Modern enterprise networks often rely on MSSQL servers to power business applications and data storage. This makes them a prime target for adversaries. In this POC, Pentest Copilot autonomously identifies, exploits, and exfiltrates data from an MSSQL instance — all while visualizing the end-to-end attack path in real time.
Mapping the Attack Surface
The exploit graph shows the MSSQL service (1433/tcp) as a reachable node in the subnet. Pentest Copilot highlights relationships to the target host and the service, setting the stage for further exploitation.
Pentest Copilot tests previously discovered credentials (username: samwell.tarly) against the service. Authentication succeeds, confirming valid access. The graph updates with a Secret → Service edge, visually representing credential reuse risk.
Chaining MSSQL Vulnerabilities
The AI agent autonomously runs multiple submodules to enumerate attack vectors:
JOB_FUNC_CHECK_MSSQL_PRIVS → Detects sysadmin privileges, granting full control.
JOB_FUNC_CHECK_IMPERSONATION → Validates user impersonation paths.
JOB_FUNC_CHECK_LINKED → Checks for linked servers.
JOB_FUNC_CHK_MSSQL_QUERY_INJECTION_RCE → Explores query injection vectors.
JOB_FUNC_CHK_MSSQL_XP_CMDSHELL → Attempts OS command execution via xp_cmdshell.
Each successful check is displayed as a new vulnerability node linked back to the MSSQL instance, clearly showing escalation steps.
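A defender can review the conditions these checks look for (sysadmin membership, impersonation grants, linked servers, xp_cmdshell) with read-only catalog queries. This is an added example, not Pentest Copilot's own code or output; it assumes a DBA login with VIEW ANY DEFINITION on the instance.

```sql
-- Added audit example (read-only). Assumes SQL Server catalog views and a
-- login allowed to view server-level metadata.

-- 1. Who holds the sysadmin fixed server role?
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Which logins have been granted IMPERSONATE on another login?
--    class 101 = SERVER_PRINCIPAL, type 'IM' = IMPERSONATE,
--    state 'G' = GRANT, 'W' = GRANT WITH GRANT OPTION.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101
  AND p.type  = 'IM'
  AND p.state IN ('G', 'W')
ORDER BY grantee.name;

-- 3. Which linked servers exist, and how do local logins map to them?
SELECT s.name AS linked_server,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 4. Is xp_cmdshell enabled? value_in_use = 1 means it is active.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';
```

Any row from query 2, an unexpected login in query 1, a linked server with a fixed remote_name in query 3, or value_in_use = 1 in query 4 is worth tracing back to an owner before the next assessment.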
JOB_FUNC_CHK_MSSQL_QUERY_INJECTION_RCE confirms arbitrary SQL query execution. This provides a reliable RCE vector inside the database engine.
exp_share_steal for Data Exfiltration
The agent executes the exp_share_steal submodule. This module automatically dumps sensitive tables (sysmanagement, sysutility_mi_smo_objects_to_collect_internal, etc.) and exfiltrates data. Extracted credentials and system info are stored as Secret entities in the graph.
All discovered vulnerabilities and secrets are interlinked in the graph. The final visualization shows exactly how initial MSSQL access cascaded into:
The graph provides defenders and red teamers with traceable provenance edges, showing every step from exposed MSSQL service → credential abuse → privilege escalation → secret theft.
Pentest Copilot transforms MSSQL exploitation from a manual, multi-step process into a fully autonomous AI-driven attack chain. This not only accelerates testing but also provides clear, auditable graphs for defenders to understand and remediate.
1. How does Pentest Copilot discover MSSQL services?
It scans subnets for common ports (1433/tcp for MSSQL) and correlates services with live hosts in the exploit graph.
2. What if no valid credentials exist?
The AI agent attempts multiple authentication strategies: weak/default creds, secrets from other modules, and injection vectors.
3. Does it support chained exploits (e.g., linked servers)?
Yes — Copilot automatically explores linked servers, escalating access where possible.
4. How are secrets stored and represented?
Extracted credentials, tokens, and dumped tables are stored as Secret entities, linked to both vulnerabilities and the exploited service.
5. Can defenders use these graphs for remediation?
Absolutely. The attack graph provides a forensic replay of the exploit chain, helping blue teams close privilege gaps, credential exposures, and misconfigurations.