LinuxCommandLibrary

nxc-mssql

Interact with MSSQL servers using nxc

TLDR

Search for valid credentials by trying out every combination in the specified lists of [u]sernames and [p]asswords

$ nxc mssql [192.168.178.2] -u [path/to/usernames.txt] -p [path/to/passwords.txt]

Execute the specified SQL [q]uery on the target server
$ nxc mssql [192.168.178.2] -u [username] -p [password] --query '[SELECT * FROM sys.databases;]'

Execute the specified shell command on the target server through MSSQL
$ nxc mssql [192.168.178.2] -u [username] -p [password] -x [whoami]

Execute the specified PowerShell command on the target server through MSSQL without retrieving output
$ nxc mssql [192.168.178.2] -u [username] -p [password] -X [whoami] --no-output

Download a remote file from the target server and store it in the specified location
$ nxc mssql [192.168.178.2] -u [username] -p [password] --get-file [C:\path\to\remote_file] [path/to/local_file]

Upload a local file to the specified location on the target server
$ nxc mssql [192.168.178.2] -u [username] -p [password] --put-file [path/to/local_file] [C:\path\to\remote_file]

SYNOPSIS

nxc mssql -u -p -d [options]

PARAMETERS


    The target MSSQL server, specified as an IP address or hostname.

-u
    The username to authenticate with on the MSSQL server.

-p
    The password to authenticate with on the MSSQL server.

-H
    NTLM hash for authentication (instead of a password).

-d
    The database to connect to.

--port
    The port to connect to on the MSSQL server. Defaults to 1433.

-q
    SQL query to execute.

--module
    Specifies a pre-defined module to use (e.g., 'query', 'xp_cmdshell', 'hashes').

--command
    Command to execute via xp_cmdshell (requires xp_cmdshell to be enabled).

--hashes
    Dump user hashes from the MSSQL server.

--query
    Execute an arbitrary SQL query.

DESCRIPTION

nxc-mssql is a module within the Network eXecution Console (nxc) framework designed for interacting with Microsoft SQL Server databases.

It enables penetration testers and system administrators to execute commands, retrieve data, and perform various tasks on MSSQL servers remotely. The tool leverages common MSSQL protocols to connect and authenticate, allowing for exploitation of misconfigurations or vulnerabilities. It facilitates post-exploitation activities such as privilege escalation, credential dumping, and lateral movement within a network, using the MSSQL server as a pivot point.

The module offers options for specifying targets, authentication credentials, and the desired actions to perform against the MSSQL server. It provides a streamlined approach to MSSQL penetration testing and management tasks, often integrated within a larger security assessment workflow. This includes executing operating system commands on the database server via SQL injection or xp_cmdshell, enumerating databases, tables and columns, extracting user credentials, and more. Its goal is rapid security assessment with MSSQL as the attack vector.

CAVEATS

Requires valid MSSQL credentials and network connectivity to the target server. Some features may require specific permissions or configurations on the MSSQL server (e.g., xp_cmdshell enabled). The tool is for pentesting purposes and proper authorization must be granted prior to use.

USAGE EXAMPLES

Example 1: Execute a query
$ nxc mssql 192.168.1.10 -u sa -p Password123 -d master -q 'SELECT @@version;'

Example 2: Dump password hashes
$ nxc mssql 192.168.1.10 -u sa -p Password123 -d master --module hashes

Example 3: Execute OS command via xp_cmdshell
$ nxc mssql 192.168.1.10 -u sa -p Password123 -d master --module xp_cmdshell --command 'whoami'

SECURITY CONSIDERATIONS

Always ensure you have proper authorization before using nxc-mssql on any system. Misuse of this tool can have severe consequences, including data breaches and system compromise.
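
On the server side, the credential search and the xp_cmdshell requirement described on this page leave entries in the SQL Server error log. The following Python is an added example, not part of nxc or this page's original content; it assumes failed-login auditing is enabled, and the sample log lines, the analyze helper and the three-username threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in SQL Server error log format (not from a real host).
SAMPLE_LOG = """\
2024-05-01 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:32.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:32.71 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.178.50]
2024-05-01 10:16:02.03 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.77]
2024-05-01 10:20:01.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:20:01.52 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Failed login entry: captures the attempted login name and the client address.
FAILED = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")
# sp_configure entry for xp_cmdshell: captures timestamp, old value, new value.
CONFIG = re.compile(
    r"^(\S+ \S+) \S+\s+Configuration option 'xp_cmdshell' changed from (\d) to (\d)"
)


def analyze(log_text, min_users=3):
    """Return (spray_sources, xp_cmdshell_enabled_times).

    spray_sources maps a client address to the sorted login names it failed
    against, kept only when at least min_users distinct names were tried
    (assumed threshold; tune it to the environment).
    """
    users_by_client = defaultdict(set)
    enabled = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            users_by_client[m.group(2)].add(m.group(1))
            continue
        m = CONFIG.search(line)
        # Only the 0 -> 1 transition (feature switched on) is of interest.
        if m and m.group(2) == "0" and m.group(3) == "1":
            enabled.append(m.group(1))
    spray = {c: sorted(u) for c, u in users_by_client.items() if len(u) >= min_users}
    return spray, enabled


if __name__ == "__main__":
    sources, enabled_at = analyze(SAMPLE_LOG)
    for client, users in sources.items():
        print(f"possible credential guessing from {client}: {users}")
    for ts in enabled_at:
        print(f"xp_cmdshell enabled at {ts}")
```

A single client failing against many distinct login names is the pattern produced by list-based credential guessing, while an xp_cmdshell change from 0 to 1 outside a change window deserves review on its own.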

HISTORY

nxc-mssql is part of the larger nxc (Network eXecution Console) project, a Python-based post-exploitation framework. Its development focused on providing a unified interface for interacting with various network services, including MSSQL. The module has evolved as MSSQL security practices have changed, incorporating new techniques for exploiting vulnerabilities and extracting information. nxc-mssql is maintained for the purpose of penetration testing and security auditing.

SEE ALSO

nxc(1), sqlmap(1)
