Active Directory Recon Functions
Scott Sutherland edited this page May 14, 2018
The PowerUpSQL functions listed below use the ADSI OLE DB provider (ADSDSOObject) to query Active Directory for domain users, computers, and other configuration information through SQL Server queries. Each function can execute its LDAP queries either through a linked server (OPENQUERY) or through an ad hoc distributed query (OPENROWSET); use the -UseAdHoc flag to switch between the two modes. In both modes the LDAP bind is made from the SQL Server host, so the query runs either as the SQL Server service account or as the domain account supplied with -LinkUsername and -LinkPassword, never as the SQL login itself. If you're interested in a cheat sheet with additional LDAP queries, check out this Microsoft article on LDAP filters. Also, this Microsoft article provides a basic overview of the Active Directory object model.
Note: All functions require the sysadmin role, because registering a linked server and enabling ad hoc distributed queries are server-level configuration changes.
Function Name | Description |
---|---|
Get-SQLDomainAccountPolicy | Provides the domain account policy (password and lockout settings) for the SQL Server's domain. |
Get-SQLDomainComputer | Provides a list of the domain computers on the SQL Server's domain. |
Get-SQLDomainController | Provides a list of the domain controllers on the SQL Server's domain. |
Get-SQLDomainExploitableSystem | Provides a list of the potentially exploitable computers on the SQL Server's domain, based on the operating system version reported in Active Directory. |
Get-SQLDomainGroup | Provides a list of the domain groups on the SQL Server's domain. |
Get-SQLDomainGroupMember | Provides a list of the domain group members on the SQL Server's domain. |
Get-SQLDomainObject | Can be used to execute arbitrary LDAP queries on the SQL Server's domain. |
Get-SQLDomainOu | Provides a list of the organizational units (OUs) on the SQL Server's domain. |
Get-SQLDomainPasswordsLAPS | Provides a list of the local administrator passwords stored by LAPS (the ms-Mcs-AdmPwd attribute) on the SQL Server's domain. Reading that attribute typically requires Domain Admin privileges, or membership in a group that has been delegated read access to it. |
Get-SQLDomainSite | Provides a list of Active Directory sites on the SQL Server's domain. |
Get-SQLDomainSubnet | Provides a list of Active Directory subnets on the SQL Server's domain. |
Get-SQLDomainTrust | Provides a list of domain trusts for the SQL Server's domain. |
Get-SQLDomainUser | Provides a list of the domain users on the SQL Server's domain. |
Get-SQLDomainUser -UserState Disabled | Provides a list of the disabled domain users (ACCOUNTDISABLE flag set) on the SQL Server's domain. |
Get-SQLDomainUser -UserState Enabled | Provides a list of the enabled domain users (ACCOUNTDISABLE flag clear) on the SQL Server's domain. |
Get-SQLDomainUser -UserState Locked | Provides a list of the locked-out domain users on the SQL Server's domain. |
Get-SQLDomainUser -UserState PreAuthNotRequired | Provides a list of the domain users that do not require Kerberos pre-authentication (DONT_REQ_PREAUTH flag set) on the SQL Server's domain. These accounts are exposed to AS-REP roasting. |
Get-SQLDomainUser -UserState PwLastSet 90 | Lists users that have not changed their password in the last 90 days, based on the pwdLastSet attribute. Any number of days can be provided. |
Get-SQLDomainUser -UserState PwNeverExpires | Provides a list of the domain users whose passwords never expire (DONT_EXPIRE_PASSWORD flag set) on the SQL Server's domain. |
Get-SQLDomainUser -UserState PwNotRequired | Provides a list of the domain users with the PASSWD_NOTREQD flag set on the SQL Server's domain. |
Get-SQLDomainUser -UserState PwStoredRevEnc | Provides a list of the domain users storing their password using reversible encryption (ENCRYPTED_TEXT_PWD_ALLOWED flag set) on the SQL Server's domain. |
Get-SQLDomainUser -UserState SmartCardRequired | Provides a list of the domain users that require a smart card for interactive logon (SMARTCARD_REQUIRED flag set) on the SQL Server's domain. |
Get-SQLDomainUser -UserState TrustedForDelegation | Provides a list of the domain users trusted for delegation (TRUSTED_FOR_DELEGATION flag set, i.e. unconstrained delegation) on the SQL Server's domain. |
Get-SQLDomainUser -UserState TrustedToAuthForDelegation | Provides a list of the domain users trusted to authenticate for delegation (TRUSTED_TO_AUTH_FOR_DELEGATION flag set, i.e. constrained delegation with protocol transition) on the SQL Server's domain. |
Examples:

The LDAP query runs as the SQL Server service account using an ad hoc query (OPENROWSET); the current domain user must be a sysadmin:

```powershell
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -UseAdHoc
```

The LDAP query runs as the SQL Server service account using an ad hoc query; the SQL login provided must be a sysadmin. A SQL login has no domain identity of its own, so the bind to Active Directory is still made by the service account:

```powershell
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -Username sa -Password 'Pass123!' -UseAdHoc
```

The LDAP query runs as the provided domain user using a SQL Server linked server (OPENQUERY); the current domain user must be a sysadmin:

```powershell
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -LinkUsername 'demo\administrator' -LinkPassword 'BestPasswordEver!'
```

The LDAP query runs as the provided domain user using a SQL Server linked server; the SQL login provided must be a sysadmin:

```powershell
Get-SQLDomainUser -Verbose -Instance MSSQLSRV04\SQLSERVER2014 -Username sa -Password 'Pass123!' -LinkUsername 'demo\administrator' -LinkPassword 'BestPasswordEver!'
```
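The T-SQL below is an added example, not PowerUpSQL's own code, showing what the two modes above execute on the server: the linked-server path (sp_addlinkedserver + OPENQUERY) and the ad hoc path (sp_configure + OPENROWSET), with the userAccountControl bit tests behind the -UserState switches and the pwdLastSet date arithmetic behind PwLastSet. The domain demo.local, the account demo\svc_ldap, the placeholder password and the sample filters are assumptions for illustration; the stored procedures, the OPENQUERY/OPENROWSET syntax and the ADSI LDAP dialect are standard.

```sql
-- Added example, not PowerUpSQL's own code. Assumed: domain demo.local
-- (DC=demo,DC=local), domain account demo\svc_ldap with a placeholder
-- password, and a caller holding sysadmin. Run from SSMS or sqlcmd.

------------------------------------------------------------------------
-- Path 1: linked server + OPENQUERY (the default mode)
------------------------------------------------------------------------
-- Register the ADSI OLE DB provider as a linked server named ADSI.
EXEC sp_addlinkedserver
    @server     = N'ADSI',
    @srvproduct = N'Active Directory Service Interfaces',
    @provider   = N'ADSDSOObject',
    @datasrc    = N'adsdatasource';

-- Map every local login to an explicit domain account (what -LinkUsername /
-- -LinkPassword do). With @useself = 'TRUE' and no remote user the bind is
-- made under the caller's Windows identity instead; a SQL login has none,
-- so that mapping fails for it.
EXEC sp_addlinkedsrvlogin
    @rmtsrvname  = N'ADSI',
    @useself     = 'FALSE',
    @locallogin  = NULL,
    @rmtuser     = N'demo\svc_ldap',
    @rmtpassword = N'<placeholder>';

-- ADSI LDAP dialect: <LDAP://base>;(filter);attribute list;scope
-- The -UserState switches are bit tests on userAccountControl. The extended
-- match rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) ANDs the
-- attribute with the value:
--     2        ACCOUNTDISABLE                  Disabled (clear = Enabled)
--     32       PASSWD_NOTREQD                  PwNotRequired
--     128      ENCRYPTED_TEXT_PWD_ALLOWED      PwStoredRevEnc
--     65536    DONT_EXPIRE_PASSWORD            PwNeverExpires
--     262144   SMARTCARD_REQUIRED              SmartCardRequired
--     524288   TRUSTED_FOR_DELEGATION          TrustedForDelegation
--     4194304  DONT_REQ_PREAUTH                PreAuthNotRequired
--     16777216 TRUSTED_TO_AUTH_FOR_DELEGATION  TrustedToAuthForDelegation
-- Enabled users that do not require Kerberos pre-authentication:
SELECT *
FROM OPENQUERY(ADSI,
  '<LDAP://DC=demo,DC=local>;(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));samaccountname,userprincipalname,useraccountcontrol,pwdlastset;subtree');

-- PwLastSet N is not a bit test: pwdLastSet is a FILETIME (100-ns ticks
-- since 1601-01-01 UTC). OPENQUERY only accepts a literal, so the cutoff is
-- spliced into dynamic SQL. pwdLastSet = 0 (must change at next logon)
-- also matches, which is usually what you want.
DECLARE @cutoff BIGINT =
    DATEDIFF_BIG(SECOND, CAST('1601-01-01' AS DATETIME2),
                 DATEADD(DAY, -90, GETUTCDATE())) * 10000000;
DECLARE @stale NVARCHAR(MAX) =
      N'SELECT * FROM OPENQUERY(ADSI, ''<LDAP://DC=demo,DC=local>;'
    + N'(&(objectCategory=person)(objectClass=user)(pwdLastSet<='
    + CAST(@cutoff AS NVARCHAR(20)) + N'));samaccountname,pwdlastset;subtree'')';
EXEC sp_executesql @stale;

------------------------------------------------------------------------
-- Path 2: ad hoc OPENROWSET (-UseAdHoc)
------------------------------------------------------------------------
-- Off by default; turning it on is a server-wide configuration change.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE;

-- No credentials given, so the SQL Server service account binds to AD.
-- (Get-SQLDomainComputer-style query for hosts on an end-of-life OS.)
SELECT *
FROM OPENROWSET('ADSDSOObject', 'adsdatasource',
  '<LDAP://DC=demo,DC=local>;(&(objectCategory=computer)(operatingSystem=Windows Server 2008*));dnshostname,operatingsystem,operatingsystemversion;subtree');

-- OPENROWSET can also carry explicit credentials.
-- (Get-SQLDomainTrust-style query.)
SELECT *
FROM OPENROWSET('ADSDSOObject', 'adsdatasource'; 'demo\svc_ldap'; '<placeholder>',
  '<LDAP://DC=demo,DC=local>;(objectClass=trustedDomain);name,flatname,trustdirection,trustattributes;subtree');

------------------------------------------------------------------------
-- Footprint and cleanup
------------------------------------------------------------------------
-- What a defender can look for afterwards: ADSI-backed linked servers and
-- the ad hoc setting left enabled.
SELECT name, provider, data_source FROM sys.servers WHERE provider = 'ADSDSOObject';
SELECT name, value_in_use FROM sys.configurations WHERE name = 'Ad Hoc Distributed Queries';

-- Revert what the recon changed.
EXEC sp_dropserver @server = N'ADSI', @droplogins = 'droplogins';
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

Two caveats worth knowing when you run these by hand. The ADSI OLE DB provider does not page, so a single OPENQUERY or OPENROWSET returns at most the domain controller's MaxPageSize (1000 objects by default); split large enumerations by OU or by the first character of sAMAccountName if a domain exceeds that. And both paths leave server-level state behind (a linked server with a stored domain credential, or the ad hoc distributed queries setting), so the cleanup section matters on an engagement as much as the queries do.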
Roadmap:
TBD