- Metasploit Bootcamp
- Nipun Jaswal
- 2021-07-09 21:00:07
Brute-forcing MSSQL passwords
Metasploit also offers brute-force modules. A successful brute-force attack exploits a low-entropy weakness, that is, a weak or guessable password; if it produces results in a reasonable amount of time, it is considered a valid finding. Hence, we will cover brute-forcing in this phase of the penetration test itself. Metasploit has a built-in module named mssql_login, which we can use as an authentication tester for brute-forcing the username and password of an MSSQL server database.
Let us load the module and analyze the results:

As soon as we ran this module, it tested for the default credentials at the very first step, that is, with the USERNAME sa and a blank PASSWORD, and found that the login was successful. Therefore, we can conclude that default credentials are still being used. Additionally, we must test more credentials in case the sa account is not immediately found. To achieve this, we will set the USER_FILE and PASS_FILE parameters to the names of the files that contain the dictionaries used to brute-force the username and the password of the DBMS:

Let us set the required parameters, namely the USER_FILE list, the PASS_FILE list, and RHOSTS, so that the module runs successfully:

Running this module against the target database server, we will have output similar to the following:

As we can see from the preceding result, we have two entries that correspond to successful logins to the database. We found the default user sa with a blank password and another user, nipun, with the password 12345.
For more information on testing databases, refer to Chapter 5 of Mastering Metasploit, First/Second Edition.
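The following detection sketch is an added example, not code from the book: it shows how the login attempts generated by a run like the one above appear on the defender's side, by scanning SQL Server error-log entries for bursts of failed logins from one client and listing any account that client also logged in to. It assumes login auditing records both failed and successful logins; the log lines, client addresses, function name and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server error-log lines (assumes login auditing
# records both failures and successes); client IPs are documentation addresses.
SAMPLE_LOG = """\
2024-01-15 21:00:01.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2024-01-15 21:00:02.20 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 21:00:02.90 Logon       Login failed for user 'nipun'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-01-15 21:00:03.40 Logon       Login failed for user 'nipun'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-01-15 21:00:03.95 Logon       Login succeeded for user 'nipun'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2024-01-15 21:05:10.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.20]
2024-01-15 21:05:20.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def detect_bruteforce(log_text, threshold=3, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside `window` and list
    every account that the same client logged in to (before or after)."""
    events = defaultdict(list)  # client -> [(timestamp, result, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["client"]].append((ts, m["result"], m["user"]))
    alerts = {}
    for client, evs in events.items():
        fails = [(t, u) for t, r, u in evs if r == "failed"]
        # Sliding window over the chronologically ordered failures.
        burst = any(fails[i + threshold - 1][0] - fails[i][0] <= window
                    for i in range(len(fails) - threshold + 1))
        if burst:
            alerts[client] = {
                "users_tried": sorted({u for _, u in fails}),
                "succeeded_as": sorted({u for _, r, u in evs if r == "succeeded"}),
            }
    return alerts

if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG).items():
        print(client, info)
```

Accounts reported under succeeded_as for an alerting client, such as sa and nipun in the sample, are the ones whose passwords need to be reset.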