Merge pull request Pennyw0rth#847 from A3-N/feat/mssql-database-table-list

Add --database option to MSSQL protocol

Author: NeffIsBack

nxc/protocols/mssql.py

@@ -435,3 +435,74 @@ def rid_brute(self, max_rid=None):
 
             so_far += simultaneous
         return entries
+
+    def _qname(self, ident: str) -> str:
+        if ident is None:
+            return "[]"
+        return "[" + str(ident).replace("]", "]]") + "]"
+
+    def list_databases(self):
+        try:
+            q = (
+                "SELECT d.name AS DatabaseName, "
+                "       suser_sname(d.owner_sid) AS Owner "
+                "FROM sys.databases d "
+                "ORDER BY d.name;"
+            )
+            rows = self.conn.sql_query(q) or []
+            if not rows:
+                self.logger.display("No databases returned")
+                return
+
+            self.logger.display("Enumerated databases")
+            self.logger.highlight(f"{'Database Name':<30} {'Owner':<25}")
+            self.logger.highlight(f"{'-' * 30} {'-' * 25}")
+            for r in rows:
+                self.logger.highlight(f"{r.get('DatabaseName', ''):<30} {r.get('Owner', ''):<25}")
+            self.logger.highlight(f"Total: {len(rows)} database(s)")
+        except Exception as e:
+            self.logger.fail(f"Failed to enumerate databases: {e}")
+            self.logger.debug("list_databases error", exc_info=True)
+
+    def database(self):
+        db_arg = self.args.database
+
+        # nxc --database (no value) -> list
+        if db_arg is True or db_arg is None:
+            self.list_databases()
+            return
+
+        # nxc --database <name> -> tables
+        if isinstance(db_arg, str):
+            try:
+                safe = db_arg.replace("'", "''")
+                exists = self.conn.sql_query(f"SELECT 1 FROM sys.databases WHERE name = N'{safe}';")
+                if not exists:
+                    self.logger.fail(f"Database [{db_arg}] does not exist on the server.")
+                    return
+
+                tq = (
+                    f"SELECT t.name AS TableName, t.modify_date "
+                    f"FROM {self._qname(db_arg)}.sys.tables t "
+                    f"ORDER BY t.name;"
+                )
+                rows = self.conn.sql_query(tq) or []
+            except Exception as e:
+                self.logger.fail(f"Insufficient permissions or query error in [{db_arg}]: {e}")
+                self.logger.debug("database() error", exc_info=True)
+                return
+
+            if not rows:
+                self.logger.display(f"Database [{db_arg}] has no user tables.")
+                return
+
+            self.logger.display(f"Tables in database: {db_arg}")
+            self.logger.highlight(f"{'Table Name':<50} {'Last Modified':<25}")
+            self.logger.highlight(f"{'-' * 50} {'-' * 25}")
+            for r in rows:
+                mod = r.get("modify_date", "")
+                if mod and hasattr(mod, "strftime"):
+                    mod = mod.strftime("%Y-%m-%d %H:%M:%S")
+                self.logger.highlight(f"{r.get('TableName', ''):<50} {mod!s:<25}")
+            self.logger.highlight(f"Total: {len(rows)} table(s)")
+            return

nxc/protocols/mssql/proto_args.py

@@ -6,7 +6,8 @@ def proto_args(parser, parents):
     mssql_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
     mssql_parser.add_argument("--port", default=1433, type=int, metavar="PORT", help="MSSQL port")
     mssql_parser.add_argument("--mssql-timeout", help="SQL server connection timeout", type=int, default=5)
-    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the MSSQL DB")
+    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the mssql db")
+    mssql_parser.add_argument("--database", nargs="?", const=True, metavar="NAME", help="list databases or list tables for NAME")
 
     dgroup = mssql_parser.add_mutually_exclusive_group()
     dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain name")