Microsoft SQL server installs by default on port 1433, if mis-configured the "sa" or systems administrator password can be left with a weak password. The MSSQL bruter looks for SQL servers, then attempts to guess the "sa" password. Usually when performing an internal pentest this is highly successful, most development servers are lax on security and are usually easier to compromise. On some instances, production servers have these as well. When Fast-Track successfully guesses the password, it will allow you to select multiple payloads, if the xp cmdshell stored procedure is disabled, Fast-Track will re-enable it as well as try to elevate your permissions to "sa" if it doesn't have that role assigned. The MSSQL bruter uses the same method for payload delivery as SQLPwange and SQL Injector by using the binary to hex conversion method. There is a little twist to this method, windows debug only allows us to take something 64kb or under and convert it back to a binary, if you use Meterpreter or VNC, the payload is much larger. In order to bypass this, there is a custom stager payload that gets dropped on the system that is essentially windows debug without the 64kb restrictions. This was a topic that we presented on at Defcon and allows us to bypass the 64kb restrictions when converting our payloads on the operating system.