MSSQL
Port: TCP/1433
Clients:
Impacket's mssqlclient.py (Usually
mssqlclient.py
, or tryimpacket-mssqlclient
)
For Impacket's (often included in pentesting distros):
locate mssqlclient
Impacket's default login is NOT the Windows login, use -windows-auth
Default System Database
Description
master
Tracks all system information for an SQL server instance
model
Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database
msdb
The SQL Server Agent uses this database to schedule jobs & alerts
tempdb
Stores temporary objects
resource
Read-only database containing system objects included with SQL server
nmap command
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
Metasplot
module: mssql_ping
set rhosts 10.129.201.248
run
Common enumeration
from HackTricks
# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master
#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'
#Enumerate links
enum_links
#Use a link
use_link [NAME]
Last updated