msdat v2.4 releases: Microsoft SQL Database Attacking Tool
MSDAT
MSDAT (Microsoft SQL Database Attacking Tool) is an open-source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
Usage examples of MSDAT:
- You have a Microsoft SQL database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)
Tested on Microsoft SQL database 2008 and 2012.
Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (e.g. database version) of an MSSQL database without being authenticated
- search MSSQL accounts with a dictionary attack
- test each login as password (authentication required)
- get a Windows shell on the database server with:
  - xp_cmdshell
- download files remotely with:
  - OLE Automation
  - bulkinsert
  - openrowset
- upload files on the server with:
  - OLE Automation
  - openrowset
- capture an SMB authentication thanks to:
  - bulkinsert
  - openrowset
  - xp_dirtree
  - xp_fileexist
  - xp_getfiledetails
- steal MSSQL hashed passwords, on any MSSQL version
- scan ports through the database:
  - openrowset
- execute SQL requests on a remote MSSQL server through the database (target) with:
  - bulkinsert
  - openrowset
- list files/directories with:
  - xp_subdirs
  - xp_dirtree
- list drives/media with:
  - xp_fixeddrives
  - xp_availablemedia
- create folders with:
  - xp_create_subdir
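Almost every module above depends on a server-level option or a permission that a DBA can inspect. The following T-SQL audit is an added example, not part of MSDAT; it assumes you run it as sysadmin (or with VIEW SERVER STATE and VIEW DEFINITION in master) against SQL Server 2008 or later, and reports the option state, who holds the server roles needed for bulkinsert, and who can execute the extended procedures the SMB-capture and file-listing modules use.

```sql
USE master;

-- Surface-area options: each is the prerequisite for one family of MSDAT modules.
SELECT c.name,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(c.value_in_use AS int) = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS state,
       CASE c.name
            WHEN 'xp_cmdshell'                THEN 'OS shell module'
            WHEN 'Ole Automation Procedures'  THEN 'OLE Automation download/upload'
            WHEN 'Ad Hoc Distributed Queries' THEN 'openrowset download/upload/port scan/SMB capture'
       END AS used_by_module
FROM sys.configurations AS c
WHERE c.name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');

-- Server roles that allow BULK INSERT (bulkinsert download and SMB capture) or everything.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'bulkadmin')
ORDER BY r.name, m.name;

-- Explicit grants on the extended procedures used for SMB capture and file/drive listing.
-- A GRANT to 'public' means any login can trigger an outbound SMB connection.
SELECT OBJECT_NAME(p.major_id) AS procedure_name,
       dp.name                 AS grantee,
       p.state_desc,
       p.permission_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1   -- object-level permission
  AND p.major_id IN (OBJECT_ID('sys.xp_cmdshell'),  OBJECT_ID('sys.xp_dirtree'),
                     OBJECT_ID('sys.xp_fileexist'), OBJECT_ID('sys.xp_getfiledetails'),
                     OBJECT_ID('sys.xp_subdirs'),   OBJECT_ID('sys.xp_fixeddrives'))
ORDER BY procedure_name, grantee;

-- Remediation when a prerequisite is not needed by any application (run deliberately, not as part of the audit):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
-- EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
-- REVOKE EXECUTE ON sys.xp_dirtree TO public;   -- only after confirming no application relies on it
```

Blocking outbound SMB (TCP 445) from the database host at the firewall removes the hash-capture path regardless of which procedure is used.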
Changelog v2.4
- 2 new options in the search module: --privs and --privs-full for getting the current user's roles and privileges (e.g. login and database privileges)
- 1 new option in the search module: --config for getting database configuration and information (version, databases, users, disabled users, stored procedures, etc.)
Installation
Some dependencies must be installed in order to run MSDAT.
In Ubuntu:
sudo apt-get install freetds-dev
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete
Add "use ntlmv2 = yes" to your FreeTDS configuration file (e.g. /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:
Clone the repo
git clone https://github.com/quentinhardy/msdat.git
Modules
- You can list all modules:
./msdat.py -h
- When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./msdat.py all -h
You can check whether a specific module can be used on an MSSQL server thanks to the --test-module option. This option is implemented in each msdat module.
Copyright (C) 2018 quentinhardy
Source: https://github.com/quentinhardy