Finding SQL Servers
Unauthenticated
To find SQL servers as an unauthenticated user, we can use SQLCMD:
sqlcmd -L
We can do the same with Metasploit:
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS Target_IP_or_CIDR_identifier
msf auxiliary(mssql_ping) > run
PowerUpSQL
>> Import-Module .\PowerUpSQL.psd1
>> Get-SQLInstanceScanUDP
Other tools are:
OSQL
Nmap
Nessus
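The unauthenticated discovery methods above (sqlcmd -L, mssql_ping, Get-SQLInstanceScanUDP) all rely on the SQL Server Browser service, which listens on UDP/1434. From the defender's side the same traffic is easy to spot: one source probing many hosts on that port in a short window, or sending the probe to a broadcast address. The following script is an added example, not part of this page or of any of the tools named here; it assumes a simple space-separated flow log (timestamp, source, destination, protocol, destination port) and the sample records are constructed. The broadcast check (a destination ending in .255) and the threshold of five targets in sixty seconds are assumptions to tune for your network.

```python
"""Flag SQL Server Browser (UDP/1434) discovery sweeps in flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

SQL_BROWSER_PORT = 1434  # SQL Server Browser service listens on UDP/1434

# Constructed sample flow log (not captured from a real network).
# Fields: timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.5.23 10.0.1.10 udp 1434
2024-05-01T10:00:01 10.0.5.23 10.0.1.11 udp 1434
2024-05-01T10:00:02 10.0.5.23 10.0.1.12 udp 1434
2024-05-01T10:00:02 10.0.5.23 10.0.1.13 udp 1434
2024-05-01T10:00:03 10.0.5.23 10.0.1.14 udp 1434
2024-05-01T10:00:05 10.0.5.23 10.0.1.15 udp 1434
2024-05-01T10:00:09 10.0.7.40 10.0.255.255 udp 1434
2024-05-01T10:01:00 10.0.9.8 10.0.1.10 udp 1434
2024-05-01T10:01:00 10.0.9.8 10.0.1.10 tcp 1433
2024-05-01T11:30:00 10.0.5.23 10.0.1.20 tcp 1433
"""


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "proto": proto.lower(),
            "port": int(port),
        })
    return records


def detect_browser_sweeps(records, min_targets=5, window=timedelta(seconds=60)):
    """Return findings for sources that probe >= min_targets distinct hosts on
    UDP/1434 inside a sliding window, or send the probe to a broadcast address."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["port"] == SQL_BROWSER_PORT:
            by_src[r["src"]].append(r)

    findings = []
    for src, probes in by_src.items():
        probes.sort(key=lambda r: r["ts"])

        # Heuristic (assumption): a destination ending in .255 is a broadcast
        # probe, which is how a LAN-wide Browser discovery looks.
        broadcast = sorted({r["dst"] for r in probes if r["dst"].endswith(".255")})
        if broadcast:
            findings.append({"src": src, "kind": "broadcast", "targets": broadcast})

        # Sliding window: largest set of distinct targets hit within `window`.
        best = set()
        for i, start in enumerate(probes):
            targets = {r["dst"] for r in probes[i:] if r["ts"] - start["ts"] <= window}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            findings.append({"src": src, "kind": "sweep", "targets": sorted(best)})
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_browser_sweeps(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['src']}: {f['kind']} against {len(f['targets'])} target(s)")
```

On the sample, 10.0.5.23 is reported as a sweep (six hosts in four seconds) and 10.0.7.40 for a broadcast probe; the single probe from 10.0.9.8 and the TCP/1433 connections are ignored, since a lone UDP/1434 lookup is what a normal client does when it connects to a named instance.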
Local User
As a local user, SQL Server instances can be identified by checking the system services and registry settings:
>> Get-SQLInstanceLocal
Domain User
SQL Server instances are automatically registered in AD as SPNs on their service account (the machine account or a domain service account); this is what makes Kerberos authentication possible. We can use SPN scanning like so:
>> setspn -T domain -Q MSSQLSvc/*
or just use PowerUpSQL again:
>> Get-SQLInstanceDomain
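The setspn query above returns, for every AD object that holds an MSSQLSvc SPN, the object's DN followed by its SPNs, so the same output is a ready-made inventory of which SQL instances exist and which account each one runs under. The script below is an added example, not part of this page, PowerUpSQL or setspn; it parses that output into host, port or instance name, and registering account, and separates instances registered on the machine account from those registered on a separate domain service account (whose password strength, rotation and gMSA use are worth reviewing). The sample output is constructed, and the rule "CN of the registering object equals the SPN's host shortname, therefore machine account" is an assumption.

```python
"""Build a SQL Server inventory from `setspn -T domain -Q MSSQLSvc/*` output."""
import re

# Constructed sample output (not from a real domain). Each DN line is followed by
# its tab-indented SPNs; the header and trailer lines are what setspn prints.
SAMPLE_SETSPN_OUTPUT = """\
Checking domain DC=corp,DC=example
CN=SQL01,OU=Servers,DC=corp,DC=example
\tMSSQLSvc/sql01.corp.example:1433
\tMSSQLSvc/sql01.corp.example
CN=svc-sqlprod,OU=Service Accounts,DC=corp,DC=example
\tMSSQLSvc/sql02.corp.example:1433
\tMSSQLSvc/sql02.corp.example:REPORTING
\tMSSQLSvc/sql03.corp.example:50123

Existing SPN found!
"""

# MSSQLSvc/<host>            default instance, port 1433 implied
# MSSQLSvc/<host>:<port>     instance listening on a fixed TCP port
# MSSQLSvc/<host>:<instance> named instance (port resolved via the Browser service)
SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:]+)(?::(?P<suffix>[^:]+))?$", re.IGNORECASE)


def parse_spn(spn):
    """Split one MSSQLSvc SPN into host, port and instance; None for other SPNs."""
    m = SPN_RE.match(spn.strip())
    if not m:
        return None
    entry = {"host": m.group("host").lower(), "port": None, "instance": None}
    suffix = m.group("suffix")
    if suffix is None:
        entry["port"] = 1433
    elif suffix.isdigit():
        entry["port"] = int(suffix)
    else:
        entry["instance"] = suffix.upper()
    return entry


def parse_setspn_output(text):
    """Return (account_cn, spn) pairs; SPN lines are the indented ones under a DN."""
    account = None
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in "\t ":
            if account is not None:
                pairs.append((account, line.strip()))
        elif line.upper().startswith("CN="):
            account = line.split(",", 1)[0][3:]
        # "Checking domain ..." and "Existing SPN found!" carry no SPN data
    return pairs


def build_inventory(text):
    """One dict per MSSQLSvc SPN, with the registering account and a
    machine-account flag (assumption: CN == host shortname means self-registered)."""
    inventory = []
    for account, spn in parse_setspn_output(text):
        parsed = parse_spn(spn)
        if parsed is None:
            continue
        shortname = parsed["host"].split(".")[0]
        parsed["account"] = account
        parsed["machine_account"] = account.lower() == shortname
        inventory.append(parsed)
    return inventory


def service_accounts_to_review(inventory):
    """Domain accounts (not machine accounts) that hold SQL Server SPNs."""
    return sorted({e["account"] for e in inventory if not e["machine_account"]})


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SETSPN_OUTPUT)
    for e in inv:
        where = e["instance"] or f"port {e['port']}"
        print(f"{e['host']} ({where}) runs as {e['account']}")
    print("service accounts to review:", service_accounts_to_review(inv))
```

Feed it the real setspn output instead of the sample and compare the result with your CMDB: hosts that appear here but not in the asset list are the instances an attacker would find the same way.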
Tools are: