specterops/mssqlhound — explained in plain English
Analysis updated 2026-07-18 · repo last pushed 2026-07-10
Map how a compromised database login could escalate privileges across linked SQL Servers.
Audit an organization's SQL Server permissions and visualize attack paths in BloodHound.
Simulate reconnaissance traffic so blue teams can build detection rules for SQL Server probing.
| specterops/mssqlhound | caddyserver/nginx-adapter | antflydb/antfly | |
|---|---|---|---|
| Stars | 338 | 354 | 360 |
| Language | Go | Go | Go |
| Last pushed | 2026-07-10 | 2026-02-15 | — |
| Maintenance | Active | Maintained | — |
| Setup difficulty | hard | easy | hard |
| Complexity | 4/5 | 2/5 | 4/5 |
| Audience | ops devops | ops devops | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires network access to SQL Server instances and Active Directory domain controllers, plus a running BloodHound instance to visualize results.
MSSQLHound is a security tool that helps red team operators and security auditors map out how attackers could move through an organization's Microsoft SQL Server environment. It plugs into BloodHound, a popular tool for visualizing attack paths in corporate networks. By adding SQL Server relationships to BloodHound's visual maps, security teams can see things like which database accounts could impersonate others, which servers are linked together, and which credentials might be exploited to move deeper into a network. At its core, the tool connects to SQL Server instances and queries them for information about logins, roles, database permissions, linked servers, and service accounts. It translates all of that data into a format BloodHound can display as a graph, showing how different permissions and relationships could be chained together. You can point it at a single server, or let it automatically discover every SQL Server across an Active Directory domain by querying domain controllers. It then packages the results into a file you can upload directly to BloodHound, or it can push the data there automatically. The people who would use this are penetration testers, red team operators, and internal security teams who need to understand the blast radius of a compromised SQL Server account. For example, if an attacker gains access to a low-privilege database login, this tool helps answer questions like "could they escalate to admin on another server?" or "which linked servers could they pivot to?" The detailed OPSEC documentation also makes it useful for blue teams who want to understand exactly what network traffic and log entries this kind of reconnaissance would generate. The project was originally a PowerShell script and has since been rewritten in Go, which brings faster concurrent collection and cross-platform support. The Go version can scan multiple servers simultaneously, route traffic through SOCKS5 proxies, and support advanced authentication methods like Kerberos and pass-the-hash. It also documents every network connection, authentication event, and SQL query it runs, which is valuable for operators who need to assess detection risk during engagements.
MSSQLHound maps attack paths in Microsoft SQL Server environments by querying permissions, logins, and linked servers, then feeding that data into BloodHound's visual graph for security teams to analyze.
Mainly Go. The stack also includes Go, BloodHound, Active Directory.
Active — commit in last 30 days (last push 2026-07-10).
No license information is provided in the explanation, so usage rights are unknown.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.