Microsoft SQL (
MSSQL) is Microsoft's SQL-based relational database management system. Unlike MySQL, MSSQL is closed source and was initially written to run on Windows operating systems.
SQL Server Management Studio (
SSMS) comes as a feature that can be installed with the MSSQL install package or can be downloaded & installed separately. It is commonly installed on the server for initial configuration and long-term management of databases by admins.
Pentester's may find Impacket's mssqlclient.py to be the most useful due to SecureAuthCorp's Impacket project being present on many pentesting distributions at install.
neutron@kali[/kali]$ locate mssqlclient /usr/bin/impacket-mssqlclient /usr/share/doc/python3-impacket/examples/mssqlclient.py
MSSQL has default system databases that can help us understand the structure of all the databases that may be hosted on a target server.
|Default System Database||Description|
||Tracks all system information for an SQL server instance|
||Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database|
||The SQL Server Agent uses this database to schedule jobs & alerts|
||Stores temporary objects|
||Read-only database containing system objects included with SQL server|
Source: System Databases Microsoft Doc
When an admin initially installs and configures MSSQL to be network accessible, the SQL service will likely run as
NT SERVICE\MSSQLSERVER. Connecting from the client-side is possible through Windows Authentication, and by default, encryption is not enforced when attempting to connect.
Authentication being set to
Windows Authentication means that the underlying Windows OS will process the login request and use either the local SAM database or the domain controller (hosting Active Directory) before allowing connectivity to the database management system. Using Active Directory can be ideal for auditing activity and controlling access in a Windows environment, but if an account is compromised, it could lead to privilege escalation and lateral movement across a Windows domain environment.
It can be beneficial to place ourselves in the perspective of an IT administrator when we are on an engagement. This mindset can help us remember to look for various settings that may have been misconfigured or configured in a dangerous manner by an admin. It only takes one tiny misconfiguration that could compromise a critical server or service on the network. This applies to just about every network service and server role that can be configured, including MSSQL.
We may benefit from looking into the following:
- MSSQL clients not using encryption to connect to the MSSQL server
- The use of self-signed certificates when encryption is being used. It is possible to spoof self-signed certificates
- The use of named pipes
- Weak & default
sacredentials. Admins may forget to disable this account
Default tcp port
1433 that MSSQL listens on.
Below, we can see the
database instance name,
software version of MSSQL and
named pipes are enabled.
neutron@kali[/kali]$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248 Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-08 09:40 EST Nmap scan report for 10.129.201.248 Host is up (0.15s latency). PORT STATE SERVICE VERSION 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-ntlm-info: | Target_Name: SQL-01 | NetBIOS_Domain_Name: SQL-01 | NetBIOS_Computer_Name: SQL-01 | DNS_Domain_Name: SQL-01 | DNS_Computer_Name: SQL-01 |_ Product_Version: 10.0.17763 Host script results: | ms-sql-dac: |_ Instance: MSSQLSERVER; DAC port: 1434 (connection failed) | ms-sql-info: | Windows server name: SQL-01 | 10.129.201.248\MSSQLSERVER: | Instance name: MSSQLSERVER | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false | TCP port: 1433 | Named pipe: \\10.129.201.248\pipe\sql\query |_ Clustered: false Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.52 seconds
Metasploit to run an auxiliary scanner called
mssql_ping that will scan the MSSQL service and provide helpful information in our footprinting process.
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248 rhosts => 10.129.201.248 msf6 auxiliary(scanner/mssql/mssql_ping) > run [*] 10.129.201.248: - SQL Server information for 10.129.201.248: [+] 10.129.201.248: - ServerName = SQL-01 [+] 10.129.201.248: - InstanceName = MSSQLSERVER [+] 10.129.201.248: - IsClustered = No [+] 10.129.201.248: - Version = 15.0.2000.5 [+] 10.129.201.248: - tcp = 1433 [+] 10.129.201.248: - np = \\SQL-01\pipe\sql\query [*] 10.129.201.248: - Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
If we can guess or gain access to credentials, this allows us to remotely connect to the MSSQL server and start interacting with databases using T-SQL (
neutron@kali[/kali]$ python3 mssqlclient.py [email protected] -windows-auth Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation Password: [*] Encryption required, switching to TLS [*] ENVCHANGE(DATABASE): Old Value: master, New Value: master [*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english [*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192 [*] INFO(SQL-01): Line 1: Changed database context to 'master'. [*] INFO(SQL-01): Line 1: Changed language setting to us_english. [*] ACK: Result: 1 - Microsoft SQL Server (150 7208) [!] Press help for extra shell commands SQL> select name from sys.databases name -------------------------------------------------------------------------------------- master tempdb model msdb Transactions