whatisgithub

What is mssqlhound?

specterops/mssqlhound — explained in plain English

Analysis updated 2026-07-18 · repo last pushed 2026-07-10

338GoAudience · ops devopsComplexity · 4/5ActiveSetup · hard

In one sentence

MSSQLHound maps attack paths in Microsoft SQL Server environments by querying permissions, logins, and linked servers, then feeding that data into BloodHound's visual graph for security teams to analyze.

Mindmap

mindmap
  root((repo))
    What it does
      Maps SQL attack paths
      Integrates with BloodHound
      Auto-discovers servers
    Tech stack
      Go
      BloodHound
      Active Directory
    Use cases
      Penetration testing
      Security auditing
      Detection analysis
    Audience
      Red team operators
      Blue teams
      Security auditors

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Map how a compromised database login could escalate privileges across linked SQL Servers.

USE CASE 2

Audit an organization's SQL Server permissions and visualize attack paths in BloodHound.

USE CASE 3

Simulate reconnaissance traffic so blue teams can build detection rules for SQL Server probing.

What is it built with?

GoBloodHoundActive DirectorySQL ServerKerberos

How does it compare?

specterops/mssqlhoundcaddyserver/nginx-adapterantflydb/antfly
Stars338354360
LanguageGoGoGo
Last pushed2026-07-102026-02-15
MaintenanceActiveMaintained
Setup difficultyhardeasyhard
Complexity4/52/54/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires network access to SQL Server instances and Active Directory domain controllers, plus a running BloodHound instance to visualize results.

No license information is provided in the explanation, so usage rights are unknown.

So what is it?

MSSQLHound is a security tool that helps red team operators and security auditors map out how attackers could move through an organization's Microsoft SQL Server environment. It plugs into BloodHound, a popular tool for visualizing attack paths in corporate networks. By adding SQL Server relationships to BloodHound's visual maps, security teams can see things like which database accounts could impersonate others, which servers are linked together, and which credentials might be exploited to move deeper into a network. At its core, the tool connects to SQL Server instances and queries them for information about logins, roles, database permissions, linked servers, and service accounts. It translates all of that data into a format BloodHound can display as a graph, showing how different permissions and relationships could be chained together. You can point it at a single server, or let it automatically discover every SQL Server across an Active Directory domain by querying domain controllers. It then packages the results into a file you can upload directly to BloodHound, or it can push the data there automatically. The people who would use this are penetration testers, red team operators, and internal security teams who need to understand the blast radius of a compromised SQL Server account. For example, if an attacker gains access to a low-privilege database login, this tool helps answer questions like "could they escalate to admin on another server?" or "which linked servers could they pivot to?" The detailed OPSEC documentation also makes it useful for blue teams who want to understand exactly what network traffic and log entries this kind of reconnaissance would generate. The project was originally a PowerShell script and has since been rewritten in Go, which brings faster concurrent collection and cross-platform support. The Go version can scan multiple servers simultaneously, route traffic through SOCKS5 proxies, and support advanced authentication methods like Kerberos and pass-the-hash. It also documents every network connection, authentication event, and SQL query it runs, which is valuable for operators who need to assess detection risk during engagements.

Copy-paste prompts

Prompt 1
Generate a BloodHound-compatible data file from a single SQL Server instance showing all login impersonation relationships and linked server connections.
Prompt 2
Discover all SQL Server instances across an Active Directory domain and map their permission chains, then push the results directly into BloodHound.
Prompt 3
Route SQL Server reconnaissance scans through a SOCKS5 proxy using Kerberos authentication and document every network connection for OPSEC reporting.
Prompt 4
Analyze a BloodHound graph enriched with MSSQLHound data to identify which low-privilege database accounts could pivot to admin access on linked servers.

Frequently asked questions

What is mssqlhound?

MSSQLHound maps attack paths in Microsoft SQL Server environments by querying permissions, logins, and linked servers, then feeding that data into BloodHound's visual graph for security teams to analyze.

What language is mssqlhound written in?

Mainly Go. The stack also includes Go, BloodHound, Active Directory.

Is mssqlhound actively maintained?

Active — commit in last 30 days (last push 2026-07-10).

What license does mssqlhound use?

No license information is provided in the explanation, so usage rights are unknown.

How hard is mssqlhound to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is mssqlhound for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.