Hello friends! Today we are going to perform Microsoft SQL penetration testing using NMAP scripts in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article we had setup Microsoft SQL server in Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Lets start!!

Scan port 1433

Open the terminal in kali linux and scan target IP for port 1433 using nmap command.

nmap -p 1433 192.168.1.104

From given below image you can observe that port 1433 is open for MS-SQL service.

Enumerating version information

Given below command will attempt to determine configuration and version information for Microsoft SQL Server instances.

nmap -p 1433 –script ms-sql-info 192.168.1.104

In specified below image you can observe the install version and details of MS-SQL server.

Brute Force Attacker

Given below command will attempt to determine username and password through brute force attack against MS-SQL by means of username and password dictionary.

nmap -p 1433 –script ms-sql-brute –script-args userdb=/root/Desktop/user.txt,passdb=/root/Desktop/pass.txt 192.168.1.104

In specfied image you can observe that we had successfully retrieve credential for two users:

• Username: ignite and password:12345
• Username: sa and password:123

Execute MS-SQL Query

Once you have retrieved the login credential use these credential in NMAP script to execute MS –SQL query. Given below will try to execute certain query “sp_database” against Microsoft SQL server.

Specified query “sp_databases” is part of record Stored Procedures and dump a list of database names from an instance of the SQL Server.

nmap -p 1433 –script ms-sql-query –script-args mssql.username=sa,mssql.password=admin123,ms-sql-query.query=“sp_databases” 192.168.1.104

Hence as result it has dumped two database names “ignite & master” whereas master is the default database name of MS_SQL server.

Check Microsoft SQL server configuration

 Following command will attempt to describe Microsoft SQL server configuration setting by passing login credential as argument through nmap script.

nmap -p 1433 –script ms-sql-config –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

Hence you can check configuration setting from given below image.

Obtain list of tables

Following command will attempt to fetch list of tables from inside Microsoft SQL server by passing login credential as argument through nmap script.

nmap -p 1433 –script ms-sql-tables –script-args mssql.username=sa,mssql.password=admin123

192.168.1.104

Hence you can check list of tables from given below image.

Enumerate NetBIOS information

Given below NMAP script will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.

Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

 nmap -p 1433 –script ms-sql-ntlm-info 192.168.1.104

Hence from given below image you can read the NETBIOS information remote Microsoft SQL server.

Dump password hashes

Following command will dump the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. In order to do so the user needs to have the appropriate DB privileges.

nmap -p 1433 –script ms-sql-dump-hashes –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can observe that it has dumped the hash value of passwords of user: sa which we have enumerated above.

Identify database owner

Following command will execute a query against Microsoft SQL Server instances for a list of databases a user has access to. In order to do so the user needs to have the appropriate DB privileges. Therefore we have passes username and password as argument through NMAP script.

nmap -p 1433 –script ms-sql-hashdbaccess –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

In specified image you can observe that it showing user sa is owner the database “ignite”.

Ms-SQL Allows XP_cmdshell option

The xp_cmdshell is a function of Microsoft SQL Server that allows system administrators to execute operating system command. By default, the xp_cmdshell option is disabled.

From given below image you can see we had enable the xp_cmdshell function by executing following statement inside master database.

EXEC sp_configure ‘xp_cmdshell’;

Now save above configuration setting through following statement:

 RECONFIGURE;

Exploit XP_cmdshell Function

Now following NMAP script will attempt to run a command using the command shell of Microsoft SQL Server if found xp_cmdshell is enabled in targeted server.

nmap -p 1433 –script ms-sql-xp-cmdshell –script-args mssql.username=sa,mssql.password=admin123 192.168.1.104

From given image you can confirm that we have executed OS command: net user as retrieve user account.

Blank password lead to unauthorized access

If the admin of Microsoft-SQL Server left the password Blank for login then attacker can director login into database server, from  given below image you can see we are exploring the property of a user’s account “sa”.

Here kept “blank space” as password for user “sa”. As we know by default sa is admin of MS-SQL server and now its password is blank space therefore chances of making unauthorized access into server by attacker will get increases.

Make unauthorized access into SQL server

Following  NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

nmap -p 1433 –script ms-sql-empty 192.168.1.104

From given below image you can perceive we had made successfully login with user: sa and empty password.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here