MSSqlPwner: pentesting tool designed to seamlessly interact and pwn MSSQL servers

by do son · Published · Updated

pwn MSSQL servers

MSSqlPwner

MSSqlPwner is an advanced and versatile pentesting tool designed to seamlessly interact and pwn MSSQL servers. That tool is based on impacket, which allows attackers to authenticate to databases using clear-text passwords NTLM Hashes, and Kerberos tickets. With MSSqlPwner, users can execute custom commands through various methods, including custom assembly, `xp_cmdshell`, and `sp_oacreate(Ole Automation Procedures)` and much more.

The tool starts with recursive enumeration on linked servers and possible impersonations in order to gather all the possible chains for command execution.

Also, the MSSqlPwner tool can be used for NTLM relay capabilities, utilizing functions such as xp_dirtree, xp_subdirs, and xp_fileexist.

This tool can be used for lateral movement assessments and exploration of linked servers.

If the authenticated MSSQL user does not have permission to execute certain operations, the tool can find the right chain that will allow command execution. For example, if your user can’t execute commands in the current context, the tool will build a chain that will use a link server and connect back to our server with escalated privileges.

Functionalities:

  1. Utilities:
  • interactive: allow to use the tool interactively with live execution.
  • enumerate: enumerate the linked servers and the chains.
  • “ get the list of the chains:
    • Optional arguments:
      • “ – Get filtered results with specific hostname.
  • get-link-server-list get the list of the linked servers.
  • set-chain Set chain ID (For interactive-mode only!)
    • Required arguments:
      • CHAIN – The chain ID to set.
  • set-link-server Set link server (For interactive-mode only!)
    • Required arguments:
      • LINK – The link server to set.
  • get-rev2self-queries retrieve queries to revert to SELF (For interactive-mode only!).
  • get-adsi-provider-list retrieve ADSI provider list.
  • rev2self revert to SELF (For interactive-mode only!).
  1. Command Execution: Execute commands using the following functions:
  • exec Execute commands using exec on local server or on linked servers
    • Required arguments:
      • COMMAND – The command to execute.
    • Optional arguments:
      • -command_execution_method – The command execution method to use.
        • Supported methods:
          • xp_cmdshell – Execute commands using xp_cmdshell procedure (Default).
          • sp_oacreate – Execute commands using Ole Automation Procedure procedure (Should be used like “cmd /c something”).
  1. Password Retrieval:
  • retrieve-password Password retrieval from ADSI providers.
    • Optional arguments:
      • -listen-port – The port to listen on (Default: 1389).
      • -adsi-provider – ADSI Provider to use (if not defined, it will choose automatically).
      • -arch – The architecture to use (if not defined, it will choose automatically).
        • Supported architectures:
          • x86 – Use x86 architecture.
          • x64 – Use x64 architecture.
  1. NTLM Hash Stealing and Relay: Issue NTLM relay or steal NTLM hashes using the following functions:
  • ntlm-relay – Force NTLM relay to a server.
    • Required arguments:
      • SMB_SERVER – The SMB server to relay to.
    • Optional arguments:
      • -relay-method – The relay method to use.
        • Supported methods:
          • xp_dirtree – Use xp_dirtree procedure (Default).
          • xp_subdirs – Use xp_subdirs procedure.
          • xp_fileexist – Use xp_fileexist procedure (In some situations this module should be executed from privileged chain).
  1. Procedure execution using custom assembly:
  • custom-asm – Execute procedures using custom assembly
    • Required arguments:
      • COMMAND – The command/path or query to use.
    • Optional arguments:
      • -procedure-name – The procedure name to use (Default: execute_command).
        • Supported procedures:
        • execute_command – Execute commands using custom assembly (Default).
        • run_query – Execute queries using custom assembly.
        • run_query_system_service – Execute queries using custom assembly as system user (Like SqlSVC).
  • inject-custom-asm Inject code using custom assembly.
    • Required arguments:
      • file_location – The file location to inject.
    • Optional arguments:
    • -procedure-name – The procedure name to use (Default: Inject).
  1. Direct Queries
  • direct-query Execute direct queries
  • Required arguments:
    • QUERY – The query to execute.
  • Optional arguments:
  • -query-method – The query method to use.
    • Supported methods:
      • OpenQuery – Use OpenQuery procedure (Default).
      • exec_at – Use exec AT procedure.
  1. Bruteforce
  • brute Launch bruteforce (Can receives tickets, hashes and passwords)
  • Required arguments:
    • TARGETS_FILE – a file contains hosts and ips to brute.
    • -ul – a file contains users to brute.
  • Optional arguments:
    • -pl – a file contains passwords to brute.
    • -tl – a file contains tickets to brute.
    • -hl – a file contains hashes to brute.
  • Notes:
  • If you want to use tickets, you should use Service Principal Name (SPN) format (Like MSSQLSvc/hostname.domain.com:1433).
  • If you use tickets, you not required to set passwords or hashes.
  • If you DONT use tickets, you should provide at least password file or hash file.

General optional arguments (Should be BEFORE the chosen function):

  • -link-name – The link server name to use
  • -chain-id – The chain ID to use
  • -max-link-depth – The maximum link depth to use (Default: 10)
  • -max-impersonation-depth – The maximum impersonation depth to use (Default: 10)
  • -auto-yes – Automatically answer yes to all questions (Default: False)
  • -timeout – The timeout to use (Default: 30)

Lateral Movement and Chain Exploration:

MSSqlPwner provides opportunities for lateral movement assessments and exploration of linked servers. In scenarios where the current session lacks administrative privileges, the tool attempts to find a chain that escalates its own privileges via linked servers. If a session on a linked server has higher privileges, the tool can interact with the linked server and perform a linked query back to the host with elevated privileges, enabling lateral movement with the target server.

Authentication Methods:

Supported by multiple authentication methods, including:

  • Windows credentials
  • MSSQL credentials
  • Kerberos authentication
  • Kerberos tickets
  • NTLM Hashes

The tool adapts to various scenarios and environments, verifying the effectiveness of authentication mechanisms.

Take your MSSQL environment assessments to the next level with the power and versatility of MSSqlPwner. Discover new possibilities for lateral movement, stealthy querying, and precise security evaluations with this MSSqlPwner tool.

Install & Use

Tags: pwn MSSQL servers