MSSQL
Microsoft SQL Server is similar to other SQL databases, and it can be accessed from Linux using the 'sqsh' tool.
Remote Shell - XP_Cmdshell
Operating-system commands can be executed on the host running MSSQL through the sqsh tool, using the xp_cmdshell stored procedure.
The following command can be used to enable xp_cmdshell:
The following command can be used to execute commands on the remote system:
If enabling xp_cmdshell fails, try disabling it and re-enabling it with the following commands:
XP_Dirtree
This is another undocumented stored procedure in MSSQL that can be used to list files and directories. It takes the following three parameters:
Files - whether the files present in the folder are displayed in addition to directories
Directory - the directory path that you pass to the procedure
Depth - the number of sub-folder levels to display
This procedure comes in handy when you want to trigger an SMB connection from the server to a locally hosted SMB server (Impacket smbserver/ntlmrelayx) and capture the user's hash or relay it.
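A defender-side companion to the xp_cmdshell and xp_dirtree sections above, added here and not part of the original notes: a small Python detector that scans SQL Server audit statement text for xp_cmdshell being enabled or executed, and for xp_dirtree/xp_fileexist/xp_subdirs pointed at a UNC path (the outbound SMB trigger described above). The audit line format and the sample events are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample events in the shape of a SQL Server audit export
# (timestamp, login, statement text); these are not real captured logs.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:01 login=app_user stmt=SELECT name FROM sys.databases",
    "2024-01-01 10:00:05 login=sa stmt=EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2024-01-01 10:00:06 login=sa stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2024-01-01 10:00:09 login=sa stmt=EXEC xp_cmdshell 'hostname'",
    "2024-01-01 10:01:10 login=web_svc stmt=EXEC master..xp_dirtree '\\\\10.0.0.5\\share', 1, 1",
    "2024-01-01 10:01:15 login=web_svc stmt=EXEC xp_dirtree 'C:\\inetpub', 1, 1",
]

# Constructed line layout: "<date> <time> login=<name> stmt=<statement text>"
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")

# (name, pattern) pairs; hits are reported in this order for each event.
RULES = [
    # sp_configure turning xp_cmdshell on (a value of 0, i.e. disabling it, is not flagged)
    ("xp_cmdshell_enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)),
    # any execution of xp_cmdshell with a command string
    ("xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\s+'", re.I)),
    # xp_dirtree / xp_fileexist / xp_subdirs given a UNC path (\\host\share), which
    # makes the SQL Server service account authenticate outbound over SMB;
    # a local drive path is ordinary administration and is not flagged
    ("xp_dirtree_unc", re.compile(r"xp_(?:dirtree|fileexist|subdirs)\s+'\\\\", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one audit line into its fields; malformed lines raise ValueError."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) match, keeping the event's timestamp and login."""
    hits = []
    for line in events:
        ev = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(ev["stmt"]):
                hits.append({"ts": ev["ts"], "login": ev["login"], "rule": name, "stmt": ev["stmt"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['rule']:<20} login={hit['login']} :: {hit['stmt']}")
```

On the sample events this reports the xp_cmdshell enablement, the xp_cmdshell execution and the UNC xp_dirtree call, while the local-path xp_dirtree and the 'show advanced options' change alone stay silent.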
Master Database File
The master.mdf file records all system-level information for a SQL Server instance. It contains instance-wide metadata such as logon information, endpoints, linked servers and system configuration settings, and it also records the existence of every database and the location of all their files.
However, this file cannot be read while the database is running, because the MSSQL process holds a lock on it. If you do gain access to it, the login credentials can be extracted from it.
The passwords are hashed before being stored in the file; they can be extracted using the following method, and the hashes can then be cracked with hashcat.
The above script can be used to extract the hashes. If you are on a Linux system, you can use pwsh to run the PowerShell script.
The hash can be cracked as follows: