Microsoft SQL Server (MS-SQL) is a relational database manager created by Microsoft. Such management systems are used to engage databases with the user. And the Microsoft’s version SAQL adds on the set of propriety programming constructs.
Multiple databases are used in a large
enterprise or organisation which leads to a problem of SQL Sprawl. There are
various methods to identify these servers from both pentesting view and or to
simply discover MS-SQL servers. In this article, we will explore such various
methods in order to discover MS-SQL server in the network, both locally and
remotely.
Table of Content:
·
Metasploit
·
Nmap
·
SQLPing
·
Nessus
·
PowerUpSQL
·
Command
line
Metasploit
Using Metasploit to determine the MS-SQL
servers in the network is one of the best remotely methods one can apply. Metasploit
being a remarkable framework has an exploit to determine whether there are
MS-SQL server in your network or not. To use this exploit open Metasploit using
‘msfconsole -q’ command and then follow the following set of commands:
use auxiliary/scanner/mssql/mssql_ping
set rhosts 192.168.1.0/24
exploit
As you can observer in the above image the
Metasploit exploit has the result for you and doesn’t fail to inform you about
the MS-SQL server and its port in the network.
Nmap
Our next method to identify the MS-SQL server s
in the network is by using Nmap; the amazing network pentesting tool. This
method is a remote method as well. To imply this method, just open your console
in kali and type in the following command:
nmap -p 1433 –script ms-sql-info 192.168.1.1/24
As Nmap is one of the best tools for NSPT, it
can never fail to meet our needs. Such is proven in the image above; where you
can see that the result of the command shows us the MS-SQL servers present in
the network along with its details.
SQLPing
SQLPing is tool for windows which helps us to
discover the MS-SQL server in the network. This tool is helpful for those who
prefer testing through windows operating system. It can be downloaded from here.
Once the tool is downloaded, open the tool. In the left panel of the tool give
the IP range of the network as shown in the image below. Also, this tool helps
to brute force the username and password of the server through a dictionary.
So, if you have dictionaries for both username and password then you can give
the path of dictionaries in the bottom of left panel as shown in the image
below:
As you can see from the image above, you can
find the MS-SQL server in the network through the aforementioned tool. Also, it
helps to brute force both username and password using dictionaries.
Nessus
Nessus was developed by Renaud Deraison in 1998 in order to provide security community with
a free remote scanner. And so, this tool succeeded in its aim and made our
lives easier. When you are specifically looking for MS-SQL servers in the
network then start you Nessus scan, once the scan is complete; you can go to
vulnerabilities tab and put a filter for port 1433 as this a default port for
Ms-SQL server.
And as you can see in the image above, it will
show you all the said servers.
PowerUpSQL
Now, using PowerUpsql is a local method as this
tool shows accurate result when it is well present in the network. To use this
tool open Windows PowerShell and import the script of the tool and then type in
the commands to identify the server. To do so, type the following set of
commands:
cd .\Desktop\
powershell -ep bypass
Import-Module .\PowerUpSQL.ps1
Get-SQL-InstanceLocal -verbose
And so, as you can see in the image above that following
there above commands will produce the desired result.
Command Line
Using the command line is also a local method
but it is quite useful. This is the
easiest method to follow when you want to identify the MS-SQL servers in your
network. One of the commands for the said is:
sqlcmd -L
And the other command for the same is the
following:
osql -L
As you can observe from both of the images
above, you have you desired result.
These the most effective ways to find out the
MS-SQL database servers in the network both remotely and locally. Such methods
go long way in proving our testing to be effective.
0 comments:
Post a Comment