impacket-mssqlclient
Interact with Microsoft SQL Server databases
SYNOPSIS
impacket-mssqlclient [options] [[domain/]username[:password]@]targetName or address
PARAMETERS
targetName or address
The IP address or hostname of the target MSSQL Server.
username[:password]
Credentials for SQL Server or Windows authentication. Password is optional if using other auth methods like -hashes or -k.
-windows-auth, -W
Forces Windows authentication (NTLM/Kerberos) instead of SQL Server authentication. Requires a domain/username.
-port port
Specifies the MSSQL port to connect to (default: 1433).
-db database
Specifies the database to connect to on the SQL Server.
-sqlquery query
Executes a single SQL query and prints the result. The query must be quoted.
-file script_file
Executes SQL commands from the specified file.
-shell
Opens an interactive SQL shell session against the target database.
-xp_cmdshell
Opens an interactive xp_cmdshell session, allowing command execution on the SQL Server host, if enabled and privileged.
-upload local_path remote_path
Uploads a file from local_path to remote_path on the server using xp_cmdshell or OLE Automation.
-download remote_path local_path
Downloads a file from remote_path on the server to local_path using xp_cmdshell or OLE Automation.
-hashes LMHASH:NTHASH
Uses NTLM hashes for authentication (pass-the-hash). LM hash can be omitted.
-aesKey key
Uses AES Kerberos key for authentication (Pass-The-Key). Only valid with -k.
-k
Uses Kerberos authentication instead of NTLM. Requires -dc-ip or -kdcHost.
-kdcHost hostname
IP Address or hostname of the Kerberos KDC. If omitted, will use DNS.
-dc-ip ip_address
IP Address of the Domain Controller for NTLM/Kerberos authentication.
-debug
Enables verbose debug output.
-outputfile file
Redirects command output to the specified file.
DESCRIPTION
impacket-mssqlclient is a command-line utility from the Impacket library for interacting with Microsoft SQL Server instances. It implements the Tabular Data Stream (TDS) protocol used by MSSQL, allowing users to connect, execute SQL queries, enumerate databases and tables, upload and download files, and gain an interactive shell via xp_cmdshell if it is enabled and permissions allow. It supports several authentication methods, including SQL Server authentication, Windows authentication (NTLM and Kerberos), and pass-the-hash. The tool is widely used in penetration testing, security assessments, and ethical hacking scenarios to explore and exploit SQL Server vulnerabilities, perform data exfiltration, or achieve privilege escalation.
CAVEATS
The functionality of features like xp_cmdshell, file upload/download, and OLE Automation procedures is highly dependent on the SQL Server configuration and the privileges of the authenticated user. xp_cmdshell is often disabled by default in modern SQL Server installations for security reasons. Use of this tool can be logged by security monitoring systems and firewalls.
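A defender-side check for the caveat above, added here as an example and not part of the original page or of Impacket: it scans SQL Server ERRORLOG lines for the entry written when sp_configure changes an option, and reports when xp_cmdshell or Ole Automation Procedures is switched on and whether it was left on. The function names are hypothetical, the log lines are constructed, and the line layout (timestamp, spid, message 15457 text) is assumed to match the server's default ERRORLOG format.

```python
import re
from typing import NamedTuple

# Server options that gate the command-execution and file-transfer features
# described above (compared case-insensitively).
RISKY_OPTIONS = {"xp_cmdshell", "ole automation procedures"}

# ERRORLOG entry for message 15457, written when sp_configure changes an option.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

class Change(NamedTuple):
    timestamp: str
    spid: str
    option: str
    old: int
    new: int

def risky_changes(lines):
    """Parse every logged change to a risky option, in log order."""
    changes = []
    for line in lines:
        m = CONFIG_CHANGE.match(line.strip())
        if m and m["option"].lower() in RISKY_OPTIONS:
            changes.append(Change(m["ts"], m["spid"], m["option"],
                                  int(m["old"]), int(m["new"])))
    return changes

def enable_events(lines):
    """Changes that switch a risky option from off to on: the events to alert on."""
    return [c for c in risky_changes(lines) if c.old == 0 and c.new == 1]

def left_enabled(lines):
    """Risky options whose last logged value is 1, i.e. never switched back off."""
    last = {}
    for c in risky_changes(lines):
        last[c.option.lower()] = c.new
    return sorted(opt for opt, value in last.items() if value == 1)

# Constructed sample ERRORLOG lines (not taken from a real server).
SAMPLE_LOG = """\
2024-05-02 09:14:07.31 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-02 09:14:07.42 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-02 09:20:51.10 spid57      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-05-02 09:31:12.08 spid61      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-02 09:32:00.00 Logon       Error: 18456, Severity: 14, State: 8.
""".splitlines()
```

An option that is enabled and disabled again within minutes, as xp_cmdshell is in the sample, is worth alerting on even though the final state looks clean.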
PRIVILEGE REQUIREMENTS
Successful interaction with MSSQL Server, especially for sensitive operations like command execution via xp_cmdshell or file transfers, requires an account with sufficient privileges on the SQL Server instance. This often means an administrator-level user (e.g., sysadmin fixed server role) or a user with specific permissions granted to execute extended stored procedures.
PROTOCOL IMPLEMENTATION
The tool directly implements the Tabular Data Stream (TDS) protocol, which is the application-layer protocol used by Microsoft SQL Server for client-server communication. This low-level implementation allows impacket-mssqlclient to offer more flexibility and advanced features compared to generic database clients, particularly in security testing contexts.
HISTORY
impacket-mssqlclient is a core component of the Impacket library, an open-source collection of Python classes initially developed by SecureAuth (now maintained by Fortra's Core Security). Impacket began development around 2005, focusing on providing programmatic access to network protocols. The mssqlclient module was specifically designed to handle the nuances of the MSSQL protocol (TDS), making it a staple in network security and penetration testing toolkits for its robust implementation of authentication mechanisms (SQL, NTLM, Kerberos) and its ability to leverage advanced SQL Server features.
SEE ALSO
sqlcmd(1), isql(1), nmap(1), impacket-smbclient(1), impacket-psexec(1)