MSSQL - 1433

  • Port 1433
  • Microsoft's SQL Server; closed source
  • Used with .NET frameworks, mostly seen on Windows
  • SQL Server Management Studio (SSMS) is a client-side application that allows you to manage the database from the client.
  • If we have a target with SSMS credentials, we can query the database.
  • MSSQL clients:
    • mssql-cli
    • SQL Server PowerShell
    • HeidiSQL
    • SQLPro
    • Impacket's mssqlclient.py *


Commands:

  • locate mssqlclient - finds Impacket's MSSQL client
  • sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
  • In msfconsole, use scanner/mssql/mssql_ping
  • Using Impacket:
    • python3 mssqlclient.py Administrator@10.129.201.248 -windows-auth

Default Configuration:

  • The service runs as NT SERVICE\MSSQLSERVER
  • Windows authentication is needed (validated against the local SAM database or AD), and connections are not encrypted by default
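
One way to verify the "does not encrypt by default" point from the defender's side, as an added example that is not part of the original notes: parse the ENCRYPTION option in a server's TDS PRELOGIN response. The option layout and values follow MS-TDS; the function names and the sample payloads are constructed for illustration.

```python
import struct

# Values of the PRELOGIN ENCRYPTION option as defined in MS-TDS.
ENCRYPTION = {
    0x00: "ENCRYPT_OFF",      # available but off: only the login packet is protected
    0x01: "ENCRYPT_ON",       # whole session encrypted
    0x02: "ENCRYPT_NOT_SUP",  # no encryption at all
    0x03: "ENCRYPT_REQ",      # server requires encryption (Force Encryption)
}
TOKEN_ENCRYPTION = 0x01
TOKEN_TERMINATOR = 0xFF


def parse_prelogin(payload: bytes) -> dict:
    """Return {token: value_bytes} from a PRELOGIN payload (8-byte TDS header removed)."""
    options, pos = {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("option table has no terminator")
        token = payload[pos]
        if token == TOKEN_TERMINATOR:
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option entry")
        # Each entry: token (1 byte), offset and length (big-endian USHORTs).
        offset, length = struct.unpack_from(">HH", payload, pos + 1)
        if offset + length > len(payload):
            raise ValueError("option data outside payload")
        options[token] = payload[offset:offset + length]
        pos += 5


def encryption_posture(payload: bytes) -> tuple:
    """Return (setting_name, whole_session_encrypted)."""
    value = parse_prelogin(payload).get(TOKEN_ENCRYPTION)
    if not value:
        raise ValueError("no ENCRYPTION option in response")
    name = ENCRYPTION.get(value[0], "UNKNOWN")
    return name, name in ("ENCRYPT_ON", "ENCRYPT_REQ")


# Constructed sample payloads (not captured from a real server):
# VERSION entry, ENCRYPTION entry, terminator, then the option data.
SAMPLE_DEFAULT = bytes.fromhex("00000b0006" "0100110001" "ff" "0f0007d00000" "00")
SAMPLE_FORCED = SAMPLE_DEFAULT[:-1] + b"\x03"

if __name__ == "__main__":
    for label, data in (("default", SAMPLE_DEFAULT), ("forced", SAMPLE_FORCED)):
        print(label, encryption_posture(data))
```

A server that answers ENCRYPT_OFF or ENCRYPT_NOT_SUP leaves query traffic readable on the wire; enabling Force Encryption on the instance changes the answer to ENCRYPT_REQ.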

Dangerous Settings:

  • Think like an IT admin who wants to configure the settings
  • Named Pipes: used for interprocess communication.
  • Windows network protocol that allows communication between, for example, MSSQL
  • E.g., a named pipe on the client: \\<ServerName>\pipe\sql\query
    • We can connect to it using SSMS or a connection string