PowerUpSQL - Basic Tests Checklist

Additional reference here: https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet

Rhino created a script that automates a bunch of this. See: https://github.com/Wh1t3Rh1n0/SQLAutoPwn

1. Discover SQL services:

   1. Get SQL servers from AD:
      Get-SQLInstanceDomain -Verbose | ConvertTo-CSV | Add-Content ".\SQL_Discovery-AD.csv" -PassThru | ConvertFrom-CSV
   2. Optional - identify SQL servers via UDP broadcast:
      Get-SQLInstanceBroadcast -Verbose | ConvertTo-CSV | Add-Content ".\SQL_Discovery-UDP_Broadcast.csv" -PassThru | ConvertFrom-CSV
   3. Optional - test a list of hosts for SQL services via a threaded UDP port scan:
      Get-SQLInstanceFile -FilePath .\domain-computers.txt | Get-SQLInstanceScanUDPThreaded -Verbose -Threads 30 | ConvertTo-CSV | Add-Content ".\SQL_Discovery-UDP_Port_Scan.csv" -PassThru | ConvertFrom-CSV
   4. Import all the discovered hosts into the $sql_servers variable:
      $sql_servers = ( Get-Content ".\SQL_Discovery-AD.csv" | ConvertFrom-CSV )
      $sql_servers += ( Get-Content ".\SQL_Discovery-UDP_Broadcast.csv" | ConvertFrom-CSV )
      $sql_servers += ( Get-Content ".\SQL_Discovery-UDP_Port_Scan.csv" | ConvertFrom-CSV )
      $sql_servers.count

2. Scan for credentialed access:

   1. Scan for access with the current AD account:
      $sql_servers | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"} | ConvertTo-Csv | Add-Content ".\SQL_ACCESSIBLE-Domain_User.csv" -PassThru | ConvertFrom-Csv
   2. (Draft - work in progress) Scan for access with default creds:
      $sql_servers | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -Username 'sa' -Password 'sa' | Where-Object {$_.Status -like "Accessible"}

      $sql_servers | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -Username 'sa' -Password '' | Where-Object {$_.Status -like "Accessible"}
   3. Import all accessible hosts into the $targets variable:
      $targets = ( Get-Content ".\SQL_ACCESSIBLE-Domain_User.csv" | ConvertFrom-CSV )
      $targets.count

3. Scan accessible servers for vulnerabilities:

   1. Run the audit and write one CSV per check to an output folder:
      mkdir "SQL_Audit_Output"

      $targets | Invoke-SQLAudit -Verbose -OutFolder .\SQL_Audit_Output
   2. Read the vulns…
      Get-Content .\SQL_Audit_Output\*.csv | ConvertFrom-Csv | more
   3. Find non-default databases:
      $targets | Get-SQLDatabaseThreaded -Verbose -Threads 10 -NoDefaults | ConvertTo-CSV | Add-Content .\non-default-databases.csv
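Triage of the Invoke-SQLAudit output from step 3, as an added example that is not part of the original checklist or of PowerUpSQL itself. It assumes the column names PowerUpSQL writes to its audit CSVs (Instance, Vulnerability, Severity, IsVulnerable, Remediation) and the output folder used above; the summary file name is an assumption.

```powershell
# Added example, not from the checklist or PowerUpSQL: roll the per-check
# audit CSVs up into a remediation-oriented summary.
# Assumed columns (from PowerUpSQL's audit output): Instance, Vulnerability,
# Severity, IsVulnerable, Remediation. Adjust if your version differs.
param(
    [string]$AuditFolder = ".\SQL_Audit_Output",
    [string]$ReportPath  = ".\SQL_Audit_Summary.csv"   # assumed name
)

# Every CSV carries its own header row, so import the files one at a time.
# Concatenating them with Get-Content first would turn the later headers
# into data rows.
$findings = Get-ChildItem -Path $AuditFolder -Filter *.csv |
    ForEach-Object { Import-Csv -Path $_.FullName }

# Keep only confirmed findings; IsVulnerable is written as "Yes"/"No".
$confirmed = $findings | Where-Object { $_.IsVulnerable -eq 'Yes' }

# Severity is a string, so rank it explicitly instead of sorting alphabetically.
$rank = @{ High = 3; Medium = 2; Low = 1 }

# One row per finding type: how many instances carry it, and what to fix.
$summary = $confirmed |
    Group-Object -Property Vulnerability |
    ForEach-Object {
        $first = $_.Group | Select-Object -First 1
        [pscustomobject]@{
            Vulnerability = $_.Name
            Severity      = $first.Severity
            Instances     = $_.Count
            Remediation   = $first.Remediation
            Affected      = ($_.Group.Instance | Sort-Object -Unique) -join ';'
        }
    } |
    Sort-Object -Property @{ Expression = { $rank[$_.Severity] }; Descending = $true },
                          @{ Expression = 'Instances';            Descending = $true }

$summary | Export-Csv -Path $ReportPath -NoTypeInformation
$summary | Format-Table Vulnerability, Severity, Instances -AutoSize

# Per-instance view: which servers carry the most confirmed findings.
$confirmed |
    Group-Object -Property Instance |
    Sort-Object -Property Count -Descending |
    Select-Object @{ n = 'Instance'; e = { $_.Name } }, @{ n = 'Findings'; e = { $_.Count } } |
    Format-Table -AutoSize
```

The Affected column lists every instance sharing a finding, so one remediation entry can be handed to the owners of all of them at once.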