13 July 2020

The github repo for SQLClient is available here - https://github.com/FortyNorthSecurity/SqlClient

On an assume breach assessment, FortyNorth was able to successfully obtain a web.config file (always great to find this) and within the config file were database credentials. For this assessment, the team had a Cobalt Srike Beacon for controlling the compromised system. This lead us to wanting to find a tool we could used which could query the MSSQL database through Beacon's execute-assembly functionality.

While searching for this functionality, the only real existing utility we found was TrustedSec's QuickSQL tool. However this was written in Python and wouldn't have worked with execute-assembly. However, we found a blog post which showed how to remotely query a remote MSSQL database and find its version information in .NET. We used this code as the foundation for writing a .NET assembly which would allow anyone to remotely perform SQL queries against a MSSQL database. This lead us to writing SQLClient.exe which is now publicly available.

You can use SQLClient to connect to remote databases by providing multiple command line options.

If you provide the username, password, IP, and database name, you can easily query database tables from the command line.

When performing a standard SQL query to enumerate information within the "Login_info" table, you will receive the same results as if you used the SQL Management Studio.

We were also able to accomplish the main goal of making this work within Cobalt Strike's execute-assembly.

We hope that this can give others an option to have a quick and easy to use MSSQL client without requiring to install a large application like SQL Server Management Studio or other applications which require a driver installation (and admin rights). If you have any questions, don't hesitate to reach out to us!