f1 100644 
--- a/documentation/modules/auxiliary/scanner/smb/smb_login.md +++ b/documentation/modules/auxiliary/scanner/smb/smb_login.md @@ -47,7 +47,7 @@ session within the smb instance. Running with the following options: msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username ``` -Should give you output containing +Should give you output containing: ```msf [*] 172.14.2.164:445 - 172.14.2.164:445 - Starting SMB login bruteforce @@ -55,14 +55,14 @@ Should give you output containing [*] SMB session 1 opened (172.16.158.1:62793 -> 172.14.2.164:445) at 2024-03-12 17:03:09 +0000 [*] 172.14.2.164:445 - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed -msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1 [*] Starting interaction with 1... ``` -Which you can interact with using `sessions -i ` or `sessions -1` to interact with the most recently opened session. +Which you can interact with using `sessions -i ` or `sessions -i -1` to interact with the most recently opened session. ```msf -msf6 auxiliary(scanner/smb/smb_login) > sessions -1 +msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1 [*] Starting interaction with 1... SMB (172.14.2.164) > shares diff --git a/documentation/modules/exploit/windows/smb/smb_relay.md b/documentation/modules/exploit/windows/smb/smb_relay.md index f8b9608b68..69599b2755 100644 --- a/documentation/modules/exploit/windows/smb/smb_relay.md +++ b/documentation/modules/exploit/windows/smb/smb_relay.md 
@@ -90,12 +90,13 @@ I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv ### DOMAIN -The domain name used during smb exchange. +The domain name used during SMB exchange. ### ACTION + Determines which of two actions smb_relay will use against the target. -The default is to run PSEXEC, but can be changed to CREATE_SMB_SESSION to -open an interactive smb session against the target instead of running +The default is to run `PSEXEC`, but can be changed to `CREATE_SMB_SESSION` to +open an interactive SMB session against the target instead of running psexec. ### TIMEOUT diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb index 793dcdac8b..b85bda2a16 100644 --- a/modules/exploits/windows/smb/smb_relay.rb +++ b/modules/exploits/windows/smb/smb_relay.rb @@ -149,10 +149,10 @@ class MetasploitModule < Msf::Exploit::Remote def available_actions actions = [ - ['PSEXEC', { 'Description' => 'Run psexec against the relay target' }] + ['PSEXEC', { 'Description' => 'Use the SMB Connection to run the exploit/windows/psexec module against the relay target' }] ] if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE) - actions << ['CREATE_SMB_SESSION', { 'Description' => 'Get an SMB session' }] + actions << ['CREATE_SMB_SESSION', { 'Description' => 'Do not close the SMB connection after relaying, and instead create an SMB session' }] end actions
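Review bot: the first hunk of `Metasploit-Guide-MSSQL.md` (`@@ -8,6 +8,18 @@`) sits directly under the context line "MSSQL is frequently found on port on the following ports:", which has a doubled "on port on"; since this paragraph is being edited anyway, fold in the fix to "MSSQL is frequently found on the following ports:".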
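Review bot: the inline code `sessions -i ` in the `@@ -46,7 +58,7 @@` hunk of `Metasploit-Guide-MSSQL.md` has nothing after `-i`, so the sentence reads as though the flag takes no argument; make the session-id placeholder visible (for example `sessions -i <id>`, or spell it out as "`sessions -i` followed by the session id"). The same sentence recurs in the `@@ -80,14 +86,14 @@` hunk of `Metasploit-Guide-SMB.md`, the `@@ -35,7 +35,7 @@` hunk of `mssql_login.md` and the `@@ -55,14 +55,14 @@` hunk of `smb_login.md`, and should be corrected in all four places.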
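Review bot: the rewritten sessions table in the `@@ -54,10 +66,9 @@` hunk of `Metasploit-Guide-MSSQL.md` introduces a typo in the Connection column: `192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)` names `192.168.23.242`, which disagrees with the `192.168.2.242` in the Information column and in the parenthesised host, and with the same table in the `mssql_login.md` hunk, which reads `-> 192.168.2.242:1433`. Change it to `192.168.2.242:1433`.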
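Review bot: the Response table in the `@@ -181,17 +191,20 @@` hunk of `Metasploit-Guide-MSSQL.md` numbers its rows `0, 1, 2, 4, 5, 6`; index 3 is missing, which suggests a row was dropped while trimming the captured output. Either restore the missing row or renumber the remaining rows contiguously so the sample reads as genuine module output.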
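Review bot: the `@@ -81,12 +87,13 @@` hunk of `Metasploit-Guide-MySQL.md` changes the module path to `auxiliary/scanner/mysql/msql_login`, but the module name is still misspelled (`msql_login`); the example added two lines later correctly uses `use scanner/mysql/mysql_login`. Fix the prose to `auxiliary/scanner/mysql/mysql_login` so the text and the example name the same module.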
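Review bot: the `@@ -17,6 +17,13 @@` hunk of `Metasploit-Guide-PostgreSQL.md` adds two blank lines between the closing fence of the `search session_type:postgres` block and `### Lab Environment`, whereas the equivalent hunks in the MySQL and SMB guides add a single blank line (`+18,12` and `+27,12` versus `+17,13` here). Drop the extra blank line for consistency across the three guides.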
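Review bot: the `@@ -27,6 +27,12 @@` hunk of `Metasploit-Guide-SMB.md` ends on the context line "When testing in a lab environment - SMB can be used on a Window's host machine, or within Docker.", where "Window's" should be "Windows" and the spaced hyphen reads as a stray dash; since the neighbouring lines are being touched, correct it to "When testing in a lab environment, SMB can be used on a Windows host machine or within Docker."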
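Review bot: the `@@ -90,12 +90,13 @@` hunk of `smb_relay.md` wraps `PSEXEC` and `CREATE_SMB_SESSION` in backticks but leaves the trailing context line "psexec." unformatted and lowercase, so the same action is now written two different ways within one paragraph; change it to "instead of running `PSEXEC`." (or "the psexec module" if that is the intent). The rewritten line "The domain name used during SMB exchange." also wants an article: "during the SMB exchange".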
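Review bot: in the `@@ -149,10 +149,10 @@` hunk of `smb_relay.rb`, the new description `'Use the SMB Connection to run the exploit/windows/psexec module against the relay target'` capitalises "Connection" mid-sentence; the other description in the same hunk writes "SMB connection" in lowercase. Use "SMB connection" in both so the `show actions` output is consistent.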