module

Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration

Disclosed: N/A
Created: 2018-05-30

Description

This module can be used to obtain a list of all logins from a SQL Server while
authenticated as any login. Selecting all of the logins from the master..syslogins table
is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly
enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id
parameter. This is pretty simple, because the principal IDs assigned to logins are
incremental. Once logins have been enumerated, they can be verified via sp_defaultdb error
analysis. This is important, because not all of the principal IDs resolve to SQL logins
(some resolve to roles instead). Once logins have been enumerated, they can be used in
dictionary attacks.
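
From the defender's side, the incremental ID walk described above leaves a recognizable pattern in statement-level audit data. The following is an added example, not code from the module or this page: it flags sessions that resolve a long run of consecutive IDs through SUSER_NAME/SUSER_SNAME and counts follow-up sp_defaultdb calls. The event tuple layout, the threshold, the function names and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Literal-integer lookups such as SUSER_SNAME(17) or SUSER_NAME(17).
ID_LOOKUP = re.compile(r"\bSUSER_S?NAME\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
DEFAULTDB = re.compile(r"\bsp_defaultdb\b", re.IGNORECASE)

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for i in ids:
        if i - 1 not in ids:              # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_login_enumeration(events, min_run=10):
    """events: iterable of (session_id, login, statement_text) tuples (assumed layout).
    Returns findings for sessions that looked up >= min_run consecutive IDs."""
    ids = defaultdict(set)
    verify = defaultdict(int)
    who = {}
    for sid, login, text in events:
        who[sid] = login
        for m in ID_LOOKUP.finditer(text):
            ids[sid].add(int(m.group(1)))
        if DEFAULTDB.search(text):        # verification phase named in the description
            verify[sid] += 1
    findings = {}
    for sid, seen in ids.items():
        run = longest_consecutive_run(seen)
        if run >= min_run:
            findings[sid] = {"login": who[sid], "distinct_ids": len(seen),
                             "longest_run": run, "sp_defaultdb_calls": verify[sid]}
    return findings

# Constructed sample events (not captured from a real server).
SAMPLE_EVENTS = (
    [(51, "app_svc", "SELECT SUSER_SNAME()"),        # ordinary "who am I" call
     (51, "app_svc", "SELECT SUSER_NAME(1)")]        # single lookup, below threshold
    + [(52, "lowpriv", f"SELECT SUSER_SNAME({i})") for i in range(1, 31)]
    + [(52, "lowpriv", "EXEC sp_defaultdb /* args elided */")] * 3
)

if __name__ == "__main__":
    print(find_login_enumeration(SAMPLE_EVENTS))
```

Tune `min_run` against the lookups that legitimate applications perform in your environment before alerting on it.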

Author

nullbind <scott.sutherland@netspi.com>

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use auxiliary/admin/mssql/mssql_enum_sql_logins
msf auxiliary(mssql_enum_sql_logins) > show actions
...actions...
msf auxiliary(mssql_enum_sql_logins) > set ACTION <action-name>
msf auxiliary(mssql_enum_sql_logins) > show options
...show and set options...
msf auxiliary(mssql_enum_sql_logins) > run
