Home

Awesome

  licence badge wiki Badge stars badge forks badge issues badge

SQLRecon

<p align="center"> <img src="./images/sqlrecon-40.png"> </p>

SQLRecon is a Microsoft SQL Server toolkit that is designed for offensive reconnaissance and post-exploitation. For detailed information on how to use each technique, refer to the <a href="https://github.com/skahwah/SQLRecon/wiki">wiki</a>.

You can download a copy of SQLRecon from the releases page. Alternatively, feel free to compile the solution yourself. This should be as straight forward as cloning the repo, double clicking the solution file and building.

<a href="https://github.com/skahwah/SQLRecon/wiki/9.-Prevention,-Detection-and-Mitigation-Guidance">Prevention, detection and mitigation guidance</a> has also been provided for all you defenders out there.

Check out my blog post on the <a href="https://securityintelligence.com/posts/databases-beware-abusing-microsoft-sql-server-with-sqlrecon/">IBM Security Intelligence</a> website. If you prefer videos, then check out my <a href="https://www.youtube.com/watch?v=LsYSePobFWA">presentation at Black Hat</a>.

Enumeration Modules

Enumeration Modules do not require an authentication provider to be supplied. These modules must be passed into the enumeration module flag (/e:, /enum:). The wiki has details on using <a href="https://github.com/skahwah/SQLRecon/wiki/1.-Enumeration">enumeration modules</a>.

Info    - Show information about the SQL server.
          /h:, /host    -> SQL server hostname or IP. Multiple hosts supported.
          /port:        -> (OPTIONAL) Defaults to 1434 (UDP).
          /t:, timeout: -> (OPTIONAL) Defaults to 3s.

SqlSpns - Use the current user token to enumerate the AD domain for MSSQL SPNs.
          /d:, /domain: -> (OPTIONAL) NETBIOS name or FQDN of domain.

Authentication Providers

SQLRecon supports a diverse set of authentication providers (/a:, /auth:) to enable interacting with a Microsoft SQL Server.

WinToken   - Use the current users token to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP

WinDomain  - Use AD credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> NETBIOS name or FQDN of domain.
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

Local      - Use local SQL credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

EntraID    - Use Azure EntraID credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> FQDN of domain (DOMAIN.COM).
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

AzureLocal - Use local SQL credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

Authentication Providers - Additional Details

Please note that the EntraID authentication provider requires that the Azure Active Directory Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) exists on the system SQLRecon is executed from. This is for Azure EntraID authentication and authorization functionality.

SQL Modules

SQL modules are executed against one or more instance of Microsoft SQL server. These modules must be passed into the module flag (/m:, /module:).

Module NameDescriptionImpersonationLinked ExecutionLinked Chain ExecutionRequires Privileged Context
CheckRpcObtain a list of linked servers and their RPC status.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
DatabasesDisplay all databases.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
ImpersonateEnumerate user accounts that can be impersonated.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
InfoShow information about the SQL server.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
LinksEnumerate linked SQL servers.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
UsersDisplay what user accounts and groups can authenticate against the database.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
WhoamiDisplay your privileges.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
Query /c:QUERYExecute a SQL query.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
Smb /unc:UNC_PATHCapture NetNTLMv2 hash.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
Columns /db:DATABASE /table:TABLEDisplay all columns in the supplied database and table.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
Rows /db:DATABASE /table:TABLEDisplay the number of rows in the supplied database table.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
Search /keyword:KEYWORDSearch column names in the supplied table of the database you are connected to.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
Tables /db:DATABASEDisplay all tables in the supplied database.:white_check_mark::white_check_mark::white_check_mark::negative_squared_cross_mark:
EnableRpc /rhost:LINKED_HOSTEnable RPC and RPC out on a linked server.:white_check_mark::x::x::heavy_check_mark:
EnableClrEnable CLR integration.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
EnableOleEnable OLE automation procedures.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
EnableXpEnable xp_cmdshell.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
DisableRpc /rhost:LINKED_HOSTDisable RPC and RPC out on a linked server.:white_check_mark::x::x::heavy_check_mark:
DisableClrDisable CLR integration.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
DisableOleDisable OLE automation procedures.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
DisableXpDisable xp_cmdshell.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
AgentStatusDisplay if SQL agent is running and obtain agent jobs.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
AgentCmd /c:COMMANDExecute a system command using agent jobs.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
Adsi /adsi:SERVER_NAME /lport:LOCAL_PORTObtain cleartext ADSI credentials from a linked ADSI server.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
Clr /dll:DLL /function:FUNCTIONLoad and execute a .NET assembly in a custom stored procedure.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
OleCmd /c:COMMAND /subsystem:(OPTIONAL)Execute a system command using OLE automation procedures.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:
XpCmd /c:COMMANDExecute a system command using xp_cmdshell.:white_check_mark::white_check_mark::white_check_mark::heavy_check_mark:

SQL Modules - Standard

The host flag (/h:, host:) is required and allows one or more SQL servers. If you want to execute a module against multiple SQL servers, separate the hosts with a comma, for example /h:SQL01,10.10.10.2,SQL03.

The wiki has details on using each module which supports execution on one or more instance of <a href="https://github.com/skahwah/SQLRecon/wiki/3.-Standard-Modules">SQL Server</a>.

SQL Modules - Impersonation

Impersonation modules are executed against one or more instances of Microsoft SQL server, under the context of an impersonated SQL user. All impersonation modules have the following minimum requirements:

The wiki has details on using each module which supports execution using <a href="https://github.com/skahwah/SQLRecon/wiki/4.-Impersonation-Modules">Impersonation</a>.

SQL Modules - Linked

Linked modules are executed on one or more instances of a linked Microsoft SQL server. All linked modules have the following minimum requirements:

The wiki has details on using each module which supports execution on one or more instance of a <a href="https://github.com/skahwah/SQLRecon/wiki/5.-Linked-Modules">Linked SQL Server</a>.

SQL Modules - Linked Chain

Linked chain modules are executed on the final Microsoft SQL server in a linked server chain. All linked chain modules have the following minimum requirements:

The wiki has details on using each module which supports execution on the final SQL server supplied in a <a href="https://github.com/skahwah/SQLRecon/wiki/6.-Linked-Chain-Modules">Linked SQL Server Chain</a>.

SCCM Modules

SQLRecon has several modules that can assist with enumerating and attacking Microsoft System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager (ECM). The SCCM or ECM server will need to have a Microsoft SQL database exposed either locally or remotely.

SCCM modules must be passed into the SCCM module flag (/s:, /sccm:).

Most of the SCCM modules can be executed under the context of an impersonated SQL user (/i:, /iuser:).

The wiki has details on using each module against an <a href="https://github.com/skahwah/SQLRecon/wiki/7.-SCCM-Modules">SCCM/ECM database</a>.

Module NameDescriptionImpersonationRequires Privileged Context
UsersDisplay all SCCM users.:white_check_mark::negative_squared_cross_mark:
SitesDisplay all other sites with data stored.:white_check_mark::negative_squared_cross_mark:
LogonsDisplay all associated SCCM clients and the last logged in user.:white_check_mark::negative_squared_cross_mark:
CredentialsDisplay encrypted credentials vaulted by SCCM.:white_check_mark::negative_squared_cross_mark:
TaskListDisplay all task sequences, but do not access the task data contents.:white_check_mark::negative_squared_cross_mark:
TaskDataDecrypt all task sequences to plaintext.:white_check_mark::negative_squared_cross_mark:
DecryptCredentialsDecrypt an SCCM credential blob. Must execute in a high-integrity or SYSTEM process on the SCCM server.:x::heavy_check_mark:
AddAdmin /user:DOMAIN\USERNAME /sid:SIDElevate a supplied account to a 'Full Administrator' in SCCM.:white_check_mark::heavy_check_mark:
RemoveAdmin /user:ADMIN_ID /remove:STRINGRemoves privileges of a user, or remove a user entirely from the SCCM database.:white_check_mark::heavy_check_mark:
<details> <summary>SCCM Modules - Additional Details</summary> </details>

Extending SQLRecon

If you are interested in extending SQLRecon, please refer to the contributing and extending section in the <a href="https://github.com/skahwah/SQLRecon/wiki/8.-Contributing-and-Extending-SQLRecon">wiki</a>.

I encourage you to open an issue if you have any suggestions or ideas.

Roadmap

The goal is to continuously improve SQLRecon. Listed below are some planned research areas:

Credits

The following people have contributed either directly or indirectly to various aspects of SQLRecon.

History

<details> <summary>v3.8</summary> </details> <details> <summary>v3.7</summary> </details> <details> <summary>v3.6</summary> </details> <details> <summary>v3.5</summary> </details> <details> <summary>v3.4</summary> </details> <details> <summary>v3.3</summary> </details> <details> <summary>v3.2</summary> </details> <details> <summary>v3.1</summary> </details> <details> <summary>v3.0</summary> </details> <details> <summary>v2.9</summary> </details> <details> <summary>v2.8</summary> </details> <details> <summary>v2.7</summary> </details> <details> <summary>v2.6.1</summary> </details> <details> <summary>v2.6</summary> </details> <details> <summary>v2.5</summary> </details> <details> <summary>v2.4</summary> </details> <details> <summary>v2.3</summary> </details> <details> <summary>v2.2</summary> </details> <details> <summary>v2.1.6</summary> </details> <details> <summary>v2.1.5</summary> </details> <details> <summary>v2.1.4</summary> </details> <details> <summary>v2.1.3</summary> </details> <details> <summary>v2.1.2</summary> </details> <details> <summary>v2.1.1</summary> </details> <details> <summary>v2.1</summary> </details> <details> <summary>v2.0</summary> </details> <details> <summary>v1.2</summary> </details> <details> <summary>v1.1</summary> </details>