🔎 Enumeration

Microsoft SQL Server (MSSQL) can be enumerated and interacted with using mssqlclient.py from the Impacket suite. This tool allows for both basic database enumeration and advanced exploitation techniques such as command execution and hash exfiltration.

🔌 Connecting to MSSQL

To connect to an MSSQL server using mssqlclient.py, we need valid credentials and the server's IP address. If using Windows authentication, the -windows-auth flag is required.

Basic Connection

bash

mssqlclient.py qu35t:'password123!'@red.lab -windows-auth

📝 Enumeration Commands

Once connected, we can execute SQL commands to enumerate the database structure and contents.

List Databases

The default databases are :

master
model
msdb
tempdb

sql

SELECT name FROM sys.databases WHERE database_id > 4;

sql

SELECT name FROM master.dbo.sysdatabases;

sql

EXEC sp_databases;

List Tables of a Database

Replace Backup with the database name.

sql

select TABLE_NAME from Backup.INFORMATION_SCHEMA.TABLES;

sql

EXEC sp_tables;

List Columns of a Table

Replace Customers with the table name.

sql

SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = N'Customers'

Extract Data from a Table

Replace Backup with the database name and Users with the table name.

sql

select * from Backup.dbo.Users;

🔎 Enumeration ​

🔌 Connecting to MSSQL ​

Basic Connection ​

📝 Enumeration Commands ​

List Databases ​

List Tables of a Database ​

List Columns of a Table ​

Extract Data from a Table ​