
impacket-mssqlclient

Interact with Microsoft SQL Server databases

TLDR

View documentation for the original command

$ tldr mssqlclient.py

SYNOPSIS

impacket-mssqlclient [options] [domain/]username[:password]@host[:port][/database]

PARAMETERS

-h, --help
    Show this help message and exit

-debug
    Turn DEBUG output ON

-windows-auth
    Use Windows authentication instead of username/password

-hashes LMHASH:NTHASH
    NTLM hashes in LMHASH:NTHASH format

-no-pass
    Don't ask for password (useful with -k)

-k
    Use Kerberos auth from ccache or command-line creds

-aesKey AESKEY [AESKEY ...]
    Hex AES key for Kerberos authentication

-dc-ip DC_IP
    Domain controller IP (requires domain admin creds)

-target-ip TARGET_IP
    Target IP address, for use when the hostname cannot be resolved

DESCRIPTION

Impacket-mssqlclient is a command-line tool from the Impacket collection, enabling remote connections to Microsoft SQL Server instances via the TDS protocol on TCP port 1433. It supports SQL Server authentication, Windows/NTLM, and Kerberos methods, ideal for penetration testing, security audits, and remote administration.

Once connected, it launches an interactive shell for executing Transact-SQL queries, displaying results in a tabular format. It handles authentication challenges, including pass-the-hash with NTLM hashes and Kerberos tickets from ccache. Users specify credentials in the target argument as [domain/]username[:password]@host[:port][/database].
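The target format above, as an added example (not Impacket's own parser): a Python sketch that splits a target string written in this page's synopsis format and rebuilds it with the password masked, so command lines can be copied into logs and reports without the secret. The names Target, parse_target and redact are hypothetical, and the sample values are constructed.

```python
from typing import NamedTuple, Optional

FORMAT = "[domain/]username[:password]@host[:port][/database]"

class Target(NamedTuple):
    domain: str
    username: str
    password: Optional[str]   # None means "not given on the command line"
    host: str
    port: int
    database: Optional[str]

def parse_target(target: str, default_port: int = 1433) -> Target:
    """Split a target string written in FORMAT into its fields."""
    # Split on the LAST '@' so a password that contains '@' stays in one piece.
    creds, at, endpoint = target.rpartition("@")
    if not at or not creds or not endpoint:
        raise ValueError(f"expected {FORMAT}")
    # endpoint = host[:port][/database]; IPv6 literals are out of scope here.
    hostport, _, database = endpoint.partition("/")
    host, _, port_text = hostport.partition(":")
    if not host:
        raise ValueError("missing host")
    if port_text and not port_text.isdigit():
        raise ValueError(f"port is not a number: {port_text!r}")
    port = int(port_text) if port_text else default_port
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    # creds = [domain/]username[:password]; the first ':' starts the password,
    # so ':' and '/' inside the password are preserved.
    account, colon, password = creds.partition(":")
    domain, _, username = account.rpartition("/")
    if not username:
        raise ValueError("missing username")
    return Target(domain, username, password if colon else None,
                  host, port, database or None)

def redact(target: str) -> str:
    """Rebuild the target with the password masked, for logs and reports."""
    t = parse_target(target)
    account = f"{t.domain}/{t.username}" if t.domain else t.username
    secret = ":***" if t.password is not None else ""
    db = f"/{t.database}" if t.database else ""
    return f"{account}{secret}@{t.host}:{t.port}{db}"

if __name__ == "__main__":
    # Constructed samples; the first is the one from this page's usage section.
    for sample in ("sa:mypwd@10.0.0.1:1433/master",
                   "CORP/svc:p@ss:w0rd@db01.example.test"):
        print(redact(sample), parse_target(sample))
```

A password typed inline in the target string also lands in shell history and process listings, which is why the masked form is the one to keep.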

The tool outputs query results to stdout and supports debugging for troubleshooting connections. It's Python-based, leveraging Impacket's protocol implementations for low-level network interactions without needing native SQL clients like sqlcmd. Commonly used in red teaming for database enumeration, query execution, and lateral movement in Windows environments.

Requires proper credentials or hashes; unauthorized use may violate laws. Install via Impacket suite for full functionality.

CAVEATS

Requires the Impacket library and Python 3. The firewall must allow TCP/1433. For authorized use only; misuse is illegal. Interactive mode is the primary mode; pipe queries in for non-interactive use.

INTERACTIVE USAGE

Connects to shell: impacket-mssqlclient sa:mypwd@10.0.0.1:1433/master
Type SQL queries; exit or quit to disconnect.

PASS-THE-HASH

impacket-mssqlclient -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 domain/user@target
Executes interactively with NT hash.

KERBEROS EXAMPLE

impacket-mssqlclient -k -no-pass user@target.domain.com
Uses cached Kerberos ticket.

HISTORY

Developed by SecureAuth (now Fortra) as part of Impacket since ~2011. Evolved for pentesting with NTLM/Kerberos support in updates; widely used in tools like CrackMapExec.

SEE ALSO

sqlcmd(1)
