How to use PowerUpSQL to attack SQL Server instance

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article shows how PowerUpSQL can be used to test SQL Server instances for default credentials. The content is easy to follow and clearly laid out; we hope it resolves your doubts. Let the editor lead you through "how to use PowerUpSQL to attack SQL Server instances".

Summary of test methods

Default passwords are still one of the biggest problems we encounter during internal network penetration tests. This issue is especially easy to overlook for web applications, but third-party applications that are deployed with their own SQL Server instance are overlooked just as often. Rob Fuller maintains a list of default SQL Server instance passwords on PWNWiki, and we track our own list as well, so to automate the testing process I combined them and wrapped them in PowerShell.

At a high level the process is simple:

1. Create a list of application-specific SQL Server instance names and the default username/password pairs associated with each instance.

2. Identify SQL Server instances through LDAP queries, scanning, or other means.

3. Cross-reference the list of default instance names with the instance names that were found.

4. Attempt to log in to each matching SQL Server instance with the associated default credentials.

Load PowerUpSQL

PowerUpSQL can be loaded in PowerShell in many different ways. Here is a basic example of how to download and import modules from GitHub:

IEX (New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")

For more basic options, see https://github.com/NetSPI/PowerUpSQL/wiki/Setting-Up-PowerUpSQL.

Similarly, for more download cradle options, see Matthew Green's blog: https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html.

Command example: discovery via broadcast ping

Once PowerUpSQL is loaded, you can find SQL Server instances in your current broadcast domain by running the following command.

Get-SQLInstanceBroadcast -Verbose

As you can see, this command gives you a list of SQL Server instances on your local network. To tell which of them use a default password, pipe "Get-SQLInstanceBroadcast" into "Get-SQLServerLoginDefaultPw", as shown below.

Get-SQLInstanceBroadcast -Verbose | Get-SQLServerLoginDefaultPw -Verbose

Command example: discovery via LDAP query

If you have domain credentials or are already running on a domain-joined system, you can also query Active Directory via LDAP for a list of registered SQL Servers with the following command. This can be done from a non-domain system as well, using the syntax from the PowerUpSQL Discovery Cheatsheet.

Get-SQLInstanceDomain -Verbose

As in the last example, you only need to pipe "Get-SQLInstanceDomain" into "Get-SQLServerLoginDefaultPw" to identify the SQL Server instances registered in the domain that are still configured with a default password.

Get-SQLInstanceDomain -Verbose | Get-SQLServerLoginDefaultPw -Verbose

A complete list of the SQL Server instance discovery functions supported by PowerUpSQL is given below:

| Function Name | Description |
|---|---|
| Get-SQLInstanceFile | Returns SQL Server instances from a file, one per line. |
| Get-SQLInstanceLocal | Returns SQL Server instances from the local system based on a registry search. |
| Get-SQLInstanceDomain | Returns a list of SQL Server instances discovered by querying a domain controller for systems with registered MSSQL service principal names. The function defaults to the current user's domain and logon server, but an alternative domain controller can be provided. UDP scanning of management servers is optional. |
| Get-SQLInstanceScanUDP | Returns SQL Server instances from UDP scan results. |
| Get-SQLInstanceScanUDPThreaded | Returns SQL Server instances from UDP scan results and supports threading. |
| Get-SQLInstanceBroadcast | Returns SQL Server instances on the local network by sending a UDP request to the broadcast address of the subnet and parsing the responses. |
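The broadcast discovery described in the table and the cross-reference step from the process summary, as an added example that is not PowerUpSQL's own code: it parses a SQL Server Browser (SSRP) response datagram into instance objects and flags the ones whose instance name appears on the article's application-default list, leaving any login test to Get-SQLServerLoginDefaultPw. The datagram, the host name APP01 and the ports are constructed, and both function names are my own.

```powershell
# Added example, not part of PowerUpSQL. Instance names are taken from the article;
# the credential pairs are deliberately not reproduced here.
$DefaultInstanceNames = @('ACS','ACT7','AOM2','ARIS','AutodeskVault','BOSCHSQL',
    'BPASERVER9','CADSQL','CDRDICOM','CODEPAL','CODEPAL08','CounterPoint','CSSQL05',
    'DHLEASYSHIP','DPM','DVTEL','EASYSHIP','ECC','ECOPYDB','Emerson2012','HDPS',
    'HPDSS','INSERTGT','INTRAVET','PALMYMOVIES','PCAMERICA','PRISM','RMSQLDATA',
    'RTCLOCAL','SALESLOGIX','SIDEXIS_SQL','SQL2K5','STANDARDDEV2014','TEW_SQLEXPRESS',
    'vocollect','VSDOTNET','VSQL')

function ConvertFrom-SsrpResponse {
    # One SVR_RESP datagram from UDP/1434: byte 0x05, a 2-byte little-endian length,
    # then an ASCII string of key;value pairs; each instance record ends with ';;'.
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 3 -or $Bytes[0] -ne 0x05) { return }
    $len  = [Math]::Min($Bytes[1] -bor ($Bytes[2] -shl 8), $Bytes.Length - 3)  # tolerate short datagrams
    $text = [Text.Encoding]::ASCII.GetString($Bytes, 3, $len)
    foreach ($record in ($text -split ';;' | Where-Object { $_ })) {
        $fields = $record -split ';'
        $props  = @{}
        for ($i = 0; $i + 1 -lt $fields.Count; $i += 2) { $props[$fields[$i]] = $fields[$i + 1] }
        [pscustomobject]@{
            ComputerName = $props['ServerName']
            Instance     = $props['InstanceName']
            Version      = $props['Version']
            TcpPort      = $props['tcp']
        }
    }
}

function Find-DefaultInstanceCandidate {
    # Flag discovered instances whose name matches a known application default.
    param([Parameter(ValueFromPipeline)]$Instance)
    process {
        if ($DefaultInstanceNames -contains $Instance.Instance) {   # -contains is case-insensitive
            $Instance | Add-Member -NotePropertyName KnownDefault -NotePropertyValue $true -PassThru
        }
    }
}

# Constructed sample datagram (not captured traffic): one host answering for two instances.
$sample   = 'ServerName;APP01;InstanceName;SIDEXIS_SQL;IsClustered;No;Version;12.0.2000.8;tcp;49152;;' +
            'ServerName;APP01;InstanceName;MSSQLSERVER;IsClustered;No;Version;12.0.2000.8;tcp;1433;;'
$payload  = [Text.Encoding]::ASCII.GetBytes($sample)
$datagram = [byte[]]((0x05, ($payload.Length -band 0xFF), ($payload.Length -shr 8)) + $payload)
ConvertFrom-SsrpResponse $datagram | Find-DefaultInstanceCandidate | Format-Table
```

Only the SIDEXIS_SQL instance is emitted; the default MSSQLSERVER instance is skipped, matching the article's choice not to test generic instance names.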

I also want to point out that a DBATools function called "Find-DbaInstance" can be used for blind SQL Server instance discovery. It actually provides more discovery options than PowerUpSQL. Chrissy LeMaire has written a good overview that can be found on https://dbatools.io/find-sql-instances/.

What is Get-SQLServerLoginDefaultPw looking for?

Currently the Get-SQLServerLoginDefaultPw function covers 41 application-specific default SQL Server instance names, users, and passwords. I deliberately did not include instances named SQLEXPRESS or MSSQLSERVER because I wanted to avoid account lockouts; a login is only attempted when an instance name matches a known application deployment. For those curious, here is the current list of application-specific instance names:

ACS, ACT7, AOM2, ARIS, AutodeskVault, BOSCHSQL, BPASERVER9, CADSQL, CDRDICOM, CODEPAL, CODEPAL08, CounterPoint, CSSQL05, DHLEASYSHIP, DPM, DVTEL, EASYSHIP, ECC, ECOPYDB, Emerson2012, HDPS, HPDSS, INSERTGT, INTRAVET, PALMYMOVIES, PCAMERICA, PRISM, RMSQLDATA, RTCLOCAL, SALESLOGIX, SIDEXIS_SQL, SQL2K5, STANDARDDEV2014, TEW_SQLEXPRESS, vocollect, VSDOTNET, VSQL
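From the defender's side, the login attempts described above leave a recognisable trail in the SQL Server ERRORLOG: a burst of 18456 failures against several different logins from one client address. The following detection is an added example, not part of the article or PowerUpSQL; the log lines, addresses and login names are constructed, and the window and threshold values are assumptions to tune for your environment.

```powershell
function Find-DefaultLoginSweep {
    # Flags clients that fail logins against several distinct SQL logins within a short
    # window, the footprint of a default-credential sweep across application instances.
    param(
        [string[]]$LogLines,
        [int]$WindowSeconds = 60,      # assumption: tune both thresholds to your estate
        [int]$MinDistinctLogins = 3
    )
    # ERRORLOG "Login failed" line; the preceding "Error: 18456, Severity: 14, State: N." line is not needed.
    $pattern = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+Logon\s+Login failed for user ''(?<user>[^'']+)''.*\[CLIENT: (?<ip>[^\]]+)\]'
    $events = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.ff', [cultureinfo]::InvariantCulture)
                User   = $Matches.user
                Client = $Matches.ip
            }
        }
    }
    foreach ($group in ($events | Group-Object Client)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($start = 0; $start -lt $sorted.Count; $start++) {
            # Sliding window anchored on each failure from this client.
            $end      = $sorted[$start].Time.AddSeconds($WindowSeconds)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $sorted[$start].Time -and $_.Time -le $end })
            $users    = @($inWindow.User | Sort-Object -Unique)
            if ($users.Count -ge $MinDistinctLogins) {
                [pscustomobject]@{
                    Client      = $group.Name
                    FirstSeen   = $sorted[$start].Time
                    Failures    = $inWindow.Count
                    LoginsTried = $users -join ','
                }
                break   # one finding per client is enough for triage
            }
        }
    }
}

# Constructed sample ERRORLOG lines (not real logs): three logins tried from 10.0.0.5
# within 20 seconds, plus one isolated failure from 10.0.0.9 that should not be flagged.
$sample = @(
    '2024-05-01 10:15:02.12 Logon       Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]',
    '2024-05-01 10:15:09.40 Logon       Login failed for user ''appuser1''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]',
    '2024-05-01 10:15:21.07 Logon       Login failed for user ''appuser2''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]',
    '2024-05-01 10:31:44.55 Logon       Login failed for user ''jsmith''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]'
)
Find-DefaultLoginSweep -LogLines $sample | Format-Table
```

Because each instance writes its own ERRORLOG, run this over logs collected centrally from all instances; a sweep of one login per instance is invisible in any single log.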
