Port 1433/1434 - MSSQL
MSSQL
Microsoft SQL Server (MSSQL) often exposes two ports:
1433/TCP - Used by clients to interact with the database
1434/UDP - Used by the SQL Server Browser service to list available instances (a server can run multiple instances on high ports)
Default credentials are often set to sa:sa, where sa is the built-in system administrator login and is equivalent to a member of the sysadmin role.
MSSQL Scanning and Enumeration

Tool   Module         Creds needed   Tactic
MSF    mssql_enum     ?              Reconnaissance
MSF    mssql_ping     ?              Reconnaissance
Nmap   ms-sql-info    N              Reconnaissance

Nmap example (service/version detection against both MSSQL ports):
sudo nmap -A -p 1433,1434 -n 10.10.10.10
MSSQL Exploitation

Tool   Module                                          Creds needed   Tactic
MSF    mssql_escalate_dbowner, mssql_escalate_execute_as   Y          Privilege Escalation
MSF    mssql_hashdump                                  Y              Credential Access
MSF    mssql_idf                                       Y              Discovery
MSF    mssql_local_auth_bypass                         Y              Persistence, Privilege Escalation
MSF    mssql_ntlm_stealer                              Y              Credential Access
MSF    mssql_payload                                   Y              Execution
MSF    mssql_sql_file                                  Y              Execution
MSSQL Database Interaction
mssqlclient.py, a Python tool that comes pre-installed on Kali Linux as part of the Impacket suite, can be used to interact with a remote MSSQL server.

# Connecting to a remote MSSQL server (requires database name, domain, username, password, and IP address)
mssqlclient.py -db %DATABASE% -windows-auth %DOMAIN%/%USERNAME%:%PASSWORD%@%IP%

-- Database enumeration (T-SQL, typed at the mssqlclient.py prompt)
SELECT * FROM %TABLE%;                                  -- Show all rows stored in the selected table
SELECT * FROM %DATABASE%.INFORMATION_SCHEMA.TABLES;     -- Show tables under the selected database

-- Exploitation
CREATE LOGIN %USERNAME% WITH PASSWORD = '%PASSWORD%';   -- Create a new login ...
EXEC sp_addsrvrolemember '%USERNAME%', 'sysadmin';      -- ... and add it to the sysadmin role
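The following T-SQL audit queries are an added example for the defending DBA, not part of the original cheat sheet: they surface the conditions the commands above depend on (an enabled default sa login, unexpected sysadmin members, recently created logins, xp_cmdshell enabled, the TCP ports in use). They assume a login holding VIEW SERVER STATE and VIEW ANY DEFINITION (or sysadmin) and only read catalog views.

```sql
-- Added audit script (not from the page). Run it on the instance being reviewed.

-- 1. State of the built-in 'sa' login. sid 0x01 is always the original sa
--    login even if it has been renamed; it should be disabled or policy-checked.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 2. Every member of the sysadmin fixed server role. Each row grants full
--    control of the instance, so every entry should be known and justified.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Logins created in the last 7 days (SQL logins, Windows users, Windows
--    groups). A CREATE LOGIN that nobody requested shows up here.
SELECT name, type_desc, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND create_date > DATEADD(day, -7, SYSDATETIME())
ORDER BY create_date DESC;

-- 4. OS command execution features. value_in_use = 1 means enabled; the
--    expected baseline on a hardened instance is 0 for both.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 5. Local addresses and TCP ports with live client sessions, to confirm
--    what the instance actually exposes (1433 by default, high ports for
--    named instances). The Browser service on UDP 1434 is not a SQL
--    connection and does not appear here; check it at the host firewall.
SELECT local_net_address, local_tcp_port, COUNT(*) AS sessions
FROM sys.dm_exec_connections
WHERE net_transport = 'TCP'
GROUP BY local_net_address, local_tcp_port
ORDER BY sessions DESC;
```

Schedule the script as an agent job or run it from a monitoring account and diff the output against a known-good baseline; a new sysadmin member or a flipped xp_cmdshell value is the signal to investigate.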