Enumeration
Overview
MS SQL Server integrates with Windows and Active Directory domains right out of the box. Consequently, there are trust relationships (domain authentication, SPN-registered service accounts, linked servers) which we can leverage from an attacker perspective.
Enumeration
Identifying MS SQL Server within an AD domain
Using PowerUpSQL
PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution.
Import-Module .\PowerUpSQL.psd1
# Discovering local SQL server instance
Get-SQLInstanceLocal -Verbose
# Discovering Active Directory domain SQL Server instances (via registered MSSQLSvc SPNs)
Get-SQLInstanceDomain -Verbose
Testing connectivity
Using PowerUpSQL
# Get a list of domain SQL servers that can be logged into with a provided SQL Server login
$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username testuser -password testpass | Where-Object {$_.Status -like "Accessible"}
$Targets
Enumerating SQL Server links
SQL Server links (linked servers) are a feature of Microsoft SQL Server that allows one instance to connect to and query data on another SQL Server instance or another database system. Links can be chained, so crawling them shows how far a single foothold can reach.
# Get database links
Get-SQLServerLink -Verbose -Instance SQLSERVER1\Instance1
# Crawl database links
Get-SqlServerLinkCrawl -Verbose -Instance SQLSERVER1\Instance1
# Crawl database links and execute query
Get-SqlServerLinkCrawl -Verbose -Instance SQLSERVER1\Instance1 -Query "select name from master..sysdatabases"
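The crawl above shows which links exist from the attacker's side; the T-SQL below is an added audit query (not from the original page and not part of PowerUpSQL) that an administrator can run on each instance to review the same links and how local logins are mapped to remote credentials. It assumes a login with VIEW ANY DEFINITION or sysadmin, and only reads the documented catalog views sys.servers, sys.linked_logins and sys.server_principals.

```sql
-- Added audit query (assumption: run as sysadmin or with VIEW ANY DEFINITION).
-- Lists every linked server on this instance together with its login mappings,
-- and flags the configurations that make a link useful for lateral movement.
SELECT
    s.name                    AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,     -- 1 = callers may execute procedures/queries remotely
    s.is_data_access_enabled, -- 1 = OPENQUERY / four-part names are allowed
    lp.name                   AS local_login,   -- NULL = wildcard mapping (all local logins)
    ll.uses_self_credential,  -- 1 = connect as the calling Windows login
    ll.remote_name,           -- fixed remote login used by the mapping (NULL = none)
    CASE
        WHEN ll.remote_name IS NOT NULL AND lp.name IS NULL
            THEN 'REVIEW: every local login reaches the remote server as a fixed account'
        WHEN ll.remote_name = 'sa'
            THEN 'REVIEW: link authenticates to the remote server as sa'
        WHEN ll.uses_self_credential = 1 AND s.is_rpc_out_enabled = 1
            THEN 'INFO: pass-through credentials with RPC OUT enabled'
        ELSE 'OK'
    END                       AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
       ON lp.principal_id = ll.local_principal_id   -- id 0 (wildcard) has no principal row
WHERE s.is_linked = 1
ORDER BY s.name, lp.name;
```

A link flagged REVIEW with RPC OUT enabled is exactly the kind Get-SqlServerLinkCrawl follows with elevated rights on the far side; restrict the mapping to specific local logins or a low-privilege remote account and disable RPC OUT where it is not required.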