darkcybe
  • 👋whoami
  • Security Operations
    • 💉Threat Mangement
      • Identify
        • Developing a Security Program
        • Governance, Risk, and Compliance (GRC)
        • Security Architecture
      • Protect
        • Vulnerability Mangement
        • Identity and Access Management (IAM)
        • Zero Trust
    • 👩‍💻Threat Detection
      • Detect
        • Continuous Monitoring & Security Operations Center (SOC)
        • Cyber Threat Intelligence (CTI)
    • 🚒Threat Response
      • Respond
        • Digital Forensics and Incident Response (DFIR)
      • Recover
  • Offensive Security Operations
    • 🎯Penetration Testing
      • Techniques
        • MITRE ATT&CK
          • Reconnaissance
          • Resource Development
            • T1608 - Stage Capabilities
              • Staging Malware and Tools on Kali Linux
          • Initial Access
          • Execution
          • Persistence
          • Privilege Escalation
          • Defense Evasion
          • Credential Access
          • Discovery
          • Lateral Movement
          • Collection
          • Command and Control
          • Exfiltration
          • Impact
        • CAPEC
          • 100 - Overflow Buffers
          • 66 - SQL Injection
          • 94 - Adversary-in-the-Middle (AiTM)
          • 252 - PHP Local File Inclusion (LFI)
          • 560 - Use of Known Domain Credentials
          • 644 - Use of Captured Hashes (Pass-the-Hash (PtH))
          • 633 - Token Impersonation
        • Technology Focused
          • Cloud
            • Amazon Web Services (AWS)
            • Google Cloud Platform (GCP)
          • Network Protocols and Services
            • Port 20/21 - FTP
            • Port 22 - SSH
            • Port 23 - Telnet
            • Port 25 - SMTP
            • Port 53 - DNS
            • Port 80 - HTTP
            • Port 110/995 - POP3
            • Port 135/593 - MSRPC
            • Port 137-139 - NetBIOS
            • Port 143/993 - IMAP
            • Port 443 - HTTPS
            • Port 445 - SMB
            • Port 3389 - RDP
            • Port 5355 - LLMNR
            • ARP
            • Databases
              • Port 1433/1434 - MSSQL
              • Port 3306 - MySQL/MariaDB
            • DHCP
          • Web
            • PHP
          • Windows
            • Active Directory
          • Wireless
          • Linux
      • Offensive Security Tools
    • 🚩Capture The Flag (CTF)
  • Guides
    • 🔍DFIR
      • Evidence Artifacts
        • Event Logs
        • Windows
          • Evidence of...
            • Account Usage
            • File Download
            • Program Execution
            • External Device Activity
            • File and Folder Interaction
            • Lateral Movement
            • Network and Browser History
      • DFIR Tools
        • Malware and File Analysis
          • Sigcheck
          • DensityScout
        • Memory Forensics
          • Volatility
        • Program Execution
          • PeCmd
          • WxTcmd
          • AmcacheParser
          • JumpListExplorer (JLE)
          • AppCompatCacheParser
          • SrumECmd
        • DFIR Toolkits
          • Registry Explorer
          • Incident Timelines
      • Theat Analysis
        • Analysis
          • iOS Popup Scam
        • Emulation
    • 🥷Ethical Hacking
      • Exploitation
      • Post-Exploitation
      • Reporting and Documentation
    • ⛳CTF Walkthroughs
      • 📦Hack The Box (HTB)
        • 🚶HTB Walkthroughs
    • 👷‍♀️Security Engineering
      • Building a Cybersecurity Home Lab
        • Step 1: Lab Design and Architecture
        • Step 2: Installing and Configuring VMware ESXi 8
        • Step 3: Installing the OPNsense Firewall
        • Step 4: Configuring OPNsense Firewall Rules
  • General Resources
    • 🐳Deep Dives
      • Public Key Infrastructure (PKI)
    • 🐍Programming
      • Python
    • 🏋️Training
      • 🗓️Study Methodology
    • 🥠Semi-Pro Tips
      • Linux
      • Windows
      • Resources
Powered by GitBook
On this page
  • MSSQL
  • MSSQL Scanning and Enumeration
  • MSSQL Exploitation
  • MSSQL Database Interaction
  1. Offensive Security Operations
  2. Penetration Testing
  3. Techniques
  4. Technology Focused
  5. Network Protocols and Services
  6. Databases

Port 1433/1434 - MSSQL

MSSQL

Microsoft SQL Server (MSSQL) often exposes two ports:

  1. 1433 - Used by clients to interact with the database

  2. 1434 - Used to list available instances (a Server can run multiple instances on high ports)

Default credentials are often set to sa:sa, which sa equivalent to Sysadmin.

MSSQL Scanning and Enumeration

Tool
Script/Module
Auth
MITRE ATT&CK Tactic
Command

MSF

mssql_enum

?

Reconnaissance

MSF

mssql_ping

?

Reconnaissance

Nmap

ms-sql-info

N

Reconnaissance

sudo nmap -A -p 1433,1434 -n 10.10.10.10

MSSQL Exploitation

Tool
Script/Module
Auth
MITRE ATT&CK Tactic
Command

MSF

mssql_escalate_dbowner mssql_escalate_escalate_as

Y

Privilege Escalation

MSF

mssql_hashdump

Y

Credential Access

MSF

mssql_idf

Y

Discovery

MSF

mssql_local_auth_bypass

Y

Persistence Privilege Escalation

MSF

mssql_ntlm_stealer

Y

Credential Access

MSF

mssql_payload

Y

Execution

MSF

mssql_sql_file

Y

Execution

MSSQL Database Interaction

the mssqlclient.py python tool that comes pre-installed on Kali Linux as part of the Impacket suite, can be used to interact with a remote MSSQL server.

# Connecting to a Remote MSSQL Server (Requires Database selection, Domain, Username, Password, and IP address entry.)
mssqlclient.py -db %DATABASE% -windows-auth %DOMAIN%/%USERNAME%:%PASSWORD%@%IP%

# Database Enumeration
SELECT * from %TABLE% # Show all stored data under a select table
SELECT * FROM %DATABASE%.INFORMATION_SCHEMA.TABLES; # Show tables under a select database

# Exploitation
CREATE LOGIN &USERNAME% WITH PASSWORD = '&PASSWORD%' # Create a new user and assign sysadmin privileges
sp_addsrvrolemember '%USERNAME%', 'sysadmin'
PreviousDatabasesNextPort 3306 - MySQL/MariaDB

Last updated 2 years ago

🎯