Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/ka7ana/redknifesql

A C# console utility for interacting with MSSQL servers
https://github.com/ka7ana/redknifesql

command-line command-line-tool console console-application csharp dotnet mssql offensive-security osep pen-300 pentesting pentesting-tools red-team sql

Last synced: 8 months ago
JSON representation

A C# console utility for interacting with MSSQL servers

Awesome Lists containing this project

README 

          
# RedknifeSQL



A C# console utility for interacting with MSSQL servers



RedknifeSQL is a simple menu-based console application to aid with pen-testing, specifically whilst dealing with Microsoft SQL servers in an AD environment.



The application prompts the user for the server hostname and database name to connect to. At present, only Windows authentication is supported.



## Command line arguments



The following command line options are supported:



- `--debug` - run RedknifeSQL in debug mode (outputs all SQL queries/statements executed via options)

- `--server` - set the server hostname to connect to on startup (saves having to explicitly connect via option)

- `--db` - set the database name to connect to on startup (saves having to explicitly connect via option)

- `--script` - the path of a text file containing a SQL script to execute against the connected server (requires both `server` and `db` to be provided as args). This is for non-interactive mode.

- `--output` - the path of a file that output will be redirected to. Useful for non-interactive mode.



## Interactive mode



RedknifeSQL interactive mode outputs a numeric menu to the user and loops until the user quits. The options are as follows:



1. `Connect to server` - initiates a connection to a specific server and database - the user is prompted for these values

2. `Get current user information` - Outputs information about the current user database connection - the `SYSTEM_USER` and `USER_NAME()` values, as well as whether the user has the `public` and `sysadmin` roles.

3. `Get impersonatable roles` - gets the MSSQL server principals that can be impersonated by the current user.

4. `Connect to UNC path` - attempts to execute connect to the provided UNC path by executing the `xp_dirtree` procedure. Handy for grabbing NetNTLM hashes.

5. `Set 'EXECUTE AS LOGIN' value` - sets the `EXECUTE AS LOGIN` value

6. `Set 'EXECUTE AS USER' value` - sets the `EXECUTE AS USER` value

7. `Check if xp_cmdshell enabled` - checks whether `xp_cmdshell` is enabled on the server

8. `Set xp_cmdshell status` - attempts to enable/disable `xp_cmdshell` on the connected server. Also enables `show advanced options`. Requires appropriate permissions.

9. `Execute xp_cmdshell` - attempts to execute `xp_cmdshell` on the connected server. Requires `xp_cmdshell` to be enabled, and the appropriate permissions.

10. `Execute cmd via sp_OACreate/sp_OAMethod` - enables `Ole Automation Procedures` and attempts to use `sp_oacreate` to execute `wscript.shell`. Then calls `sp_oamethod` with the user provided shell command.

11. `List TRUSTWORTHY databases` - lists the system databases with the `is_trustworthy_on` flag set to `1` and the owner of the database

12. `Create assembly stored procedure` - uses `CREATE ASSEMBLY` to create a new DLL-based stored procedure for command execution. Enables `show advanced options`, `clr enabled` and disables `clr strict security`.

13. `Execute cmd via assembly stored procedure` - attempts to call the `cmdExecute` stored procedure (created by option `12`) with the user-provided command.

14. `Get linked SQL server info` - get information about the configured linked SQL servers, including usernames, roles and which user has the linked server connection

15. `Call xp_cmdshell on linked server` - attempts to call `xp_cmdshell` on a linked server. Note that this can be chained via serval linked servers by supplying the hostname as a comma-separated string (i.e. hostA,hostB,hostC). This option generates the appropriate `EXEC (...) AT [server]` query depending on the number of hosts supplied. This option also attempts to enable `show advanced options` on the target server.

16. `PrivEsc via callback xp_cmdshell from linked server` - calls `xp_cmdshell` on a linked server to gain priv esc on current server (in cases where current user does not have `xp_cmdshell` permissions on the current server)

17. `Execute SQL Command` - execute an arbitrary SQL command provided by the user. Formats the output as a table.

18. `Get server principals` - lists the `user`, `pricipal_id`, `type_desc` and `default_database_name` from `sys.server_principals`.



### Exiting RedknifeSQL



Entering option value `q`, `quit` or `exit` (irrespective of case) will exit RedknifeSQL and close the current DB connection (if one exists).



## Non-interactive (script mode)



In script mode, RedknifeSQL reads an input file (specified by the `--script` argument) containing SQL statements to execute. Note that the `--server` and `--db` command line args must be supplied in order to specify which server and database to connect to.



Upon connecting to the specified database, RedknifeSQL automatically executes the following options:



- `Get user information` (option 2)

- `Get impersonatable roles` (option 3)

- `Get server principals` (option 18)

- `Check if xp_cmdshell enabled` (option 7)

- `List TRUSTWORTHY databases` (option 11)

- `Get linked SQL server info` (option 14)



Once these options have been executed, RedknifeSQL attempts to execute the script/statements as specified in the `--script` argument. 



## RedknifeSQL as an InstallUtil Uninstall



RedknifeSQL can also be run as an InstallUtil Uninstall process, i.e.:



```

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\path\to\RedknifeSQL.exe

```



When run as an uninstaller, you can provide the arguments to RedknifeSQL as a text file named `RedknifeSQL.txt` (located in the same directory as `RedknifeSQL.exe`) - these will be parsed and passed to RedknifeSQL as if they had been specified at the command line directly.



**Quick note**: when running as an uninstaller, the presence of RedknifeSQL.txt is required. However, if no args are specified in the file, RedknifeSQL will drop into interactive mode, which is quite handy :). I should get round to fixing this i.e. allow it to drop into interactive mode by default if no RedknifeSQL.txt file present.