How to Use the Command 'nxc mssql' (with Examples)
The nxc mssql command is a versatile utility designed to perform penetration testing and exploit Microsoft SQL servers. It allows users to execute various operations on MSSQL servers, including credential abuse, SQL query executions, and file transfers. This command is often used by security researchers to identify vulnerabilities, assess server integrity, and ensure robust database security. More information can be found at the NetExec Wiki.
Use case 1: Searching for Valid Credentials
Code:
nxc mssql 192.168.178.2 -u path/to/usernames.txt -p path/to/passwords.txt
Motivation:
This use case is particularly useful for penetration testers who need to verify the strength of the login credentials used by a server. By attempting every combination of usernames and passwords from specified lists, one can identify weak or default credentials that may pose a security risk.
Explanation:
192.168.178.2: The IP address of the target MSSQL server.
-u path/to/usernames.txt: Path to a text file containing a list of potential usernames to try.
-p path/to/passwords.txt: Path to a text file containing a list of potential passwords to try.
Example Output:
[+] Found valid credentials: user: admin, pass: admin123
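Seen from the server side, the credential search above leaves a burst of failed logins from one client in the SQL Server error log, and a later success from that client points at a guessed password. The following detector is an added example, not part of the original page or of NetExec. Assumptions: the log lines are constructed samples, login auditing records both failed and successful logins, and the function name and thresholds are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of the SQL Server error log (not real data).
SAMPLE_LOG = """\
2024-05-01 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:02.05 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:02.60 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:03.20 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.50]
2024-05-01 10:15:03.90 Logon       Login succeeded for user 'admin'. Connection made using SQL Server authentication. [CLIENT: 192.168.178.50]
2024-05-01 11:02:17.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.178.77]
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_guessing(log_text, window=timedelta(minutes=5), min_failures=5, min_users=2):
    """Flag clients with >= min_failures failed logins over >= min_users accounts
    inside one window, and list accounts that then logged in successfully."""
    fails, oks = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        (fails if m["result"] == "failed" else oks)[m["client"]].append((ts, m["user"]))
    alerts = {}
    for client, rows in fails.items():
        rows.sort()
        start = 0
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in rows[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_users:
                # Burst confirmed: a success at or after its start is a likely guessed credential.
                first = rows[start][0]
                guessed = sorted({u for t, u in oks[client] if t >= first})
                alerts[client] = {"failures": len(rows),
                                  "users": sorted({u for _, u in rows}), "guessed": guessed}
                break
    return alerts
```

The single failure from 192.168.178.77 stays below the thresholds, so an ordinary mistyped password is not reported.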
Use case 2: Executing an SQL Query
Code:
nxc mssql 192.168.178.2 -u username -p password --query 'SELECT * FROM sys.databases;'
Motivation:
Executing SQL queries directly on the server is crucial for understanding the databases hosted on it. This use case is especially beneficial for IT professionals needing to audit databases or troubleshoot database-related issues.
Explanation:
192.168.178.2: The target server’s IP address.
-u username: A valid username for authentication.
-p password: The corresponding password to the username.
--query 'SELECT * FROM sys.databases;': SQL query to retrieve information about all databases present on the server.
Example Output:
Database_ID Database_Name
1 master
2 tempdb
3 model
4 msdb
Use case 3: Executing a Shell Command
Code:
nxc mssql 192.168.178.2 -u username -p password -x whoami
Motivation:
Executing shell commands is essential for comprehensive server diagnostics and security assessments. This functionality allows you to leverage MSSQL’s capabilities to execute system-level commands, providing deeper insight into the server environment.
Explanation:
192.168.178.2: The specific IP address of the MSSQL server.
-u username: Authorized username for log-in.
-p password: Matching password for the designated username.
-x whoami: Shell command to determine the current user context under which SQL server services are being executed.
Example Output:
mssqlserviceaccount
Use case 4: Running a PowerShell Command without Output
Code:
nxc mssql 192.168.178.2 -u username -p password -X whoami --no-output
Motivation:
Running PowerShell commands silently can be necessary when the goal is to modify configurations or execute scripts without cluttering your CLI with unnecessary output. This is particularly useful in scenarios where you want to focus on backend processing rather than immediate results.
Explanation:
192.168.178.2: IP address targeting the MSSQL server.
-u username: Designated username for connecting to the server.
-p password: Password linked to the username.
-X whoami: PowerShell command to be executed.
--no-output: Option to suppress command output to prevent information display in the terminal.
Example Output:
(No stdout output displayed)
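Use cases 3 and 4 both run operating-system commands through SQL Server, which normally goes through xp_cmdshell, an option that is disabled by default and whose changes are written to the error log whether or not the caller collects output. The following is an added example, not part of the original page or of NetExec, that reports how long such an option stayed enabled. Assumptions: the log lines are constructed samples, and the function name and the set of watched options are illustrative.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of the SQL Server error log (not real data).
SAMPLE_LOG = """\
2024-05-01 10:16:10.02 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:16:10.31 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:16:12.87 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-05-01 10:16:13.05 spid61      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-05-03 02:00:00.00 spid12s     Configuration option 'max server memory (MB)' changed from 4096 to 8192. Run the RECONFIGURE statement to install.
"""

# Options that open a path from T-SQL to the operating system (illustrative watch list).
RISKY = {"xp_cmdshell", "Ole Automation Procedures"}

CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def risky_enable_windows(log_text):
    """Return one record per period in which a RISKY option was switched on,
    with the seconds it stayed enabled (None if it was never switched off)."""
    open_since, windows = {}, []
    for line in log_text.splitlines():
        m = CHANGE.match(line)
        if not m or m["opt"] not in RISKY:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if m["old"] == "0" and m["new"] == "1":
            open_since[m["opt"]] = (ts, m["spid"])
        elif m["new"] == "0" and m["opt"] in open_since:
            start, spid = open_since.pop(m["opt"])
            windows.append({"option": m["opt"], "spid": spid, "enabled_at": start,
                            "seconds": round((ts - start).total_seconds(), 2)})
    # Anything still open at the end of the log is the case to look at first.
    for opt, (start, spid) in open_since.items():
        windows.append({"option": opt, "spid": spid, "enabled_at": start, "seconds": None})
    return windows
```

An enable followed seconds later by a disable on the same session is worth correlating with the login events for that client, since routine administration rarely toggles the option that quickly.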
Use case 5: Downloading a Remote File
Code:
nxc mssql 192.168.178.2 -u username -p password --get-file C:\path\to\remote_file path/to/local_file
Motivation:
Downloading files from a remote server is often required during security assessments for further analysis or when backing up essential data. This option allows one to seamlessly transfer files from the MSSQL server to a local directory.
Explanation:
192.168.178.2: The IP address of the server holding the target file.
-u username: Used for server login authentication.
-p password: The password for the login attempt.
--get-file C:\path\to\remote_file: Specifies the file to be downloaded from the server.
path/to/local_file: Destination path on the local machine where the file will be stored.
Example Output:
[+] File downloaded successfully to path/to/local_file
Use case 6: Uploading a Local File
Code:
nxc mssql 192.168.178.2 -u username -p password --put-file path/to/local_file C:\path\to\remote_file
Motivation:
Uploading files to a server can be essential for installing scripts or delivering updates. This feature permits easy transfer of necessary files from your local environment to the target MSSQL server as required for operational needs or specific security tests.
Explanation:
192.168.178.2: Target server’s IP to which the file is to be sent.
-u username: The username for server access.
-p password: Corresponding password for the server account.
--put-file path/to/local_file: Specifies the local file to be uploaded.
C:\path\to\remote_file: Path where the file will be saved on the server.
Example Output:
[+] File uploaded successfully to C:\path\to\remote_file
Conclusion:
The nxc mssql command is a critical tool for cybersecurity professionals seeking to thoroughly test and exploit MS SQL servers. From verifying credential strength to executing administrative commands and managing files, it serves a range of purposes that can enhance security analysis and system management. Proper utilization of nxc mssql empowers teams to defend against potential threats and maintain robust database fortifications.