TCP 1433, 4022, 135, 1434, UDP 1434 - MSSQL
Kali Linux includes Impacket, a Python framework for interacting with network protocols. Among many other protocols, it supports Tabular Data Stream (TDS), the protocol used by MSSQL, which is implemented in the impacket-mssqlclient tool.
We can run impacket-mssqlclient to connect to the remote Windows machine running MSSQL by providing a username, a password, and the remote IP, together with the -windows-auth flag. This forces NTLM authentication (as opposed to Kerberos). We'll explore Windows authentication in more depth in upcoming Modules.
kali@kali:~$ impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
To begin, let's inspect the current version of the underlying operating system by selecting the @@version variable.
Every database management system has its own syntax that we should take into consideration when enumerating a target during a penetration test.
SQL>SELECT @@version;
...
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (Build 20348: ) (Hypervisor)
Our query returned valuable information about the running version of the MSSQL server along with the Windows Server version, including its build number.
When using a SQL Server command line tool like sqlcmd, we must submit our SQL statement ending with a semicolon followed by GO on a separate line. However, when running the query remotely through impacket-mssqlclient, we can omit the GO statement: GO is a batch separator understood by the client tools, not a T-SQL statement, so it is not part of the MSSQL TDS protocol.
To list all the available databases, we can select all names from the system catalog.
SQL>SELECT name FROM sys.databases;
name
...
master
tempdb
model
msdb
offsec
SQL>
Since master, tempdb, model, and msdb are default databases, we want to explore the custom offsec database because it might contain data belonging to our target. We can review this database by querying the tables view of its information_schema.
SQL>SELECT * FROM offsec.information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
offsec dbo users b'BASE TABLE'
Our query returned the users table as the only one available in the database, so let's inspect it by selecting all of its records. We'll need to specify the dbo schema between the database and the table names.
SQL>select * from offsec.dbo.users;
username password
admin lab
guest guest
The users table contains two columns, username and password, and two rows. Our query returned the clear-text password for both usernames.
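Seen from the DBA's side, the same catalog views and a pair of dynamic management views reveal who is connected (and whether they arrived over NTLM or Kerberos), which non-default databases exist, and which columns look like stored credentials. The T-SQL below is an added example, not part of the course text; it assumes a login holding VIEW SERVER STATE for the dm_exec_* views and SQL Server 2017 or later for STRING_AGG (the walkthrough's server is 2019).

```sql
-- Added audit queries (not from the course text). Assumes VIEW SERVER STATE
-- for the dm_exec_* views; column patterns and database names other than the
-- four system databases are illustrative.

-- 1. Who is connected right now, from where, and how did they authenticate?
--    auth_scheme reports NTLM, KERBEROS or SQL, which is the distinction the
--    -windows-auth client flag forces from the other side of the connection.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.auth_scheme,
       s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;

-- 2. Which databases are not the four defaults? Every name returned here is
--    custom data, exactly what the offsec database was in the walkthrough.
SELECT name, state_desc, is_trustworthy_on
FROM sys.databases
WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');

-- 3. Columns whose names suggest stored credentials, across every online user
--    database, via the same INFORMATION_SCHEMA views used above. Each hit
--    should be checked for plaintext storage (the users.password case).
DECLARE @sql NVARCHAR(MAX);
SELECT @sql = STRING_AGG(
    CAST(N'SELECT ' + QUOTENAME(name, '''') + N' AS db, TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME'
       + N' FROM ' + QUOTENAME(name) + N'.INFORMATION_SCHEMA.COLUMNS'
       + N' WHERE COLUMN_NAME LIKE ''%pass%'' OR COLUMN_NAME LIKE ''%pwd%'''
       + N' OR COLUMN_NAME LIKE ''%secret%''' AS NVARCHAR(MAX)),
    N' UNION ALL ')
FROM sys.databases
WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb')
  AND state_desc = 'ONLINE';

-- STRING_AGG returns NULL when there are no user databases; only run if built.
IF @sql IS NOT NULL
    EXEC sp_executesql @sql;
```

The third query builds one UNION ALL statement per user database with QUOTENAME so that unusual database names cannot break the generated SQL.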