Microsoft SQL Server (MSSQL) is more than just a place where applications store their data. In a Red Team engagement, an infected MSSQL server is often a critical pivot point. It runs with its own service credentials (often highly privileged), it talks to other servers via “Linked Servers,” and it has built-in features that allow for easy Remote Code Execution (RCE).
While typical admins interact with it via SQL Management Studio (SSMS) on Windows, we are going to use the surgical precision of Impacket’s mssqlclient.py.
In this guide, we will move beyond basic SELECT * queries. We will explore how to gain RCE using multiple techniques (not just the noisy xp_cmdshell), how to steal the service account’s hash without cracking a password, and how to hop from server to server across the enterprise using Linked Server abuse.
[!NOTE] Ensure you have Impacket installed:
pipx install git+https://github.com/fortra/impacket.git
Part 1: Discovery - Finding the Target
Before you can use Impacket, you need to find the database. MSSQL typically listens on TCP port 1433. However, named instances can listen on dynamic ports.
Using Nmap for Initial Discovery
| |
The SQL Browser Service (UDP 1434)
If you see UDP port 1434 open, the SQL Browser service is active. This service acts like a DNS for SQL instances; it tells clients which TCP port a named instance is listening on. This is crucial if your standard 1433 scans come up empty.
Part 2: Authentication with mssqlclient.py
Impacket’s mssqlclient.py supports the full range of authentication protocols required for modern pivoting.
1. SQL Authentication (Database Level)
This uses a user defined inside the SQL database (like the default sa account). These users exist only in SQL, not in Active Directory.
| |
2. Windows Authentication (Domain Level)
This is more common in Active Directory environments. You must use the -windows-auth flag to tell the tool to wrap the authentication in NTLM/Kerberos.
| |
3. Pass-the-Hash (PtH)
If you’ve compromised a domain user’s NTLM hash, you don’t need the plaintext password.
| |
4. Kerberos Authentication (-k)
If you have a .ccache ticket file (stolen via Rubeus or generated via ticketer.py):
| |
Part 3: Achieving Remote Code Execution (RCE)
The holy grail. We want a shell. mssqlclient.py abstracts much of the complexity for us.
Method 1: xp_cmdshell (The Classic)
xp_cmdshell spawns a command shell process (cmd.exe) as the SQL Service account. It is the most reliable but also the most monitored method.
| |
[!WARNING] Enabling
xp_cmdshellchanges a global configuration setting (sp_configure) and generates Windows Event Log 15457. SOCs look for this.
Method 2: sp_oacreate (OLE Automation)
If xp_cmdshell is blocked or monitored, you can try OLE Automation procedures. This uses the COM object wscript.shell to execute commands. It is often less monitored than xp_cmdshell but requires the same sysadmin privileges.
| |
Method 3: CLR Assemblies (The Modern Way)
If the database has the TRUSTWORTHY property set, you can load a custom .NET assembly (DLL) into the database process memory and execute it. mssqlclient.py has a dedicated command to automate this:
| |
This effectively turns the SQL Server process into your C2 agent.
Part 4: Coerced Authentication (Stealing Hashes)
Sometimes you have access to the DB, but you are a low-privilege user and cannot run commands. However, you might still have execute permissions on xp_dirtree or xp_fileexist.
You can force the SQL Server service account (which is often SYSTEM or a high-privilege Domain User) to authenticate to a machine you control via SMB.
- Set up
Responderorsmbserver.pyon your attacker machine (10.10.14.5). - Execute the coercion on the SQL Server:
| |
- Capture the Hash: Your listener will catch the NetNTLMv2 hash of the SQL Service account. You can then crack it or relay it using
ntlmrelayx.py.
Part 5: Advanced Exploitation: Linked Servers
Linked Servers are the “trust relationships” of the database world. A DBA might link ProdDB to DevDB to make copying data easier. If you compromise DevDB, you might be able to query ProdDB.
Enumeration
| |
The Hop
If ServerA is linked to ServerB, you can execute queries on B from A using OPENQUERY.
| |
If ServerB is configured with RPC Out enabled (which is common), you can even enable xp_cmdshell on ServerB from ServerA context!
| |
Impacket doesn’t automate the crawl, but manually constructing these queries allows you to pivot deeply without ever leaving your initial connection.
Part 6: File Transfer and Exfiltration
You don’t need to get RCE and use certutil to download files. mssqlclient.py has built-in helper functions to write files to the remote server using OLE/CLR methods, bypassing the need for outbound network connections from the victim.
| |
This is incredibly stealthy compared to standard curl/wget commands on the victim, as the traffic is encapsulated within the TDS (Tabular Data Stream) protocol on port 1433.
Part 7: Finding Sensitive Data
Don’t forget the actual data! You are in a database, after all.
Listing Databases
| |
Searching for “Password” Columns
| |
Extracting SQL User Hashes
If you are sysadmin, you can dump the hashes of other SQL users:
| |
Crack these with Hashcat Mode 1731 (MSSQL 2012/2014).
Conclusion
mssqlclient.py transforms SQL injection/interaction from a data-retrieval task into a full system compromise workflow. Whether you are using xp_cmdshell for a quick win, coercing hashes via xp_dirtree to escalate, or hopping through Linked Servers to reach the Domain Controller, this tool is essential.
Remember: SQL Servers are rarely patched as often as OSs, and they are frequently configured with excessive privileges “just to make it work.” Use that to your advantage.
Happy Hacking.
References
- Impacket GitHub
- HackTricks - MSSQL Pentesting
- PowerUpSQL - The PowerShell equivalent powerhouse.