Enhanced version of impacket's mssqlclient.py. It lets you interact with Microsoft SQL Server (MS SQL / MSSQL) servers and their linked instances, impersonating any account encountered along the way, without requiring complex T-SQL queries.
N.B. It can handle NTLM relaying 🔄
Tip
If you have only access to a MS SQL instance through your implant/beacon, use MSSQLand, the C# version built with assembly execution in mind.
To install mssqlclient-ng, you can use pip, pip3 or pipx. Either from pypi repository or from GitHub source. Prefer using pipx, since it install Python applications in isolated virtual environments.
From PyPI
pipx install mssqlclient-ngpip install mssqlclient-ngpipx install 'git+https://github.com/n3rada/mssqlclient-ng.git'mssqlclient-ng <host> [options]Tip
Avoid typing out all the RPC Out or OPENQUERY calls manually. Let the tool handle any linked servers chain with the -l argument, so you can focus on the big picture.
Format: server,port:user@database or any combination server:user@database,port.
server(required) - The SQL Server hostname or IP,port(optional) - Port number (default: 1433, also common: 1434, 14333, 2433):user(optional) - User to impersonate on this server@database(optional) - Database context (defaults to 'master' if not specified)
mssqlclient-ng localhost -c tokenImportant
The host (first argument) and action (after flags) are positional arguments. All flags use - prefix. For example: localhost -c token createuser -p p@ssword! - here -p belongs to the action, not the global arguments.
Common options:
--timeout 30- Connection timeout in seconds (default: 15)-l SERVER1:user1,SERVER2:user2@dbclients- Chain through linked servers (uses configured linked server names)
Note
Port specification (,port) only applies to the initial host connection. Linked server chains (-l) use the linked server names as configured in sys.servers, not hostname:port combinations.
Contributions are welcome and appreciated! Whether it's fixing bugs, adding new features, improving the documentation, or sharing feedback, your effort is valued and makes a difference. Open-source thrives on collaboration and recognition. Contributions, large or small, help improve the tool and its community. Your time and effort are truly valued.
Here, no one will be erased from Git history. No fear to have here. No one will copy-paste your code without adhering to the collaborative ethos of open-source.
- Built upon Impacket, based on the core tds.py.
- OOP design is really tied to MSSQLand.
- Terminal interface powered by prompt_toolkit.
This tool is provided strictly for defensive security research, education, and authorized penetration testing. You must have explicit written authorization before running this software against any system you do not own.
This tool is designed for educational purposes only and is intended to assist security professionals in understanding and testing the security of SQL Server environments in authorized engagements.
Acceptable environments include:
- Private lab environments you control (local VMs, isolated networks).
- Sanctioned learning platforms (CTFs, Hack The Box, OffSec exam scenarios).
- Formal penetration-test or red-team engagements with documented customer consent.
Misuse of this project may result in legal action.