Category: Database Assessment. Tags: mssql, pentesting, impacket, xp_cmdshell, kerberos, ntlm, linked-servers

MSSqlPwner

MSSqlPwner is an advanced pentesting tool for interacting with and compromising MSSQL servers. It supports authentication via clear-text passwords, NTLM hashes, and Kerberos tickets, enabling execution of custom commands through methods like custom assembly, xp_cmdshell, and sp_oacreate.

Description

MSSqlPwner is designed to seamlessly interact with and pwn MSSQL servers, providing pentesters with versatile capabilities for database assessment and exploitation. It leverages impacket for authentication using clear-text passwords, NTLM hashes, and Kerberos tickets, allowing attackers to gain access to databases in various environments.

Use cases include executing custom commands via xp_cmdshell, Ole Automation Procedures (sp_oacreate), custom assembly injection, and more. The tool supports modules for enumeration, linked server manipulation, NTLM relay, direct queries, password retrieval, and interactive sessions, making it suitable for advanced post-authentication exploitation scenarios.

It is particularly useful in Windows domain environments where MSSQL servers are linked or chained, enabling recursive depth in impersonation and link traversal for broader network compromise.

How It Works

MSSqlPwner uses a TDS client implementation (with SSL support) based on impacket to connect to MSSQL servers, on port 1433 by default. It authenticates with clear-text credentials, NTLM hashes (-hashes LMHASH:NTHASH), Kerberos (-k, -aesKey), or Windows authentication (-windows-auth). Once connected, it runs modules such as enumerate for server discovery, exec for command execution via xp_cmdshell or sp_oacreate, custom-asm and inject-custom-asm for assembly-based payloads, ntlm-relay for relay attacks, and linked-server operations (get-link-server-list, set-link-server), with configurable max-link-depth and max-impersonation-depth for chaining across servers.
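As an added example (not part of the Kali page or the MSSqlPwner project), the following Python models the linked-server chaining that -max-link-depth bounds and lists which server options behind the tool's exec methods are switched on; it uses constructed sample rows in place of real sys.servers and sys.configurations output, so a defender can see which servers a single foothold reaches and which links or options to restrict:

```python
"""Added example (not MSSqlPwner code): model the linked-server chaining that
-max-link-depth bounds, over a constructed link map, so a defender can see
which servers a foothold reaches and which links to remove or restrict."""
from collections import deque

# Constructed sample rows, as sys.servers would return them per host:
# host -> [(linked server name, is_rpc_out_enabled)]. "RPC out" is the
# setting that lets a caller run stored procedures on the remote end of a link.
LINK_MAP = {
    "SQL01": [("SQL02", True), ("SQL03", False)],
    "SQL02": [("SQL04", True), ("SQL01", True)],
    "SQL03": [],
    "SQL04": [("DC-SQL", True)],
    "DC-SQL": [],
}

# T-SQL to collect such rows on each server (assumes rights to read sys.servers).
LINK_QUERY = "SELECT name, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1"

# Server-level options behind the execution methods the page names
# (sys.configurations option names; CONFIG_ROWS is a constructed sample).
EXEC_SURFACES = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}
CONFIG_ROWS = [("xp_cmdshell", 1), ("Ole Automation Procedures", 0),
               ("clr enabled", 1), ("remote access", 1)]

def enabled_exec_surfaces(config_rows):
    """Return the command-execution options whose value_in_use is 1."""
    return sorted(name for name, value_in_use in config_rows
                  if name in EXEC_SURFACES and value_in_use == 1)

def reachable(start, link_map, max_depth, rpc_only=False):
    """Breadth-first walk of links from `start`, at most `max_depth` hops.
    Returns {server: (hops, path)}; with rpc_only=True only links that allow
    remote procedure execution are followed (the ones that matter for exec)."""
    found = {start: (0, [start])}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        hops, path = found[cur]
        if hops >= max_depth:
            continue
        for link, rpc_out in link_map.get(cur, []):
            if (rpc_only and not rpc_out) or link in found:
                continue
            found[link] = (hops + 1, path + [link])
            queue.append(link)
    return found
```

Raising max_depth from 2 to 3 in the sample is what brings DC-SQL into reach, which is the kind of link a defender would drop RPC out on first.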

Installation

```bash
sudo apt install mssqlpwner
```

Flags

-port PORT: target MSSQL port (default 1433)
-timeout TIMEOUT: timeout in seconds (default 30)
-db DB: MSSQL database instance (default None)
-windows-auth: whether or not to use Windows Authentication (default False)
-no-state: whether or not to load existing state
-debug: turn DEBUG output on
-hashes LMHASH:NTHASH: NTLM hashes, format is LMHASH:NTHASH
-no-pass: don't ask for password (useful for -k)
-k: use Kerberos authentication. Grabs credentials from the ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it uses the ones specified on the command line
-aesKey hex key: AES key to use for Kerberos authentication (128 or 256 bits)
-dc-ip ip address: IP address of the domain controller
-link-name LINK_NAME: linked server on which to launch queries
-max-link-depth MAX_LINK_DEPTH: maximum depth of linked servers to traverse recursively
-max-impersonation-depth MAX_IMPERSONATION_DEPTH: maximum impersonation depth within each link
-chain-id CHAIN_ID: chain ID to use
-auto-yes: automatically answer yes to all questions

Examples

Show the help message and usage information:
    mssqlpwner -h

Enumerate an MSSQL server:
    mssqlpwner target enumerate

Get the linked server list from the MSSQL server:
    mssqlpwner target get-link-server-list

Execute commands, for example via xp_cmdshell or sp_oacreate:
    mssqlpwner target exec

Execute a custom assembly on the target MSSQL server:
    mssqlpwner target custom-asm

Perform an NTLM relay attack via the MSSQL server:
    mssqlpwner target ntlm-relay

Enter interactive mode for ongoing MSSQL interaction:
    mssqlpwner target interactive

Authenticate to the target using NTLM hashes and run the default module:
    mssqlpwner target -hashes LMHASH:NTHASH@target
Updated 2026-04-16. Source: kali.org