
SQLRecon

A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.

Install / Use

/learn @skahwah/SQLRecon
About this skill

Quality Score

0/100

Supported Platforms

Universal

README


SQLRecon


SQLRecon is a Microsoft SQL Server toolkit that is designed for offensive reconnaissance and post-exploitation. For detailed information on how to use each technique, refer to the [wiki](https://github.com/skahwah/SQLRecon/wiki).

You can download a copy of SQLRecon from the releases page. Alternatively, feel free to compile the solution yourself. This should be as straightforward as cloning the repo, double-clicking the solution file and building.

[Prevention, detection and mitigation guidance](https://github.com/skahwah/SQLRecon/wiki/9.-Prevention,-Detection-and-Mitigation-Guidance) has also been provided for all you defenders out there.

Check out my blog post on the [IBM Security Intelligence](https://securityintelligence.com/posts/databases-beware-abusing-microsoft-sql-server-with-sqlrecon/) website. If you prefer videos, then check out my [presentation at Black Hat](https://www.youtube.com/watch?v=LsYSePobFWA).

Enumeration Modules

Enumeration Modules do not require an authentication provider to be supplied. These modules must be passed into the enumeration module flag (/e:, /enum:). The wiki has details on using [enumeration modules](https://github.com/skahwah/SQLRecon/wiki/1.-Enumeration).

Info    - Show information about the SQL server.
          /h:, /host:    -> SQL server hostname or IP. Multiple hosts supported.
          /port:         -> (OPTIONAL) Defaults to 1434 (UDP).
          /t:, /timeout: -> (OPTIONAL) Defaults to 3s.

SqlSpns - Use the current user token to enumerate the AD domain for MSSQL SPNs.
          /d:, /domain: -> (OPTIONAL) NETBIOS name or FQDN of domain.

Authentication Providers

SQLRecon supports a diverse set of authentication providers (/a:, /auth:) to enable interacting with a Microsoft SQL Server.

WinToken   - Use the current user's token to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP

WinDomain  - Use AD credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> NETBIOS name or FQDN of domain.
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

Local      - Use local SQL credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

EntraID    - Use Azure EntraID credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> FQDN of domain (DOMAIN.COM).
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

AzureLocal - Use local SQL credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

Pth        - Authenticate using an NT hash (pass-the-hash) over raw TDS/NTLM. Elevated privileges and SeImpersonate are not required.
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> NETBIOS domain name.
             /u:, /username: -> Domain username.
             /hash:          -> NT hash (32 hex chars, 8846f7eaee8fb117ad06bdd830b7586c) or LM:NT format.

Authentication Providers - Additional Details

  • Hosts: The host flag (/h:, /host:) is required and accepts one or more SQL servers. If you want to execute a module against multiple SQL servers, separate the hosts with a comma, for example /h:SQL01,10.10.10.2,SQL03.
  • Database: SQLRecon connects to the master database by default, however, this can be optionally changed by supplying a custom database name via the database (/database:) flag.
  • Debug: The /debug flag is optional and displays all SQL queries that would be executed by a module, without actually executing them on the remote host(s). An example of this can be found in the [wiki](https://github.com/skahwah/SQLRecon/wiki).
  • Port: In some cases, a Microsoft SQL Server may not be listening on a standard TCP port. Some examples are Microsoft SQL Server failover clustering, or dynamic TCP ports. SQLRecon connects to databases via TCP Port 1433 by default, however, this can be optionally changed using the /port: flag.
  • Timeout: The default SQL database connection timeout is 3 seconds, however, this value can be optionally changed by supplying a timeout value (/t:, /timeout:), which is the number of seconds to wait before terminating the connection attempt.
  • Verbose: The /v, /verbose flag is optional and displays all SQL queries that are executed by a module before executing them on the remote host(s). An example of this can be found in the [wiki](https://github.com/skahwah/SQLRecon/wiki).

Please note that the EntraID authentication provider requires that the Azure Active Directory Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) exists on the system SQLRecon is executed from. This is for Azure EntraID authentication and authorization functionality.

SQL Modules

SQL modules are executed against one or more instances of Microsoft SQL Server. These modules must be passed into the module flag (/m:, /module:).

| Module Name | Description | Impersonation | Linked Execution | Linked Chain Execution | Requires Privileged Context |
| ----------- | ----------- | ------------- | ---------------- | ---------------------- | --------------------------- |
| AuditStatus | Check if SQL auditing is in place. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| CheckRpc | Obtain a list of linked servers and their RPC status. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Databases | Display all databases. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Impersonate | Enumerate user accounts that can be impersonated. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Info | Show information about the SQL server. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Links | Enumerate linked SQL servers. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Users | Display what user accounts and groups can authenticate against the database. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Whoami | Display your privileges. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Query /c:QUERY | Execute a SQL query. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Smb /unc:UNC_PATH | Capture NetNTLMv2 hash. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Columns /db:DATABASE /table:TABLE | Display all columns in the supplied database and table. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Rows /db:DATABASE /table:TABLE | Display the number of rows in the supplied database table. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Search /keyword:KEYWORD | Search column names in the supplied table of the database you are connected to. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| Tables /db:DATABASE | Display all tables in the supplied database. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :negative_squared_cross_mark: |
| EnableRpc /rhost:LINKED_HOST | Enable RPC and RPC out on a linked server. | :white_check_mark: | :x: | :x: | :heavy_check_mark: |
| EnableClr | Enable CLR integration. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: |
| EnableOle | Enable OLE automation procedures. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: |
| EnableXp | Enable xp_cmdshell. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: |
| DisableRpc /rhost:LINKED_HOST | Disable RPC and RPC out on a linked server. | :white_check_mark: | :x: | :x: | :heavy_check_mark: |
| DisableClr | Disable CLR integration. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: |
| DisableOle | Disable OLE automation procedures. | :white_check_mark: | :white_check_mark: | :white_check_mark: | :heavy_check_mark: |
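As an added defender-side example (not part of SQLRecon or its README), the following T-SQL reads the same server settings that the AuditStatus, CheckRpc, Impersonate and Enable*/Disable* modules in the table above touch, so an administrator can baseline them and alert when they drift. It assumes it is run on each instance as a login holding VIEW SERVER STATE and VIEW ANY DEFINITION.

```sql
-- Added example (not from SQLRecon): baseline the surfaces listed in the module table.
-- Assumes a login with VIEW SERVER STATE / VIEW ANY DEFINITION on the instance.

-- 1. Server options that the EnableXp / EnableClr / EnableOle modules flip via sp_configure.
--    Any row reporting 1 should be either justified in change control or disabled.
SELECT name,
       value_in_use,
       CASE WHEN value_in_use = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled', 'Ole Automation Procedures');

-- 2. Linked servers and their RPC settings (what CheckRpc / EnableRpc / DisableRpc act on).
--    rpc_out permits EXEC ... AT <linked server>; rpc permits the reverse direction.
SELECT name,
       data_source,
       is_remote_login_enabled AS rpc,
       is_rpc_out_enabled      AS rpc_out,
       is_data_access_enabled  AS data_access
FROM sys.servers
WHERE is_linked = 1;

-- 3. Is SQL Server Audit defined and actually running (what AuditStatus reports)?
--    A defined-but-stopped audit shows is_state_enabled = 1 with a non-STARTED status_desc.
SELECT a.name,
       a.is_state_enabled,
       s.status_desc,
       s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s ON s.audit_id = a.audit_id;

-- 4. Server-level IMPERSONATE grants (what the Impersonate module enumerates).
--    Each row is a login that can switch context to another login; keep this list minimal.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';
```

Schedule the four result sets as a job or collector and diff them against the last run; a new row in sections 1, 2 or 4, or a stopped audit in section 3, is the signal to investigate.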

View on GitHub
GitHub Stars: 797
Category: Data
Updated: 1d ago
Forks: 127

Languages

C#

Security Score

95/100

Audited on Apr 6, 2026

No findings