Enumerate MSSQL servers with CrackMap & Impacket

PreviousEnumerate MSSQL servers with GetUserSPNs & NMAP Nextimpersonate - execute as login

Last updated 2 years ago

Enumerate MSSQL servers with CrackMap & Impacket

CrackMapExec

Let’s try with crackmapexec

crackmapexec mssql 192.168.56.22-23

Now we could try with the user miguel.ortiz

crackmapexec mssql 192.168.56.22 -u miguel.cabrera -p ilovebaseball -d north.newyork.local

As we can see we got an access to the database

Impacket

To enumerate and use impacket mssql, i made a modified version of the example mssqlclient.py.
The install is just like what we done in part5 merge the PR on your local impacket project and relaunch install:

cd /opt/tools
git clone https://github.com/SecureAuthCorp/impacket myimpacket
cd myimpacket
python3 -m virtualenv myimpacket
source myimpacket/bin/activate
git fetch origin pull/1397/head:1397
git merge 1397
python3 -m pip install .

We connect to the mssql server with the following command :

mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local

And type help:

   lcd {path}                 - changes the current local directory to {path}
   exit                       - terminates the server process (and this session)
   enable_xp_cmdshell         - you know what it means
   disable_xp_cmdshell        - you know what it means
   enum_db                    - enum databases
   enum_links                 - enum linked servers
   enum_impersonate           - check logins that can be impersonate
   enum_logins                - enum login users
   enum_users                 - enum current db users
   enum_owner                 - enum db owner
   exec_as_user {user}        - impersonate with execute as user
   exec_as_login {login}      - impersonate with execute as login
   xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
   xp_dirtree {path}          - executes xp_dirtree on the path
   sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
   use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
   ! {cmd}                    - executes a local shell cmd
   show_query                 - show query
   mask_query                 - mask query

I added some new entries to the database : enum_db/enum_links/enum_impersonate/enum_login/enum_owner/exec_as_user/exec_as_login/use_link/show_query/mask_query
Let’s start the enumeration :

enum_logins

select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin, 
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin 
from  master.sys.server_principals r 
left join master.sys.syslogins sl on sl.sid = r.sid 
where r.type in ('S','E','X','U','G')

We see only a basic view as we are a simple user

PreviousEnumerate MSSQL servers with GetUserSPNs & NMAP Nextimpersonate - execute as login

Last updated 2 years ago

CrackMapExec

Let’s try with crackmapexec

crackmapexec mssql 192.168.56.22-23

Now we could try with the user miguel.ortiz

crackmapexec mssql 192.168.56.22 -u miguel.cabrera -p ilovebaseball -d north.newyork.local

As we can see we got an access to the database

Impacket

To enumerate and use impacket mssql, i made a modified version of the example mssqlclient.py.
You can find the version
The install is just like what we done in part5 merge the PR on your local impacket project and relaunch install:

cd /opt/tools
git clone https://github.com/SecureAuthCorp/impacket myimpacket
cd myimpacket
python3 -m virtualenv myimpacket
source myimpacket/bin/activate
git fetch origin pull/1397/head:1397
git merge 1397
python3 -m pip install .

We connect to the mssql server with the following command :

mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local

And type help:

   lcd {path}                 - changes the current local directory to {path}
   exit                       - terminates the server process (and this session)
   enable_xp_cmdshell         - you know what it means
   disable_xp_cmdshell        - you know what it means
   enum_db                    - enum databases
   enum_links                 - enum linked servers
   enum_impersonate           - check logins that can be impersonate
   enum_logins                - enum login users
   enum_users                 - enum current db users
   enum_owner                 - enum db owner
   exec_as_user {user}        - impersonate with execute as user
   exec_as_login {login}      - impersonate with execute as login
   xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
   xp_dirtree {path}          - executes xp_dirtree on the path
   sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
   use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
   ! {cmd}                    - executes a local shell cmd
   show_query                 - show query
   mask_query                 - mask query

I added some new entries to the database : enum_db/enum_links/enum_impersonate/enum_login/enum_owner/exec_as_user/exec_as_login/use_link/show_query/mask_query
Let’s start the enumeration :

enum_logins

This launch the following query (roles value meaning can be show )

select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin, 
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin 
from  master.sys.server_principals r 
left join master.sys.syslogins sl on sl.sid = r.sid 
where r.type in ('S','E','X','U','G')

We see only a basic view as we are a simple user