MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
Usage examples of MSDAT:
- You have a Microsoft database listening remotely and you want to find valid credentials in order to connect to the database
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)
Tested on Microsof SQL database 2005, 2008 and 2012.
Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (ex: database version) of a MSSQL database without to be authenticated
- search MSSQL accounts with a dictionnary attack
- test each login as password (authentication required)
- get a windows shell on the database server with
- xp_cmdshell
- download files remotely with:
- OLE Automation
- bulkinsert
- openrowset
- upload files on the server with:
- OLE Automation
- openrowset
- capture a SMB authentication thanks to:
- bulkinsert
- openrowset
- xp_dirtree
- xp_fileexist
- xp-getfiledetails
- steal MSSQL hashed password, on an any MSSQL version
- scan ports through the database:
- openrowset
- execute SQL requests on a remote MSSQL server trough the database (target) with:
- bulkinsert
- openrowset
- list files/directories with:
- xp_subdirs
- xp_dirtree
- list drives/medias with:
- xp_fixeddrives
- xp_availablemedia
- create folder with:
- xp_create_subdir
Installation
Some dependancies must be installed in order to run MSDAT.
In ubuntu:
sudo apt-get install freetds-dev
or download freetds on http://www.freetds.org/
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete
Add “use ntlmv2 = yes” in your freetds configuration file (ex: /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:
[global]
# TDS protocol version
tds version = 8.0
use ntlmv2 = yes
