netspi / powerupsql
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
License: Other
Hello, I am not able to connect to some of the MS SQL instances using the PowerUpSQL script; however, I can connect and verify the script for another SQL instance using my ADS credentials along with a standard ADS account. The status shows "Not Accessible". I can ping the SQL instances and can also perform a UDP scan using PowerUpSQL. My ADS credentials are added in the SQL instance. Could you please help me understand what the issue could be and what "Not Accessible" means? Below is the error message. Thanks
While using my ADS ID
Error: Exception calling “Open” with “0” argument(s): “Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was – [Pre-Login] initialization=767; handshake=232; ”
While using my ADS service account id
VERBOSE: Error: Exception calling “Open” with “0” argument(s): “Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with ‘kinit’ and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.
ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error – An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)
The hashes from Get-SQLServerPasswordHash aren't accepted directly by John the Ripper. The issue is that the hexadecimal letters aren't capitalized.
So I suggest doing it :)
Except if you usually use a different tool which has different requirements?
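The shape of the hash behind the John complaint above, as an added example that is not PowerUpSQL's code: a version 0x0200 login hash (SQL Server 2012 and later) is the bytes 0x0200, a 4-byte salt, and SHA-512 over the UTF-16LE password followed by the salt. The block builds one from a constructed salt and password, verifies a candidate password against it, and emits the uppercase form the issue says John wants. The login name, salt and password are made up for the example.

```powershell
# Added example, not part of PowerUpSQL.
# Layout of a 0x0200 hash: 0x0200 || salt(4 bytes) || SHA-512( UTF-16LE(password) || salt )
function New-SqlPasswordHash {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][byte[]]$Salt        # must be exactly 4 bytes for version 0x0200
    )
    if ($Salt.Length -ne 4) { throw "version 0x0200 uses a 4-byte salt" }
    $pw     = [System.Text.Encoding]::Unicode.GetBytes($Password)   # UTF-16LE, so case matters
    $sha    = [System.Security.Cryptography.SHA512]::Create()
    $digest = $sha.ComputeHash([byte[]]($pw + $Salt))
    $hex    = -join (([byte[]](0x02, 0x00) + $Salt + $digest) | ForEach-Object { $_.ToString('x2') })
    return "0x$hex"
}

function Test-SqlPasswordHash {
    param(
        [Parameter(Mandatory)][string]$Hash,       # as returned by the server, upper or lower case hex
        [Parameter(Mandatory)][string]$Password
    )
    $hex = $Hash -replace '^0x', ''
    # 4 hex chars of version + 8 of salt + 128 of SHA-512 digest
    if ($hex.Length -ne 140 -or $hex.Substring(0, 4) -ne '0200') {
        throw "only version 0x0200 (SHA-512, 4-byte salt) hashes are handled here"
    }
    $salt = [byte[]](0..3 | ForEach-Object { [Convert]::ToByte($hex.Substring(4 + 2 * $_, 2), 16) })
    $expected = New-SqlPasswordHash -Password $Password -Salt $salt
    # the digest bytes are identical whichever case the hex is written in, so compare case-insensitively
    return $expected -ieq $Hash
}

function ConvertTo-JohnLine {
    param(
        [Parameter(Mandatory)][string]$Login,
        [Parameter(Mandatory)][string]$Hash
    )
    # keep the "0x" prefix as-is and uppercase the hex digits, per the observation in the issue
    '{0}:0x{1}' -f $Login, $Hash.Substring(2).ToUpper()
}

# Constructed sample: a made-up salt and password, not data from a real server
$salt = [byte[]](0x11, 0x22, 0x33, 0x44)
$hash = New-SqlPasswordHash -Password 'Winter2024!' -Salt $salt
Test-SqlPasswordHash -Hash $hash -Password 'Winter2024!'    # the password we hashed
Test-SqlPasswordHash -Hash $hash -Password 'winter2024!'    # different UTF-16 bytes, so a different digest
ConvertTo-JohnLine -Login 'sa' -Hash $hash
```

Pipe the output of ConvertTo-JohnLine into a file, one login per line, and hand that file to John; the server's own hex casing is irrelevant once it has been normalised this way.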
Invoke-SQLAudit flags false positives for "Excessive Privilege - Database Ownership Chaining" for the following databases.
According to https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-transact-sql-set-options?view=sql-server-2017, the DB_CHAINING option cannot be set on the master, model, and tempdb system databases.
Another reference here which says these three system databases require cross-database ownership chaining to be turned on.
Add Get-SQLFunction
I am directly connected to a VLAN where I found an MSSQL server. Is there a way I can use PowerUpSQL to audit the server? None of the discovery commands are finding it.
There are no domain controllers and I am basically just plugged in with a Kali machine to the network. Though I have a valid set of AD credentials if needed.
In the cheatsheet the "Execute arbitrary query" entry is missing a '-' before the "Query" parameter name.
Currently we get a "No query provided" error.
When I try to import the module, I get an error:
PS Z:\shm\PowerUpSQL-master> Import-Module .\PowerUpSQL.ps1
Import-Module : Cannot process the "#requires" statement at line 1 because it is not in the correct format.
The "#requires" statement must be in one of the following formats:
"#requires -shellid <shellID>"
"#requires -version <major.minor>"
"#requires -pssnapin <psSnapInName> [-version <major.minor>]"
At line:1 char:14
+ Import-Module <<<< .\PowerUpSQL.ps1
+ CategoryInfo : NotSpecified: (:) [Import-Module], ScriptRequiresSyntaxException
+ FullyQualifiedErrorId : RuntimeException,Microsoft.PowerShell.Commands.ImportModuleCommand
It appears that when running Get-SQLServerLoginDefaultPw, errors arise in cases where instances are found that have multiple sets of credentials that need to be tried. For instance, SQLEXPRESS instances have four sets of credentials to try. The issue is that these sets of values come out of $TblResultsTemp.username and $TblResultsTemp.password as arrays and are then assigned to $CurrentUsername and $CurrentPassword, respectively. The $CurrentUsername and $CurrentPassword variables are then used as strings even though they are actually arrays at this point.
The fix to this is just to unroll the values and test them pairwise one at a time. I have a quick fix for this and will try to get a PR done if nobody else hops on it first.
Thanks!
What am I doing wrong? Been at this for two days.
PS > Import-Module PowerUpSQL.psd1
ERROR: Import-Module : The specified module 'PowerUpSQL.psd1' was not loaded because no valid module file was found in any module directory.
ERROR: At line:1 char:14
ERROR: + Import-Module <<<< PowerUpSQL.psd1
ERROR: + CategoryInfo : ResourceUnavailable: (PowerUpSQL.psd1:String) [Import-Module], FileNotFoundException
ERROR: + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
Hi!
There is a hardcoded timeout of 1 in Get-SQLConnectionObject, specified at line 184:
# Set authentication type - current windows user
if(-not $Username){
# Set authentication type
$AuthenticationType = "Current Windows Credentials"
# Set connection string
$Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;Connection Timeout=1$AppNameString$EncryptString$TrustCertString$WorkstationString"
}
Clearly the connection string should state the following:
$Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;Connection Timeout=$TimeOut$AppNameString$EncryptString$TrustCertString$WorkstationString"
Kind regards,
M.
Invoke-SQLImpersonateService -Verbose -Instance MSSQLSvc/x
VERBOSE: MSSQLSvc/x: user has local admin privileges.
VERBOSE: MSSQLSvc/x: Impersonating SQL Server process:
VERBOSE: MSSQLSvc/x: No process running for provided instance...
Does this mean that it thinks there are no SQL instances on that server?
In essence I want to scan another domain with Get-SQLInstanceDomain, but there doesn't seem to be an argument to target another domain. Is there any other way?
There have been some reports that providing alternative domain credentials via the "-Username" flag in the "Get-SQLQuery" function fails...which is the core of most PowerUpSQL functions. For now, the work around is runas /netonly.
Large queries currently timeout even with the -timeout flag set, because you are missing the following line in the get-sqlquery function.
$Command.CommandTimeout=$TimeOut
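The two timeouts side by side, as an added example that is not PowerUpSQL's own code: "Connection Timeout" in the connection string bounds only the connect and pre-login phase, while SqlCommand.CommandTimeout (30 seconds by default) bounds statement execution, which is why a long query still fails when only the connection string honours -TimeOut. The instance name is assumed.

```powershell
# Added example, not PowerUpSQL code: a minimal query runner that sets BOTH timeouts.
function Invoke-SqlQueryWithTimeout {
    param(
        [Parameter(Mandatory)][string]$Instance,   # e.g. "sql01.lab.local,1433" (assumed name)
        [Parameter(Mandatory)][string]$Query,
        [int]$ConnectTimeout = 5,                  # seconds allowed to open the connection
        [int]$TimeOut = 120                        # seconds allowed for the statement itself
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Connection Timeout only covers SqlConnection.Open(): TCP connect, pre-login, handshake
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI;Connection Timeout=$ConnectTimeout"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    # CommandTimeout covers ExecuteReader()/ExecuteNonQuery(); default is 30 s regardless of the connection string
    $cmd.CommandTimeout = $TimeOut
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        $table.Load($reader)
    } finally {
        $conn.Dispose()
    }
    return $table
}

# A deliberately slow statement: the session is held for 40 s, longer than SqlCommand's
# 30 s default, so without the CommandTimeout assignment above this raises
# "Execution Timeout Expired" even though the connection itself opened within 5 s.
Invoke-SqlQueryWithTimeout -Instance 'sql01.lab.local,1433' -TimeOut 60 `
    -Query "WAITFOR DELAY '00:00:40'; SELECT @@VERSION AS version"
```

When triaging "timeout" errors, read the message: "Connection Timeout Expired ... pre-login handshake" is the first timeout and points at network, TLS or instance-resolution problems; "Execution Timeout Expired" is the second and points at the query.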
How do I fix this error?
ComputerName : SQLServer1.aaa.local
Instance : SQLServer1.aaa.local,41112
Vulnerability : Weak Login Password
Description : One or more SQL Server logins is configured with a weak password. This may provide unauthorized access to resources the affected logins have access to.
Remediation : Ensure all SQL Server logins are required to use a strong password. Consider inheriting the OS password policy.
Severity : High
IsVulnerable : Yes
IsExploitable : Yes
Exploited : No
ExploitCmd : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit.
Details : The JDE (Sysadmin) principal is configured with the password JDE.
Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx
Author : Scott Sutherland (@_nullbind), NetSPI 2016
Then I try this command: Invoke-SQLAuditWeakLoginPw -Verbose -Instance SQLServer1.aaa.local,41112 -Exploit
I get this error:
VERBOSE: SQLServer1.aaa.local,41112 : START VULNERABILITY CHECK: Weak Login Password
VERBOSE: SQLServer1.aaa.local,41112 : CONNECTION FAILED.
VERBOSE: SQLServer1.aaa.local,41112 : COMPLETED VULNERABILITY CHECK: Weak Login Password.
How do I fix this?
When I execute 'Invoke-SQLEscalatePriv' I get the below errors.
VERBOSE: Instance_xyz : START VULNERABILITY CHECK: Excessive Privilege - xp_dirtree
VERBOSE: Instance_xyz : CONNECTION SUCCESS.
VERBOSE: Instance_xyz : - At least one principal has EXECUTE privileges on xp_dirtree.
VERBOSE: Instance_xyz : - You have Administrator rights. Inveigh will be loaded.
VERBOSE: Instance_xyz : - Inveigh loaded.
VERBOSE: Instance_xyz : - Start sniffing...
VERBOSE: Instance_xyz : - Inject UNC path to \\x.x.x.x\path...
VERBOSE: Instance_xyz : - Stopped sniffing.
Get-InveighCleartext : The term 'Get-InveighCleartext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12454 char:58
+ ... [string]$PassCleartext = Get-InveighCleartext
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-InveighCleartext:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-InveighNTLMv1 : The term 'Get-InveighNTLMv1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12461 char:58
+ ... [string]$PassNetNTLMv1 = Get-InveighNTLMv1
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-InveighNTLMv1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Get-InveighNTLMv2 : The term 'Get-InveighNTLMv2' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12468 char:58
+ ... [string]$PassNetNTLMv2 = Get-InveighNTLMv2
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Get-InveighNTLMv2:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Per Microsoft's documentation, specific verbs are to be used for PowerShell cmdlets, in order to ensure some consistency between third-party modules and official functionality. This is echoed in the warning presented when importing PowerUpSQL:
PowerUpSQL uses Create as a verb for these cmdlets:
Create-SQLFileXpDll
Create-SQLFileCLRDll
Create-ProcessWithToken
To fix this, these cmdlets/functions should be refactored to use the New verb, which is recommended for use when a new record/object is being created.
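A way to find every function that would trigger that import warning, as an added example that is not part of PowerUpSQL: it parses the script with PowerShell's own parser rather than grepping, so nested and commented-out definitions are handled the way Import-Module sees them. The script path is assumed.

```powershell
# Added example, not PowerUpSQL code: list functions whose verb is not in Get-Verb.
function Find-UnapprovedVerb {
    param([Parameter(Mandatory)][string]$Path)
    $approved = (Get-Verb).Verb
    # Verbs PowerUpSQL is known (from the warning above) to use, with the approved replacement
    $suggest  = @{ Create = 'New' }
    $tokens = $null; $errors = $null
    $fullPath = (Resolve-Path $Path).Path               # Parser works on absolute paths
    $ast = [System.Management.Automation.Language.Parser]::ParseFile($fullPath, [ref]$tokens, [ref]$errors)
    if ($errors) { throw "parse errors in $Path`: $($errors[0].Message)" }
    $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.FunctionDefinitionAst] }, $true) |
        ForEach-Object {
            $verb, $noun = $_.Name -split '-', 2
            # only Verb-Noun names are subject to the rule; helpers without a hyphen are skipped
            if ($noun -and ($approved -notcontains $verb)) {
                $replacement = if ($suggest.ContainsKey($verb)) { "$($suggest[$verb])-$noun" } else { '' }
                [pscustomobject]@{
                    Function  = $_.Name
                    Verb      = $verb
                    Line      = $_.Extent.StartLineNumber
                    Suggested = $replacement
                }
            }
        }
}

Find-UnapprovedVerb -Path .\PowerUpSQL.ps1 | Format-Table -AutoSize
```

Run it before and after the rename: an empty result means Import-Module will no longer print the unapproved-verb warning.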
Get-SqlInstanceScanUDPThreaded verbose output doesn't show the scanned computer.
PS C:\Users#####\Documents\PowerUpSQL-master\PowerUpSQL-master> Get-SQLInstanceDomain -verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: 0 SPNs found.
VERBOSE: Parsing SQL Server instances from SPNs...
You cannot call a method on a null-valued expression.
At C:\Users######\Documents\PowerUpSQL-master\PowerUpSQL-master\PowerUpSQL.ps1:9499 char:35
$Instance = $Spn.split <<<< ('/')[1].split(':')[1]
VERBOSE: 1 instances were found.
ComputerName :
Instance :
DomainAccountSid :
DomainAccount :
DomainAccountCn :
Service :
Spn :
LastLogon :
Description :
So, I'm getting this error. Is this because it failed to query the proper DC to find the MSSQL SPNs? I know SQL SPNs exist in this domain; I've pulled them with other tools. Specifying the IP of the DC doesn't seem to help.
Hello, is there any capability to enumerate the MSSQL service class instances of a specific domain, thanks to a parameter like -Domain? Using -DomainController I need to provide explicit credentials and cannot benefit from SSO.
Thanks,
Right now Invoke-SQLAuditRoleDbOwner only reviews configurations that apply to the current user.
Modify it to identify db ownership across all databases/logins.
I'm trying to connect from a non-domain-joined machine with the following command:
Get-SQLInstanceDomain -DomainController dc1.domain.local -Username domain\username -Password password123
It does not show that there are any SQL servers, which there are.
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: 0 SPNs found.
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 0 instances were found.
Also tried from running with runas the user but no luck.
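For the three reports above (0 SPNs plus the null-valued expression, the wish for a -Domain parameter, and querying from a non-domain-joined host with explicit credentials), an added example that is not PowerUpSQL's code: it binds to a chosen domain controller with explicit or current credentials, pulls MSSQLSvc SPNs over LDAP, and parses them without assuming every SPN carries a ":port" suffix, which is the assumption that makes split('/')[1].split(':')[1] throw. The DC name, search base, credentials and the sample SPNs are assumed or constructed.

```powershell
# Added example, not PowerUpSQL code.
function ConvertFrom-MssqlSpn {
    param([Parameter(Mandatory)][string]$Spn)
    # Shapes registered in AD: MSSQLSvc/host.fqdn:1433, MSSQLSvc/host.fqdn:INSTANCE, MSSQLSvc/host.fqdn
    if ($Spn -notmatch '^MSSQLSvc/(?<host>[^:/]+)(?::(?<suffix>.+))?$') {
        throw "Not an MSSQLSvc SPN: $Spn"
    }
    $computer = $Matches['host']
    $suffix   = $Matches['suffix']
    $instance = if (-not $suffix)                 { $computer }              # default instance, no port in SPN
                elseif ($suffix -match '^\d+$')   { "$computer,$suffix" }    # TCP port
                else                              { "$computer\$suffix" }    # named instance
    [pscustomobject]@{ ComputerName = $computer; Instance = $instance; Spn = $Spn }
}

function Get-MssqlSpnFromDomain {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # assumed, e.g. dc1.domain.local
        [Parameter(Mandatory)][string]$SearchBase,         # assumed, e.g. DC=domain,DC=local
        [string]$Username,                                 # DOMAIN\user; omit to use the current token (SSO)
        [string]$Password
    )
    $path = "LDAP://$DomainController/$SearchBase"
    $root = if ($Username) {
        New-Object System.DirectoryServices.DirectoryEntry($path, $Username, $Password)
    } else {
        New-Object System.DirectoryServices.DirectoryEntry($path)
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000                              # paged results, so >1000 objects are returned
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
    foreach ($r in $searcher.FindAll()) {
        $account = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -like 'MSSQLSvc/*') {
                ConvertFrom-MssqlSpn -Spn $spn |
                    Add-Member -NotePropertyName DomainAccount -NotePropertyValue $account -PassThru
            }
        }
    }
}

# Constructed SPNs (not from a real domain) covering the three shapes
'MSSQLSvc/sql01.domain.local:1433',
'MSSQLSvc/sql01.domain.local:SQLEXPRESS',
'MSSQLSvc/sql01.domain.local' | ForEach-Object { ConvertFrom-MssqlSpn -Spn $_ }

# Live query against an assumed DC with assumed credentials (needs network access to the DC)
Get-MssqlSpnFromDomain -DomainController 'dc1.domain.local' -SearchBase 'DC=domain,DC=local' `
    -Username 'domain\username' -Password 'password123' | Format-Table -AutoSize
```

An empty result from a host that is not domain-joined usually means the bind itself failed silently or went to the wrong naming context, so check the DirectoryEntry by reading $root.distinguishedName before trusting "0 SPNs found".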
In the Invoke-SQLAuditWeakLoginPw function, the documentation describes the StartId and EndId parameters. They are used later in a message: Write-Verbose -Message "$Instance - Fuzzing principal IDs $StartId to $EndId...". However, they are not used anymore. They seem to have been replaced by FuzzNum, which is accepted as an argument but not documented.
Similar to the 3rd Party function Inveigh; request adding Internal Monologue https://github.com/eladshamir/Internal-Monologue in order to provide the ability to perform forced downgrade actions to collect the easier to crack NetNTLMv1 hashes.
Add a challenge option to Invoke-SQLUncPathInjection so a custom static challenge can be set.
How can I add an audit for who calls OPENQUERY and what the OPENQUERY call did?
Would it be possible to add additional functionality to put the system back in the state it was in before exploitation?
E.g., in order to run a command via xp_cmdshell it needs to be enabled. Running Invoke-SQLOSCmd enables xp_cmdshell, but doesn't disable it afterwards.
Also, for the privesc (Invoke-SQLEscalatePriv) that gives an account sysadmin, have a de-escalation to return the user to a normal, non-elevated state.
It's super frustrating to get through a huge SQLAudit only to find out the directory it's going to try to write to isn't writable by the current user.
In the cheatsheet there are two references to the Invoke-SQLAuditWeakPw command, but it's missing from the module (I'm using the current master version).
It looks like the command is instead: Invoke-SQLAuditWeakLoginPw
Maybe I am missing something, but the audit seems to look for xp_dirtree and xp_fileexists but not for xp_cmdshell.
It is a critical part of the audit if command execution is directly possible for a user or if the user is allowed to enable xp_cmdshell.
Also, some other known procedures like "sp_execute_external_script" would be nice to have audited, so they are not missed.
Is this possible to add?
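An added example, not Invoke-SQLAudit's own code, that covers both the ownership-chaining false positive reported earlier on this page and the xp_cmdshell / sp_execute_external_script gap raised here as one T-SQL audit run through PowerUpSQL's Get-SQLQuery. Chaining is only reported for databases where it can actually be changed (master, model and tempdb are always chained and cannot be altered), and the last two rows answer the "could this login simply enable it" question. The instance name is assumed.

```powershell
# Added example, not PowerUpSQL code. Runs through Get-SQLQuery (-Username/-Password can be added as usual).
$auditQuery = @"
-- 1. Databases with DB_CHAINING on, excluding the three system databases where it is fixed on
SELECT 'db_chaining' AS finding, name AS detail, CAST(is_db_chaining_on AS varchar(1)) AS value
FROM sys.databases
WHERE is_db_chaining_on = 1 AND name NOT IN ('master', 'model', 'tempdb')
UNION ALL
-- 2. Server options that turn on command or code execution
SELECT 'server_option', name, CAST(CAST(value_in_use AS int) AS varchar(1))
FROM sys.configurations
WHERE name IN ('cross db ownership chaining', 'xp_cmdshell',
               'Ole Automation Procedures', 'external scripts enabled')
UNION ALL
-- 3. Explicit EXECUTE grants on the dangerous procedures (they live in master); state G = granted, D = denied
SELECT 'execute_grant', pr.name + ' -> ' + o.name, dp.state
FROM master.sys.database_permissions dp
JOIN master.sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
JOIN master.sys.all_objects o ON o.object_id = dp.major_id
WHERE dp.permission_name = 'EXECUTE'
  AND o.name IN ('xp_cmdshell', 'sp_OACreate', 'sp_execute_external_script')
UNION ALL
-- 4. Could the current login enable them itself? sp_configure requires ALTER SETTINGS (sysadmin/serveradmin)
SELECT 'can_reconfigure', SUSER_SNAME(), CAST(HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS') AS varchar(1))
UNION ALL
SELECT 'is_sysadmin', SUSER_SNAME(), CAST(IS_SRVROLEMEMBER('sysadmin') AS varchar(1));
"@

Get-SQLQuery -Instance 'sql01.lab.local,1433' -Query $auditQuery |
    Format-Table finding, detail, value -AutoSize
```

Read the rows together: an explicit EXECUTE grant on xp_cmdshell only matters while the server option is 1, and a login with can_reconfigure = 1 can flip that option itself, so it should be treated as having command execution whether or not the option is currently on.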
When calling Invoke-SQLImpersonateService -Verbose -Instance [Instance-Name] on Windows 10 I get the above error. Looks like Caldera had this issue as well and had a pretty good fix for it: mitre/caldera#38
Function Name: "Remove-SQLServerRole"
Function Description: Add a utility function to remove users from a provided server role.
Requested by: @aconite33
Reference: #16
When I try to install using Install-Module -Name PowerUpSQL, the error message reported is:
PackageManagement\Install-Package : A command with name 'Get-SqlAgentJob' is already available on this system. This module 'PowerUpSQL' may override the existing commands. If you still want to install this module 'PowerUpSQL', use -AllowClobber parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ... $null = PackageManagement\Install-Package @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
+ FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailable,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage
Does this supersede the command from the Microsoft SqlServer module?
Requester:
kevin @GuhnooPlusLinux
Question:
@nullbind Is there anything special you have to do for webdav auth in MSSQL? Tested all formats listed in the PowerUpSQL UNC path cheatsheet but no dice.
This module is FANTASTIC. That's why you should definitely add it to https://github.com/EmpireProject/Empire.
Hi there,
When trying to import PowerUpSQL into a powershell -version 2 session, the user receives the following message:
ipmo 'E:\Pentest Tools\PowerUpSQL-master\PowerUpSQL.ps1'
- : You must provide a value expression on the right-hand side of the '-' operator.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedValueExpression
I'll have a look at working out the exact error line, but first inspection seems to be PS interpreting a '-' as a mathematical symbol rather than a hyphen.
Thanks :)
This check may result in false negatives. I had an MSSQLServer service account login which was not listed as a specific username on the server.
I think I used sys.fn_my_permissions to confirm my access.
I worry that false negatives may stop some of the other queries from executing... e.g.
# Check if xp_cmdshell is enabled
if($IsSysadmin -eq 'Yes')
Would it be possible to implement nested impersonation capabilities in the scenario in which you cannot go straight to sysadmin? If not, am I missing an understanding as to why it is not possible?
Function Name: "Invoke-SQLEscalatePriv"
Function Description: Update the "Invoke-SQLEscalatePriv" function so that users can quickly remove their sysadmin role membership after they complete post-exploitation tasks.
Requested by: @aconite33
Reference: #16
No default database is set, which is preventing PowerUpSQL from connecting in some instances.
On my lab domain I have added a MSSQLSERVER machine with the default settings. (no named instance)
Then, I added 2 named instances on the same machine.
Get-SQLInstanceDomain run from another domain joined machine only identifies the first one and misses the two named instances that I added later.
Get-SQLInstanceLocal run on the MSSQLSERVER identifies all instances correctly, as expected.
Any clues what is going wrong?
Add the listening TCP port to the Get-SQLServerInfo function output.
Option #1:
https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-connections-transact-sql?view=sql-server-2017
select local_tcp_port from sys.dm_exec_connections where local_net_address is not null
Option #2
xp_regread from the mssql service settings.
I spent some time trying to figure out the correct syntax to use with Get-SqlServerLinkCrawl to enable xp_cmdshell and run system commands on all the DBs on the links, but no luck. I gave up and switched to impacket mssql instead.
The commands I tried are as follows:
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
-Query "EXECUTE('sp_configure ''show advanced options'', 1')"
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
-Query "EXECUTE('RECONFIGURE')"
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
-Query "EXECUTE('sp_configure xp_cmdshell, 1')"
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
-Query "EXECUTE('RECONFIGURE')"
Get-SQLServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
-Query "EXECUTE('xp_cmdshell whoami')"
If someone could please let me know what is wrong with the above, that would be super!
I can't find Invoke-SQLImpersonateServiceCmd in this repository, only a description in the .psd file. Was it removed?
Hey,
I just found out that Invoke-SQLUncPathInjection tries to load Inveigh every time via IEX from GitHub. When executing this function on an engagement without internet connectivity, the whole function is not usable because Inveigh cannot be loaded, and the try/catch block fails.
You could for example add another parameter for that function - ExternalCaptureIP - so that the function can be used in combination with another system and responder.py/ntlmrelayx.py.
Greetings
It seems as if a bitwise shift operator, -shl, is being used in Test-Subnet:
function Test-Subnet ([string]$cidr, [string]$ip)
{
    $network, [int]$subnetlen = $cidr.Split('/')
    $a = [uint32[]]$network.split('.')
    [uint32] $unetwork = ($a[0] -shl 24) + ($a[1] -shl 16) + ($a[2] -shl 8) + $a[3]
    $mask = (-bnot [uint32]0) -shl (32 - $subnetlen)
    $a = [uint32[]]$ip.split('.')
    [uint32] $uip = ($a[0] -shl 24) + ($a[1] -shl 16) + ($a[2] -shl 8) + $a[3]
    $unetwork -eq ($mask -band $uip)
}
This shift operator is PowerShell 3.0+ only. Which breaks PowerUpSQL on PowerShell v2.0 :(
Have a PR coming in shortly that should make this PowerShell v2.0 compliant :)
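As an added example that is neither the project's code nor the PR mentioned above, a Test-Subnet that avoids -shl (and mixed-width arithmetic altogether) so it parses under PowerShell 2.0: the address is packed through [System.Net.IPAddress] and a hex string, and the mask is built from a binary string. It also masks the network side, so a CIDR written with a host address such as 10.0.0.5/24 still matches its block. The sample addresses are made up.

```powershell
# Added example, not PowerUpSQL code: PowerShell 2.0-compatible Test-Subnet.
function ConvertTo-UInt32Address ([string]$addr) {
    $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()   # network (big-endian) byte order
    if ($b.Length -ne 4) { throw "not an IPv4 address: $addr" }
    # pack the four bytes without any shift or multiply: format as 8 hex digits and parse back
    [Convert]::ToUInt32(('{0:x2}{1:x2}{2:x2}{3:x2}' -f $b[0], $b[1], $b[2], $b[3]), 16)
}

function Test-Subnet ([string]$cidr, [string]$ip) {
    $network, $len = $cidr.Split('/')
    if ($len -eq $null) { throw "expected network/prefix, got $cidr" }
    $subnetlen = [int]$len
    if ($subnetlen -lt 0 -or $subnetlen -gt 32) { throw "bad prefix length in $cidr" }
    # mask = $subnetlen one-bits followed by zeros, e.g. /24 -> 11111111111111111111111100000000
    $mask     = [Convert]::ToUInt32(('1' * $subnetlen).PadRight(32, '0'), 2)
    $unetwork = ConvertTo-UInt32Address $network
    $uip      = ConvertTo-UInt32Address $ip
    # mask both sides so "10.0.0.5/24" behaves like "10.0.0.0/24"; /0 yields mask 0 and matches everything
    ($unetwork -band $mask) -eq ($uip -band $mask)
}

# Made-up addresses exercising the usual cases
Test-Subnet '10.0.0.0/24'   '10.0.0.77'      # inside
Test-Subnet '10.0.0.0/24'   '10.0.1.77'      # outside
Test-Subnet '10.0.0.5/24'   '10.0.0.200'     # host address used as the network, still inside
Test-Subnet '192.168.8.0/22' '192.168.11.9'  # /22 spans 192.168.8.0 - 192.168.11.255
Test-Subnet '0.0.0.0/0'     '203.0.113.1'    # /0 matches any address
```

Because the packing goes through a hex string and [Convert], there is no operator in the function that PowerShell 2.0's parser rejects, which is the requirement the issue above is about.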
Last week I used this tool to test my SQL servers, and then I got mail from the antivirus system administrators saying that I had used a "HackTool", which would violate my organization's policies.
I used VirusTotal to scan this project's files, and some antivirus software said there is a HackTool or Trojan.
So I think some warning messages should be added to Readme.md for users who have antivirus software and need to comply with their organization's security policies.