🗄️MySQL & MSSQL Enumeration
SQL (Structured Query Language) is a programming language used to manage and manipulate databases. It enables tasks like inserting, updating, querying, and deleting data. SQL databases use port 1433 (Microsoft SQL Server), 3306 (MySQL), and 5432 (PostgreSQL) for communication, allowing applications to interact with and retrieve information from structured data repositories.
MySQL - Basic Enumeration
MySQL command-line tool
The "mysql" command-line tool is used to access and manage MySQL databases, connecting to a server with specified credentials and options.
Connecting to a MySQL Database Server: This command is used to connect to a MySQL database server hosted at the specified <target> IP address or hostname using the specified <user> username.
mysql -h <target> -u <user>
Common MySQL Command-Line Commands:
Connect to the Database: The ; symbol terminates a command; it is not itself a command for connecting. To connect to a database, you typically use:
MySQL [(none)]> use <database>;
Count the Records in a Table: Counts the number of records in the authors table.
MySQL [books]> select count(*) from authors;
Retrieve All Records from a Table: Retrieves all records from the authors table.
MySQL [books]> select * from authors;
Attempt to Read a File: Attempts to read the contents of the /etc/shadow file. If the read succeeds, file read access has been granted to the account, which is a security weakness.
MySQL [(none)]> select load_file("/etc/shadow");
MySQL & MSSQL: Nmap Enumeration Scripts
Gather Basic Information: This command is used with Nmap to gather basic information about Microsoft SQL Server instances during network scanning.
nmap --script ms-sql-info <target>
Gather NTLM Authentication Information: This command is employed with Nmap to gather NTLM authentication information from Microsoft SQL Server instances running on port 1443.
nmap --script ms-sql-ntlm-info --script-args mssql.instance-port=1443 192.168.1.10
Perform Brute-Force Attacks: This command is used to perform brute-force attacks on Microsoft SQL Server instances using username and password lists located in the specified directory paths.
nmap --script ms-sql-brute --script-args userdb=<dir_path>,passdb=<dir_path> <target>
Detect Empty (Blank) Passwords: This command is used with Nmap to detect Microsoft SQL Server instances with empty (blank) passwords.
nmap --script ms-sql-empty-password <target>
Execute SQL Queries: This command is used with Nmap to execute a specific SQL query on a Microsoft SQL Server instance using provided credentials and save the output to output.txt.
nmap --script ms-sql-query --script-args mssql.username=<username>,mssql.password=<password>,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt <target>
Dump Password Hashes: This command is used with Nmap to attempt dumping password hashes from a Microsoft SQL Server instance using provided credentials.
nmap --script ms-sql-dump-hashes --script-args mssql.username=<username>,mssql.password=<password> <target>
Execute Commands via xp_cmdshell: This command is used with Nmap to execute the specified command (ifconfig in this case) using the xp_cmdshell extended stored procedure on a Microsoft SQL Server instance.
nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd="ifconfig" 192.168.1.10
Detect Empty (Blank) Passwords: This command is used with Nmap to detect MySQL servers with empty (blank) passwords.
nmap --script mysql-empty-password <target>
Gather Basic MySQL Server Information: This command is used with Nmap to gather the basic information a MySQL server provides, such as protocol and version details.
nmap --script mysql-info <target>
Identify MySQL Users: This command is used with Nmap to identify MySQL users on the target server, attempting to authenticate using the username root and an empty password.
nmap --script mysql-users --script-args="mysqluser='root',mysqlpass=''" <target>
Enumerate MySQL Databases: This command is used with Nmap to enumerate MySQL databases on the target server, trying to authenticate using the username root and an empty password.
nmap --script mysql-databases --script-args="mysqluser='root',mysqlpass=''" <target>
Retrieve MySQL Server Variables: This command is used with Nmap to retrieve MySQL server variables from the target, attempting to authenticate with the username root and an empty password.
nmap --script mysql-variables --script-args="mysqluser='root',mysqlpass=''" <target>
Perform a Basic MySQL Security Audit: This command is employed with Nmap to perform a basic MySQL security audit on the target server.
nmap --script mysql-audit --script-args="mysqluser='root',mysqlpass=''" <target>
Dump MySQL Password Hashes: This command is used with Nmap to attempt dumping password hashes from a MySQL server using the username root and an empty password.
nmap --script mysql-dump-hashes --script-args="mysqluser='root',mysqlpass=''" <target>
Execute a Specific SQL Query: This command is used with Nmap to execute a specific SQL query on a MySQL server, using the query "select count(*) from books.authors;" and attempting authentication with the username root and an empty password.
nmap --script mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''" <target>
Perform a MySQL Security Audit with a Specified Audit File: This command is used with Nmap to perform a MySQL security audit using a specified audit file.
nmap --script mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" <target>
MySQL & MSSQL: Metasploit Enumeration Scripts
Microsoft SQL Server Commands: In msfconsole, the command "use auxiliary/scanner/mssql/mssql_login" is used to perform login attempts on Microsoft SQL Server instances for credential testing during security assessments.
use auxiliary/scanner/mssql/mssql_login
Enumerate SQL Server Logins: In msfconsole, the command "use auxiliary/admin/mssql/mssql_enum_sql_logins" is used to enumerate SQL Server logins on a Microsoft SQL Server instance during security assessments.
use auxiliary/admin/mssql/mssql_enum_sql_logins
Execute Arbitrary SQL Commands: In msfconsole, the command "use auxiliary/admin/mssql/mssql_exec" is used to execute arbitrary SQL commands on a Microsoft SQL Server instance during security assessments.
use auxiliary/admin/mssql/mssql_exec
Enumerate Domain Accounts: In msfconsole, the command "use auxiliary/admin/mssql/mssql_enum_domain_accounts" is used to enumerate domain accounts on a Microsoft SQL Server instance during security assessments.
use auxiliary/admin/mssql/mssql_enum_domain_accounts
Scan for Writable Directories: In msfconsole, the command "use auxiliary/scanner/mysql/mysql_writable_dirs" is used to scan for MySQL databases with writable directories for security assessment.
use auxiliary/scanner/mysql/mysql_writable_dirs
Retrieve MySQL Password Hashes: In msfconsole, the command "use auxiliary/scanner/mysql/mysql_hashdump" is used to retrieve password hashes from a MySQL database for security assessment.
use auxiliary/scanner/mysql/mysql_hashdump
MySQL: Dictionary Attack
In msfconsole, the command "use auxiliary/scanner/mysql/mysql_login" is used to perform login attempts on MySQL servers for credential testing during security assessments.
use auxiliary/scanner/mysql/mysql_login
This command uses Hydra to perform a brute-force attack on a MySQL server located at the specified target. It attempts to guess the password for the "root" username using the "unix_passwords.txt" wordlist.
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <target> mysql
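What the blank-password probes and dictionary attacks above look like from the server side, as an added detection example (not part of the original page). It assumes MySQL 8.0 error-log lines written with log_error_verbosity=3; the function name detect_guessing, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed MySQL 8.0 error-log format, log_error_verbosity=3).
SAMPLE_LOG = """\
2024-05-01T09:59:00.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2024-05-01T10:00:00.000000Z 21 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.66' (using password: NO)
2024-05-01T10:00:01.000000Z 22 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.66' (using password: YES)
2024-05-01T10:00:02.000000Z 23 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.66' (using password: YES)
2024-05-01T10:00:03.000000Z 24 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.66' (using password: YES)
2024-05-01T10:00:04.000000Z 25 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.66' (using password: YES)
2024-05-01T10:02:00.000000Z 26 [Note] [MY-010926] [Server] Access denied for user 'app'@'10.0.0.20' (using password: YES)
2024-05-01T10:05:00.000000Z 27 [Note] [MY-010926] [Server] Access denied for user 'backup'@'10.0.0.30' (using password: YES)
2024-05-01T10:20:00.000000Z 28 [Note] [MY-010926] [Server] Access denied for user 'backup'@'10.0.0.30' (using password: YES)
"""

DENIED = re.compile(
    r"^(?P<ts>\S+)Z \d+ \[Note\] \[MY-010926\] \[Server\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)")

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_host: finding} for hosts that look like password guessing.

    burst       -> at least `threshold` failed logins inside `window`
    blank_probe -> at least one attempt sent with no password at all
    """
    recent = defaultdict(deque)  # host -> failure timestamps still inside the window
    findings = {}
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if not m:
            continue  # not a failed-login line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        f = findings.setdefault(
            m["host"], {"burst": False, "blank_probe": False, "users": set()})
        f["users"].add(m["user"])
        f["blank_probe"] = f["blank_probe"] or m["pw"] == "NO"
        f["burst"] = f["burst"] or len(q) >= threshold
    return {h: f for h, f in findings.items() if f["burst"] or f["blank_probe"]}
```

On the sample, only 10.0.0.66 is reported: a single mistyped password (10.0.0.20) and two failures fifteen minutes apart (10.0.0.30) stay below the threshold.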
Hacker's Mantra:
Garbage can provide important details for hackers: names, telephone numbers, a company’s internal jargon. - Kevin Mitnick