jboogie15 / LinkedSQL

Tool developed for OSEP exam to aid in exploitation of MS SQL Servers and lateral movement inside of Active Directory.

LinkedSQL

Tool developed for OSEP exam to aid in exploitation of MS SQL Servers and lateral movement inside of Active Directory via SQL Servers.

# Usage

  • Using the /instance flag will identify what privileges the user is currently running with and whether the SQL Server has any links to other SQL Servers.

LinkedSQL.exe /instance sql1

  • After identifying any links, the user can supply /linkedinstance along with the /checkrpc flag to check if RPC Out (disabled by default) is enabled. If RPC Out is disabled, LinkedSQL will attempt to enable it on the linked server.

LinkedSQL.exe /instance sql1 /linkedinstance sql2 /checkrpc

  • With RPC Out enabled, using /command followed by a command will enable xp_cmdshell and run the command supplied by the user. For better opsec, the user can also supply /opsec to have xp_cmdshell disabled again after the command has executed.

LinkedSQL.exe /instance sql1 /linkedinstance sql2 /command whoami /opsec

  • If you have a user's credentials and want to interact with the SQL Server as that user, run with /uname and /pwd set to the user's username and password respectively. To query the SQL Server, supply /query.
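A defender-side check for the xp_cmdshell behaviour described above, as an added example that is not part of the LinkedSQL project: it scans a SQL Server ERRORLOG for the "Configuration option ... changed" messages written on the server where xp_cmdshell is reconfigured, and marks an enable that is reverted shortly afterwards (the pattern /opsec produces). The function names, the five-minute window and the sample log lines are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not captured from a real server).
SAMPLE_LOG = """\
2024-03-02 10:15:01.10 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 10:15:01.25 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 10:15:03.40 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-03-02 11:00:00.00 spid70      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2024-03-03 09:00:00.00 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Message 15457 as SQL Server writes it to ERRORLOG after sp_configure.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def parse_changes(log_text):
    """Yield (timestamp, source, option, old, new) for each configuration change line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["src"], m["opt"], int(m["old"]), int(m["new"])

def find_xp_cmdshell_alerts(log_text, toggle_window=timedelta(minutes=5)):
    """Flag every xp_cmdshell enable; mark it 'toggled' if disabled again within the window."""
    alerts, open_alert = [], None
    for ts, src, opt, old, new in parse_changes(log_text):
        if opt != "xp_cmdshell":
            continue
        if (old, new) == (0, 1):
            open_alert = {"kind": "enabled", "at": ts, "source": src}
            alerts.append(open_alert)
        elif (old, new) == (1, 0) and open_alert:
            if ts - open_alert["at"] <= toggle_window:
                open_alert["kind"] = "toggled"
                open_alert["seconds_enabled"] = (ts - open_alert["at"]).total_seconds()
            open_alert = None
    return alerts

if __name__ == "__main__":
    for alert in find_xp_cmdshell_alerts(SAMPLE_LOG):
        print(alert)
```

An alert of kind "toggled" means xp_cmdshell was switched on and back off within the window; "enabled" means it was switched on and either left on or turned off later than the window allows.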


Languages

Language:C# 100.0%