MSSQL (Microsoft SQL Server) - Port 1433

Basic info

MSSQL is designed to store and retrieve data as requested by applications. Its features include:

• Default Port: TCP/1433 for standard communication.

• Authentication Modes:

  • Windows Authentication

  • Mixed Mode (Windows and SQL Server Authentication)

• Common Uses:

  • Data storage for web applications, enterprise systems, and reporting services.

While MSSQL provides robust security features, misconfigurations, weak authentication, and unpatched vulnerabilities can expose it to attacks.

Banner Grabbing

Banner grabbing helps identify the MSSQL server version, authentication modes, and potential vulnerabilities.

Tools and Commands:

1. Telnet (basic connection test):

2. Nmap:

   Example Output:

3. Metasploit Framework:

Authentication Bypass Techniques

Null Authentication

If SQL Server is misconfigured, it may allow unauthenticated access:

1. Testing Null Authentication:

MSSQL Brute Force Attacks

Brute force attacks can help identify weak or default credentials.

1. Hydra:

2. Medusa:

3. Metasploit Auxiliary Module:

MSSQL Enumeration

Key Enumeration Techniques:

1. Identify Databases:

2. List Users:

3. Server Information:

4. Extract Privileges:

Automated Enumeration:

• Metasploit:

Exploitation Techniques

Command Execution via xp_cmdshell

xp_cmdshell allows executing OS commands from SQL Server.

1. Enable xp_cmdshell:

2. Execute Commands:

Privilege Escalation

Use known vulnerabilities or misconfigurations to escalate privileges:

1. CVE-2020-0618 (SQL Reporting Services RCE): Exploit unpatched SQL Reporting Services.

2. Metasploit Module for Privilege Escalation:

Execute OS Commands

Note that in order to be able to execute commands it's not only necessary to have xp_cmdshell enabled, but also have the EXECUTE permission on the xp_cmdshell stored procedure. You can get who (except sysadmins) can use xp_cmdshell with: