DerbyCon2016 - SQL Server Discovery Demo
# Load PowerUpSQL from its extracted source tree (path is fixed for the demo)
Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1

# Enumerate SQL Server instances present on this host
Get-SQLInstanceLocal -Verbose

# Enumerate SQL Server instances known to the domain, as a readable table
Get-SQLInstanceDomain -Verbose |
    Format-Table -AutoSize

# Group the domain instances by the account their service runs under.
# Review note: one service account shared by many instances means a single
# credential compromise reaches all of them, so this grouping is worth
# checking from the defensive side as well.
Get-SQLInstanceDomain -Verbose |
    Group-Object -Property DomainAccount

# Restrict the domain listing to instances running under one named service account
Get-SQLInstanceDomain -Verbose -DomainAccount sqlsvc

# Check which domain instances accept the current Windows identity and
# report only the instance name and its connection status
Get-SQLInstanceDomain -Verbose |
    Get-SQLConnectionTestThreaded -Threads 10 -Verbose |
    Select-Object -Property Instance, Status

# Same check, but keep only the accessible instances in a variable so later
# PowerUpSQL calls can reuse the result instead of repeating discovery
$Targets = Get-SQLInstanceDomain -Verbose |
    Get-SQLConnectionTestThreaded -Threads 10 -Verbose |
    Where-Object -Property Status -like "Accessible"

# The saved list pipes straight into other PowerUpSQL functions
$Targets
$Targets | Get-SQLServerInfo -Verbose
$Targets | Get-SQLDatabase