GithubTwitter

MSSQL Servers

General

  • Generally deployed in a lot of Windows domains

  • Good option for lateral movement as domain users can be mapped to database roles

  • We can use PowerUpSQL for exploitation

  • Cheatsheet

Exploitation

Enumeration

# Discovery (SPN Scanning)
Get-SQLInstanceDomain

# Check accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

# Gather information
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Database Links

  • Database link allows a SQL Server to access exteranl data sources like other SQL server and OLE DB data sources

  • For links between SQL servers, we can exectue stored procedures

  • Links work across forest trusts

Using PowerUpSQL

Using SQL Queries

PreviousCross Forest AttacksNextMITM & Relay Attacks

Last updated