Enumerate MSSQL servers with GetUserSPNs & NMAP
First, let's find the user accounts that have an SPN for an MSSQL service.
A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID.
GetUserSPNs.py north.newyork.local/claudio.ortiz:babyboy
And on the maryland.local domain:
GetUserSPNs.py -target-domain maryland.local north.newyork.local/claudio.ortiz:babyboy
Two servers answer:
nmap -p 1433 -sV -sC 192.168.56.10-23
Yonkers.north.newyork.local
Nmap scan report for yonkers.north.newyork.local (192.168.56.22)
Host is up (0.00048s latency).
Scanned at 2023-02-27 20:16:02 EST for 12s
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-02-28T01:16:14+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-22T20:07:08
| Not valid after: 2053-02-22T20:07:08
| MD5: 15c6 3b48 4af9 3ee5 3002 fe2b c006 09cb
| SHA-1: abcc 8fff ac8c 8907 c2c4 8f2a af0b 5ff1 b6da 3e4d
|_ (certificate PEM omitted)
| ms-sql-ntlm-info:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: YONKERS
| DNS_Domain_Name: north.newyork.local
| DNS_Computer_Name: Yonkers.north.newyork.local
| DNS_Tree_Name: newyork.local
|_ Product_Version: 10.0.17763
Host script results:
| ms-sql-info:
| 192.168.56.22:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Nmap scan report for salisbury.maryland.local (192.168.56.23)
Host is up (0.00040s latency).
Scanned at 2023-02-27 20:16:02 EST for 12s
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: maryland
| NetBIOS_Domain_Name: maryland
| NetBIOS_Computer_Name: SALISBURY
| DNS_Domain_Name: maryland.local
| DNS_Computer_Name: Salisbury.maryland.local
| DNS_Tree_Name: maryland.local
|_ Product_Version: 10.0.14393
|_ssl-date: 2023-02-28T01:16:07+00:00; -7s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-22T20:07:10
| Not valid after: 2053-02-22T20:07:10
| MD5: d765 e745 3ddc 0c7f 4fcb b26b 744b 35a7
| SHA-1: 28a8 5b18 8adb f162 6ac2 d136 6c16 1f08 1ef2 6804
|_ (certificate PEM omitted)
Host script results:
| ms-sql-info:
| 192.168.56.23:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_clock-skew: mean: -7s, deviation: 0s, median: -7s
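As an added example (not part of the original page), a small parser that turns the nmap ms-sql-ntlm-info, ms-sql-info and ssl-cert output above into a per-host inventory and lists the points a defender would review from it. The sample input is a trimmed copy of the scan output; the 300 s skew threshold assumes Kerberos's default clock tolerance.

```python
import re
# Trimmed excerpt of the nmap output above (constructed sample; values are the page's own).
SAMPLE_SCAN = """\
Nmap scan report for yonkers.north.newyork.local (192.168.56.22)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| DNS_Domain_Name: north.newyork.local
| DNS_Tree_Name: newyork.local
|_ Product_Version: 10.0.17763
| Post-SP patches applied: false
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Nmap scan report for salisbury.maryland.local (192.168.56.23)
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| DNS_Domain_Name: maryland.local
| DNS_Tree_Name: maryland.local
|_ Product_Version: 10.0.14393
| Post-SP patches applied: false
|_clock-skew: mean: -7s, deviation: 0s, median: -7s
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+(?:\.\d+){3})\)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+ms-sql-s\s+Microsoft SQL Server \d+ ([\d.]+); (\S+)")
KV_RE = re.compile(r"^\|_?\s*([A-Za-z][A-Za-z_ -]*):\s+(\S.*)$")  # "| key: value" script lines

def parse_mssql_scan(text):
    """Turn nmap's ms-sql-* and ssl-cert script output into one dict per host."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"host": m.group(1), "ip": m.group(2)}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            cur.update(port=int(m.group(1)), build=m.group(2), sp_level=m.group(3))
        elif cur and (m := KV_RE.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    for h in hosts:  # NTLM's DNS_Tree_Name is the forest root: same forest, or across a trust?
        h["forest"] = h.get("DNS_Tree_Name")
    return hosts

def assess(host):
    """Defender-side review items drawn only from what the scan reports."""
    issues = []
    if host.get("Post-SP patches applied") == "false":
        issues.append(f"RTM build {host.get('build')} with no post-release patches reported")
    if "SSL_Self_Signed_Fallback" in host.get("ssl-cert", ""):
        issues.append("self-signed fallback certificate: clients cannot verify server identity")
    m = re.search(r"median: (-?\d+)s", host.get("clock-skew", ""))
    if m and abs(int(m.group(1))) > 300:  # Kerberos tolerates 5 minutes of skew by default
        issues.append(f"clock skew {m.group(1)}s would break Kerberos authentication")
    return issues
```

Running parse_mssql_scan on the full scan above works the same way; lines that are not "key: value" pairs (the certificate, the per-port address line) are simply skipped.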