Enumeration using credentials

Using Impacket mssqlclient.py:

mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> -port 1433

Connect using Windows authentication (-windows-auth is recommended when you are going to authenticate against a domain; use the machine's NetBIOS name as the domain):

mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> -port 1433 -windows-auth

Execute OS commands

Note that in order to execute commands it is not enough for xp_cmdshell to be enabled: the login also needs the EXECUTE permission on the xp_cmdshell stored procedure.

You can list who (apart from sysadmins, who have it implicitly) can use xp_cmdshell with:

USE master
EXEC sp_helprotect 'xp_cmdshell'

Check if xp_cmdshell is enabled:

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

This query directly checks the value_in_use column of the sys.configurations system view to determine whether xp_cmdshell is enabled or disabled:

SELECT CASE
           WHEN (
               SELECT value_in_use
               FROM sys.configurations
               WHERE name = 'xp_cmdshell'
           ) = 1
           THEN 'Enabled'
           ELSE 'Disabled'
       END AS 'xp_cmdshell Status';
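The two checks above (is the option on, and who is explicitly allowed to run it) can be folded into one audit script. This is an added example, not from the original page; it reads the catalog views directly instead of sp_helprotect, and assumes it is run in the master database, where xp_cmdshell and its grants live:

```sql
USE master;

-- 1) Option state: value_in_use is what the engine currently honours.
--    xp_cmdshell can only be turned on after 'show advanced options',
--    so both rows are reported together.
SELECT name,
       value        AS configured_value,
       value_in_use AS running_value
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2) Explicit EXECUTE grants/denies on the procedure itself.
--    Members of the sysadmin role are NOT listed here: they can run
--    xp_cmdshell without any explicit grant, so check that role separately.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.permission_name,
       pe.state_desc      AS grant_state
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id   = OBJECT_ID('sys.xp_cmdshell');

-- 3) Logins that hold sysadmin, i.e. implicit xp_cmdshell rights.
SELECT sp.name AS login_name, sp.type_desc AS login_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals  AS r  ON r.principal_id  = rm.role_principal_id
WHERE r.name = 'sysadmin';
```

A hardened server returns running_value 0 in the first query and no non-administrative rows in the second; any EXECUTE grant to a low-privileged user while the option is enabled is the condition this section warns about.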

Listing remote directories and files

You can check who (apart from sysadmins) has permission to run those MSSQL functions with: