EmaPat

Harming or damaging servers wasn't by any way my goal and I have never do it against any server right now even if it is easiest in comparison to harvest credentials from database, just a tiny script can damage a server with dos but hard work is needed to gain access to sensitive info into databases. Tha is why I agree that a real pentest or hacker will never do something harmful to the server but a good behavior is after the attack everything will looks just normal as if nothing has be done ever. I appreciate your tool for getting MSSQL creds. This the kind of tools I am talking about. Unfortunately there is no such tool available for other databases such oracle & mssql but before assuming your tool work for any situation please let me test it first and this require me some time of course. I am open to test any tools that grab users credentials from tables but give me some time to test them or at least get a look to their docs to see how well they can perform pentests. Don't hesitates to give further tools that grabs interesting data from database neither here or you can send it to email joashjohn alt rocketmail dot com

It is nice to see so many people said GAME OVER once they got System Admin privileges. For servers attack and after getting SYS privs than there is nothing to do better than getting server databases into your computer do you ? Their are stored all users credentials but in hash ways so you still need to make some effort to revert it back to plain text. Strangely no body has writing a module to dump databases ORACLE, MSSQL and then download them with the known download tool in meterpreter.

Hi to everyone, This is a long time when HD MOORE has invented this stuff and everyone is scare regarding its server security, youtube is full of thousands of videos showing peoples making exploits running on computers, then the shell pop out and hope I have access to the system, but do you know that metasploit is the last thing to think about to make a real remote exploit ? Metasploit and SET "Social Engineer Toolkit" are useless below is the reasons : First of all, the goal of a real and smart attack is not destroying a system but instead get users credentials from the server, ask just yourself this question : What are you going to win if you just destroy e.g. google servers ? Instead it is better to leave the server working fine and steal credentials of some users for later use no ? All successful Metasploit and SET attacks that steal credentials e.g. sniffing ssl traffic and decrypt it are almost local !!! But who sniff, attack or catch creds of his own network ? Those attacks are just STUPID. Maybe they will be useful for an agent who is managing a corporate server and wants to steal creds of this corporation for later use but this is very far for being useful to 99.999% of the rest of the world. Lately, People are talking about Browser Web attacks and a revolution of exploitation, I want to know just what thos people are talking about ??? If you succeed to clone any website in the world ~~YAY I am a Hero~~ into something like 192.168.1.7:8081 but who care about your link ? ~~Shut up you are a complete idiot not a hero at all~~ because if you want this attack to succeed than you should give this link to the victim to click on it. And I am just talking about myself, I have never got such links from someone neither clicked on it. All that to said that there is no single exploit that can create a shell to the victim machine if this one browse directly to the website "I mean here without clicking any abnormal link" we wants to steal credentials from it. Of course this exploit doesn't exist yet not because Google is strong, but because it can't be done for almost any website online. It is not a server security issue but rather it is network topology issue that makes it impossible for those tools even for normal configured servers. So you still believe that Metasploit & Social Engineer toolkit can do something really useful for you ?