Linked Server Exploitation

Identifying MSSQL Listeners

 New-NetFirewallRule -DisplayName "Allow SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow

NMap can be used to identify the server on a network;

case 1 : Brute Force Attacks

SQL Server supports two types of authentication, Windows Authentication, and SQL Server authentication. This can be configured using SQL Server Management Studio;

using

crackmapexec mssql 192.168.16  -u sa -p  /usr/share/wordlists/rockyou.txt

MSSQL supports a feature called Linked Servers. Essentially the MSSQL database is configured to connect to remote databases running on other systems. This allows you to execute a query against one host, but the data to be retrieved from multiple systems.
If linked servers are configured, and attacker may be able to exploit this feature to move laterally between different database systems.
To configure a linked server, in SQL Management Studio, select SERVER1 > Linked Servers > Right click and select new Linked Server.
On the general tab, set the data source to the target SQL server hostname.

In the security tab, set the user account used to login to the remote server.

PreviousMSSQL AD Abuse NextDomain privEsc

Last updated 4 months ago