# mssqlhound
Awsome [tool](https://github.com/SpecterOps/MSSQLHound) to find cool attack paths via SQL!

## Running enumeration at the domain level
```
.\MSSQLHound.ps1 -domain domain.com -Verbose
```

## Running enumeration against a specific instance
```
.\MSSQLHound.ps1 -UserID SomeSQLAdminLocalAccount -password 'YourPass123!' -ServerList SQL07 -domain domain.com -Verbose
```

!!!tip
* (I'm a newb with this but found even if I want to do enumeration with a LOCAL SA account, I still need to specify the `-domain` flag or the enumeration doesn't work)*
!!!

## To populate MSSQL visuals in BloodHound:
1. Run this:

```
MSSQLHound.ps1 -OutputFormat BloodHound-customnodes
```

You can also copy this directly from the [GitHub](https://github.com/SpecterOps/MSSQLHound?tab=readme-ov-file#usage-info) readme.

2. Log into BloodHound, and from the left menu click **API Explorer** then look for `POST /api/v2/custom-nodes`, click on it to expand it, then click **Try it out**.   

3. In the *Request body* field, paste in the JSON output.

4. Click **Execute.**

5. In the upload area, upload the `seed_data.json` file (in the same place you upload Active Directory data)

6. In the **Explore** area, click **CYPHER** and then click **Saved Queries** and then click **Import** and import everything in the `saved_queries` folder.

7.  Back in the main upload area, upload your `.json` file that MSSQLHound gave you.

## Queries to find SQL pwnage:

### Find all MSSQL_Base nodes and returns every relationship/path going outbound from them (anything that MSSQL instances have connections TO)
```
MATCH p = (:MSSQL_Base)-[]->() RETURN p
```

### Return all MSSQL_Base nodes by themselves with no relationship context
```
MATCH (n:MSSQL_Base) RETURN n
```