mssql: add --database flag to list databases or tables in a named DB

adriaan.bosch · adriaan.bosch · commit e8f8d7e90ee6 · 2025-08-09T17:05:34.000+02:00
diff --git a/nxc/protocols/mssql.py b/nxc/protocols/mssql.py
@@ -435,3 +435,83 @@ def rid_brute(self, max_rid=None):
 
             so_far += simultaneous
         return entries
+
+    def _qname(self, ident: str) -> str:
+        if ident is None:
+            return "[]"
+        return "[" + str(ident).replace("]", "]]") + "]"
+
+    def _exec(self, sql: str, params=None):
+        try:
+            return self.conn.sql_query(sql, params=params) if params is not None else self.conn.sql_query(sql)
+        except TypeError:
+            if params is not None:
+                return self.conn.sql_query(sql, params)
+            raise
+
+    def list_databases(self):
+        try:
+            q = (
+                "SELECT d.name AS DatabaseName, "
+                "       suser_sname(d.owner_sid) AS Owner "
+                "FROM sys.databases d "
+                "ORDER BY d.name;"
+            )
+            rows = self._exec(q) or []
+            if not rows:
+                self.logger.display("No databases returned")
+                return
+
+            self.logger.display("Enumerated databases")
+            self.logger.highlight(f"{'Database Name':<30} {'Owner':<25}")
+            self.logger.highlight(f"{'-'*30} {'-'*25}")
+            for r in rows:
+                self.logger.highlight(f"{r.get('DatabaseName',''):<30} {r.get('Owner',''):<25}")
+            self.logger.highlight(f"Total: {len(rows)} database(s)")
+        except Exception as e:
+            self.logger.fail(f"Failed to enumerate databases: {e}")
+            self.logger.debug("list_databases error", exc_info=True)
+
+    def database(self):
+        db_arg = self.args.database
+
+        # nxc --database (no value) -> list
+        if db_arg is True or db_arg is None:
+            self.list_databases()
+            return
+
+        # nxc --database <name> -> tables
+        if isinstance(db_arg, str):
+            try:
+                safe = db_arg.replace("'", "''")
+                exists = self._exec(f"SELECT 1 FROM sys.databases WHERE name = N'{safe}';")
+                if not exists:
+                    self.logger.fail(f"Database [{db_arg}] does not exist on the server.")
+                    return
+
+                tq = (
+                    f"SELECT t.name AS TableName, t.modify_date "
+                    f"FROM {self._qname(db_arg)}.sys.tables t "
+                    f"ORDER BY t.name;"
+                )
+                rows = self._exec(tq) or []
+            except Exception as e:
+                self.logger.fail(f"Insufficient permissions or query error in [{db_arg}]: {e}")
+                self.logger.debug("database() error", exc_info=True)
+                return
+
+            if not rows:
+                self.logger.display(f"Database [{db_arg}] has no user tables.")
+                return
+
+            self.logger.display(f"Tables in database: {db_arg}")
+            self.logger.highlight(f"{'Table Name':<50} {'Last Modified':<25}")
+            self.logger.highlight(f"{'-'*50} {'-'*25}")
+            for r in rows:
+                mod = r.get('modify_date', '')
+                if mod and hasattr(mod, 'strftime'):
+                    mod = mod.strftime("%Y-%m-%d %H:%M:%S")
+                self.logger.highlight(f"{r.get('TableName',''):<50} {str(mod):<25}")
+            self.logger.highlight(f"Total: {len(rows)} table(s)")
+            return
+ 
diff --git a/nxc/protocols/mssql/proto_args.py b/nxc/protocols/mssql/proto_args.py
@@ -6,7 +6,10 @@ def proto_args(parser, parents):
     mssql_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
     mssql_parser.add_argument("--port", default=1433, type=int, metavar="PORT", help="MSSQL port")
     mssql_parser.add_argument("--mssql-timeout", help="SQL server connection timeout", type=int, default=5)
-    mssql_parser.add_argument("-q", "--query", dest="mssql_query", metavar="QUERY", type=str, help="execute the specified query against the MSSQL DB")
+    
+    qgroup = mssql_parser.add_mutually_exclusive_group()
+    qgroup.add_argument("-q", "--query", dest="mssql_query", metavar="SQL", type=str, help="execute the specified query against the mssql db")
+    qgroup.add_argument("--database", nargs="?", const=True, metavar="NAME", help="list databases or list tables for NAME")
 
     dgroup = mssql_parser.add_mutually_exclusive_group()
     dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, help="domain name")
