
MSSQL Workflows

Microsoft SQL Server (MSSQL) is a relational database management system, commonly used in conjunction with web applications and other software that need to persist data. MSSQL is a useful target for data extraction and, where the login is privileged enough, code execution on the host.

MSSQL is frequently found on the following ports:

  • 1433/TCP (default port of the database engine)
  • 1434/UDP (SQL Server Browser service, used to discover named instances and their ports)

Lab Environment

Environment setup:

MSSQL Enumeration

Running queries

use auxiliary/admin/mssql/mssql_sql
run rhost= username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'

Identify whether the SQL server has been configured with linked servers, which allow queries to be run on other MSSQL instances from this one:

use windows/mssql/mssql_linkcrawler
run rhost= username=administrator password=p4$$w0rd
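The two modules above wrap plain T-SQL, and it is often useful to know which queries to send by hand (for example one at a time through mssql_sql's sql='...' option, or from any MSSQL client). The following is an added example and not part of the Metasploit documentation; it covers the same ground as the running-queries and linked-server steps above, plus a check for whether OS command execution is already enabled. The linked server name SQL02 is a hypothetical placeholder.

```sql
-- Added example (not from the Metasploit docs). Each statement can be passed
-- separately via mssql_sql's sql='...' option or run from any MSSQL client.
-- The linked server name SQL02 is a hypothetical placeholder.

-- How did this session authenticate? auth_scheme is SQL, NTLM or KERBEROS.
SELECT auth_scheme, net_transport
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Version, the login the queries run as, and whether it is a sysadmin (1 = yes).
SELECT @@VERSION                    AS version,
       SYSTEM_USER                  AS login_name,
       USER_NAME()                  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Linked servers configured on this instance (the links mssql_linkcrawler walks).
SELECT name, product, provider, data_source
FROM sys.servers
WHERE is_linked = 1;

-- Run a query on the remote side of a link. The login mapped to the link
-- decides the privileges on the remote instance, not the local login, so a
-- low-privileged local login can turn out to be sysadmin across the link.
SELECT *
FROM OPENQUERY([SQL02],
               'SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')');

-- Is OS command execution already switched on? value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');
```

Note that the doubled single quotes inside the OPENQUERY string are T-SQL escaping for the remote query; when the statement is passed through msfconsole's sql='...' option the outer quoting is handled by msfconsole, so inner quotes are usually easiest to avoid or to test in a separate statement first.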

Kerberos Authentication

Details on the Kerberos-specific option names are documented in Kerberos Service Authentication.

Connect to a Microsoft SQL Server instance and run a query:

msf6 > use auxiliary/admin/mssql/mssql_sql
msf6 auxiliary(admin/mssql/mssql_sql) > run domaincontrollerrhost= username=administrator password=p4$$w0rd mssql::auth=kerberos mssql::rhostname=dc3.demo.local mssqldomain=demo.local sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
[*] Reloading module...
[*] Running module against

[*] - - Valid TGT-Response
[+] - - Valid TGS-Response
[*] - - TGS MIT Credential Cache saved to ~/.msf4/loot/20220630193907_default_192.168.123.13_windows.kerberos_556101.bin
[*] - SQL Query: select auth_scheme from sys.dm_exec_connections where session_id=@@spid
[*] - Row Count: 1 (Status: 16 Command: 193)


[*] Auxiliary module execution completed