impacket-mssqlclient

View documentation for the original command

$ tldr mssqlclient.py

impacket-mssqlclient [options] [[domain/]username[:password]@]targetName or address

targetName or address
    The IP address or hostname of the target MSSQL Server.

username[:password]
    Credentials for SQL Server or Windows authentication. Password is optional if using other auth methods like -hashes or -k.

-windows-auth, -W
    Forces Windows authentication (NTLM/Kerberos) instead of SQL Server authentication. Requires a domain/username.

-port port
    Specifies the MSSQL port to connect to (default: 1433).

-db database
    Specifies the database to connect to on the SQL Server.

-sqlquery query
    Executes a single SQL query and prints the result. The query must be quoted.

-file script_file
    Executes SQL commands from the specified file.

-shell
    Opens an interactive SQL shell session against the target database.

-xp_cmdshell
    Opens an interactive xp_cmdshell session, allowing command execution on the SQL Server host, if enabled and privileged.

-upload local_path remote_path
    Uploads a file from local_path to remote_path on the server using xp_cmdshell or OLE Automation.

-download remote_path local_path
    Downloads a file from remote_path on the server to local_path using xp_cmdshell or OLE Automation.

-hashes LMHASH:NTHASH
    Uses NTLM hashes for authentication (pass-the-hash). LM hash can be omitted.

-aesKey key
    Uses AES Kerberos key for authentication (Pass-The-Key). Only valid with -k.

-k
    Use Kerberos authentication instead of NTLM. Requires -dc-ip or -kdcHost.

-kdcHost hostname
    IP Address or hostname of the Kerberos KDC. If omitted, will use DNS.

-dc-ip ip_address
    IP Address of the Domain Controller for NTLM/Kerberos authentication.

-debug
    Enables verbose debug output.

-outputfile file
    Redirects command output to the specified file.

impacket-mssqlclient is a powerful command-line utility from the Impacket library, designed for interacting with Microsoft SQL Server instances. It implements the MSSQL (Tabular Data Stream - TDS) protocol, allowing users to connect, execute SQL queries, enumerate databases and tables, upload/download files, and even gain an interactive shell via xp_cmdshell if enabled and permissions allow. It supports various authentication methods, including SQL Server authentication, Windows authentication (NTLM and Kerberos), and pass-the-hash techniques. This tool is widely used in penetration testing, security assessments, and ethical hacking scenarios to explore and exploit SQL Server vulnerabilities, perform data exfiltration, or achieve privilege escalation.

The functionality of features like xp_cmdshell, file upload/download, and OLE Automation procedures is highly dependent on the SQL Server configuration and the privileges of the authenticated user. xp_cmdshell is often disabled by default in modern SQL Server installations for security reasons. Use of this tool can be logged by security monitoring systems and firewalls.

Successful interaction with MSSQL Server, especially for sensitive operations like command execution via xp_cmdshell or file transfers, requires an account with sufficient privileges on the SQL Server instance. This often means an administrator-level user (e.g., sysadmin fixed server role) or a user with specific permissions granted to execute extended stored procedures.

The tool directly implements the Tabular Data Stream (TDS) protocol, which is the application-layer protocol used by Microsoft SQL Server for client-server communication. This low-level implementation allows impacket-mssqlclient to offer more flexibility and advanced features compared to generic database clients, particularly in security testing contexts.

impacket-mssqlclient is a core component of the Impacket library, an open-source collection of Python classes initially developed by SecureAuth (now maintained by Fortra's Core Security). Impacket began development around 2005, focusing on providing programmatic access to network protocols. The mssqlclient module was specifically designed to handle the nuances of the MSSQL protocol (TDS), making it a staple in network security and penetration testing toolkits for its robust implementation of authentication mechanisms (SQL, NTLM, Kerberos) and its ability to leverage advanced SQL Server features.

sqlcmd(1), isql(1), nmap(1), impacket-smbclient(1), impacket-psexec(1)