SQLRecon is a Microsoft SQL Server toolkit that is designed for offensive reconnaissance and post-exploitation. For detailed information on how to use each technique, refer to the wiki.
You can download a copy of SQLRecon from the releases page. Alternatively, feel free to compile the solution yourself. This should be as straight forward as cloning the repo, double clicking the solution file and building.
Prevention, detection and mitigation guidance has also been provided for all you defenders out there.
Check out my blog post on the IBM Security Intelligence website. If you prefer videos, then check out my presentation at Black Hat.
Enumeration Modules do not require an authentication provider to be supplied. These modules must be passed into the enumeration module flag (/e:, /enum:
). The wiki has details on using enumeration modules.
Info - Show information about the SQL server.
/h:, /host -> SQL server hostname or IP. Multiple hosts supported.
/port: -> (OPTIONAL) Defaults to 1434 (UDP).
/t:, timeout: -> (OPTIONAL) Defaults to 3s.
SqlSpns - Use the current user token to enumerate the AD domain for MSSQL SPNs.
/d:, /domain: -> (OPTIONAL) NETBIOS name or FQDN of domain.
SQLRecon supports a diverse set of authentication providers (/a:, /auth:
) to enable interacting with a Microsoft SQL Server.
WinToken - Use the current users token to authenticate against the SQL database
/h:, /host: -> SQL server hostname or IP
WinDomain - Use AD credentials to authenticate against the SQL database
/h:, /host: -> SQL server hostname or IP. Multiple hosts supported.
/d:, /domain: -> NETBIOS name or FQDN of domain.
/u:, /username: -> Username for domain user.
/p:, /password: -> Password for domain user.
Local - Use local SQL credentials to authenticate against the SQL database
/h:, /host: -> SQL server hostname or IP. Multiple hosts supported.
/u:, /username: -> Username for local SQL user.
/p:, /password: -> Password for local SQL user.
EntraID - Use Azure EntraID credentials to authenticate against the Azure SQL database
/h:, /host: -> SQL server hostname or IP. Multiple hosts supported.
/d:, /domain: -> FQDN of domain (DOMAIN.COM).
/u:, /username: -> Username for domain user.
/p:, /password: -> Password for domain user.
AzureLocal - Use local SQL credentials to authenticate against the Azure SQL database
/h:, /host: -> SQL server hostname or IP. Multiple hosts supported.
/u:, /username: -> Username for local SQL user.
/p:, /password: -> Password for local SQL user.
- Hosts: The host flag (
/h:, host:
) is required and allows one or more SQL servers. If you want to execute a module against multiple SQL servers, separate the hosts with a comma, for example/h:SQL01,10.10.10.2,SQL03
. - Database: SQLRecon connects to the
master
database by default, however, this can be optionally changed by supplying a custom database name via the database (/database:
) flag. - Debug: The
/debug
flag is optional and displays all SQL queries that are executed by a module, without actually executing them on the remote host(s). An example of this can be found in the wiki. - Port: In some cases, a Microsoft SQL Server may not be listening on a standard TCP port. Some examples are Microsoft SQL Server failover clustering, or dynamic TCP ports. SQLRecon connects to databases via TCP Port
1433
by default, however, this can be optionally changed using the/port:
flag. - Timeout: The default SQL database connection time is
3
seconds, however, this value can be optionally changed by supplying a timeout value (/t:, /timeout:
) which corresponds to the number of seconds before terminating the connection attempt. - Verbose: The
/v, /verbose
flag is optional and displays all SQL queries that are executed by a module before executing them on the remote host(s). An example of this can be found in the wiki.
Please note that the EntraID
authentication provider requires that the Azure Active Directory Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) exists on the system SQLRecon is executed from. This is for Azure EntraID authentication and authorization functionality.
SQL modules are executed against one or more instance of Microsoft SQL server. These modules must be passed into the module flag (/m:, /module:
).
Module Name | Description | Impersonation | Linked Execution | Linked Chain Execution | Requires Privileged Context |
---|---|---|---|---|---|
CheckRpc |
Obtain a list of linked servers and their RPC status. | ✅ | ✅ | ✅ | ❎ |
Databases |
Display all databases. | ✅ | ✅ | ✅ | ❎ |
Impersonate |
Enumerate user accounts that can be impersonated. | ✅ | ✅ | ✅ | ❎ |
Info |
Show information about the SQL server. | ✅ | ✅ | ✅ | ❎ |
Links |
Enumerate linked SQL servers. | ✅ | ✅ | ✅ | ❎ |
Users |
Display what user accounts and groups can authenticate against the database. | ✅ | ✅ | ✅ | ❎ |
Whoami |
Display your privileges. | ✅ | ✅ | ✅ | ❎ |
Query /c:QUERY |
Execute a SQL query. | ✅ | ✅ | ✅ | ❎ |
Smb /unc:UNC_PATH |
Capture NetNTLMv2 hash. | ✅ | ✅ | ✅ | ❎ |
Columns /db:DATABASE /table:TABLE |
Display all columns in the supplied database and table. | ✅ | ✅ | ✅ | ❎ |
Rows /db:DATABASE /table:TABLE |
Display the number of rows in the supplied database table. | ✅ | ✅ | ✅ | ❎ |
Search /keyword:KEYWORD |
Search column names in the supplied table of the database you are connected to. | ✅ | ✅ | ✅ | ❎ |
Tables /db:DATABASE |
Display all tables in the supplied database. | ✅ | ✅ | ✅ | ❎ |
EnableRpc /rhost:LINKED_HOST |
Enable RPC and RPC out on a linked server. | ✅ | ❌ | ❌ | ✔️ |
EnableClr |
Enable CLR integration. | ✅ | ✅ | ✅ | ✔️ |
EnableOle |
Enable OLE automation procedures. | ✅ | ✅ | ✅ | ✔️ |
EnableXp |
Enable xp_cmdshell. | ✅ | ✅ | ✅ | ✔️ |
DisableRpc /rhost:LINKED_HOST |
Disable RPC and RPC out on a linked server. | ✅ | ❌ | ❌ | ✔️ |
DisableClr |
Disable CLR integration. | ✅ | ✅ | ✅ | ✔️ |
DisableOle |
Disable OLE automation procedures. | ✅ | ✅ | ✅ | ✔️ |
DisableXp |
Disable xp_cmdshell. | ✅ | ✅ | ✅ | ✔️ |
AgentStatus |
Display if SQL agent is running and obtain agent jobs. | ✅ | ✅ | ✅ | ✔️ |
AgentCmd /c:COMMAND |
Execute a system command using agent jobs. | ✅ | ✅ | ✅ | ✔️ |
Adsi /adsi:SERVER_NAME /lport:LOCAL_PORT |
Obtain cleartext ADSI credentials from a linked ADSI server. | ✅ | ✅ | ✅ | ✔️ |
Clr /dll:DLL /function:FUNCTION |
Load and execute a .NET assembly in a custom stored procedure. | ✅ | ✅ | ✅ | ✔️ |
OleCmd /c:COMMAND /subsystem:(OPTIONAL) |
Execute a system command using OLE automation procedures. | ✅ | ✅ | ✅ | ✔️ |
XpCmd /c:COMMAND |
Execute a system command using xp_cmdshell. | ✅ | ✅ | ✅ | ✔️ |
The host flag (/h:, host:
) is required and allows one or more SQL servers. If you want to execute a module against multiple SQL servers, separate the hosts with a comma, for example /h:SQL01,10.10.10.2,SQL03
.
The wiki has details on using each module which supports execution on one or more instance of SQL Server.
Impersonation modules are executed against one or more instances of Microsoft SQL server, under the context of an impersonated SQL user. All impersonation modules have the following minimum requirements:
- An impersonation user must be specified (
/i:, /iuser:
). - A module which supports impersonation must be specified (
/m:, /module:
).
The wiki has details on using each module which supports execution using Impersonation.
Linked modules are executed on one or more instances of a linked Microsoft SQL server. All linked modules have the following minimum requirements:
- A linked SQL server must be specified (
/l:, /link:
). The link flag allows one or more linked SQL servers. For example, if SQL01 has a link to SQL02, and SQL01 has a link to DB04, you can separate the linked hosts with a comma, and a module will be executed on each linked SQL server, for example/l:SQL02,DB04
. - A module which supports linked execution must be specified (
/m:, /module:
).
The wiki has details on using each module which supports execution on one or more instance of a Linked SQL Server.
Linked chain modules are executed on the final Microsoft SQL server in a linked server chain. All linked chain modules have the following minimum requirements:
- A linked SQL server chain must be specified in the
/l:, /link:
flag. If SQL01 has a link to SQL02, and SQL02 has a link to PAYMENTS01, and you want to execute a module on PAYMENTS01, then the argument would be/l:SQL02,PAYMENTS01
. - The
/chain
flag must be included to execute the module against the final SQL server in the supplied linked chain. - A module which supports linked chain execution must be specified (
/m:, /module:
).
The wiki has details on using each module which supports execution on the final SQL server supplied in a Linked SQL Server Chain.
SQLRecon has several modules that can assist with enumerating and attacking Microsoft System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager (ECM). The SCCM or ECM server will need to have a Microsoft SQL database exposed either locally or remotely.
SCCM modules must be passed into the SCCM module flag (/s:, /sccm:
).
Most of the SCCM modules can be executed under the context of an impersonated SQL user (/i:, /iuser:
).
The wiki has details on using each module against an SCCM/ECM database.
Module Name | Description | Impersonation | Requires Privileged Context |
---|---|---|---|
Users |
Display all SCCM users. | ✅ | ❎ |
Sites |
Display all other sites with data stored. | ✅ | ❎ |
Logons |
Display all associated SCCM clients and the last logged in user. | ✅ | ❎ |
Credentials |
Display encrypted credentials vaulted by SCCM. | ✅ | ❎ |
TaskList |
Display all task sequences, but do not access the task data contents. | ✅ | ❎ |
TaskData |
Decrypt all task sequences to plaintext. | ✅ | ❎ |
DecryptCredentials |
Decrypt an SCCM credential blob. Must execute in a high-integrity or SYSTEM process on the SCCM server. | ❌ | ✔️ |
AddAdmin /user:DOMAIN\USERNAME /sid:SID |
Elevate a supplied account to a 'Full Administrator' in SCCM. | ✅ | ✔️ |
RemoveAdmin /user:ADMIN_ID /remove:STRING |
Removes privileges of a user, or remove a user entirely from the SCCM database. | ✅ | ✔️ |
SCCM Modules - Additional Details
- The
Users
module lists all users in theRBAC_Admins
table. These are all users configured for some level of access to SCCM. - The
Sites
module lists all other sites with data stored in the SCCM databases'DPInfo
table. This can provide additional attack avenues as different sites can be configured in different (insecure) ways. - The
Logons
module queries theComputer_System_DATA
table to retrieve all associated SCCM clients along with the user that last logged into them. NOTE: This only updates once a week by default and will not be 100% up to date. Use/option:
as an optional (not required) argument to filter SCCM clients. - The
TaskList
module provides a list of all task sequences stored in the SCCM database, but does not access the actual task data contents. - The
TaskData
module recovers all task sequences stored in the SCCM database and decrypts them to plaintext. Task sequences can contain credentials for joining systems to domains, mapping shares, running commands, etc. - The
Credentials
module lists credentials vaulted by SCCM for use in various functions. These credentials can not be remotely decrypted as the key is stored on the SCCM server. However, this module provides intel on if it makes sense to attempt to obtain the key. - The
DecryptCredentials
module attempts to decrypt recovered SCCM credential blobs. This module must be ran in a high-integrty or SYSTEM process on an SCCM server. - The
AddAdmin
module elevates the specified account to a 'Full Administrator' within SCCM. If target user is already an SCCM user, this module will instead add necessary privileges to elevate. Provide two arguments, either/user:current /sid:current
if seeking to add the user currently executing the SQLRecon process as a 'Full Administrator' in SCCM. If seeking to add another user as a 'Full Administrator' in SCCM, specify their domain user name and full SID/user:DOMAIN\USERNAME /sid:S-1-5-...
. This module require sysadmin or similar privileges as writing to SCCM database tables is required. - The
RemoveAdmin
module removes the privileges of a user by removing a newly added user entirely from the SCCM database. If the user already existed in some capacity this module just removes the three roles that were added to the account via writes to the permission table. Use the arguments provided by output of thesAddAdmin
command to run this command. This module require sysadmin or similar privileges as writing to SCCM database tables is required.
If you are interested in extending SQLRecon, please refer to the contributing and extending section in the wiki.
I encourage you to open an issue if you have any suggestions or ideas.
The goal is to continuously improve SQLRecon. Listed below are some planned research areas:
- Implement support for NTLM hash-based authentication.
- Explore enablerpc/disablerpc functionalities for linked and link chained SQL servers.
The following people have contributed either directly or indirectly to various aspects of SQLRecon.
- Adam Chester (xpn)
- Azaël Martin (n3rada)
- Daniel Duggan (rasta-mouse)
- Dave Cossa (G0ldenGunSec)
- Dwight Hohnstein (djhohnstein)
- Joshua Magri (passthehashbrowns)
v3.9
- Added databases that the user has access to in the
whoami
module (JBalanza). - Corrected an issue in the
adsi
module where the LDAP server does not need to be added to the msdb database, also the created function is now dropped properly. - Corrected an issue where RPC queries that have an AT statement fail on the destination server if the supplied hostname is a FQDN.
- Updated README.
- Updated Wiki.
v3.8
- Added logic to support the execution of CLR assemblies on SQL Server 2016 and below. This is for the clr module. Execution supported in all contexts.
- Added logic to load a LDAP server CLR assembly on SQL Server 2016 and below. This is for the adsi module. Execution supported in all contexts.
- Updated README.
- Updated Wiki.
v3.7
- Complete refactor of code base.
- Updated documentation (code comments, README, and wiki)
- Execution against a linked SQL server chain. For example, if
SQL01
has a link toSQL02
, andSQL02
, has a link toSQL03
, andSQL03
, has a link toPAYMENTS01
. It is now possible to execute commands fromSQL01
onPAYMENTS01
using the linked server chain (/link:SQL02,SQL03,PAYMENTS01 /chain
). Credit to Azaël Martin (n3rada). - Removed '
l
' and 'i
' modules, and introduced context logic so module names can be the same across standard, impersonation, linked and chained execution. - Added chain support to all linked modules.
- Added support for debug (
/debug
), which will display various debugging information and all SQL queries that will be executed by a module, without executing them. - Added verbose (
/verbose, /v
), which will display all SQL queries that will be executed during module execution. - Added timeout (
/timeout, /t
), which takes an integer value for SQL server database connection timeout. - Improved
links
module to include detailed information. Credit to Azaël Martin (n3rada). - Improved
whoami
module to include Windows principals and database users. Credit to Azaël Martin (n3rada). - Improved
impersonation
module to include Windows principals and database users. Credit to Azaël Martin (n3rada). - Added IP address retrieval into the
sqlspns
enumeration module. Credit to Azaël Martin (n3rada). - Standardized console output to markdown where applicable. Credit to Azaël Martin (n3rada).
- Added DNS support to
/enum:info
module. - Added optional
/subsystem
argument to theolecmdexec
module, which accepts execution using theCmdExec
orPowerShell
OLE automation subsystems. - Updated test harnesses to reflect CLI changes and new modules.
- Changed
AzureAD
authentication toEntraID
.
v3.6
- Execution against multiple SQL servers supplied in the
/host
or/h
flag is now supported using comma separated values. - Execution against multiple linked SQL servers supplied in the
/link
or/l
flag is now supported using comma separated values. - Changed
/lhost
to/link
. - Removed '
s
' modules and created the/s
,/sccm
switch for SCCM modules. - Added impersonation support to all SCCM modules, with the exception of
DecryptCredentials
. - Added a new enumeration (
/enum
) module calledinfo
which is able to used an unauthenticated context to obtain SQL server information, including instance name and TCP port using the UDP protocol. - Moved argument logic into individual methods within
ModuleHandler.cs
to promote simplification and extensibility. - Moved all SQL queries to
Queries.cs
. - Created
EnumerationModules.cs
. - Created
FormatQuery.cs
. - Created
SccmModules.cs
. - Renamed
ModuleHandler.cs
toSqlModules.cs
.
v3.5
- Bug fix where linked
adsi
execution was not removing the LDAP server. - Removed agent job execution from linked
adsi
, in favor of openquery/rpc. - Changed
/lhost
to/adsi
in inadsi
module. - Changed
/rhost
to/unc
insmb
module. - Removed
CaptureHash.cs
and simplified logic. - Removed
SetEnumerationType.cs
and simplified logic. - Renamed
Impersonation.cs
toImpersonate.cs
. - Renamed
OleCmdExec.cs
toOleAutomation.cs
. - Renamed
PrintUtils.cs
toPrint.cs
. - Renamed
SQLServerInfo.cs
toInfo.cs
.
v3.4
- Added impersonation support for
smb
module. - Added impersonation support for
info
module. - Added linked support for
info
module.
v3.3
- Created
rows
,iRows
andlRows
modules. - Updated
sLogons
to include an optional filter. - Bug fix where
xp_cmdshell
modules were not printing command output to console. - Cleaned up Help menu.
v3.2
- Command line argument parsing overhaul.
- Updated README, test cases and wiki with new examples.
- Reworked enumeration and authentication based argument parsing.
- Created
SetEnumerationType.cs
. - Changed enumeration module
domain
toSqlSpns
.
v3.1
- Changed
SetAuthenticationType.cs
constructor to a new method calledEvaluateAuthenticationType
. - Created
CreateSqlConnectionObject
inSetAuthenticationType.cs
which extends SQLRecon to support multiple simultaneous SQL connection objects. - Created
ADSI.cs
, which incorporates ADSI credential attacks as described here. - Created
adsi
,iAdsi
, andlAdsi
modules. - Created
lLinks
andiLinks
modules. - Updated README, test cases and wiki with new examples.
v3.0
- Implemented error checking for non-existant impersonated users.
- Created
ExecuteImpersonationQuery
andExecuteImpersonationCustomQuery
. - Deleted
Impersonate.cs
- Added
checkRpc
module. - Added
iCheckRpc
module. - Added
lCheckRpc
module. - Reworked SCCM modules.
- Reworked SCCM argument parsing.
- Camel cased commands in help menu for easier reading.
- Updated tests with new modules.
v2.9
- Renamed
EnableDisable.cs
toConfigureOptions.cs
- Overhauled advanced option configurations.
- Implemented RPC error checking wherever
ExecuteLinkedCustomQueryRpcExec
is called.
v2.8
- Created
PrintUtils.cs
, which implements a print class for standardized output. - Moved
TablePrinter
fromHelp.cs
toPrintUtils.cs
. - Standardized print formatting for all console output using the
PrintUtils
class. - Changed access modifiers for classes and class variables.
- Added check to see if result is empty for:
query
search
tables
lColumns
lQuery
lSearch
lTables
iColumns
iQuery
iSearch
- Signifiant reliability and functionality testing against all authentication providers and modules.
v2.7
- Changed
Azure
authentication toAzureAD
. - Created
AzureLocal
authentication. - Added
disableRpc
module. - Added
enableRpc
module. - Added
iEnableRpc
module. - Added
iDisableRpc
module. - Removed
lEnableRpc
module. - Removed
lDisbleRpc
module. - Updated tests with new modules.
v2.6.1
lAgentCmd
bug fixes.- Fixed
clr
,iClr
andlClr
stability by usingSqlCommand.ExecuteNonQuery
when creating the stored procedure. - Fixed
lClr
bug where it was not removing created assemblies or stored procedures.
v2.6
- Added
columns
module. - Added
iColumns
module. - Added
iDatabases
module. - Added
iSearch
module. - Added
iTables
module. - Added
lColumns
module. - Added
lSearch
module.
v2.5
- Various bug fixed in the SCCM modules.
- Organized the help menu using a table.
- Improved the output provided by
ExecuteLinkedCustomQueryRpcExec
. - Improved code commenting through out.
- Improved consistency of method names across command execution functions.
- Improved modularity through better use of object oriented programming.
- Changed custom SQL server port flag to
x
. - Moved
Random.cs
intoutilities
directory. - Standardized the printing style to make it more consistent across all modules.
- Created standard, impersonation and linked test harnesses.
v2.4
- Changed
Windows
authentication toWinToken
. - Created
WinDomain
authentication, which uses AD domain username and password for authentication via impersonation. Check outImpersonation.cs
. - Reworked argument parsing and handling across
ArgumentLogic.cs
,SQLAuthentication.cs
andModuleHandler.cs
. ModuleHandler.cs
no longer uses a massive if/else if/else statement to execute modules. Instead, reflection is now used to call methods matching command modules names.- Added
commands
directory, which has global variables that are used throughout the program. - Rolled all authentication providers into
SQLAuthentication.cs
. - Moved argument parsing from
Program.cs
toArgumentLogic.cs
. - Removed the
authentication
directory. - Changed code style to better follow Microsoft's C#/.NET style code style guide.
- Changed
Help.cs
from a method into a constructor. - Changed
CaptureHash.cs
from a method into a constructor. - Changed
Impersonate.cs
from a method into a constructor. - Re-factored complete code base.
v2.3
- Added SCCM functionality.
- Added SCCM modules, which can be executed using the
sccm
command. - Fixed checking RPC status on linked SQL servers.
- Added the capability to download .NET assemblies via HTTP/S.
v2.2
- Expanded roles which are queried in the
roles
,iRoles
andlRoles
modules. - Created
users
,iUsers
andlUsers
modules. - Fixed hash not being dropped from
sp_drop_trusted_assembly
inclr
andiClr
modules. - Created
lAgentCmd
module. - Created
lClr
module.
v2.1.6
- Added
info
module. - Corrections in help menu.
- Resolved issues with mandatory arguments with
Local
andAzure
authentication.
v2.1.5
- Added module to enumerate domain SPNs (
-e domain
).
v2.1.4
- Fixed minor string formatting issue.
v2.1.3
- Added
-r
flag intoWindows
andLocal
authentication modes so that non-standard TCP ports can be supplied.
v2.1.2
- Improved logic around null connection strings.
v2.1.1
- Removed
Environment.Exit
fromTestAuthentication.cs
.
v2.1
- Created
AgentJobs.cs
. - Created
agentStatus
. - Created
iAgentStatus
. - Created
lAgentStatus
. - Created
agentCmd
. - Created
iAgentCmd
.
v2.0
- Created
clr
. - Created
iEnableClr
. - Created
iDisbleClr
. - Created
iClr
. - Created
iWhoami
. - Created
iMapped
. - Created
iRoles
. - Created
lEnableRpc
. - Created
lDisableRpc
. - Created
lWhoai
. - Created
lEnableXp
. - Created
lDisableXp
. - Created
lEnableOle
. - Created
lDisableOle
. - Created
lEnableClr
. - Created
lDisableClr
. - Created
lXpCmd
. - Created
lXpOle
. - Created
Random.cs
. - Created
EnableDisable.cs
. - Implemented randomly generated assembly names for
clr
. - Implemented randomly generated variable and method names for
ole
. - Rolled
mapped
androles
modules intowhoami
. - Rolled
lMapped
andlRoles
modules intolWhoami
. - Rolled
iMapped
andiRoles
modules intoiWhoami
. - Re-factored complete code base.
v1.2
- Created
lSmb
module. - Created
lWhoami
module. - Created
lRoles
module.
v1.1
- Fixed
oldCmd
module. - Fixed
iOleCmd
module. - Fixed
lDatabases
module. - Fixed
lTables
module. - Cleaned up code base.
- Corrected inconsistencies in help menu.