LinuxCommandLibrary

nxc-mssql

Interact with MSSQL servers using nxc

TLDR

Search for valid credentials by trying out every combination in the specified lists of usernames and passwords
$ nxc mssql [192.168.178.2] [[-u|--username]] [path/to/usernames.txt] [[-p|--password]] [path/to/passwords.txt]

Execute the specified SQL query on the target server
$ nxc mssql [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] [[-q|--query]] '[SELECT * FROM sys.databases;]'

Execute the specified shell command on the target server through MSSQL
$ nxc mssql [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -x [whoami]

Execute the specified PowerShell command on the target server through MSSQL without retrieving output
$ nxc mssql [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] -X [whoami] --no-output

Download a remote file from the target server and store it in the specified location
$ nxc mssql [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --get-file [C:\path\to\remote_file] [path/to/local_file]

Upload a local file to the specified location on the target server
$ nxc mssql [192.168.178.2] [[-u|--username]] [username] [[-p|--password]] [password] --put-file [path/to/local_file] [C:\path\to\remote_file]

SYNOPSIS

nxc mssql target(s) [options]
nxc mssql -L target_list_file [options]
nxc mssql 192.168.1.0/24 -u user -p password --enumerate-sql

PARAMETERS

target(s)
    IP addresses, hostnames, CIDR ranges, or a file containing targets.

-L, --list
    File containing a list of targets.

-u, --username
    Username(s) or a file containing usernames.

-p, --password
    Password(s) or a file containing passwords.

-H, --hashes
    NTLM hashes (e.g., LM:NT or :NT).

--pass-the-hash
    Shorthand for using `-H` with current user context.

--port PORT
    Specify a custom SQL Server port (default 1433).

--local-auth
    Authenticate using local accounts instead of domain accounts.

--enumerate-sql
    Enumerate various SQL Server details including users, databases, and version.

--xpcmdshell
    Attempts to enable and use xp_cmdshell for command execution.

--enable-xp_cmdshell
    Enables xp_cmdshell on the target server.

--disable-xp_cmdshell
    Disables xp_cmdshell on the target server.

--mssql-query QUERY
    Executes an arbitrary SQL query on the target.

--query-exec COMMAND
    Executes a command via xp_cmdshell or sp_oacreate.

--get-info
    Retrieves SQL Server instance information.

--get-users
    Enumerates SQL database users.

--get-databases
    Enumerates SQL databases.

--get-links
    Enumerates linked servers.

DESCRIPTION

nxc-mssql is the MSSQL protocol module of the NetExec (formerly CrackMapExec) framework, built for auditing and exploiting Microsoft SQL Server instances. It helps penetration testers and security auditors discover and use weaknesses in those instances. The module covers the usual reconnaissance and post-exploitation tasks: credential testing against SQL logins, enumeration of databases, users and linked servers, and remote command execution on SQL Server hosts where the configuration permits it. It supports cleartext username/password, NTLM hashes for pass-the-hash scenarios, and integrated Windows authentication. Security professionals use it to find common misconfigurations, weak credentials, and command execution paths such as xp_cmdshell or sp_oacreate that allow deeper access into a target environment, which makes it a standard tool for assessing the security posture of SQL Server deployments.

CAVEATS

nxc-mssql is a penetration testing tool and should only be used on systems you have explicit permission to test. Unauthorized use is illegal and unethical.
Using this tool can generate significant network traffic and leave forensic artifacts, potentially triggering security alerts or defensive measures.
Certain actions, like enabling xp_cmdshell, modify the target system's configuration.
Effectiveness depends on proper network connectivity, target configuration, and available credentials.

AUTHENTICATION METHODS

The module supports cleartext username/password, NTLM hash-based authentication (pass-the-hash) and, where applicable, integrated Windows authentication, so testers can use whichever type of compromised credential an engagement has produced.

PRIVILEGE ESCALATION & COMMAND EXECUTION

A key feature is the ability to enable and use xp_cmdshell or sp_oacreate to execute arbitrary operating system commands on the SQL Server host, which matters for gaining a foothold on, or escalating privileges on, the underlying Windows machine. Both procedures are disabled by default, and enabling them through sp_configure requires sysadmin-level rights on the instance, so their successful use indicates that the SQL login involved was already highly privileged.
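From the defender's side, the credential testing shown in the TLDR and the xp_cmdshell / sp_oacreate enabling described here both leave lines in the SQL Server error log. The script below is an added example, not NetExec code and not from the original page: it scans error-log lines for a burst of failed logins from one client address and for sp_configure changes that switch on xp_cmdshell or Ole Automation Procedures. The line formats follow SQL Server's error 18456 and sp_configure messages; the sample timestamps, spids, login names and addresses are constructed.

```python
"""Flag SQL Server error-log artifacts left by the activity described above.

Added example, not part of NetExec or this page. It reads ERRORLOG-style lines
and reports (1) a burst of failed logins from one client address, the footprint
of credential testing, and (2) sp_configure changes that switch on xp_cmdshell
or Ole Automation Procedures, the prerequisite for -x / -X command execution.
"""
import re
from collections import Counter

# Error 18456 as written to the SQL Server error log (CLIENT: <address>).
FAILED_LOGIN = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]")
# Message written when sp_configure changes one of these two options.
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<option>xp_cmdshell|Ole Automation Procedures)'"
    r" changed from (?P<old>\d) to (?P<new>\d)")


def find_login_bursts(lines, threshold=5):
    """Return {client_ip: failures} for clients at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_dangerous_enables(lines):
    """Return options switched on (0 -> 1), in log order; disables are ignored."""
    enabled = []
    for line in lines:
        m = CONFIG_CHANGE.search(line)
        if m and (m.group("old"), m.group("new")) == ("0", "1"):
            enabled.append(m.group("option"))
    return enabled


# Constructed sample excerpt; timestamps, spids, names and addresses are made up.
_FAIL = ("2024-05-01 10:00:0{n}.00 Logon  Login failed for user '{u}'. Reason: "
         "Password did not match that for the login provided. [CLIENT: {ip}]")
SAMPLE_LOG = [_FAIL.format(n=i, u="sa", ip="192.168.178.50") for i in range(5)] + [
    _FAIL.format(n=6, u="backup", ip="192.168.178.51"),
    "2024-05-01 10:02:10.03 spid55  Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-01 10:02:10.09 spid55  Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-01 10:05:42.11 spid55  Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-01 10:09:00.27 spid55  Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]
```

Run `find_login_bursts(SAMPLE_LOG)` and `find_dangerous_enables(SAMPLE_LOG)` against real error-log lines by replacing the constructed list with the file's contents.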

HISTORY

NetExec (nxc) is the successor to CrackMapExec (CME), a popular open-source post-exploitation tool. It was rebranded and rewritten to improve performance, maintainability, and expand its capabilities. The mssql module has been a core component, evolving with new features and exploitation techniques for Microsoft SQL Server, reflecting common vulnerabilities and attack paths identified in enterprise environments. Its development continues to be community-driven, adapting to new Windows and SQL Server versions.

SEE ALSO

nxc smb(1), nxc winrm(1), impacket-mssqlclient(1), sqlcmd(1)
