MSSQL

Source CTF and HTB Academy

Microsoft SQL (MSSQL) is Microsoft's SQL-based relational database management system. Unlike MySQL, MSSQL is closed source and was initially written to run on Windows operating systems. It is popular among database administrators and developers when building applications that run on Microsoft's .NET framework due to its strong native support for .NET. There are versions of MSSQL that will run on Linux and MacOS, but we will more likely come across MSSQL instances on targets running Windows.

Clients to access an MSSQL db

MSSQL Databases

Default System Database Description

Default System Database	Description
`master`	Tracks all system information for an SQL server instance
`model`	Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database
`msdb`	The SQL Server Agent uses this database to schedule jobs & alerts
`tempdb`	Stores temporary objects
`resource`	Read-only database containing system objects included with SQL server

master

Tracks all system information for an SQL server instance

model

Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database

msdb

The SQL Server Agent uses this database to schedule jobs & alerts

tempdb

Stores temporary objects

resource

Read-only database containing system objects included with SQL server

Dangerous Settings

MSSQL clients not using encryption to connect to the MSSQL server
The use of self-signed certificates when encryption is being used. It is possible to spoof self-signed certificates
The use of named pipes
Weak & default sa credentials. Admins may forget to disable this account

Enumeration

Nmap

sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248

Metasploit

Module: auxiliary/scanner/mssql/mssql_ping

Impacket - mssqlclient

sudo apt install python3-impacket install impacket to access mssqlclient
impacket-mssqlclient Administrator@10.129.201.248 -windows-auth connect
SELECT name, database_id, create_date FROM sys.databases; list the databases
use <dbname>;
SELECT * FROM INFORMATION_SCHEMA.TABLES; list tables

Interact with mssql

Linux

sqsh -S 10.129.20.13 -U username -P Password123
mssqlclient.py -p 1433 julio@10.129.203.7 (from impacket tool mssqlclient)
xp_cmdshell 'whoami' execute a command

Windows

sqlcmd -S 10.129.20.13 -U username -P Password123
Documentation sqlcmd

PreviousIPMI NextMYSQL

Last updated 15 days ago