SQLRecon is a Microsoft SQL Server toolkit that is designed for offensive reconnaissance and post-exploitation.

For detailed information on how to use each technique, refer to the wiki.

You can download a copy of SQLRecon from the releases page. Alternatively, feel free to compile the solution yourself.

This should be as straight forward as cloning the repo, double clicking the solution file and building.

Prevention, detection and mitigation guidance has also been provided for all you defenders out there.

Check out my blog post on the IBM Security Intelligence website. If you prefer videos, then check out my presentation at Black Hat.

Enumeration Modules

Enumeration Modules do not require an authentication provider to be supplied. These modules must be passed into the enumeration module flag (/e:, /enum:).

Info    - Show information about the SQL server.
          /h:, /host    -> SQL server hostname or IP. Multiple hosts supported.
          /port:        -> (OPTIONAL) Defaults to 1434 (UDP).
          /t:, timeout: -> (OPTIONAL) Defaults to 3s.

SqlSpns - Use the current user token to enumerate the AD domain for MSSQL SPNs.
          /d:, /domain: -> (OPTIONAL) NETBIOS name or FQDN of domain.

Authentication Providers

SQLRecon supports a diverse set of authentication providers (/a:, /auth:) to enable interacting with a Microsoft SQL Server.

WinToken   - Use the current users token to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP

WinDomain  - Use AD credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> NETBIOS name or FQDN of domain.
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

Local      - Use local SQL credentials to authenticate against the SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

EntraID    - Use Azure EntraID credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /d:, /domain:   -> FQDN of domain (DOMAIN.COM).
             /u:, /username: -> Username for domain user.
             /p:, /password: -> Password for domain user.

AzureLocal - Use local SQL credentials to authenticate against the Azure SQL database
             /h:, /host:     -> SQL server hostname or IP. Multiple hosts supported.
             /u:, /username: -> Username for local SQL user.
             /p:, /password: -> Password for local SQL user.

Authentication Providers – Additional Details

  • Hosts: The host flag (/h:, host:) is required and allows one or more SQL servers. If you want to execute a module against multiple SQL servers, separate the hosts with a comma, for example /h:SQL01,10.10.10.2,SQL03.
  • Database: SQLRecon connects to the master database by default, however, this can be optionally changed by supplying a custom database name via the database (/database:) flag.
  • Debug: The /debug flag is optional and displays all SQL queries that are executed by a module, without actually executing them on the remote host(s). An example of this can be found in the wiki.
  • Port: In some cases, a Microsoft SQL Server may not be listening on a standard TCP port. Some examples are Microsoft SQL Server failover clustering, or dynamic TCP ports. SQLRecon connects to databases via TCP Port 1433 by default, however, this can be optionally changed using the /port: flag.
  • Timeout: The default SQL database connection time is 3 seconds, however, this value can be optionally changed by supplying a timeout value (/t:, /timeout:) which corresponds to the number of seconds before terminating the connection attempt.
  • Verbose: The /v, /verbose flag is optional and displays all SQL queries that are executed by a module before executing them on the remote host(s). An example of this can be found in the wiki.

Please note that the EntraID authentication provider requires that the Azure Active Directory Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) exists on the system SQLRecon is executed from.

This is for Azure EntraID authentication and authorization functionality.

For more information click here.

LEAVE A REPLY

Please enter your comment!
Please enter your name here