MSSQL → Microsoft SQL Server

It is Microsoft's SQL-based relational database management system

Ports

TCP

  • 1433

This port is used for communication between MSSQL clients and the Microsoft SQL Server instance

Connection

MSSQLClient.py (Impacket)


SQL Server Authentication

mssqlclient.py -port <PORT> -target-ip <TARGET_IP_ADDRESS> <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>

Use -db <DATABASE> to connect to a specific database (MSSQL Instance)

mssqlclient.py -port <PORT> -target-ip <TARGET_IP_ADDRESS> -db <DATABASE> <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>

Windows Authentication

mssqlclient.py -port <PORT> -target-ip <TARGET_IP_ADDRESS> [-db <DATABASE>] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>

Sqsh

SQL Server Authentication

sqsh -S <TARGET> -U <USERNAME> -P <PASSWORD>

Use -D <DATABASE> to connect to a specific database (MSSQL Instance)

sqsh -S <TARGET> -U <USERNAME> -P <PASSWORD> -D <DATABASE>

Windows Authentication

sqsh -S <TARGET> -U .\\<USERNAME> -P <PASSWORD> [-D <DATABASE>]

Enumeration

Nmap
nmap -p1433 -sC -sV -n -Pn --disable-arp-ping <TARGET>
nmap -p1433 -sV --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -n -Pn --disable-arp-ping <TARGET>

MSSQL Commands

Check the MSSQL Server Version
> select @@version;
Check the Current Database User
> select user_name();
List all Existing Database Users
> select * from sys.database_principals;
> exec sp_helpuser;
> select * from sysusers;
> select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
List all Existing Databases
> select name from sys.databases;
> select * from master.dbo.sysdatabases;
Use a Specific Database
> use <DB_NAME>;
List all the Tables in a Database
> select name from <DB_NAME>.sys.tables;
> select table_name from <DB_NAME>.information_schema.tables where table_type='base table';
> select table_name from information_schema.tables where table_type='base table' and table_catalog='<DB_NAME>';

MSSQL Command Execution

xp_cmdshell

It is possible to run OS commands from the SQL Server context through xp_cmdshell

It is an extended stored procedure provided by Microsoft and stored in the master database

The commands are executed with the privileges of the MSSQL service account

Check if xp_cmdshell is Enabled
> select * from sys.configurations where name = 'xp_cmdshell';
Enable xp_cmdshell
  • Enable Advanced Options

xp_cmdshell is considered an advanced option because of the security risk it carries

Therefore, to enable it, it is first necessary to turn on the advanced options, which exposes the configuration setting that activates xp_cmdshell

> exec sp_configure 'show advanced options', 1;
> RECONFIGURE;
  • Enable XP_CMDSHELL

Once advanced options are enabled, just proceed as follows to enable the xp_cmdshell extended procedure

> exec sp_configure 'xp_cmdshell', 1;
> RECONFIGURE;
Check Execution Permissions on xp_cmdshell

Note that, in addition to the procedure being enabled, the current user needs the EXECUTE permission on the xp_cmdshell extended procedure in order to run OS commands

To check which users can run xp_cmdshell

> use master;
> exec sp_helprotect 'xp_cmdshell';

If the current user is a member of the SYSADMIN server role and xp_cmdshell is enabled, it can be executed directly, since sysadmin members bypass the permission check
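The following T-SQL script is an added example and is not part of the original notes: it performs the checks described in the two sections above from the defender's side, in a single pass, and then reverts the configuration. It uses only standard system views and procedures (sys.configurations, sys.database_permissions, sys.server_principals, sys.dm_server_services, sp_configure); it assumes it is run from the master database by a principal with VIEW SERVER STATE for step 4 and ALTER SETTINGS (or sysadmin) for step 5.

```sql
-- Added example (not from the original notes): audit the xp_cmdshell state
-- covered above and turn the feature back off. Run from the master database.
USE master;

-- 1. Is xp_cmdshell (and the advanced-options switch) enabled?
--    value_in_use is the effective setting; value is the pending one.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Which principals hold an explicit EXECUTE grant on xp_cmdshell?
--    Equivalent to sp_helprotect 'xp_cmdshell' (sysadmin members are not
--    listed here because they bypass the permission check entirely).
SELECT dp.name AS grantee, dp.type_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id = OBJECT_ID('master.sys.xp_cmdshell');

-- 3. Which logins are members of sysadmin (they can run xp_cmdshell
--    whenever it is enabled, whatever step 2 shows).
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')          -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Which Windows account OS commands would run as, without running one:
--    the service account of the SQL Server service (requires VIEW SERVER STATE).
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 5. Hardening: disable xp_cmdshell and hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 4 reports the service account because that is what a sysadmin caller runs under; if a proxy account has been configured with sp_xp_cmdshell_proxy_account, non-sysadmin callers run under that proxy account instead, so the proxy setting is worth reviewing alongside step 2. Step 5 only flips the configuration flag: the EXECUTE grants found in step 2 remain in place until they are revoked.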

Execute OS Commands via xp_cmdshell
> exec xp_cmdshell '<COMMAND>'
Check which Service Account is running xp_cmdshell
> exec xp_cmdshell 'whoami'