SQLRecon: C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation
SQLRecon
Description
A C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation.
Mandatory Arguments
The mandatory arguments consist of an authentication type (either Windows, Local or Azure), connection parameters and a module.
- -a – Authentication Type
- -a Windows – Use Windows authentication. This uses the current user's token.
- -a Local – Use local authentication. This requires the credentials for a local database user.
- -a Azure – Use Azure AD domain username and password authentication. This requires the credentials for a domain user.
If the authentication type is Windows, then you will need to supply the following parameters.
- -s SERVERNAME – SQL server hostname
- -d DATABASE – SQL server database name
- -m MODULE – The module you want to use
If the authentication type is Local, then you will need to supply the following parameters.
- -d DATABASE – SQL server database name
- -u USERNAME – Username of local SQL user
- -p PASSWORD – Password of local SQL user
- -m MODULE – The module you want to use
If the authentication type is Azure, then you will need to supply the following parameters.
- -d DATABASE – SQL server database name
- -r DOMAIN.COM – FQDN of Domain
- -u USERNAME – Username of domain user
- -p PASSWORD – Password of domain user
- -m MODULE – The module you want to use
Standard Modules
Standard modules interact with a single MS SQL server.
- query -o QUERY – Execute an arbitrary SQL query
- whoami – See what user you are logged in as
- mapped – See what user you are mapped to
- roles – Enumerate if the user has public and/or sysadmin roles mapped
- databases – Show all databases present on the SQL server
- tables – Show all tables in the database you are connected to
- search -o KEYWORD – Search column names within tables of the database you are connected to
- smb -o SHARE – Capture NetNTLMv2 hash
- enablexp – Enable xp_cmdshell (requires sysadmin role or similar)
- disablexp – Disable xp_cmdshell (requires sysadmin role or similar)
- xpcmd -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
- enableole – Enable OLE Automation Procedures (requires sysadmin role or similar)
- disableole – Disable OLE Automation Procedures (requires sysadmin role or similar)
- olecmd -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
- enableclr – Enable Custom CLR Assemblies (requires sysadmin role or similar)
- disableclr – Disable Custom CLR Assemblies (requires sysadmin role or similar)
- impersonate – Enumerate any user accounts that can be impersonated
- links – Enumerate any linked SQL servers
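The enablexp, enableole and enableclr modules above flip server configuration options, and SQL Server records each such change in its errorlog. As an added example, not part of SQLRecon, here is a Python parser that picks those enablements out of errorlog lines and groups them by session; the sample lines are constructed to follow the errorlog message format and are not a real capture.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the SQL Server errorlog format (not a real capture).
SAMPLE_ERRORLOG = """\
2024-03-01 10:15:02.11 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:15:02.12 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:15:02.13 spid57      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:16:10.02 spid58      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 10:20:00.00 spid57      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-03-01 10:21:00.00 spid12      Log was backed up. Database: master.
"""

# Options toggled by the enablexp / enableole / enableclr modules.
WATCHED_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}

CONFIG_CHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

@dataclass(frozen=True)
class ConfigChange:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int

def parse_config_changes(log_text: str) -> list[ConfigChange]:
    """Extract every 'Configuration option ... changed' record from errorlog text."""
    changes = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE_RE.match(line)
        if m:
            changes.append(ConfigChange(m["ts"], m["spid"], m["option"], int(m["old"]), int(m["new"])))
    return changes

def flag_enablements(changes: list[ConfigChange]) -> list[ConfigChange]:
    """Keep 0 -> 1 transitions of watched options; the 1 -> 0 (disable) direction is not alerted."""
    return [c for c in changes if c.option in WATCHED_OPTIONS and c.old == 0 and c.new == 1]

def enablements_by_session(changes: list[ConfigChange]) -> dict[str, list[str]]:
    """Group flagged enablements by spid so several options flipped in one session stand out."""
    by_spid: dict[str, list[str]] = {}
    for c in flag_enablements(changes):
        by_spid.setdefault(c.spid, []).append(c.option)
    return by_spid
```

Calling `enablements_by_session(parse_config_changes(SAMPLE_ERRORLOG))` on the sample returns one entry per session, with spid57 showing both xp_cmdshell and Ole Automation Procedures being enabled back to back.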
Impersonation Modules
Impersonation modules interact with a single MS SQL server under the context of an impersonated SQL user.
- iquery -i IMPERSONATEUSER -o QUERY – Execute an arbitrary SQL query as an impersonated user
- ienablexp -i IMPERSONATEUSER – Enable xp_cmdshell (requires sysadmin role or similar)
- idisablexp -i IMPERSONATEUSER – Disable xp_cmdshell (requires sysadmin role or similar)
- ixpcmd -i IMPERSONATEUSER -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
- ienableole -i IMPERSONATEUSER – Enable OLE Automation Procedures (requires sysadmin role or similar)
- idisableole -i IMPERSONATEUSER – Disable OLE Automation Procedures (requires sysadmin role or similar)
- iolecmd -i IMPERSONATEUSER -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
Linked SQL Server Modules
Linked SQL Server modules are effective when you are able to interact with a linked SQL server via an established connection.
- ldatabases -l LINKEDSERVERNAME – Show all databases present on the Linked SQL server
- ltables -l LINKEDSERVERNAME – Show all tables in the database you are connected to on the Linked SQL server
- lquery -l LINKEDSERVERNAME -o QUERY – Execute an arbitrary SQL query on a linked SQL server