
nxc-mssql

Test Microsoft SQL Server credentials and execute queries via NetExec

TLDR

Test MSSQL credentials against a target
$ nxc mssql [192.168.1.100] -u [user] -p [password]
Authenticate using local authentication instead of Windows auth
$ nxc mssql [target] -u [sa] -p [password] --local-auth
Execute a SQL query
$ nxc mssql [target] -u [sa] -p [password] -q "[SELECT @@version]"
Execute an OS command via xp_cmdshell
$ nxc mssql [target] -u [sa] -p [password] -x "[whoami]"
Check for privilege escalation paths
$ nxc mssql [target] -u [user] -p [password] -M mssql_priv
Attempt privilege escalation to sysadmin
$ nxc mssql [target] -u [user] -p [password] -M mssql_priv -o ACTION=privesc

SYNOPSIS

nxc mssql target [-u user] [-p pass] [options]

DESCRIPTION

nxc mssql is the Microsoft SQL Server protocol module of NetExec (formerly CrackMapExec). It tests credentials, executes SQL queries, runs OS commands, and supports privilege escalation against MSSQL targets. The tool supports Windows (NTLM/Kerberos) and local SQL Server authentication. It can spray credentials across multiple targets, execute queries, and use modules like mssql_priv to check for and exploit privilege escalation paths.

PARAMETERS

-u user
Username for authentication.
-p pass
Password for authentication.
-q query
Execute a SQL query on the target.
-x cmd
Execute an OS command via xp_cmdshell.
--local-auth
Use local authentication instead of Windows domain authentication.
--port port
MSSQL port (default: 1433).
-M module
Run a specific module (e.g., mssql_priv).
-o KEY=VALUE
Module options (e.g., ACTION=privesc).
--put-file src dst
Upload a file to the target system.
--get-file src dst
Download a file from the target system.

CAVEATS

For authorized security assessments only. Requires proper authorization before use. OS command execution requires xp_cmdshell to be enabled on the target.
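
On the server side, the credential testing and xp_cmdshell use described on this page leave traces in the SQL Server ERRORLOG. The following is an added example, not part of NetExec or the original page: it flags a client that fails logins against several distinct accounts and any change of xp_cmdshell from 0 to 1. It assumes failed-login auditing is written to the ERRORLOG; the log lines are constructed and the min_users threshold is a hypothetical default.

```python
import re
from collections import defaultdict

# Constructed sample lines in SQL Server ERRORLOG format (not real data).
SAMPLE_LOG = """\
2024-05-01 10:15:31.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.50]
2024-05-01 10:15:31.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.50]
2024-05-01 10:15:31.77 Logon       Login failed for user 'svc_sql'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.50]
2024-05-01 10:15:40.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.77]
2024-05-01 10:16:02.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:16:02.31 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:20:00.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Failed login: capture the attempted login name and the client address.
FAILED = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")
# xp_cmdshell setting change: capture timestamp, session, old and new value.
CONFIG = re.compile(
    r"^(\S+ \S+) (\S+)\s+Configuration option 'xp_cmdshell' changed from (\d) to (\d)"
)


def analyze(log_text, min_users=3):
    """Return (spray_sources, xp_cmdshell_enables) found in ERRORLOG text."""
    users_by_client = defaultdict(set)
    enables = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            users_by_client[m.group(2)].add(m.group(1).lower())
            continue
        m = CONFIG.match(line)
        if m and m.group(3) == "0" and m.group(4) == "1":
            enables.append((m.group(1), m.group(2)))  # (timestamp, session)
    # One client failing against many distinct logins suggests spraying.
    sprays = {c: sorted(u) for c, u in users_by_client.items() if len(u) >= min_users}
    return sprays, enables


if __name__ == "__main__":
    sprays, enables = analyze(SAMPLE_LOG)
    for client, users in sprays.items():
        print(f"possible credential spray from {client}: {users}")
    for ts, spid in enables:
        print(f"xp_cmdshell enabled at {ts} by session {spid}")
```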

SEE ALSO

nxc(1), sqlcmd(1)

Kai