01. Enumeration
Direct Access
- SQLPS module
- SQL Server Management Modules (SMO)
- .NET (System.Data.SQL / System.Data.SQLClient)
Modules
PowerUpSQL - Toolkit for Attacking SQL Server: https://github.com/NetSPI/PowerUpSQL
Discovery
- PowerUpSQL:
Get-SQLInstanceScanUDP -ComputerName 192.168.1.2 -verbose - .NET (UDP Broadcast):
[System.Data.Sql.SqlDataSourceEnumeration]::Instance.GetDataSources()
Local Enumeration
Import-Module -Name SQLPS
Get-ChildItem SQLSERVER:\SQL\<machinename>
Get-Service -Name MSSQL*
sqlinstances = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server' foreach ($SQLInstance in $SQLInstances) { foreach ($s in $SQLInstance.InstalledInstances) { [PSCustomObject]@{ PSComputerName = $SQLInstance.PSComputerName InstanceName = $s}}}
Get-SQLInstanceLocal
http://www.powershellmagazine.com/2014/07/21/using-powershell-to-discover-information-about-your-microsoft-sql-servers/
Domain Enumeration
- Search AD user attribute:
servicePrincipalName=MSSQL*
Import-Module -Name PowerUpSQL
Get-SQLInstanceDomain -verbose
Queries
| Information Obtained | Query |
|---|---|
| Version | SELECT @@version |
| Current User | SELECT SUSER_SNAME() SELECT SYSTEM_USER |
| Current Role | SELECT IS_SRVROLEMEMBER('sysadmin') SELECT user |
| Current Database | SELECT db_name() |
| List All Databases | SELECT name FROM master..sysdatabases |
| List All Logins | SELECT - FROM sys.server_principals WHERE type_desc != 'SERVER_ROLE' |
| List All Users for Database | SELECT - FROM sys.database_principals WHERE type_desc != 'DATABASE_ROLE' |
| List All Sysadmins | SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1 |
| List All Roles | SELECT DP1.name AS DatabaseRoleName, isnull (DP2.name, 'No members') AS DatabaseUserName FROM sys.database_role_members AS DRM RIGHT OUTER JOIN sys.database_principals AS DP1 ON DRM.role_principal_id = DP1.principal_id LEFT OUTER JOIN sys.database_principals AS DP2 ON DRM.member_principal_id = DP2.principal_id WHERE DP1.type = 'R' ORDER BY DP1.name; |
| Effective Permissions for Server | SELECT - FROM fn_my_permissions(NULL, 'SERVER'); |
| Effective Permissions for Database | SELECT - FROM fn_my_permissions(NULL, 'DATABASE'); |
| Active User Tokens | SELECT - FROM sys.user_token |
| Active Login Tokens | SELECT - FROM sys.login_token |
| Impersonatable Accounts | SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' |
| Find Trustworthy Databases | SELECT name as database_name , SUSER_NAME(owner_sid) AS database_owner , is_trustworthy_on AS TRUSTWORTHY from sys.databases |
| > https://docs.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-role-members-transact-sql |
Information Gathering
Looking for interesting databases
Get-SQLDatabaseThreaded -Threads 10 -Username sa -Password pw -Instance instance -verbose | select -ExpandProperty DatabaseName
Get-SQLDatabaseThreaded -Threads 10 -Username sa -Password pw -Instance instance | Where-Object {$_.is_encrypted -eq “True"}
Get-SQLColumnSampleDataThreaded -Threads 10 -Keywords "password, credit" -SampleSize 5 -ValidateCC -NoDefaults -Username sa -Password pw -Instance instance -Verbose