MSSQL for Pentester: Nmap
To obtain basic information such as database names, usernames, names of tables, etc from the SQL servers on the Windows operating system, we will execute penetration testing using Nmap scripts. MSSQL is Microsoft SQL Server for database management in the network. By default, it runs on port 1433. In our previous article, we had set up a Microsoft SQL Server in Windows 10.
Table of Content
- Enumerating version
- Credential Brute Force
- Execute SQL Query
- NetBIOS Enumeration
- MS-SQL Password Hash Dump
- Command Execution
- Test Empty Password Login
- Enumerate Database Tables
Attacker: Kali Linux (NMAP)
Target: Windows 10 (MS SQL Server)
Nmap is a collection of Lua-based NSE scripts that conduct authentication and unauthenticated penetration testing on MS-SQL port 1433. The NSE script for MS-SQL may be identified using the instructions below.
locate *.nse | grep ms-sql
This Script will attempt to determine configuration and version information for Microsoft SQL Server instances.
nmap -p 1433 --script ms-sql-info 192.168.1.146
Credential Brute Force
Performs brute-force password auditing against Ms-SQL servers and connection timeout (default: “5s”). All we need are dictionaries for usernames and passwords, which will be passed as arguments.
nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.146
In the image you can observe that we had successfully retrieve credentials for three users:
Username: pavan and password:Password@123 Username: aarti and password:Password@123 Username: sa and password: Password@1
Execute SQL Query
Once you have retrieved the login credential use these credentials in the NMAP script to execute MS –SQL query. Given below will try to execute certain query “sp_database” against Microsoft SQL Server.
Specified query “sp_databases” is part of record Stored Procedures and dump a list of database names from an instance of the SQL Server.
nmap -p1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-query.query="sp_databases" 192.168.1.146
Given below NMAP script will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.
Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with an NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.
nmap -p1433 --script ms-sql-ntlm-info 192.168.1.146
MS-SQL Password Hash Dump
The following command will dump the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. To do so, the user needs to have the appropriate DB privileges.
nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146
From the given image you can observe that it has dumped the hash value of passwords of the user: sa which we have enumerated above.
The xp_cmdshell is a function of Microsoft SQL Server that allows system administrators to execute an operating system command. By default, the xp_cmdshell option is disabled. NMAP script will attempt to run a command using the command shell of Microsoft SQL Server if found xp_cmdshell is enabled in the targeted server
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.146
From the depicted image you can perceive the output for the “net user” command.
Test Empty Password Login
If the administrator of Microsoft-SQL Server left the password blank for login, the attacker can direct login into the database server; as shown in the image below, we are investigating the property of a user’s account “sa.”
Following NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
nmap -p1433 --script ms-sql-empty-password 192.168.1.146
We had successfully logged in with user: sa and an empty password, as you can see in the screenshot below.
Enumerate Database Tables
The following command will attempt to fetch a list of tables from inside the Microsoft SQL server bypassing login credentials as an argument through Nmap script.
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here