Weaponizing T-SQL – Language-Agnostic RID Cycling and Transitive Impersonation
The transition from v2.3 to v2.4 marks a critical evolution for EnumMSSQL. Instead of operating simply as a high-visibility scanner and network capture trigger, v2.4 introduces deep contextual awareness. This update weaponizes low-privilege database access to perform native Active Directory harvesting, maps multi-layered identity delegation chains, and automates high-yield data discovery.
Here is the architectural breakdown of the newly implemented execution layers: Phases 10, 11, and 12.
Breaking Localization: Language-Agnostic RID Cycling (Phase 10)
Standard post-exploitation scripts typically fail during Active Directory enumeration if the environment uses non-English language packs (e.g., German, French, Spanish) because they rely on hardcoded strings like REDELEGATE\Administrator or REDELEGATE\Domain Users to capture the base Domain SID.
v2.4 circumvents this limitation entirely by anchoring on an account whose name never varies: the Key Distribution Center service account, krbtgt.
1. The Immutable Anchor
The krbtgt account name is fixed across all Windows installations worldwide and cannot be renamed. By combining it with DEFAULT_DOMAIN(), we dynamically obtain its SID regardless of the OS language pack:
DECLARE @f VARBINARY(85)=SUSER_SID(CONCAT(DEFAULT_DOMAIN(),N'\krbtgt'));
2. Bin-Slicing the Domain SID
The returned value is a standard binary Windows SID; for a domain account (S-1-5-21-X-Y-Z-RID) it is 28 bytes long. The final 4 bytes hold the Relative Identifier (RID), which for krbtgt is always 502 (0x01F6). Using SUBSTRING, we drop those final 4 bytes, isolating the 24-byte Domain SID prefix.
3. Little-Endian Hex Reconstruction via CTE
Each sub-authority field of a binary SID, the RID included, is stored as a 32-bit little-endian integer (lowest-value byte first). To iterate through thousands of candidate RIDs efficiently, the tool runs a Recursive Common Table Expression (CTE) loop that splits each integer into its 4 bytes using inline T-SQL arithmetic:
+ CONVERT(VARBINARY(1), rid & 255)
+ CONVERT(VARBINARY(1), (rid/256) & 255)
+ CONVERT(VARBINARY(1), (rid/65536) & 255)
+ CONVERT(VARBINARY(1), (rid/16777216) & 255)
These bytes are appended back onto the Domain SID prefix on the fly. SUSER_SNAME() then evaluates the synthetic binary SID, returning the account name for every RID that maps to an existing principal (and NULL for those that do not).
To prevent execution failures or query timeouts during large range sweeps, we also implemented the parameterized --rid command-line flag, validated by a Bash regex check (^[0-9]+$) so that only unsigned integers are passed over the wire.
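As an added example (not EnumMSSQL's own code), the following Python decodes and re-encodes the binary SID layout that Phase 10 depends on, so the 28-byte/24-byte split and the little-endian RID encoding can be checked offline against a constructed krbtgt SID. The domain values 1111111111/2222222222/3333333333 and the helper names are assumptions chosen for the example; note that the 24-byte prefix is not itself a well-formed SID (its sub-authority count byte still says five), which is exactly why a RID must be appended before it can be resolved.

```python
import struct

def build_sid(revision: int, authority: int, subs: list[int]) -> bytes:
    """Serialise a SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as a little-endian DWORD."""
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def parse_sid(blob: bytes) -> str:
    """Render a binary SID in its S-1-... string form, validating the length
    against the sub-authority count byte."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    expected = 8 + 4 * sub_count
    if len(blob) != expected:
        raise ValueError(f"{sub_count} sub-authorities imply {expected} bytes, got {len(blob)}")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def rid_of(blob: bytes) -> int:
    """The RID is the last DWORD, little-endian."""
    return int.from_bytes(blob[-4:], "little")

def domain_prefix(blob: bytes) -> bytes:
    """Drop the trailing 4-byte RID (the SUBSTRING step), keeping the 24-byte
    domain prefix. The result is not a valid SID on its own."""
    return blob[:-4]

def with_rid(prefix: bytes, rid: int) -> bytes:
    """Append a RID as four little-endian bytes, mirroring the CTE's
    '& 255' / '/256' / '/65536' / '/16777216' arithmetic."""
    if not 0 <= rid <= 0xFFFFFFFF:
        raise ValueError("RID out of range")
    return prefix + bytes([rid & 255,
                           (rid // 256) & 255,
                           (rid // 65536) & 255,
                           (rid // 16777216) & 255])

# Constructed sample: a krbtgt SID for a made-up domain (assumed values).
KRBTGT_SID = build_sid(1, 5, [21, 1111111111, 2222222222, 3333333333, 502])

if __name__ == "__main__":
    print(len(KRBTGT_SID), parse_sid(KRBTGT_SID), rid_of(KRBTGT_SID))
    base = domain_prefix(KRBTGT_SID)
    print(len(base), parse_sid(with_rid(base, 500)))
```

Running the block prints the 28-byte krbtgt SID as S-1-5-21-...-502, then shows that the 24-byte prefix plus a different RID parses back to a well-formed SID for that domain.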
Mapping the Backdoors: Impersonation Path Analysis (Phase 11)
Identity isolation inside an MSSQL instance is frequently broken by misconfigured explicit permissions. If a login possesses the IMPERSONATE grant over another high-privilege principal (like sa), an attacker can instantly assume their context via EXECUTE AS LOGIN.
Phase 11 introduces granular mapping of the internal delegation topology by joining sys.server_permissions against underlying security identifiers:
SELECT grantee.name AS [Grantee_User], perm.permission_name AS [Permission_Type], target.name AS [Target_Identity]
FROM sys.server_permissions perm
JOIN sys.server_principals grantee ON perm.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target ON perm.major_id = target.principal_id
WHERE perm.permission_name = 'IMPERSONATE';
This output automatically surfaces multi-stage, transitive paths where a low-privilege account can jump to a medium-privilege service account, which in turn holds impersonation rights over an administrative login, rendering nested lateral movement vectors visible at a glance.
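To show how the single-hop rows returned by the query above turn into the transitive chains Phase 11 describes, here is an added Python example (not part of EnumMSSQL) that walks constructed result rows as a directed graph and lists every chain that ends at a chosen high-privilege login. The principal names, the sink 'sa' and the inclusion of a deliberate cycle are assumptions for the example; the same walk is what a defender would run over a real export to spot grantees that never hold IMPERSONATE on sa directly but still reach it.

```python
from collections import defaultdict

# Constructed rows in the shape of the Phase 11 query output:
# (Grantee_User, Permission_Type, Target_Identity). Names are made up.
GRANTS = [
    ("app_reader",  "IMPERSONATE", "svc_reports"),
    ("svc_reports", "IMPERSONATE", "svc_backup"),
    ("svc_backup",  "IMPERSONATE", "sa"),
    ("web_user",    "IMPERSONATE", "sa"),
    ("auditor",     "IMPERSONATE", "svc_reports"),
    ("svc_backup",  "IMPERSONATE", "svc_reports"),  # constructed cycle
]

def build_graph(rows):
    """grantee -> set of logins it may EXECUTE AS."""
    graph = defaultdict(set)
    for grantee, permission, target in rows:
        if permission.upper() == "IMPERSONATE":
            graph[grantee].add(target)
    return graph

def impersonation_paths(rows, sink="sa"):
    """All simple paths grantee -> ... -> sink, longest chains first.
    A path never revisits a principal, so cycles cannot loop forever."""
    graph = build_graph(rows)
    found = []

    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:
                continue          # cycle guard
            if nxt == sink:
                found.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    for start in sorted(graph):
        if start != sink:
            walk(start, [start])
    return sorted(found, key=lambda p: (-len(p), p))

def principals_reaching(rows, sink="sa"):
    """Every grantee with at least one chain to the sink."""
    return sorted({p[0] for p in impersonation_paths(rows, sink)})

def transitive_only(rows, sink="sa"):
    """Grantees that reach the sink only through intermediaries; these are
    the ones a single-hop review of the permission table misses."""
    direct = {g for g, perm, t in rows if t == sink and perm.upper() == "IMPERSONATE"}
    return [p for p in principals_reaching(rows, sink) if p not in direct]

if __name__ == "__main__":
    for path in impersonation_paths(GRANTS):
        print(" -> ".join(path))
    print("transitive only:", transitive_only(GRANTS))
```

On the constructed rows the longest chains are app_reader -> svc_reports -> svc_backup -> sa and auditor -> svc_reports -> svc_backup -> sa; app_reader, auditor and svc_reports reach sa without holding a direct grant on it, which is the class of finding worth revoking first.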
Autonomous Loot Auditing: Targeted Data Classification (Phase 12)
Manual schema parsing across complex enterprise database instances consumes vast amounts of operational time. Phase 12 implements a fast, non-intrusive keyword profiler running directly against metadata boundaries.
By querying INFORMATION_SCHEMA.COLUMNS with LIKE patterns, the script screens every table in the currently mapped database context for high-yield column names, matching strings such as %pass%, %cred%, %secret%, or %token%.
This enables rapid targeting of configuration blocks, Web API integration backends, and poorly hashed application password stores without needing to pull down massive, unparsed table dumps over the network connection.
What’s Next?
With the local enumeration, coercion vectors, and Active Directory indexing layers stabilized, development is pivoting toward cross-instance scaling. The next milestones on the roadmap include multi-threaded concurrent targeting loops and automated JSON reporting output for programmatic pipeline consumption.