Own an Active Directory Domain “Thanks” to MSSQL
Hacking MSSQL is one of my favorite topics in pentesting, largely because of my background as a former MSSQL DBA. A misconfigured MSSQL instance can serve as a gateway for malicious actors, potentially allowing them to compromise an entire domain in just minutes. In this blog, I’ll demonstrate how to leverage a misconfigured MSSQL instance to quickly perform lateral movement within a network.
Let’s start with an “assumed breach” scenario. This is one of the most common situations encountered in Active Directory (AD) pentesting. It is also the approach used in the updated OSCP+ exam for the AD portion. In an assumed breach scenario, we begin with valid credentials.
The very first step should be to identify existing MSSQL instances. This is relatively straightforward: we can scan the network for the default MSSQL port, 1433. DBAs sometimes move the service to a different port, but 1433 is a quick and easy starting point.
The following PowerShell script can be executed from a Windows box and helps us to discover MSSQL instances running on port 1433:
$ipRange = "10.10.10.0/24"
$port = 1433
foreach ($ip in (1..254)) {
    $address = "10.10.10.$ip"
    try {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($address, $port)…
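A complete version of the same 1433 sweep, added here as an example and not taken from the original post: it wraps the connect in a per-host timeout so dead addresses do not stall the loop, and returns the responding hosts as a list. The 10.10.10.0/24 range and port 1433 are the post's values; the function name `Find-MssqlListener` and the `$TimeoutMs` parameter are my own.

```powershell
# Added example (not from the original post): sweep a /24 for hosts that
# accept TCP connections on the default MSSQL port, with a per-host timeout.
# Assumptions: 10.10.10.x and port 1433 come from the post; the function
# name and the $TimeoutMs parameter are mine.
function Find-MssqlListener {
    param(
        [string]$Subnet    = "10.10.10",  # first three octets of the /24
        [int]$Port         = 1433,        # default MSSQL port (see note below)
        [int]$TimeoutMs    = 300          # per-host connect timeout
    )
    $found = @()
    foreach ($i in 1..254) {
        $address = "$Subnet.$i"
        $client  = New-Object System.Net.Sockets.TcpClient
        try {
            # ConnectAsync lets us bound the wait; a synchronous Connect()
            # to a silent host can block for the full OS connect timeout.
            $task = $client.ConnectAsync($address, $Port)
            # Task.Wait(ms) returns $false on timeout instead of blocking.
            if ($task.Wait($TimeoutMs) -and $client.Connected) {
                Write-Host "[+] $address is listening on TCP $Port"
                $found += $address
            }
        } catch {
            # Connection refused or other socket error: nothing on $Port here.
        } finally {
            $client.Dispose()
        }
    }
    # Note: named instances often listen on a dynamic port advertised by the
    # SQL Browser service (UDP 1434), so an empty result on 1433 does not
    # prove the subnet has no MSSQL instances.
    return $found
}

Find-MssqlListener -Subnet "10.10.10" -Port 1433 -TimeoutMs 300
```

Pass a different `-Port` to repeat the sweep against a non-default port once you know one is in use.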