MSSQL Pentesting Notes

Protocol Overview

Basic Information

Port: TCP 1433 (default)
Protocol Type: Relational Database Management System
Purpose: Efficient storage and retrieval of structured data
Security: Varies based on configuration and version

MSSQL Characteristics

Closed-source, primarily designed for Windows
Strong native support for .NET framework
Cross-platform versions available (Windows, Linux, macOS)
Commonly used in enterprise environments

Enumeration and Access

Port Scanning

# Basic port scan
nmap -p1433 -sV <target>

# Aggressive scan with scripts
nmap -p1433 -sV -sC -A <target>

# All MSSQL scripts
nmap -p1433 --script ms-sql-* <target>

Version Detection

# Using mssqlclient.py
python3 mssqlclient.py DOMAIN/USER@<target> -windows-auth

# Running SQL query
SELECT @@VERSION;

Authentication Attempts

# Windows authentication
python3 mssqlclient.py DOMAIN/USER@<target> -windows-auth

# SQL Server authentication
python3 mssqlclient.py USER:PASSWORD@<target>

# Brute force
hydra -L users.txt -P passwords.txt mssql://<target>

Database Discovery

-- List all databases
SELECT name FROM sys.databases;

-- Enumerate database users
SELECT name, type_desc, is_disabled, create_date, modify_date 
FROM sys.database_principals;

-- Check database permissions
SELECT * FROM sys.database_permissions;

Common Vulnerabilities

Weak Authentication:
- Default/guessable sa (sysadmin) credentials
- Lack of password complexity requirements
- Brute-forceable passwords
Misconfigurations:
- Unnecessary services/features enabled
- Excessive permissions granted to users
- Unprotected database backups
Version-specific:
- Remote code execution (e.g., CVE-2020-0796)
- Information disclosure (e.g., CVE-2016-7255)
- Denial of Service (e.g., CVE-2018-8356)

Post-Exploitation

Data Extraction

Dump database contents
Retrieve sensitive information
Identify high-value data

Privilege Escalation

Exploit weak permissions
Abuse excessive privileges
Pivot to other systems

Persistence

Create backdoor accounts
Modify startup scripts
Establish remote access

Mitigation Recommendations

Secure Configuration:
- Use strong, complex passwords for sa and other accounts
- Restrict MSSQL access to trusted hosts and networks
- Implement the principle of least privilege
- Keep MSSQL software up-to-date
Monitoring and Logging:
- Enable SQL Server Audit logging
- Monitor for suspicious activity
- Review logs regularly
Network Segmentation:
- Isolate MSSQL servers from the internet
- Use bastion hosts for remote administration
- Implement firewall rules to limit access
Data Protection:
- Encrypt sensitive data at rest and in transit
- Implement backup and recovery strategies
- Regularly test incident response and disaster recovery plans
Staff Training:
- Educate developers on secure coding practices
- Train administrators on best practices for MSSQL security
- Promote a security-conscious culture within the organization

Best Practices for Pentesting

Initial Reconnaissance:
- Identify MSSQL version and configuration
- Test default/common credentials
- Enumerate running services and open ports
- Gather information about the hosting environment
Enumeration and Discovery:
- List available databases and their contents
- Identify users, roles, and their permissions
- Search for sensitive data stored in the databases
- Uncover potentially exposed backup files or configuration details
Exploitation and Post-Exploitation:
- Attempt SQL injection attacks
- Abuse excessive permissions and privileges
- Dump database contents for further analysis
- Establish persistence through backdoors or malicious functions
Documentation and Reporting:
- Record all findings, vulnerabilities, and exploitation details
- Categorize issues by severity and provide recommendations
- Include evidence such as SQL statements, screenshots, and exported data
- Suggest remediation steps to improve MSSQL security posture
Ethical Considerations:
- Obtain explicit permission before testing
- Avoid disrupting production systems whenever possible
- Limit the scope of testing to authorized targets and activities
- Respect data privacy and comply with relevant regulations

PreviousOracle TNS Pentesting Notes NextMySQL Pentesting Notes

MSSQL Pentesting Notes

Protocol Overview

Basic Information

Port: TCP 1433 (default)
Protocol Type: Relational Database Management System
Purpose: Efficient storage and retrieval of structured data
Security: Varies based on configuration and version

MSSQL Characteristics

Closed-source, primarily designed for Windows
Strong native support for .NET framework
Cross-platform versions available (Windows, Linux, macOS)
Commonly used in enterprise environments

Enumeration and Access

Port Scanning

# Basic port scan
nmap -p1433 -sV <target>

# Aggressive scan with scripts
nmap -p1433 -sV -sC -A <target>

# All MSSQL scripts
nmap -p1433 --script ms-sql-* <target>

Version Detection

# Using mssqlclient.py
python3 mssqlclient.py DOMAIN/USER@<target> -windows-auth

# Running SQL query
SELECT @@VERSION;

Authentication Attempts

# Windows authentication
python3 mssqlclient.py DOMAIN/USER@<target> -windows-auth

# SQL Server authentication
python3 mssqlclient.py USER:PASSWORD@<target>

# Brute force
hydra -L users.txt -P passwords.txt mssql://<target>

Database Discovery

-- List all databases
SELECT name FROM sys.databases;

-- Enumerate database users
SELECT name, type_desc, is_disabled, create_date, modify_date 
FROM sys.database_principals;

-- Check database permissions
SELECT * FROM sys.database_permissions;

Common Vulnerabilities

Weak Authentication:
- Default/guessable sa (sysadmin) credentials
- Lack of password complexity requirements
- Brute-forceable passwords
Misconfigurations:
- Unnecessary services/features enabled
- Excessive permissions granted to users
- Unprotected database backups
Version-specific:
- Remote code execution (e.g., CVE-2020-0796)
- Information disclosure (e.g., CVE-2016-7255)
- Denial of Service (e.g., CVE-2018-8356)

Post-Exploitation

Data Extraction

Dump database contents
Retrieve sensitive information
Identify high-value data

Privilege Escalation

Exploit weak permissions
Abuse excessive privileges
Pivot to other systems

Persistence

Create backdoor accounts
Modify startup scripts
Establish remote access

Mitigation Recommendations

Secure Configuration:
- Use strong, complex passwords for sa and other accounts
- Restrict MSSQL access to trusted hosts and networks
- Implement the principle of least privilege
- Keep MSSQL software up-to-date
Monitoring and Logging:
- Enable SQL Server Audit logging
- Monitor for suspicious activity
- Review logs regularly
Network Segmentation:
- Isolate MSSQL servers from the internet
- Use bastion hosts for remote administration
- Implement firewall rules to limit access
Data Protection:
- Encrypt sensitive data at rest and in transit
- Implement backup and recovery strategies
- Regularly test incident response and disaster recovery plans
Staff Training:
- Educate developers on secure coding practices
- Train administrators on best practices for MSSQL security
- Promote a security-conscious culture within the organization

Best Practices for Pentesting

Initial Reconnaissance:
- Identify MSSQL version and configuration
- Test default/common credentials
- Enumerate running services and open ports
- Gather information about the hosting environment
Enumeration and Discovery:
- List available databases and their contents
- Identify users, roles, and their permissions
- Search for sensitive data stored in the databases
- Uncover potentially exposed backup files or configuration details
Exploitation and Post-Exploitation:
- Attempt SQL injection attacks
- Abuse excessive permissions and privileges
- Dump database contents for further analysis
- Establish persistence through backdoors or malicious functions
Documentation and Reporting:
- Record all findings, vulnerabilities, and exploitation details
- Categorize issues by severity and provide recommendations
- Include evidence such as SQL statements, screenshots, and exported data
- Suggest remediation steps to improve MSSQL security posture
Ethical Considerations:
- Obtain explicit permission before testing
- Avoid disrupting production systems whenever possible
- Limit the scope of testing to authorized targets and activities
- Respect data privacy and comply with relevant regulations

PreviousOracle TNS Pentesting Notes NextMySQL Pentesting Notes