Service and Version Detection
Description:
Detects whether the MSSQL service is running and extracts its version.
Example:
Gather SQL Server Instance Information
Script: ms-sql-info
Description: Collects detailed information about the MSSQL instance, such as version, domain, authentication type and cluster information.
Example Findings:
- Database version
- Hostname
- Supported authentication mechanisms
NTLM Authentication Information
Script: ms-sql-ntlm-info
Description: Retrieves NTLM-related information to evaluate risks like NTLM relay attacks.
Useful for assessing security of Windows-domain integrated MSSQL servers.
Dictionary Attack Against MSSQL Login
Script: ms-sql-brute
Description: Tries common username and password combinations to discover weak credentials.
```bash
nmap <IP Address> -p 1433 --script ms-sql-brute \
  --script-args userdb=/path/to/usernames.txt,passdb=/path/to/passwords.txt
```
Example Output:
Check for Accounts with Blank Password
Script: ms-sql-empty-password
Description: Checks whether any user account has no password configured.
Weak default installations sometimes allow login without a password.
Execute SQL Queries Remotely
Script: ms-sql-query
Description: Runs custom SQL commands when valid credentials are available. Useful for enumerating users, privileges, and database structure.
```bash
# The credential arguments are read by the mssql library as mssql.username and mssql.password
nmap <IP Address> -p 1433 --script ms-sql-query \
  --script-args mssql.username=<Username>,mssql.password=<Password>,\
ms-sql-query.query="select * from master..syslogins" -oN output.txt
```
Example Usage:
- Dump login accounts
- Find schema info
- View privilege details
Dump SQL Server Password Hashes
Script: ms-sql-dump-hashes
Description: Extracts password hashes from SQL Server accounts. Hashes can be cracked offline for password recovery or strength testing.
```bash
nmap <IP Address> -p 1433 --script ms-sql-dump-hashes \
  --script-args mssql.username=<Username>,mssql.password=<Password>
```
Example Output:
Execute System Commands (xp_cmdshell)
Script: ms-sql-xp-cmdshell
Description: Executes OS-level commands through the SQL Server xp_cmdshell feature if it is enabled. Can be used to escalate attacks or gather system information.
Run a command:
```bash
nmap <IP Address> -p 1433 --script ms-sql-xp-cmdshell \
  --script-args mssql.username=<Username>,mssql.password=<Password>,\
ms-sql-xp-cmdshell.cmd="ipconfig"
```
Read a file:
```bash
nmap <IP Address> -p 1433 --script ms-sql-xp-cmdshell \
  --script-args mssql.username=<Username>,mssql.password=<Password>,\
ms-sql-xp-cmdshell.cmd="type c:\flag.txt"
```
Example Output:
Script Usage Summary Table
| Script | Purpose | Privileges Required |
|---|---|---|
| ms-sql-info | Basic instance enumeration | None |
| ms-sql-ntlm-info | NTLM authentication details | None |
| ms-sql-brute | Online password guessing (dictionary attack) | None |
| ms-sql-empty-password | Blank-password check | None |
| ms-sql-query | Run SQL commands | Valid SQL login |
| ms-sql-dump-hashes | Extract hashes for cracking | Elevated SQL permissions |
| ms-sql-xp-cmdshell | OS command execution | High privileges (sysadmin) |
Security Hardening Recommendations
To protect MSSQL servers against these assessments:
- Disable or restrict sa
- Enforce strong passwords and MFA
- Disable xp_cmdshell
- Restrict incoming SQL connections with firewall rules
- Enable encryption for SQL traffic
- Regularly patch SQL Server and OS
MSSQL Penetration Testing Checklist
A structured checklist for real-world MSSQL security assessments.
Recon and Enumeration
- Identify MSSQL instance using Nmap
- Check authentication method (Windows/SQL authentication)
- Enumerate SQL Server version and editions
- Identify exposed ports beyond 1433 (Named Instances)
- Check network restrictions and firewall filters
Authentication Testing
- Test default accounts (sa)
- Attempt weak password authentication
- Perform dictionary and brute-force attacks
- Check for blank passwords
Privilege Enumeration
- Identify logged-in user role
- Extract server roles and permissions
- Enumerate linked servers
- Check xp_cmdshell status (enabled/disabled)
Data and Access Enumeration
- List all databases, tables, schema
- Identify sensitive tables (users, finance, HR)
- Dump user hashes if permissible
- Extract configuration information
Post-Exploitation & Escalation
- Enable and abuse xp_cmdshell if possible
- Execute OS commands for privilege escalation
- Extract flags and sensitive data
- Maintain persistence (if permitted)
Evidence & Cleanup
- Save all outputs to file
- Restore any altered services or features
- Document findings for reporting
MSSQL Hash Cracking Guide (Hashcat & John)
MSSQL hashes typically appear in SHA1 or mixed format: SQL Server 2005 through 2008 R2 store a salted SHA-1 hash (prefix 0x0100), while SQL Server 2012 and later store a salted SHA-512 hash (prefix 0x0200), so check the prefix before choosing a cracking mode.
Example MSSQL hash:
Hashcat
- -m 132 → MSSQL (SHA-1, SQL Server 2005 to 2008 R2); the SHA-512 format of SQL Server 2012 and later uses -m 1731
- -a 0 → Straight attack mode
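As a defender-side counterpart to the scripts above, here is an added T-SQL audit (not from the original page or Nmap) that checks from inside the server for what ms-sql-empty-password, ms-sql-xp-cmdshell and the hash dump expose from outside, and labels each login's stored hash with the matching hashcat mode. It assumes sysadmin rights on the instance; the remediation statements at the end are commented out and use a hypothetical login name [appuser].

```sql
-- Added audit: not part of the original page or Nmap. Run as sysadmin;
-- every SELECT is read-only, the remediation statements at the end are commented out.

-- 1. Version and edition (what ms-sql-info reports over the wire)
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS patch_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Dangerous features (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'remote access', 'clr enabled');

-- 3. SQL logins: sa state, trivially weak passwords, policy flags, stored hash format
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE('', password_hash) = 1   THEN 'BLANK'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'EQUALS LOGIN NAME'
            ELSE 'not trivially weak' END AS password_check,
       CASE SUBSTRING(password_hash, 1, 2)
            WHEN 0x0100 THEN 'salted SHA-1 (hashcat -m 132)'
            WHEN 0x0200 THEN 'salted SHA-512 (hashcat -m 1731)'
            ELSE 'unknown' END AS hash_format
FROM sys.sql_logins
ORDER BY is_disabled, name;

-- 4. sysadmin members (the set that can reach xp_cmdshell without an explicit grant)
SELECT p.name AS member, p.type_desc
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. Whether this session's own connection is encrypted (encrypt_option TRUE/FALSE)
SELECT session_id, net_transport, encrypt_option
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Remediation matching the hardening list above; uncomment deliberately, one at a time.
-- [appuser] is a hypothetical login name.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- ALTER LOGIN sa DISABLE;
-- ALTER LOGIN [appuser] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Run it before and after applying the hardening list to record the change in the findings table of the report template below.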
John the Ripper
Convert hash format first:
```bash
python /usr/share/john/run/mssql2john.py hashes.txt > hash_john.txt
john hash_john.txt --wordlist=rockyou.txt
```
After cracking, show password:
Database Security Report Template (Professional Format)
You can use this in security assessments:
Database Security Assessment Report
Target: Microsoft SQL Server
Engagement Date:
Tester:
Environment: Internal / External
1. Executive Summary
A brief non-technical summary of database security risks and business impact.
2. Scope
- Target IP and hostname
- MSSQL version details
- Allowed authentication mechanisms
3. Findings Summary
| Issue | Severity | Description | Evidence | Recommendation |
|---|---|---|---|---|
| Weak password for sa | High | Attackers can gain admin access | Screenshot of brute-force success | Enforce strong password policy |
| xp_cmdshell enabled | Critical | OS-level code execution | Output of ipconfig command | Disable xp_cmdshell |
| Outdated SQL Server version | Medium | Vulnerable to exploits | Version result from Nmap scan | Apply security patches |
4. Technical Findings & Proof of Concept
4.1 Weak Passwords Found
Command Used:
Evidence:
Successful login using credentials.
4.2 OS Command Execution via xp_cmdshell
Command Used:
Impact:
Full remote system compromise.
5. Recommendations
- Password policy enforcement
- Disable unneeded features
- Implement least-privilege access control
- Enable logging and monitoring