# Enumerate MSSQL servers with CrackMap & Impacket

#### CrackMapExec

* Let’s try with crackmapexec

```
crackmapexec mssql 192.168.56.22-23
```


* Now we can try authenticating as the user miguel.cabrera:

```
crackmapexec mssql 192.168.56.22 -u miguel.cabrera -p ilovebaseball -d north.newyork.local
```

* As we can see, we got access to the database.

#### Impacket

* To enumerate and use MSSQL with impacket, I made a modified version of the mssqlclient.py example.
* You can find this version [here](https://github.com/SecureAuthCorp/impacket/pull/1397).
* Installation works as in part 5: merge the PR into your local impacket checkout and rerun the install:

```
cd /opt/tools
git clone https://github.com/SecureAuthCorp/impacket myimpacket
cd myimpacket
python3 -m virtualenv myimpacket
source myimpacket/bin/activate
git fetch origin pull/1397/head:1397
git merge 1397
python3 -m pip install .
```

* We connect to the MSSQL server with the following command:

```
mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local
```

* And type help:

```
   lcd {path}                 - changes the current local directory to {path}
   exit                       - terminates the server process (and this session)
   enable_xp_cmdshell         - you know what it means
   disable_xp_cmdshell        - you know what it means
   enum_db                    - enum databases
   enum_links                 - enum linked servers
   enum_impersonate           - check logins that can be impersonate
   enum_logins                - enum login users
   enum_users                 - enum current db users
   enum_owner                 - enum db owner
   exec_as_user {user}        - impersonate with execute as user
   exec_as_login {login}      - impersonate with execute as login
   xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
   xp_dirtree {path}          - executes xp_dirtree on the path
   sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
   use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
   ! {cmd}                    - executes a local shell cmd
   show_query                 - show query
   mask_query                 - mask query
```

* I added the following new commands to the client: enum_db, enum_links, enum_impersonate, enum_logins, enum_owner, exec_as_user, exec_as_login, use_link, show_query, mask_query.
* Let’s start the enumeration:

```
enum_logins
```

* This runs the following query (the meaning of the role columns is documented [here](https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-server-principals-transact-sql?view=sql-server-ver16)):

```
select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin, 
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin 
from  master.sys.server_principals r 
left join master.sys.syslogins sl on sl.sid = r.sid 
where r.type in ('S','E','X','U','G')
```

* We only get a limited view, since we are connected as a low-privileged user.
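To make the enum_logins output easier to read, the following added example (not part of the page or of the impacket PR) parses result rows shaped like the query above and reports which enabled logins hold a fixed server role. It assumes the rows arrive as tuples in the order of the SELECT list; the sample rows are constructed, and the `NORTH` NetBIOS name is assumed.

```python
"""Summarise rows returned by the enum_logins query shown above."""
from dataclasses import dataclass

# Query string as used by the modified mssqlclient.py enum_logins command.
ENUM_LOGINS_QUERY = """
select r.name,r.type_desc,r.is_disabled, sl.sysadmin, sl.securityadmin,
sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin
from  master.sys.server_principals r
left join master.sys.syslogins sl on sl.sid = r.sid
where r.type in ('S','E','X','U','G')
"""

# Column order matches the SELECT list; the last eight are fixed server roles.
COLUMNS = ("name", "type_desc", "is_disabled", "sysadmin", "securityadmin",
           "serveradmin", "setupadmin", "processadmin", "diskadmin",
           "dbcreator", "bulkadmin")
ROLE_COLUMNS = COLUMNS[3:]

@dataclass
class Login:
    name: str
    type_desc: str
    is_disabled: bool
    roles: tuple  # fixed server roles the login is a member of

def parse_rows(rows):
    """Turn raw result tuples into Login records.

    A principal present in sys.server_principals but absent from
    sys.syslogins comes back with NULL role columns from the LEFT JOIN;
    NULL (None) is treated the same as 0, i.e. not a member.
    """
    logins = []
    for row in rows:
        if len(row) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(row)}")
        rec = dict(zip(COLUMNS, row))
        roles = tuple(c for c in ROLE_COLUMNS if rec[c])
        logins.append(Login(rec["name"], rec["type_desc"], bool(rec["is_disabled"]), roles))
    return logins

def privileged_logins(logins):
    """Return enabled logins that hold at least one fixed server role."""
    return [l for l in logins if l.roles and not l.is_disabled]

# Constructed sample rows, not real output from the lab server.
SAMPLE_ROWS = [
    ("sa", "SQL_LOGIN", 1, 1, 0, 0, 0, 0, 0, 0, 0),
    ("NORTH\\miguel.cabrera", "WINDOWS_LOGIN", 0, 0, 0, 0, 0, 0, 0, 0, 0),
    ("NORTH\\Domain Admins", "WINDOWS_GROUP", 0, None, None, None, None, None, None, None, None),
    ("backup_svc", "SQL_LOGIN", 0, 0, 0, 0, 0, 0, 1, 0, 1),
]

if __name__ == "__main__":
    for l in privileged_logins(parse_rows(SAMPLE_ROWS)):
        print(f"{l.name:25} {l.type_desc:15} roles={','.join(l.roles)}")
```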
