Enumeration

Using PowerUpSQL (import the module, then list the SQL instances registered in the domain; the cmdlet finds them through their MSSQLSvc service principal names):

Import-Module PowerUpSQL.ps1
powershell Get-SQLInstanceDomain

ComputerName     : sql-2.dev.cyberbotic.io
Instance         : sql-2.dev.cyberbotic.io,1433
DomainAccountSid : 1500000521000672332383313895871914512914091400
DomainAccount    : mssql_svc
DomainAccountCn  : MS SQL Service
Service          : MSSQLSvc
Spn              : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
LastLogon        : 8/15/2022 7:55 PM
Description      :

You may also search the domain for groups that sound like they may have access to database instances (for example, a "SQL Admins" group).

Use the native setspn tool (-T selects the domain to query, here corp1; -Q searches for SPNs matching the pattern), or the GetUserSPNs.ps1 script:

setspn -T corp1 -Q MSSQLSvc/*
.\GetUserSPNs.ps1

Check if we can connect to the database

Gather more information about the instance

If there are multiple SQL Servers available, you can chain these commands together to automate the data collection.

Check which roles we have

Finding a user (or group) that does have access can be challenging.

Another option is to go after the MS SQL service account itself as this is also often given sysadmin privileges.
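The instance listing above and the point about service accounts give a defender two things to review: which accounts back the SQL instances, and whether a single human-managed account is shared across many of them. The script below is an added example (not part of the original notes or of PowerUpSQL) that parses Get-SQLInstanceDomain-style records and reports both; the first record copies the page, the other two are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the record layout Get-SQLInstanceDomain prints.
# Record 1 is taken from the page; records 2 and 3 are made up for illustration.
SAMPLE = """\
ComputerName     : sql-2.dev.cyberbotic.io
Instance         : sql-2.dev.cyberbotic.io,1433
DomainAccount    : mssql_svc
Spn              : MSSQLSvc/sql-2.dev.cyberbotic.io:1433

ComputerName     : sql-3.dev.cyberbotic.io
Instance         : sql-3.dev.cyberbotic.io\\INST01
DomainAccount    : mssql_svc
Spn              : MSSQLSvc/sql-3.dev.cyberbotic.io:INST01

ComputerName     : sql-4.dev.cyberbotic.io
Instance         : sql-4.dev.cyberbotic.io,1433
DomainAccount    : SQL-4$
Spn              : MSSQLSvc/sql-4.dev.cyberbotic.io:1433
"""

FIELD = re.compile(r"^(\w+)\s*:\s*(.*)$")

def parse_instances(text):
    """Split the blank-line-separated records into dicts of field -> value."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif current:          # blank line closes a record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def audit_service_accounts(records):
    """Group instances by service account and flag two review points:
    one account backing several instances (one secret, wide blast radius),
    and a regular user account instead of a computer account or gMSA
    (whose sAMAccountNames end in '$' and have machine-managed passwords)."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["DomainAccount"]].append(r["Instance"])
    report = {}
    for account, instances in by_account.items():
        findings = []
        if len(instances) > 1:
            findings.append(f"shared across {len(instances)} instances")
        if not account.endswith("$"):
            findings.append("user account, not gMSA/computer account")
        report[account] = {"instances": sorted(instances), "findings": findings}
    return report
```

Feed it the real cmdlet output (for example via Get-SQLInstanceDomain | Out-String) to get the same report for your own domain.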

Query against MS SQL

Non-AD linked servers

SQL Servers that are not registered in AD with an MSSQLSvc SPN will not show up in the queries above. These have to be checked manually (for example, look for hostnames containing "SQL").

Tooling
