# **Basic Information**
According to [HTB Academy](https://academy.hackthebox.com/module/112/section/1246):
> [Microsoft SQL](https://www.microsoft.com/en-us/sql-server/sql-server-2019) (`MSSQL`) is Microsoft's SQL-based relational database management system. Unlike MySQL, which we discussed in the last section, MSSQL is closed source and was initially written to run on Windows operating systems. It is popular among database administrators and developers when building applications that run on Microsoft's .NET framework due to its strong native support for .NET. There are versions of MSSQL that will run on Linux and MacOS, but we will more likely come across MSSQL instances on targets running Windows.
>
> [SQL Server Management Studio](https://docs.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms?view=sql-server-ver15) (`SSMS`) comes as a feature that can be installed with the MSSQL install package or can be downloaded & installed separately. It is commonly installed on the server for initial configuration and long-term management of databases by admins. Keep in mind that since SSMS is a client-side application, it can be installed and used on any system an admin or developer is planning to manage the database from. It doesn't only exist on the server hosting the database. This means we could come across a vulnerable system with SSMS with saved credentials that allow us to connect to the database. The image below shows SSMS in action.
>
> Many other clients can be used to access a database running on MSSQL. Including but not limited to:
> - mssql-cli
> - SQL Server PowerShell
> - HeidiSQL
> - SQLPro
> - Impacket's mssqlclient.py
# **Enumeration**
- Check for the existence of the default `sa` account
## **Scanning**
```bash
# default scan
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <target_ip>
# metasploit scanner
msfconsole -qn
use scanner/mssql/mssql_ping
```
## **Impacket's mssqlclient.py**
- Guess or gain access to credentials
```bash
# connect to mssql server
python3 mssqlclient.py <username>@<target_ip> -windows-auth
impacket-mssqlclient <username>@<target_ip> -windows-auth
# list available commands
help
# show the queries run under the hood
show_query
# list databases
select name from sys.databases
# run system commands
enable_xp_cmdshell
xp_cmdshell <system_cmd>
```
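
The defender's side of the commands above, as an added example that is not part of the original notes: a small parser that flags repeated failed `sa` logins and `xp_cmdshell` being switched on in a SQL Server error log. It assumes the default ERRORLOG text layout and that failed-login auditing is enabled; the log lines are constructed samples, and the `analyze` function and its `threshold` parameter are hypothetical names chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the default SQL Server ERRORLOG text layout (not real data).
SAMPLE_LOG = """\
2024-03-02 10:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.50]
2024-03-02 10:14:02.37 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.50]
2024-03-02 10:14:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.50]
2024-03-02 10:15:40.90 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-03-02 10:16:12.48 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 10:16:12.51 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 11:02:00.00 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# timestamp, source column (Logon / spidNN), then the message text
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\.")


def analyze(log_text, threshold=3):
    """Return alerts for xp_cmdshell being enabled and repeated failed `sa` logins."""
    alerts, sa_failures = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, continuation lines, other layouts
        msg = m["msg"]
        cfg = CONFIG.search(msg)
        if cfg and cfg["opt"].lower() == "xp_cmdshell" and cfg["old"] == "0" and cfg["new"] != "0":
            alerts.append(("xp_cmdshell_enabled", m["ts"], m["src"]))
            continue
        fail = FAILED.search(msg)
        if fail and fail["user"].lower() == "sa":
            sa_failures[fail["client"]] += 1
            if sa_failures[fail["client"]] == threshold:  # alert once per client
                alerts.append(("sa_password_guessing", m["ts"], fail["client"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```
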
## **SQLite Commands**
```bash
# connect to local database file
sqlite3 database.db
# display available tables
.tables
# display the CREATE statement (column names and types) for the specified table
.schema <table_name>
# display selected columns for the specified table
SELECT username,password FROM <table_name>;
```
# **References**
* [Command Line Shell For SQLite](https://www.sqlite.org/cli.html)
# **Practical Application**
| Platform | Name | Notes |
| ----------------- | ------------- | ----- |
| Hack the Box Labs | [[Chemistry]] | |