search

Enumeration

Using PowerUpSQL

hashtag
Look for SPN's related to mssql

Import-Module PowerUpSQL.ps1
powershell Get-SQLInstanceDomain

ComputerName     : sql-2.dev.cyberbotic.io
Instance         : sql-2.dev.cyberbotic.io,1433
DomainAccountSid : 1500000521000672332383313895871914512914091400
DomainAccount    : mssql_svc
DomainAccountCn  : MS SQL Service
Service          : MSSQLSvc
Spn              : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
LastLogon        : 8/15/2022 7:55 PM
Description      :

You may also search the domain for groups that sound like they may have access to database instances (for example, a "SQL Admins" group).

Use native setspn tool:

setspn -T corp1 -Q MSSQLSvc/*
.\GetUserSPNs.ps1

hashtag
Check if we can connect to database

hashtag
Gather more information about the instance

If there are multiple SQL Servers available, you can chain these commands together to automate the data collection.

hashtag
Check which roles we have

hashtag
Finding a user (or group) that does have access can be challenging

circle-info

Another option is to go after the MS SQL service account itself as this is also often given sysadmin privileges.

hashtag
Query against MS SQL

hashtag
Non AD linked servers

These have to be checked manually (look for hostnames containing SQL)

hashtag
Tooling

Last updated