@mattmillen15 mattmillen15 commented Oct 31, 2025

Description

Adds mssql_audit module for identifying exploitable configurations in MSSQL services.

Identifies exploitable MSSQL configurations:

  • Sysadmin access detection
  • Identifies the account running the MSSQL service (juicy if it's a privileged user/service account)
  • xp_dirtree/xp_fileexist availability (hash capture and relays FTW)
  • Extended Protection status (MSSQL relays FTW)
  • Impersonation privilege enumeration
  • Linked server mapping to show the "authenticated as" status when traversing a link

Type of change

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Deprecation of feature or functionality
  • This change requires a documentation update
  • This requires a third party update (such as Impacket, Dploot, lsassy, etc)

Setup guide for the review

No external dependencies required. Just a matter of ensuring the mssql_audit.py file is in the nxc/modules folder.

Test with domain credentials against one or more hosts

nxc mssql <target> -u user -p pass -M mssql_audit

Test with local SQL auth against one or more hosts

nxc mssql <target> -u sa -p pass --local-auth -M mssql_audit

Checklist:

  • I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
  • New and existing e2e tests pass locally with my changes
  • If reliant on changes of third party dependencies, such as Impacket, Dploot, lsassy, etc, I have linked the relevant PRs in those projects (N/A)
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (PR here: Adding documentation for mssql_audit MSSQL module NetExec-Wiki#76)
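
For administrators who want to review the same settings from the server side, the T-SQL below is an added example; it is not the mssql_audit module's code and not part of this PR. It assumes a login with VIEW SERVER STATE and VIEW ANY DEFINITION and uses only standard catalog views.

```sql
-- Added example (not the module's code): review the listed settings server-side.
-- Assumes a login with VIEW SERVER STATE and VIEW ANY DEFINITION.

-- 1. Members of the sysadmin fixed server role.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Account each SQL Server service runs as.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 3. Principals granted EXECUTE on xp_dirtree / xp_fileexist in master.
SELECT o.name AS procedure_name, pr.name AS grantee, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.all_objects AS o ON o.object_id = pe.major_id
JOIN master.sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.permission_name = N'EXECUTE'
  AND o.name IN (N'xp_dirtree', N'xp_fileexist');

-- 4. IMPERSONATE grants between server logins (class 101 = server principal).
SELECT g.name AS grantee, t.name AS can_impersonate, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS g ON g.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS t ON t.principal_id = p.major_id
WHERE p.class = 101 AND p.permission_name = N'IMPERSONATE';

-- 5. Linked servers and the login mapping used when a query crosses the link.
SELECT s.name AS linked_server, s.data_source, s.is_rpc_out_enabled,
       lp.name AS local_login, ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
  ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- Extended Protection is not exposed in these catalog views; check it in
-- SQL Server Configuration Manager under the instance's protocol properties.
```

Rows in query 3 granted to the public role, and rows in query 4 whose target login is a sysadmin, are the ones to review first.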

Implement MSSQL security audit module to check for exploitable configurations.

Signed-off-by: mattmillen15 <68832392+mattmillen15@users.noreply.github.com>
@mattmillen15 mattmillen15 changed the title Adding MSSQL_AUDIT module for quick enum of exploitable MSSQL configurations Adding mssql_audit module for quick enum of exploitable MSSQL configurations Oct 31, 2025
removed kerberoastable reference cause I totally forgot to remove it after removing the related output... also fixed my parentheses to be color matched where applicable cause I'm a dummy...

Signed-off-by: Matt Millen <68832392+mattmillen15@users.noreply.github.com>
@NeffIsBack (Member) left a comment

Thanks for the PR! Looks quite cool.

Note for the full review: Check what functionality might overlap with other modules and where it would make the most sense to have it implemented.

swapping out manual coloring for colored function

Signed-off-by: Matt Millen <68832392+mattmillen15@users.noreply.github.com>
@mattmillen15 (Author)

@NeffIsBack, requested changes addressed. Anything else needed to potentially get this one merged?

@NeffIsBack (Member)

Time on my side so that I can review the PR 😅 But we will get there (some day)
