{"id":2135,"date":"2021-01-09T14:47:26","date_gmt":"2021-01-09T13:47:26","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2135"},"modified":"2021-07-22T14:04:46","modified_gmt":"2021-07-22T12:04:46","slug":"1433-mssql","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2135","title":{"rendered":"1433 <span class=\"caps\">MSSQL<\/span>"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Enumeration<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Mandatory<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>Deter\u00admine ver\u00adsion:<br><code>nmap -p 445 --script ms-sql-info $target<\/code><\/li><li>If cre\u00adden\u00adtials are&nbsp;known:<ol><li>Try to con\u00adnect to the <span class=\"caps\">DB<\/span> (alter\u00adna\u00adtive: Intel\u00adliJ, \u2026):<br><code>sqsh -U sa -P $password -S $target:1433<\/code><\/li><li>Try to exe\u00adcute com\u00admands:<br><code>msf&gt; use auxiliary\/admin\/mssql\/mssql_exec<br>msf&gt; use windows\/mssql\/mssql_payload<\/code><ol><li>If mssql_exec does\u00adn\u2019t work, take care of domain\/username and powershell.exe \u2011com\u00admand type system.<\/li><\/ol><\/li><\/ol><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Optional<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>Brute-force login (e.g. with <code>msf&gt; use scanner\/mssql\/mssql_login<\/code>).<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enu\u00admer\u00ada\u00adtion Manda\u00adto\u00adry Deter\u00admine ver\u00adsion:nmap \u2011p 445 \u2013script ms-sql-info $tar\u00adget If cre\u00adden\u00adtials are&nbsp;known:&nbsp; Try to con\u00adnect to the <span class=\"caps\">DB<\/span> (alter\u00adna\u00adtive: Intel\u00adliJ, \u2026):sqsh \u2011U sa \u2011P $pass\u00adword \u2011S $target:1433 Try to exe\u00adcute com\u00admands:msf&gt; use auxiliary\/admin\/mssql\/mssql_execmsf&gt; use windows\/mssql\/mssql_payload If mssql_exec does\u00adn\u2019t work, take care of domain\/username and powershell.exe \u2011com\u00admand type sys\u00adtem. Option\u00adal Brute-force login (e.g. with msf&gt;&nbsp;use&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[36],"tags":[37,326],"class_list":["post-2135","post","type-post","status-publish","format-standard","hentry","category-port","tag-checklist","tag-mssql"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2135"}],"version-history":[{"count":3,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2135\/revisions"}],"predecessor-version":[{"id":3297,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2135\/revisions\/3297"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}