May 15, 2022

MSSQL Proxy

In this tutorial, we will see how to proxy our traffic through Microsoft SQL Server. This technique can be used to perform lateral movement through a compromised Microsoft SQL Server. It is important to have "sysadmin" privileges on the Microsoft SQL server.

This is the GitHub page for mssqlproxy.

GitHub page for mssqlproxy.

This shows a quick description and usage of mssqlproxy.

Description and usage of mssqlproxy.

Description and usage of mssqlproxy.

Description and usage of mssqlproxy.

It is important to download these two DLL libraries as well.

DLL libraries required for mssqlproxy.

Let's clone this repo.

Cloning the mssqlproxy repo from GitHub.

It shows the contents of the repo. And note that I have also downloaded the DLL files in this directory.

Contents of the mssqlproxy repo.

Trying to connect to the target presents a "ModuleNotFoundError". This script is not compatible with Python3.

ModuleNotFoundError while trying to run the mssqlproxy tool.

This script is written by 0xdf and it is compatible with Python3.

Python3 compatible mssqlproxy script.

Let's download this script.

Downloading the Python3 compatible mssqlproxy script.

It connects to the target. There is no error.

Connecting to the target using mssqlproxy.

Running help shows the available commands.

Running help to find the different commands for mssqlproxy.

Let's rename "assembly.dll" to "Microsoft.SqlServer.Proxy.dll".

Renaming assembly.dll to Microsoft.SqlServer.Proxy.dll.

Next, upload "reciclador.dll" to the target in the temp directory.

Uploading reciclador.dll to the target using mssqlproxy.

It installs "Microsoft.SqlServer.Proxy.dll" on the target.

Installing Microsoft.SqlServer.Proxy.dll to the target using mssqlproxy.

It checks if "reciclador" is installed.

mssqlproxy checks if reciclador is installed.

It enables proxy on port 1337.

mssqlproxy enables proxy on port 1337.

We can see that port 1337 is in listening state on the local box.

Checking to see if port 1337 is listening.

Let's enable proxychains.

Enabling proxychains using /etc/proxychains4.conf.

Scanning port 5985 (WinRM) using proxychains shows that the port is open.

Scanning port 5985 through namp using proxychains.

We can also connect to the Windows Remote Management port using evil-winrm.

Connecting to the target through evil-winrm using proxychains.

Directly scanning the target without proxychains shows that the port is filtered.

Directly scanning the target's WinRM port without proxychains.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.