# Extract MSSQL Link Password

![](/files/-MTKJbmz5LFJo_NiOuRU)

Step 1: Get Local Instances 

![Local Instances on the system](/files/-MTKD0QucAn7uZczVGYw)

Step 2 : Get the current User

![Getting the current user name](/files/-MTKEYJF1B5K3kG0FMWq)

Step 3: Get the version 

![](/files/-MTKFrLDvlEH4t-srEg6)

Step 4: Check if you can impersonate sa

![](/files/-MTKGzHjpiOyQV88jXz2)

Step 5: Enable DAC

![](/files/-MTKJ0DbY0n0pKOBiXEa)

Step 6: Check if port 1434 is enabled

Step 7: If you dont see 1434 enabled see below

Step 8: Check if you have  **-T7806 in SQL Args. If you dont see below**

![](/files/-MTKMa9gKObbZN52XMEP)

Step 9 : Add SQLArg3 as -T7806

```
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\Parameters\" -Name "SQLArg3" -Value "-T7806"  -PropertyType "String"
```

![](/files/-MTKOlyu4s9a1ATWe1_6)

Step 10: Check if you have SQLBrowser running 

```
Get-Service | Where {$_.Name -Like "*SQLBROWSER*"}
```

![](/files/-MTKPsOe-vEayX2jXgev)

![](/files/-MTKRXNe14_Bqvg7izzy)

Step 11: Check if you have named pipes enabled

![](/files/-MTKUmtwRW8XhMGz7W0M)

```
Set-ItemProperty "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Np\" -Name Enabled -Value 1 -Type DWord
```

![](/files/-MTKWa0_kMI4nqCOxd89)

Step 12: Restart the services

![](/files/-MTK_4ZZX2uEeP8G-sb6)

Step 13: Check if UDP port  1434 is now enabled 

![](/files/-MTKaDe6xqZHsy45z3qW)

Extract the Link Password 

![](/files/-MTKfPghEFQTBt_hfMim)

Reference:

{% embed url="<https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/>" %}

{% embed url="<https://dba.stackexchange.com/questions/200499/enabling-admin-connection-on-sql-server-express-to-fix-logon-trigger>" %}

Create SA account&#x20;

{% embed url="<https://sudeeptaganguly.wordpress.com/2010/04/20/how-to-enable-sa-account-in-sql-server/>" %}

{% embed url="<https://stackoverflow.com/questions/11343606/automatically-enable-named-pipes-tcp-ip-protocols-sql-server-2008-r2>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.redteam.cafe/red-team/database/extract-mssql-link-password.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.