PySQLRecon - Offensive MSSQL Toolkit Written In Python, Based Off SQLRecon


PySQLRecon is a Python port of the awesome SQLRecon project by @sanjivkawa. See the commands section for a list of capabilities.


Install

PySQLRecon can be installed with pip3 install pysqlrecon or by cloning this repository and running pip3 install .

Commands

All of the main modules from SQLRecon have equivalent commands. Commands noted with [PRIV] require elevated privileges or sysadmin rights to run. Alternatively, commands marked with [NORM] can likely be run by normal users and do not require elevated privileges.

Support for impersonation ([I]) or execution on linked servers ([L]) are denoted at the end of the command description.

adsi                 [PRIV] Obtain ADSI creds from ADSI linked server [I,L]
agentcmd [PRIV] Execute a system command using agent jobs [I,L]
agentstatus [PRIV] Enumerate SQL agent status and jobs [I,L]
checkrpc [NORM] Enumerate RPC status of linked servers [I,L]
clr [PRIV] Load and execute .NET assembly in a stored procedure [I,L]
columns [NORM] Enumerate columns within a table [I,L]
databases [NORM] Enumerate databases on a server [I,L]
disableclr [PRIV] Disable CLR integration [I,L]
disableole [PRIV] Disable OLE automation procedures [I,L]
disablerpc [PRIV] Disable RPC and RPC Out on linked server [I]
disablexp [PRIV] Disable xp_cmdshell [I,L]
enableclr [PRIV] Enable CLR integration [I,L]
enableole [PRIV] Enable OLE automation procedures [I,L]
enablerpc [PRIV] Enable RPC and RPC Out on linked server [I]
enablexp [PRIV] Enable xp_cmdshell [I,L]
impersonate [NORM] Enumerate users that can be impersonated
info [NORM] Gather information about the SQL server
links [NORM] Enumerate linked servers [I,L]
olecmd [PRIV] Execute a system command using OLE automation procedures [I,L]
query [NORM] Execute a custom SQL query [I,L]
rows [NORM] Get the count of rows in a table [I,L]
search [NORM] Search a table for a column name [I,L]
smb [NORM] Coerce NetNTLM auth via xp_dirtree [I,L]
tables [NORM] Enu merate tables within a database [I,L]
users [NORM] Enumerate users with database access [I,L]
whoami [NORM] Gather logged in user, mapped user and roles [I,L]
xpcmd [PRIV] Execute a system command using xp_cmdshell [I,L]

Usage

PySQLRecon has global options (available to any command), with some commands introducing additional flags. All global options must be specified before the command name:

pysqlrecon [GLOBAL_OPTS] COMMAND [COMMAND_OPTS]

View global options:

pysqlrecon --help

View command specific options:

pysqlrecon [GLOBAL_OPTS] COMMAND --help

Change the database authenticated to, or used in certain PySQLRecon commands (query, tables, columns rows), with the --database flag.

Target execution of a PySQLRecon command on a linked server (instead of the SQL server being authenticated to) using the --link flag.

Impersonate a user account while running a PySQLRecon command with the --impersonate flag.

--link and --impersonate and incompatible.

Development

pysqlrecon uses Poetry to manage dependencies. Install from source and setup for development with:

git clone https://github.com/tw1sm/pysqlrecon
cd pysqlrecon
poetry install
poetry run pysqlrecon --help

Adding a Command

PySQLRecon is easily extensible - see the template and instructions in resources

TODO

  • Add SQLRecon SCCM commands
  • Add Azure SQL DB support?

References and Credits



PySQLRecon - Offensive MSSQL Toolkit Written In Python, Based Off SQLRecon PySQLRecon - Offensive MSSQL Toolkit Written In Python, Based Off SQLRecon Reviewed by Zion3R on 8:30 AM Rating: 5