SQLRecon is a Microsoft SQL Server toolkit that is designed for offensive reconnaissance and post-exploitation. For detailed information on how to use each technique, refer to the wiki.
Prevention, detection and mitigation guidance has also been provided for all you defenders out there.
Check out my blog post on the IBM Security Intelligence website.
You can download a copy of SQLRecon from the releases page. Alternatively, feel free to compile the solution yourself. This should be as straight forward as cloning the repo, double clicking the solution file and building.
SQLRecon supports enumerating Active Directory for Server Principal Names (SPNs) that are associated with Microsoft SQL Server.
Enumeration Modules (/e:, /enum:
) do not require an authentication provider to be supplied.
SqlSpns - Use the current user token to enumerate the current AD domain for MSSQL SPNs
/d:, /domain: | (OPTIONAL) NETBIOS name (DOMAIN) or FQDN of domain (DOMAIN.COM)
SQLRecon supports a diverse set of authentication providers to enable interacting with a Microsoft SQL Server. An authentication provider must be supplied (/a:, /auth:
).
WinToken - Use the current users token to authenticate against the SQL database
/h:, /host: | SQL server hostname or IP
/database: | (OPTIONAL) SQL server database name, defaults to 'master'
/port: | (OPTIONAL) Defaults to 1433
WinDomain - Use AD credentials to authenticate against the SQL database
/h:, /host: | SQL server hostname or IP
/d:, /domain: | NETBIOS name (DOMAIN) or FQDN of domain (DOMAIN.COM)
/u:, /username: | Username for domain user
/p:, /password: | Password for domain user
/database: | (OPTIONAL) SQL server database name, defaults to 'master'
/port: | (OPTIONAL) Defaults to 1433
Local - Use local SQL credentials to authenticate against the SQL database
/h:, /host: | SQL server hostname or IP
/u:, /username: | Username for local SQL user
/p:, /password: | Password for local SQL user
/database: | (OPTIONAL) SQL server database name, defaults to 'master'
/port: | (OPTIONAL) Defaults to 1433
AzureAD - Use Azure AD credentials to authenticate against the Azure SQL database
/h:, /host: | SQL server hostname or IP
/d:, /domain: | FQDN of domain (DOMAIN.COM)
/u:, /username: | Username for domain user
/p:, /password: | Password for domain user
/database: | (OPTIONAL) SQL server database name, defaults to 'master'
AzureLocal - Use local SQL credentials to authenticate against the Azure SQL database
/h:, /host: | SQL server hostname or IP
/u:, /username: | Username for local SQL user
/p:, /password: | Password for local SQL user
/database: | (OPTIONAL) SQL server database name, defaults to 'master'
/port: | (OPTIONAL) Defaults to 1433
There are cases where a Microsoft SQL Server might not be listening on a standard TCP port. Some examples are Microsoft SQL Server failover clustering, or dynamic TCP ports. SQLRecon supports setting non-standard connection port by supplying the port flag (/port:
). By default, SQLRecon will connect to databases via TCP Port 1433.
SQLRecon connects to the master
database by default, however, this can be changed by supplying a custom database name via the database flag (/database:
).
Please note that the AzureAD
authentication provider reqires that the Azure Active Directory Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) exists on the system SQLRecon is executed from. This is for Azure Active Directory authentication and authorization functionality.
Standard modules are executed against a single instance of Microsoft SQL server. Standard modules must be passed into the module flag (/m:, /module:
).
Modules starting with [*]
require the sysadmin role or a similar privileged context.
For detailed information on how to use each technique, refer to the wiki.
Info | Show information about the SQL server
Query /c:QUERY | Execute a SQL query
Whoami | Display what user you are logged in as, mapped as and what roles exist
Users | Display what user accounts and groups can authenticate against the database
Databases | Display all databases
Tables /db:DATABASE | Display all tables in the supplied database
Columns /db:DATABASE /table:TABLE | Display all columns in the supplied database and table
Rows /db:DATABASE /table:TABLE | Display the number of rows in the supplied database table
Search /keyword:KEYWORD | Search column names in the supplied table of the database you are connected to
Smb /rhost:UNC_PATH | Capture NetNTLMv2 hash
Impersonate | Enumerate user accounts that can be impersonated
Links | Enumerate linked SQL servers
CheckRpc | Obtain a list of linked servers and their RPC status
[*] EnableRpc /rhost:LINKED_HOST | Enable RPC and RPC out on a linked server
[*] DisableRpc /rhost:LINKED_HOST | Disable RPC and RPC out on a linked server
[*] EnableXp | Enable xp_cmdshell
[*] DisableXp | Disable xp_cmdshell
[*] XpCmd /c:COMMAND | Execute a system command using xp_cmdshell
[*] EnableOle | Enable OLE automation procedures
[*] DisableOle | Disable OLE automation procedures
[*] OleCmd /c:COMMAND | Execute a system command using OLE automation procedures
[*] EnableClr | Enable CLR integration
[*] DisableClr | Disable CLR integration
[*] Clr /dll:DLL /function:FUNCTION | Load and execute a .NET assembly in a custom stored procedure
[*] AgentStatus | Display if SQL agent is running and obtain agent jobs
[*] AgentCmd /c:COMMAND | Execute a system command using agent jobs
[*] Adsi /rhost:ADSI_SERVER_NAME /lport:LDAP_SERVER_PORT | Obtain cleartext ADSI credentials from a linked ADSI server
Linked modules are executed on a linked Microsoft SQL server.
All linked modules have the following minimum requirements:
- A linked SQL server must be specified (
/l:, /lhost:
). - A linked module must be specified (
/m:, /module:
).
Modules starting with [*]
require the sysadmin role or a similar privileged context.
For detailed information on how to use each technique, refer to the wiki.
lQuery /l:LINKED_HOST /c:QUERY | Execute a SQL query
lWhoami /l:LINKED_HOST | Display what user you are logged in as, mapped as and what roles exist
lUsers /l:LINKED_HOST | Display what user accounts and groups can authenticate against the database
lDatabases /l:LINKED_HOST | Display all databases
lTables /l:LINKED_HOST /db:DATABASE | Display all tables in the supplied database
lColumns /l:LINKED_HOST /db:DATABASE /table:TABLE | Display all columns in the supplied database and table
lRows /l:LINKED_HOST /db:DATABASE /table:TABLE | Display the number of rows in the supplied database and table
lSearch /l:LINKED_HOST /db:DATABASE /keyword:KEYWORD | Search column names in the supplied table of the database you are connected to
lSmb /l:LINKED_HOST /rhost:UNC_PATH | Capture NetNTLMv2 hash
lLinks /l:LINKED_HOST | Enumerate linked SQL servers on a linked SQL server
lCheckRpc /l:LINKED_HOST | Obtain a list of linked servers on the linked server and their RPC status
[*] lEnableXp /l:LINKED_HOST | Enable xp_cmdshell
[*] lDisableXp /l:LINKED_HOST | Disable xp_cmdshell
[*] lXpCmd /l:LINKED_HOST /c:COMMAND | Execute a system command using xp_cmdshell
[*] lEnableOle /l:LINKED_HOST | Enable OLE automation procedures
[*] lDisableOle /l:LINKED_HOST | Disable OLE automation procedures
[*] lOleCmd /l:LINKED_HOST /c:COMMAND | Execute a system command using OLE automation procedures
[*] lEnableClr /l:LINKED_HOST | Enable CLR integration
[*] lDisableClr /l:LINKED_HOST | Disable CLR integration
[*] lClr /l:LINKED_HOST /dll:DLL /function:FUNCTION | Load and execute a .NET assembly in a custom stored procedure
[*] lAgentStatus /l:LINKED_HOST | Display if SQL agent is running and obtain agent jobs
[*] lAgentCmd /l:LINKED_HOST /c:COMMAND | Execute a system command using agent jobs
[*] lAdsi /l:LINKED_HOST /rhost:ADSI_SERVER_NAME /lport:LDAP_SERVER_PORT | Obtain cleartext ADSI credentials from a double-linked ADSI server
Impersonation modules are executed against a single instance of Microsoft SQL server, under the context of an impersonated SQL user.
All impersonation modules have the following minimum requirements:
- An impersonation user must be specified (
/i:, /iuser:
). - An impersonation module must be specified (
/m:, /module:
).
Modules starting with [*]
require the sysadmin role or a similar privileged context.
For detailed information on how to use each technique, refer to the wiki.
iQuery /i:IMPERSONATE_USER /c:QUERY | Execute a SQL query
iWhoami /i:IMPERSONATE_USER | Display what user you are logged in as, mapped as and what roles exist
iUsers /i:IMPERSONATE_USER | Display what user accounts and groups can authenticate against the database
iDatabases /i:IMPERSONATE_USER | Display all databases
iTables /i:IMPERSONATE_USER /db:DATABASE | Display all tables in the supplied database
iColumns /i:IMPERSONATE_USER /db:DATABASE /table:TABLE | Show all columns in the database and table you specify
iRows /i:IMPERSONATE_USER /db:DATABASE /table:TABLE | Display the number of rows in the database and table you specify
iSearch /i:IMPERSONATE_USER /keyword:KEYWORD | Search column names in the supplied table of the database you are connected to
iLinks /i:IMPERSONATE_USER | Enumerate linked SQL servers
iCheckRpc /i:IMPERSONATE_USER | Obtain a list of linked servers and their RPC status
[*] iEnableRpc /i:IMPERSONATE_USER /rhost:LINKED_HOST | Enable RPC and RPC out on a linked server
[*] iDisableRpc /i:IMPERSONATE_USER /rhost:LINKED_HOST | Disable RPC and RPC out on a linked server
[*] iEnableXp /i:IMPERSONATE_USER | Enable xp_cmdshell
[*] iDisableXp /i:IMPERSONATE_USER | Disable xp_cmdshell
[*] iXpCmd /i:IMPERSONATE_USER /c:COMMAND | Execute a system command using xp_cmdshell
[*] iEnableOle /i:IMPERSONATE_USER | Enable OLE automation procedures
[*] iDisableOle /i:IMPERSONATE_USER | Disable OLE automation procedures
[*] iOleCmd /i:IMPERSONATE_USER /c:COMMAND | Execute a system command using OLE automation procedures
[*] iEnableClr /i:IMPERSONATE_USER | Enable CLR integration
[*] iDisableClr /i:IMPERSONATE_USER | Disable CLR integration
[*] iClr /i:IMPERSONATE_USER /dll:DLL /function:FUNCTION | Load and execute a .NET assembly in a custom stored procedure
[*] iAgentStatus /i:IMPERSONATE_USER | Display if SQL agent is running and obtain agent jobs
[*] iAgentCmd /i:IMPERSONATE_USER /c:COMMAND | Execute a system command using agent jobs
[*] iAdsi /i:IMPERSONATE_USER /rhost:ADSI_SERVER_NAME /lport:LDAP_SERVER_PORT | Obtain cleartext ADSI credentials from a linked ADSI server
SQLRecon has several modules that can assist with enumerating and attacking Microsoft System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager (ECM).
SCCM modules must be passed into the module flag (/m:, /module:
).
SCCM and ECM will need to have a Microsoft SQL database exposed either locally or remotely.
Modules starting with [*]
require the sysadmin role or a similar privileged context.
For detailed information on how to use each technique, refer to the wiki.
sUsers | Display all SCCM users
sSites | Display all other sites with data stored
sLogons /option:OPTIONAL_FILTER | Display all associated SCCM clients and the last logged in user
sTaskList | Display all task sequences, but do not access the task data contents
sTaskData | Decrypt all task sequences to plaintext
sCredentials | Display encrypted credentials vaulted by SCCM
[*] sDecryptCredentials | Attempt to decrypt recovered SCCM credential blobs. Must be ran in a high-integrty or SYSTEM process on an SCCM server
[*] sAddAdmin /user:DOMAIN\USERNAME /sid:SID | This will elevate a supplied account to a 'Full Administrator' in SCCM
[*] sRemoveAdmin /user:ADMIN_ID /remove:REMOVE_STRING | Removes privileges of a user, or remove a user entirely from the SCCM database
The table below contains additional information for each SCCM module:
Module | Description |
---|---|
sUsers | Lists all users in the RBAC_Admins table. These are all users configured for some level of access to SCCM. |
sSites | Lists all other sites with data stored in the SCCM databases' DPInfo table. This can provide additional attack avenues as different sites can be configured in different (insecure) ways. |
sLogons | Queries the Computer_System_DATA table to retrieve all associated SCCM clients along with the user that last logged into them. NOTE: This only updates once a week by default and will not be 100% up to date. Use /option: as an optional (not required) argument to filter SCCM clients. |
sTaskList | Provides a list of all task sequences stored in the SCCM database, but does not access the actual task data contents. |
sTaskData | Recovers all task sequences stored in the SCCM database and decrypts them to plaintext. Task sequences can contain credentials for joining systems to domains, mapping shares, running commands, etc. |
sCredentials | Lists credentials vaulted by SCCM for use in various functions. These credentials can not be remotely decrypted as the key is stored on the SCCM server. However, this module provides intel on if it makes sense to attempt to obtain the key. |
sDecryptCredentials | Attempt to decrypt recovered SCCM credential blobs. This module must be ran in a high-integrty or SYSTEM process on an SCCM server. |
sAddAdmin | This module will elevate the specified account to a 'Full Administrator' within SCCM. If target user is already an SCCM user, this module will instead add necessary privileges to elevate. Provide two arguments, either /user:current /sid:current if seeking to add the user currently executing the SQLRecon process as a 'Full Administrator' in SCCM. If seeking to add another user as a 'Full Administrator' in SCCM, specify their domain user name and full SID /user:DOMAIN\USERNAME /sid:S-1-5-... . This module require sysadmin or similar privileges as writing to SCCM database tables is required. |
sRemoveAdmin | This modlue removes the privileges of a user by removing a newly added user entirely from the SCCM database. If the user already existed in some capacity this module just removes the three roles that were added to the account via writes to the permission table. Use the arguments provided by output of the sAddAdmin command to run this command. This module require sysadmin or similar privileges as writing to SCCM database tables is required. |
If you are interested in extending SQLRecon, refer to the write up in the wiki.
v3.3
- Created
rows
,iRows
andlRows
modules. - Updated
sLogons
to include an optional filter. - Bug fix where
xp_cmdshell
modules were not printing command output to console. - Cleaned up Help menu.
v3.2
- Command line argument parsing overhaul.
- Updated README, test cases and wiki with new examples.
- Reworked enumeration and authentication based argument parsing.
- Created
SetEnumerationType.cs
. - Changed enumeration module
domain
toSqlSpns
.
v3.1
- Changed
SetAuthenticationType.cs
constructor to a new method calledEvaluateAuthenticationType
. - Created
CreateSqlConnectionObject
inSetAuthenticationType.cs
which extends SQLRecon to support multiple simultaneous SQL connection objects. - Created
ADSI.cs
, which incorporates ADSI credential attacks as described here. - Created
adsi
,iAdsi
, andlAdsi
modules. - Created
lLinks
andiLinks
modules. - Updated README, test cases and wiki with new examples.
v3.0
- Implemented error checking for non-existant impersonated users.
- Created
ExecuteImpersonationQuery
andExecuteImpersonationCustomQuery
. - Deleted
Impersonate.cs
- Added
checkRpc
module. - Added
iCheckRpc
module. - Added
lCheckRpc
module. - Reworked SCCM modules.
- Reworked SCCM argument parsing.
- Camel cased commands in help menu for easier reading.
- Updated tests with new modules.
v2.9
- Renamed
EnableDisable.cs
toConfigureOptions.cs
- Overhauled advanced option configurations.
- Implemented RPC error checking wherever
ExecuteLinkedCustomQueryRpcExec
is called.
v2.8
- Created
PrintUtils.cs
, which implements a print class for standardized output. - Moved
TablePrinter
fromHelp.cs
toPrintUtils.cs
. - Standardized print formatting for all console output using the
PrintUtils
class. - Changed access modifiers for classes and class variables.
- Added check to see if result is empty for:
query
search
tables
lColumns
lQuery
lSearch
lTables
iColumns
iQuery
iSearch
- Signifiant reliability and functionality testing against all authentication providers and modules.
v2.7
- Changed
Azure
authentication toAzureAD
. - Created
AzureLocal
authentication. - Added
disableRpc
module. - Added
enableRpc
module. - Added
iEnableRpc
module. - Added
iDisableRpc
module. - Removed
lEnableRpc
module. - Removed
lDisbleRpc
module. - Updated tests with new modules.
v2.6.1
lAgentCmd
bug fixes.- Fixed
clr
,iClr
andlClr
stability by usingSqlCommand.ExecuteNonQuery
when creating the stored procedure. - Fixed
lClr
bug where it was not removing created assemblies or stored procedures.
v2.6
- Added
columns
module. - Added
iColumns
module. - Added
iDatabases
module. - Added
iSearch
module. - Added
iTables
module. - Added
lColumns
module. - Added
lSearch
module.
v2.5
- Various bug fixed in the SCCM modules.
- Organized the help menu using a table.
- Improved the output provided by
ExecuteLinkedCustomQueryRpcExec
. - Improved code commenting through out.
- Improved consistency of method names across command execution functions.
- Improved modularity through better use of object oriented programming.
- Changed custom SQL server port flag to
x
. - Moved
Random.cs
intoutilities
directory. - Standardized the printing style to make it more consistent across all modules.
- Created standard, impersonation and linked test harnesses.
v2.4
- Changed
Windows
authentication toWinToken
. - Created
WinDomain
authentication, which uses AD domain username and password for authentication via impersonation. Check outImpersonation.cs
. - Reworked argument parsing and handling across
ArgumentLogic.cs
,SQLAuthentication.cs
andModuleHandler.cs
. ModuleHandler.cs
no longer uses a massive if/else if/else statement to execute modules. Instead, reflection is now used to call methods matching command modules names.- Added
commands
directory, which has global variables that are used throughout the program. - Rolled all authentication providers into
SQLAuthentication.cs
. - Moved argument parsing from
Program.cs
toArgumentLogic.cs
. - Removed the
authentication
directory. - Changed code style to better follow Microsoft's C#/.NET style code style guide.
- Changed
Help.cs
from a method into a constructor. - Changed
CaptureHash.cs
from a method into a constructor. - Changed
Impersonate.cs
from a method into a constructor. - Re-factored complete code base.
v2.3
- Added SCCM functionality.
- Added SCCM modules, which can be executed using the
sccm
command. - Fixed checking RPC status on linked SQL servers.
- Added the capability to download .NET assemblies via HTTP/S.
v2.2
- Expanded roles which are queried in the
roles
,iRoles
andlRoles
modules. - Created
users
,iUsers
andlUsers
modules. - Fixed hash not being dropped from
sp_drop_trusted_assembly
inclr
andiClr
modules. - Created
lAgentCmd
module. - Created
lClr
module.
v2.1.6
- Added
info
module. - Corrections in help menu.
- Resolved issues with mandatory arguments with
Local
andAzure
authentication.
v2.1.5
- Added module to enumerate domain SPNs (
-e domain
).
v2.1.4
- Fixed minor string formatting issue.
v2.1.3
- Added
-r
flag intoWindows
andLocal
authentication modes so that non-standard TCP ports can be supplied.
v2.1.2
- Improved logic around null connection strings.
v2.1.1
- Removed
Environment.Exit
fromTestAuthentication.cs
.
v2.1
- Created
AgentJobs.cs
. - Created
agentStatus
. - Created
iAgentStatus
. - Created
lAgentStatus
. - Created
agentCmd
. - Created
iAgentCmd
.
v2.0
- Created
clr
. - Created
iEnableClr
. - Created
iDisbleClr
. - Created
iClr
. - Created
iWhoami
. - Created
iMapped
. - Created
iRoles
. - Created
lEnableRpc
. - Created
lDisableRpc
. - Created
lWhoai
. - Created
lEnableXp
. - Created
lDisableXp
. - Created
lEnableOle
. - Created
lDisableOle
. - Created
lEnableClr
. - Created
lDisableClr
. - Created
lXpCmd
. - Created
lXpOle
. - Created
Random.cs
. - Created
EnableDisable.cs
. - Implemented randomly generated assembly names for
clr
. - Implemented randomly generated variable and method names for
ole
. - Rolled
mapped
androles
modules intowhoami
. - Rolled
lMapped
andlRoles
modules intolWhoami
. - Rolled
iMapped
andiRoles
modules intoiWhoami
. - Re-factored complete code base.
v1.2
- Created
lSmb
module. - Created
lWhoami
module. - Created
lRoles
module.
v1.1
- Fixed
oldCmd
module. - Fixed
iOleCmd
module. - Fixed
lDatabases
module. - Fixed
lTables
module. - Cleaned up code base.
- Corrected inconsistencies in help menu.