MSSQL Linked Servers
Discover and execute MSSQL queries and system commands on linked MSSQL servers using NetExec
MSSQL linked servers let a database instance establish a trusted connection to another database, including across domain or forest trusts, so that users can query data and execute commands on remote databases.
Find Linked Servers
The enum_links module queries the database to enumerate configured MSSQL linked servers.
nxc mssql <ip> -u user -p password -M enum_links
MSSQL <ip> 1433 FQDN [*] Windows 10 / Server 2019 Build 17763 (name:FQDN) (domain:FQDN.local) (EncryptionReq:False)
MSSQL <ip> 1433 FQDN [+] FQDN\user:password
ENUM_LINKS <ip> 1433 FQDN [+] Linked servers found:
ENUM_LINKS <ip> 1433 FQDN [*] - BRAAVOS
ENUM_LINKS <ip> 1433 FQDN [*] - FQDN\SQLEXPRESS
Execute MSSQL Queries on a Linked Server
Execute an MSSQL query specified in the COMMAND argument on the linked server specified in LINKED_SERVER.
nxc mssql <ip> -u user -p password -M exec_on_link -o LINKED_SERVER=BRAAVOS COMMAND='select @@servername'
MSSQL <ip> 1433 FQDN [*] Windows 10 / Server 2019 Build 17763 (name:FQDN) (domain:FQDN.local) (EncryptionReq:False)
MSSQL <ip> 1433 FQDN [+] FQDN\user:pass (Pwn3d!)
EXEC_ON_LINK <ip> 1433 FQDN [*] Command output: [{'': 'BRAAVOS\\SQLEXPRESS'}]
Enable xp_cmdshell on a Linked Server
Enable xp_cmdshell on the linked server to allow execution of system commands.
Command Execution on a Linked Server
Execute system commands on the linked server using xp_cmdshell.
Don't forget to disable xp_cmdshell in production!
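Audit queries for the instance owner, added here as an example (not NetExec code and not part of the original page): they list the linked servers that enum_links would report, show how logins are mapped across each link, check whether xp_cmdshell is enabled, and turn it back off. They use only SQL Server catalog views and sp_configure; run them on each instance, including the linked one, with a login that can view server-level metadata.

```sql
-- 1) Linked servers defined on this instance and the settings that
--    decide what a caller can do across each link.
SELECT s.name        AS linked_server,
       s.provider,
       s.data_source,
       s.is_data_access_enabled,   -- distributed queries across the link allowed
       s.is_rpc_out_enabled,       -- EXEC ... AT [link] allowed
       s.modify_date
FROM sys.servers AS s
WHERE s.is_linked = 1
ORDER BY s.name;

-- 2) Login mappings per link. local_principal_id = 0 is the default mapping
--    that applies to every login without an explicit entry. A row with
--    uses_self_credential = 0 and a remote_name means callers arrive on the
--    remote side as that fixed account, whatever their local privileges are.
SELECT s.name AS linked_server,
       COALESCE(p.name, '<default: all other logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.linked_logins AS ll
JOIN sys.servers AS s
  ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS p
  ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 3) Current xp_cmdshell state on this instance (1 = enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4) Disable xp_cmdshell again after testing.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Links that combine is_rpc_out_enabled = 1 with a fixed remote_name mapped to a privileged remote login are the ones to review first.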

