MSSqlPwner: Open-source tool for pentesting MSSQL servers

by CybrGPT

MSSqlPwner is an open-source pentesting tool tailored to interact with and exploit MSSQL servers. Built on Impacket, it enables users to authenticate with databases using various credentials, including clear-text passwords, NTLM hashes, and Kerberos tickets.

The tool offers multiple methods for executing custom commands on targeted servers, such as leveraging custom assemblies, utilizing xp_cmdshell, or exploiting sp_oacreate (Ole Automation Procedures). Its flexibility and range of features make it a valuable resource for penetration testers assessing the security of MSSQL environments.

MSSqlPwner begins its operations with recursive enumeration, analyzing linked servers and potential impersonation paths to uncover possible command-execution chains. It also supports NTLM relay attacks by leveraging MSSQL functions such as xp_dirtree, xp_subdirs, and xp_fileexist, making it versatile in penetration testing scenarios.

A key strength of MSSqlPwner lies in its ability to facilitate lateral movement and assess linked servers. Even when the authenticated MSSQL user lacks the necessary permissions for specific operations, the tool can identify and construct a viable execution chain. For instance, if the user’s current context prohibits direct command execution, MSSqlPwner can leverage linked servers to escalate privileges and establish a connection back to the attacker’s server, enabling successful command execution.
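A defender's view of the features named above, as an added example that is not taken from the article or from the MSSqlPwner project: T-SQL queries over standard catalog views that show whether an instance exposes the command-execution options, linked-server RPC, impersonation grants and UNC-capable procedures this kind of enumeration depends on. It assumes the queries are run by a sysadmin (or a login with enough metadata visibility) on the instance under review.

```sql
-- 1. Surface-area options behind xp_cmdshell, sp_OACreate and custom assemblies.
--    value_in_use = 1 means the feature is currently enabled.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'clr enabled', N'clr strict security')
ORDER BY name;

-- 2. Linked servers: is RPC OUT allowed, and which remote login does each
--    local login map to? local_principal_id = 0 is the default mapping.
SELECT s.name AS linked_server, s.data_source,
       s.is_rpc_out_enabled, s.is_data_access_enabled,
       ISNULL(lp.name, N'<all logins>') AS local_login,
       ll.uses_self_credential, ll.remote_name AS remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 3. Server-level IMPERSONATE grants: who may EXECUTE AS LOGIN as whom.
SELECT grantee.name AS grantee, target.name AS can_impersonate, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target ON target.principal_id = p.major_id
WHERE p.class = 101 AND p.permission_name = N'IMPERSONATE'  -- 101 = SERVER_PRINCIPAL
ORDER BY grantee.name;

-- 4. Explicit EXECUTE permissions on the procedures that accept UNC paths
--    (the NTLM relay vector mentioned above). A grant to public is the finding.
SELECT o.name AS procedure_name, pr.name AS grantee, dp.state_desc
FROM master.sys.database_permissions AS dp
JOIN master.sys.all_objects AS o ON o.object_id = dp.major_id
JOIN master.sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1 AND dp.permission_name = N'EXECUTE'
  AND o.name IN (N'xp_dirtree', N'xp_subdirs', N'xp_fileexist')
ORDER BY o.name, pr.name;
```

Rows from queries 2 and 3 are worth reviewing together: a low-privileged login that maps to a privileged remote login over a link with RPC OUT enabled is the kind of chain the article describes.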

MSSqlPwner is available for free on GitHub.


© 2025 cybrgpt.com – All rights reserved.