The Python counterpart to MSSQLand. mssqlclient-ng is a Python Microsoft SQL Server (MS SQL / MSSQL) client built for red team operations and penetration testing. It lets you interact with SQL Server instances over TDS, traverse linked server chains, and impersonate any login encountered along the way, emerging from the last hop ready to execute any action.
- Authentication: SQL auth, Windows auth (NTLM), Kerberos, pass-the-hash, NTLM relay
- Linked server traversal: chain multiple MS SQL servers with automatic OPENQUERY/EXEC AT wrapping
- Impersonation: EXECUTE AS LOGIN at every hop, including cascading multi-user impersonation
- Interactive shell: tab completion, persistent history, built-in commands, Markdown-ready output
- Non-interactive mode: run any action or raw T-SQL query directly from the CLI for scripting
Built on Impacket's TDS implementation, it works from any Linux or Windows attack box and integrates naturally into Active Directory penetration testing workflows.
Tip
If you have access to an MS SQL instance only through your implant/beacon, use MSSQLand, the C# version built with assembly execution in mind.
Note
Do not forget the basics. During a security assessment, it is sometimes easier to use SQL Server Management Studio (SSMS).
Prefer using uv, a fast Python package manager that installs tools in isolated environments. Alternatively, pipx or pip work as well.
With uv (recommended)
uv tool install persistently installs the tool and adds it to your PATH, similar to pipx:
From PyPI:
uv tool install mssqlclient-ng
From GitHub (latest):
uv tool install git+https://github.com/n3rada/mssqlclient-ng.git
After installation, mssqlclient-ng is available directly:
mssqlclient-ng --help
To upgrade later:
uv tool upgrade mssqlclient-ng
Tip
You can also run mssqlclient-ng without installing it using uvx (alias for uv tool run), which creates a temporary isolated environment on the fly:
uvx mssqlclient-ng --help
uvx --from git+https://github.com/n3rada/mssqlclient-ng.git mssqlclient-ng --help
With pipx
pipx install mssqlclient-ng
# or from GitHub
pipx install 'git+https://github.com/n3rada/mssqlclient-ng.git'
With pip
pip install mssqlclient-ng
# or from GitHub
pip install 'git+https://github.com/n3rada/mssqlclient-ng.git'

mssqlclient-ng <host> [options] [--action <action> [action-args...]]
Note
Omitting --action drops you into an interactive SQL shell with tab completion, command history, and built-in commands.
Format: server:port/user@database or any combination server/user@database:port.
- server (required) - The SQL Server hostname or IP
- :port (optional) - Port number (default: 1433, also common: 1434, 14333, 2433)
- /user (optional) - User to impersonate on this server ("execute as login")
  - Supports cascading impersonation: /user1/user2/user3 executes EXECUTE AS LOGIN = 'user1'; EXECUTE AS LOGIN = 'user2'; EXECUTE AS LOGIN = 'user3';
  - Each /user pushes a new impersonation context onto the security stack
- @database (optional) - Database context (defaults to 'master' if not specified)
# Connection test only (no action, enters interactive shell)
mssqlclient-ng localhost -u sa -p password
# Windows authentication
mssqlclient-ng LAB-SQL01 -windows-auth -u 'DOMAIN\user' -p 'password'
# Execute specific action
mssqlclient-ng localhost -u sa -p password --action info
mssqlclient-ng localhost:1434@db03 -u sa -p password --action whoami
# Kerberos authentication
mssqlclient-ng LAB-SQL01 -k -dc-ip 10.0.0.1
# Pass-the-hash
mssqlclient-ng LAB-SQL01 -windows-auth -u admin -hashes :NTHASH
# With impersonation on the initial server
mssqlclient-ng LAB-SQL01/sa -windows-auth -u 'DOMAIN\user' -p 'password' --action whoami

Chain multiple SQL servers using the -l flag with semicolon (;) as the separator:
-l SQL01;SQL02/user;SQL03@database
Tip
Avoid typing out all the RPC Out or OPENQUERY calls manually. Let the tool handle any linked servers chain with the -l argument, so you can focus on the big picture.
Syntax:
- Semicolon (;) - Separates servers in the chain
- Forward slash (/) - Specifies user to impersonate ("execute as login")
  - Supports cascading impersonation: /user1/user2 executes sequential impersonations
- At sign (@) - Specifies database context
- Brackets ([...]) - Used to protect the server name from being split by our delimiters
Examples:
# Simple chain
-l SQL01;SQL02;SQL03
# With impersonation and databases
-l SQL01/admin;SQL02;SQL03/manager@clients
# Cascading impersonation (impersonate user1, then user2 on SQL01)
-l SQL01/user1/user2;SQL02;SQL03
# Mixed cascading (SQL01: user1→user2, SQL03: user3→user4→user5)
-l SQL01/user1/user2;SQL02;SQL03/user3/user4/user5@database
# Server names can contain hyphens, dots (no brackets needed)
-l SQL-01;SERVER.001;HOST.DOMAIN.COM
# Brackets only needed if server name contains delimiter characters
-l [SERVER;PROD];SQL02;[SQL03@clients]@clientdb
Note
Port specification (:port) only applies to the initial host connection. Linked server chains (-l) use the linked server names as configured in sys.servers, not hostname:port combinations.
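The -l chain syntax described above, parsed in Python as an added example (this is not mssqlclient-ng's own parser). The names Hop, split_chain, parse_hop and parse_chain are hypothetical, and leaving the database unset when no @database is given is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Hop:
    server: str
    impersonate: List[str] = field(default_factory=list)  # /user entries, in order
    database: Optional[str] = None  # assumption: unset when no @database is given

def split_chain(chain: str) -> List[str]:
    """Split on ';' except where the ';' sits inside [...]."""
    parts, buf, in_brackets = [], [], False
    for ch in chain:
        if ch == "[":
            in_brackets = True
        elif ch == "]":
            in_brackets = False
        if ch == ";" and not in_brackets:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_hop(spec: str) -> Hop:
    """Parse one hop: server or [server], then /user..., then @database."""
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError(f"unclosed bracket in {spec!r}")
        server, rest = spec[1:end], spec[end + 1:]
    else:
        # The server name ends at the first '/' or '@', whichever comes first.
        cut = min((i for i in (spec.find("/"), spec.find("@")) if i != -1),
                  default=len(spec))
        server, rest = spec[:cut], spec[cut:]
    users_part, _, database = rest.partition("@")
    if not server or (users_part and not users_part.startswith("/")):
        raise ValueError(f"malformed hop {spec!r}")
    users = [u for u in users_part.split("/") if u]
    return Hop(server, users, database or None)

def parse_chain(chain: str) -> List[Hop]:
    return [parse_hop(p) for p in split_chain(chain)]

if __name__ == "__main__":
    # Constructed sample built from the syntax examples above.
    for hop in parse_chain("SQL01/user1/user2;[SERVER;PROD];[SQL03@clients]@clientdb"):
        print(hop)
```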
mssqlclient-ng does not include built-in discovery like MSSQLand does because your Linux attack box already has mature tools for this. Here are the common approaches:
Query the SQL Server Browser service to enumerate instances, ports, and versions on a host:
nmap -sU -p 1434 --script ms-sql-info <target>
To find SQL Server instances registered in AD via Service Principal Names, you can use any LDAP search tool.
Once a target host is confirmed alive, validate SQL Server presence with a TDS protocol handshake (not just TCP SYN):
# Common SQL Server ports with TDS validation
nmap -Pn -sS -p 1433,1434,14333,2433 --script ms-sql-info <target>
# Full scan for instances on non-standard ports (ephemeral range)
nmap -Pn -sS -p 1024-65535 --script ms-sql-info --open <target>
Tip
Use -Pn to skip host discovery (the target is already known alive) and -sS for SYN scan to reduce noise. The ms-sql-info script performs a TDS pre-login handshake, confirming actual SQL Server instances rather than just open TCP ports.
mssqlclient-ng can act as an NTLM relay listener, capturing incoming authentication attempts and relaying them to a SQL Server target:
# Start relay listener and wait for an incoming authentication
mssqlclient-ng <target_sql_server> -r
# With SMB2 support and custom timeout
mssqlclient-ng <target_sql_server> -r -smb2support -t 120

Once a connection is relayed, you land in the interactive shell authenticated as the relayed user. Pair this with PetitPotam, PrinterBug, or any coercion technique to relay machine accounts to SQL Server.
# Show all available options
mssqlclient-ng --help
# Show help for a specific action (without connecting)
mssqlclient-ng <host> -u sa -p password --action whoami --help

Inside the interactive shell:
# List all actions
!help
# Show help for an action
!help whoami
!whoami --help
# Show help for a built-in command
!help chain
!link --help
All output formats are selected with -o / --output-format. The default is markdown. For scripting, piping to jq, or feeding results into an LLM, use json:
mssqlclient-ng <host> -u sa -p pass --action <action> -o json

Logs are always written to stderr; formatted data goes to stdout. The two streams never mix, so piping works cleanly without suppressing anything:
# filter results with jq
mssqlclient-ng SQL01 -u sa -p pass --action users -o json | jq '.[].name'
# inspect a specific field
mssqlclient-ng SQL01 -u sa -p pass -q "SELECT * FROM sys.databases" -o json | jq '.[] | select(.name != "master")'
# pass output directly to an LLM
mssqlclient-ng SQL01 -u sa -p pass --action databases -o json | llm "which of these look like application databases?"
# store to a file and query later
mssqlclient-ng SQL01 -u sa -p pass --action linkmap -o json > linkmap.json
jq '[.[] | .server]' linkmap.json

Redirect stderr to silence logs when only the data matters:
mssqlclient-ng SQL01 -u sa -p pass --action users -o json 2>/dev/null | jq .

The tool's output, enriched with timestamps and valuable contextual information, is designed to produce visually appealing and professional results, making it ideal for capturing high-quality screenshots for any of your reports (e.g., customer deliverable, internal report, red team assessments).
All output tables are Markdown-friendly and can be copied and pasted directly into your notes without any formatting hassle.
- Built upon Impacket, based on the core tds.py.
- OOP design is really tied to MSSQLand.
- Terminal interface powered by prompt_toolkit.
This tool is provided strictly for defensive security research, education, and authorized penetration testing. You must have explicit written authorization before running this software against any system you do not own.
This tool is designed for educational purposes only and is intended to assist security professionals in understanding and testing the security of SQL Server environments in authorized engagements.
Acceptable environments include:
- Private lab environments you control (local VMs, isolated networks).
- Sanctioned learning platforms (CTFs, Hack The Box, OffSec exam scenarios).
- Formal penetration-test or red-team engagements with documented customer consent.
Misuse of this project may result in legal action.
Any unauthorized use of this tool in real-world environments or against systems without explicit permission from the system owner is strictly prohibited and may violate legal and ethical standards. The creators and contributors of this tool are not responsible for any misuse or damage caused.
Use responsibly and ethically. Always respect the law and obtain proper authorization.
