SQLRecon: C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation

SQLRecon

Description

A C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation.

SQLRecon

Mandatory Arguments

The mandatory arguments consist of an authentication type (either Windows, Local or Azure), connection parameters and a module.

  • -a – Authentication Type
    • -a Windows – Use Windows authentication. This uses the current users token.
    • -a Local – Use local authentication. This requires the credentials for a local database user.
    • -a Azure – Use Azure AD domain username and password authentication. This requires the credentials for a domain user.

If the authentication type is Windows, then you will need to supply the following parameters.

  • -s SERVERNAME – SQL server hostname
  • -d DATABASE – SQL server database name
  • -m MODULE – The module you want to use

If the authentication type is Local, then you will need to supply the following parameters.

  • -d DATABASE – SQL server database name
  • -u USERNAME – Username of local SQL user
  • -p PASSWORD – Password of local SQL user
  • -m MODULE – The module you want to use

If the authentication type is Azure, then you will need to supply the following parameters.

  • -d DATABASE – SQL server database name
  • -r DOMAIN.COM – FQDN of Domain
  • -u USERNAME – Username of domain user
  • -p PASSWORD – Password of domain user
  • -m MODULE – The module you want to use

Standard Modules

Standard modules are used to interact against a single MS SQL server.

  • query -o QUERY – Execute an arbitrary SQL query
  • whoami – See what user you are logged in as
  • mapped – See what user you are mapped to
  • roles – Enumerate if the user has public and/or sysadmin roles mapped
  • databases – Show all databases present on the SQL server
  • tables – Show all tables in the database you are connected to
  • search -o KEYWORD – Search column names within tables of the database you are connected to.
  • smb -o SHARE – Capture NetNTLMv2 hash
  • enablexp – Enable xp_cmdshell (requires sysadmin role or similar)
  • disablexp – Disable xp_cmdshell (requires sysadmin role or similar)
  • xpcmd -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
  • enableole – Enable OLE Automation Procedures (requires sysadmin role or similar)
  • disableole – Disable OLE Automation Procedures (requires sysadmin role or similar)
  • olecmd -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
  • enableclr – Enable Custom CLR Assemblies (requires sysadmin role or similar)
  • disableclr – Disable Custom CLR Assemblies (requires sysadmin role or similar)
  • impersonate – Enumerate any user accounts that can be impersonated
  • links – Enumerate any linked SQL servers

Impersonation Modules

Impersonation modules are used to interact against a single MS SQL server, under the context of an impersonated SQL user.

  • iquery -i IMPERSONATEUSER -o QUERY – Execute an arbitrary SQL query as an impersonated user
  • ienablexp -i IMPERSONATEUSER – Enable xp_cmdshell (requires sysadmin role or similar)
  • idisablexp -i IMPERSONATEUSER– Disable xp_cmdshell (requires sysadmin role or similar)
  • ixpcmd -i IMPERSONATEUSER -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)
  • ienableole -i IMPERSONATEUSER – Enable OLE Automation Procedures (requires sysadmin role or similar)
  • idisableole -i IMPERSONATEUSER – Disable OLE Automation Procedures (requires sysadmin role or similar)
  • iolecmd -i IMPERSONATEUSER -o COMMAND – Execute an arbitrary system command (requires sysadmin role or similar)

Linked SQL Server Modules

Linked SQL Server modules are effective when you are able to interact with a linked SQL server via an established connection.

  • ldatabases -l LINKEDSERVERNAME – Show all databases present on the Linked SQL server
  • ltables -l LINKEDSERVERNAME – Show all tables in the database you are connected to on the Linked SQL server
  • lquery -l LINKEDSERVERNAME -o QUERY – Execute an arbitrary SQL query on a linked SQL server

Download & Use