Port: 1433
Administered with SQL Server Management Studio (SSMS)
Default service: NT SERVICE\MSSQLSERVER
Query format: T-SQL (Transact-SQL)
sa credentials. Admins may forget to disable this account.
Nmap:
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $HOST
Or use the mssql_ping module in Metasploit (MSF).
Client: mssqlclient.py
WriteUp:
Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server.
The hostname appears in the output of the Nmap scan above.
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server
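The same settings the Nmap scripts above probe for (the sa account, empty passwords, xp_cmdshell, the DAC, non-default databases) can be audited from inside the instance. The following read-only T-SQL is an added example, not part of the original notes; it assumes a sysadmin session in SSMS or sqlcmd.

```sql
-- Added example: read-only audit of the settings the notes above enumerate.
-- Assumes a sysadmin login; nothing here changes server state.

-- 1. Built-in sa login. It keeps principal_id = 1 even if it was renamed.
--    is_disabled = 1 is the hardened state.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 2. SQL logins with an empty password (what ms-sql-empty-password looks for).
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Surface-area options: xp_cmdshell and the remote DAC should
--    normally show value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'remote admin connections');

-- 4. Non-default databases. IDs 1-4 are master, tempdb, model and msdb.
SELECT name,
       create_date,
       SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE database_id > 4
ORDER BY name;

-- 5. Members of the sysadmin role, to spot unexpected accounts.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```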