# MSSQL

## Introduction

- Microsoft's SQL-based RDBMS; runs on the .NET framework
- `locate mssqlclient` shows the MSSQL client tools available locally
- typically the `sa` account is used to log in with Administrator-level access
- look for password reuse between the SQL login `sa` and the Windows `Administrator` account

## Footprinting MSSQL

```bash
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <ip_addr> # run multiple MSSQL-related NSE scripts with arguments
mssqlclient.py Administrator@<ip_addr> -windows-auth # impacket tool to connect to an MSSQL server
/usr/bin/impacket-mssqlclient Administrator@<ip_addr> -windows-auth # alternative command with full path
# try mssql_ping with metasploit
```

## Default MSSQL Databases

| Default System DB | Description |
| ----------------- | --------------------------------------------------------------- |
| master | tracks all system info for an SQL server instance |
| model | template db that acts as a structure for every new db created |
| msdb | SQL server agent uses this db to schedule jobs and alerts |
| tempdb | stores temporary objects |
| resource | read-only db containing system objects included with SQL server |

## Dangerous Settings

- MSSQL clients not using encryption to connect to the MSSQL server
- use of self-signed certs
- use of named pipes
- weak and default `sa` creds
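The nmap run above produces free-text NSE output that still has to be read by a person. As an added example (not part of these notes, and not code from nmap or impacket), the script below parses that output and maps it onto the "Dangerous Settings" list: an `sa` login that accepts an empty password, a named pipe exposed by the instance, and an `xp_cmdshell` block that shows a command actually ran. The sample scan text is constructed in the style of nmap's `ms-sql-*` script output; the exact wording of real runs may differ, which is why each check keys on one stable token rather than on whole lines.

```python
"""Triage helper for nmap MSSQL NSE output (added example, not from the page).

Splits nmap's host-script output into per-script blocks and flags the
conditions from the "Dangerous Settings" list that are visible from a
scan. Encryption and certificate settings are not visible this way and
have to be checked on the server itself.
"""
import re
from typing import Dict, List

# Constructed sample in the style of nmap ms-sql-* script output.
SAMPLE_NMAP_OUTPUT = r"""
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
|   Windows server name: SQL-01
|   10.0.0.5\MSSQLSERVER:
|     Instance name: MSSQLSERVER
|     Version:
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|     TCP port: 1433
|     Named pipe: \\10.0.0.5\pipe\sql\query
|_    Clustered: false
| ms-sql-empty-password:
|   [10.0.0.5\MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms-sql-xp-cmdshell:
|   [10.0.0.5\MSSQLSERVER]
|     Command: ipconfig /all
|_    output: Windows IP Configuration
"""

# nmap prints "| <script>:" for a script header, "|   ..." for its body
# and "|_ ..." for the last line of the block.
_HEADER = re.compile(r"^\| (\S[^:]*):\s*$")
_BODY = re.compile(r"^\|[_ ]\s*(.*)$")


def parse_nse_blocks(text: str) -> Dict[str, List[str]]:
    """Return {script_name: [stripped body lines]} for every NSE block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        header = _HEADER.match(raw)
        if header:
            current = header.group(1)
            blocks[current] = []
            continue
        body = _BODY.match(raw)
        if not body:
            current = None  # left the script output area
            continue
        if current is not None:
            blocks[current].append(body.group(1).strip())
    return blocks


def audit_scan(text: str) -> Dict[str, object]:
    """Map parsed NSE output onto the dangerous-settings checklist."""
    blocks = parse_nse_blocks(text)
    result: Dict[str, object] = {"version": None, "named_pipe": None, "findings": []}
    findings: List[str] = result["findings"]  # type: ignore[assignment]

    for line in blocks.get("ms-sql-info", []):
        key, _, value = line.partition(":")
        if key == "number":
            result["version"] = value.strip()
        elif key == "Named pipe":
            result["named_pipe"] = value.strip()
            findings.append("named pipe exposed (%s)" % value.strip())

    for line in blocks.get("ms-sql-empty-password", []):
        hit = re.match(r"^(\w+):<empty> => Login Success", line)
        if hit:
            findings.append("login '%s' accepts an empty password" % hit.group(1))

    xp = blocks.get("ms-sql-xp-cmdshell", [])
    if xp and not any("disabled" in line.lower() for line in xp):
        findings.append("xp_cmdshell is enabled (NSE script ran a command)")

    return result


if __name__ == "__main__":
    report = audit_scan(SAMPLE_NMAP_OUTPUT)
    print("version:", report["version"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Feed it a saved `nmap -oN` file instead of the constructed sample to triage a real run; every finding it prints corresponds to one bullet in the "Dangerous Settings" list, so the remediation is the matching server-side change (set a strong `sa` password or disable the login, disable `xp_cmdshell` via `sp_configure`, and turn off the named-pipe protocol if TCP is the only intended transport).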