netspi / powerupsql Goto Github PK

There have been some reports that providing alternative domain credentials via the "-Username" flag in the "Get-SQLQuery" function fails...which is the core of most PowerUpSQL functions. For now, the work around is runas /netonly.

What am I doing wrong. Been at the for two days.

PS > Import-Module PowerUpSQL.psd1
ERROR: Import-Module : The specified module 'PowerUpSQL.psd1' was not loaded because no valid module file was found in any mod
ERROR: ule directory.
ERROR:
ERROR: At line:1 char:14
ERROR: + Import-Module <<<<  PowerUpSQL.psd1
ERROR:     + CategoryInfo          : ResourceUnavailable: (PowerUpSQL.psd1:String) [Import-Module], FileNotFoundException
ERROR:     + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand

Large queries currently timeout even with the -timeout flag set, because you are missing the following line in the get-sqlquery function.

$Command.CommandTimeout=$TimeOut

Function Name: "Remove-SQLServerRole"
Function Description: Add a utility function to remove users from a provided server role.
Requested by: @aconite33
Reference: #16

Hi!

There is a hardcoded timeout of 1 in Get-SQLConnectionObject specified in line 184:

        # Set authentcation type - current windows user
        if(-not $Username){

            # Set authentication type
            $AuthenticationType = "Current Windows Credentials"

            # Set connection string
            $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;Connection Timeout=1$AppNameString$EncryptString$TrustCertString$WorkstationString"
        }

Clearly connection string should state the following:

            $Connection.ConnectionString = "Server=$DacConn$Instance;Database=$Database;Integrated Security=SSPI;Connection Timeout=$TimeOut$AppNameString$EncryptString$TrustCertString$WorkstationString"

Kind regards,
M.

Right now Invoke-SQLAuditRoleDbOwner only reviews configurations that apply to the current user.
Modify it to identify db ownership across all databases/logins.

Maybe I am missing something, but the audit seems to look for xp_dirtree and xp_fileexists but not for xp_cmdshell.
It is a critical part of the audit, if command execeution is directly possible for an user or it is allowed to enable the xp_cmdshell.

Also some other known procedures like "sp_execute_external_script" would be nice to get audited, to not miss them.
Is this possible to add?

Requester:
kevin @GuhnooPlusLinux

Question:
@nullbind Is there anything special you have to do for webdav auth in MSSQL? Tested all formats listed in the PowerUpSQL UNC path cheatsheet but no dice.

No default database is set, which is preventing PowerUpSQL from connecting in some instances.

When I try to install using Install-Module -Name PowerUpSQL, the error message reported is:

PackageManagement\Install-Package : A command with name 'Get-SqlAgentJob' is already available on this system. This module 'PowerUpSQL' may override the existing
commands. If you still want to install this module 'PowerUpSQL', use -AllowClobber parameter.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:1772 char:21
+ ...          $null = PackageManagement\Install-Package @PSBoundParameters
+                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power....InstallPackage:InstallPackage) [Install-Package], Exception
    + FullyQualifiedErrorId : CommandAlreadyAvailable,Validate-ModuleCommandAlreadyAvailable,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackage

Does this supercede the command from the Microsoft SqlServer module?

Would it be possible to implement nested impersonation capabilities in the scenario in which you cannot go straight to sysadmin? If not, am I missing an understanding as to why it is not possible?

PS C:\Users#####\Documents\PowerUpSQL-master\PowerUpSQL-master> Get-SQLInstanceDomain -verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: 0 SPNs found.
VERBOSE: Parsing SQL Server instances from SPNs...
You cannot call a method on a null-valued expression.
At C:\Users######\Documents\PowerUpSQL-master\PowerUpSQL-master\PowerUpSQL.ps1:9499 char:35

•         $Instance = $Spn.split <<<< ('/')[1].split(':')[1]
  

  • CategoryInfo : InvalidOperation: (split:String) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

VERBOSE: 1 instances were found.

ComputerName :
Instance :
DomainAccountSid :
DomainAccount :
DomainAccountCn :
Service :
Spn :
LastLogon :
Description :

So, I'm getting this error. Is this because it failed to query the proper DC to find the MSSQL SPNs? I know SQL SPNs exist in this domain; I've pulled them with other tools. Specifying the IP of the DC doesn't seem to help.

Im trying to connect from a non-domain joined machine with the following command:
Get-SQLInstanceDomain -DomainController dc1.domain.local -Username domain\username -Password password123

It does not show that there are any SQL servers, which there are.

VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: 0 SPNs found.
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 0 instances were found.

Also tried from running with runas the user but no luck.

I can't find Invoke-SQLImpersonateServiceCmd in this repository, only a description in the .psd file, was it removed?

In the cheatsheet the "Execute arbitrary query" entry is missing a '-' before the "Query" parameter name.
Currently we get a "No query provided" error.

how to fix this error

ComputerName : SQLServer1.aaa.local
Instance : SQLServer1.aaa.local,41112
Vulnerability : Weak Login Password
Description : One or more SQL Server logins is configured with a weak passwor
d. This may provide unauthorized access to resources the affec
ted logins have access to.
Remediation : Ensure all SQL Server logins are required to use a strong passw
ord. Consider inheriting the OS password policy.
Severity : High
IsVulnerable : Yes
IsExploitable : Yes
Exploited : No
ExploitCmd : Use the affected credentials to log into the SQL Server, or rer
un this command with -Exploit.
Details : The JDE (Sysadmin) principal is configured with the password JD
E.
Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx
Author : Scott Sutherland (@_nullbind), NetSPI 2016

then i try this command Invoke-SQLAuditWeakLoginPw -Verbose -Instance SQLServer1.aaa.local,41112 -Exploit

I Got this error

VERBOSE: SQLServer1.aaa.local,41112 : START VULNERABILITY CHECK: Weak Login Password
VERBOSE: SQLServer1.aaa.local,41112 : CONNECTION FAILED.
VERBOSE: SQLServer1.aaa.local,41112 : COMPLETED VULNERABILITY CHECK: Weak Login Password.

how to fix ?

Would it be possible to add additional functionality to put the system back in a state before exploitation?

E.g., in order to run a command via XP_CmdShell it needs to be enabled. Running Invoke-SQLOSCmd enables the XP_CmdShell, but doesn't disable it afterwards.

Also, doing the privesc (Invoke-SQLEscalatePriv) giving an account sysadm, have a descalation, to return the user to a normal, non-elevated state.

When there are multihops needed to privesc to sa, it appears the method is giving false positives, see screenshot for refference:

This check may result in false negatives - I had a MSSQLServer service account login which was not listed as a specific username on the server.

I think I used sys.fn_my_permissions to confirm my access.

I worry that false negatives may stop some of the other queries from executing... e.g.

          # Check if xp_cmdshell is enabled
                if($IsSysadmin -eq 'Yes')

Hi there,

When trying to import PowerUpSQL into a powershell -version 2 session, the user receives the following message:

ipmo 'E:\Pentest Tools\PowerUpSQL-master\PowerUpSQL.ps1'
- : You must provide a value expression on the right-hand side of the '-' operator.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : ExpectedValueExpression

I'll have a look at working out the exact error line, but first inspection seems to be PS interpreting a '-' as a mathematical symbol rather than a hyphen.

Thanks :)

Hello – I am not able to connect some of the MS SQL instances using PowerUpSQL script, however, I can connect and verify the script for another SQL instance using my ads credentials along with standard ads account. The status shows “Not Accessible”..I can ping the SQL instances and also can perform UDP scan using PowerupSQL.My ads credentials are added in SQL instance, could you please help me to understand what could be the issue, What the Not Accessible Below is the error message– thanks
While using my ADS ID
Error: Exception calling “Open” with “0” argument(s): “Connection Timeout Expired. The timeout period elapsed while attempting to consume the pre-login handshake acknowledgement. This could be because the pre-login handshake failed or the server was unable to respond back in time. The duration spent while attempting to connect to this server was – [Pre-Login] initialization=767; handshake=232; ”
While using my ADS service account id
VERBOSE: Error: Exception calling “Open” with “0” argument(s): “Cannot authenticate using Kerberos. Ensure Kerberos has been initialized on the client with ‘kinit’ and a Service Principal Name has been registered for the SQL Server to allow Kerberos authentication.

ErrorCode=InternalError, Exception=Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error – An unsupported mechanism was requested (unknown mech-code 0 for mech unknown)

It's super frustrating to get through a huge SQLAudit only to find out the directory it's going to try to write to isn't writable by the current user.

In the Invoke-SQLAuditWeakLoginPw function, the documentation describes the StartId and EndId parameters. They are used later in a message Write-Verbose -Message "$Instance - Fuzzing principal IDs $StartId to $EndId...".
However they are not used anymore. They seem to have been replaced by FuzzNum that is accepted as argument but not documented.

It seems as if a bitwise shift operator, -shl, is being used in Test-Subnet:

function Test-Subnet ([string]$cidr, [string]$ip)
{
    $network, [int]$subnetlen = $cidr.Split('/')
    $a = [uint32[]]$network.split('.')
    [uint32] $unetwork = ($a[0] -shl 24) + ($a[1] -shl 16) + ($a[2] -shl 8) + $a[3]

    $mask = (-bnot [uint32]0) -shl (32 - $subnetlen)

    $a = [uint32[]]$ip.split('.')
    [uint32] $uip = ($a[0] -shl 24) + ($a[1] -shl 16) + ($a[2] -shl 8) + $a[3]

    $unetwork -eq ($mask -band $uip)
}

This shift operator is PowerShell 3.0+ only. Which breaks PowerUpSQL on PowerShell v2.0 :(

Have a PR coming in shortly that should make this PowerShell v2.0 compliant :)

Invoke-SQLAudit flags false positives for "Excessive Privilege - Database Ownership Chaining" for the following databases

• master
• tempdb
• msdb

According to https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-database-transact-sql-set-options?view=sql-server-2017, the DB_CHAINING option cannot be set on the master, model, and tempdb system databases.

Another reference here which says these three system databases require cross-database ownership chaining to be turned on.

Invoke-SQLImpersonateService -Verbose -Instance MSSQLSvc/x
VERBOSE: MSSQLSvc/x: user has local admin privileges.
VERBOSE: MSSQLSvc/x: Impersonating SQL Server process:
VERBOSE: MSSQLSvc/x: No process running for provided instance...

Does this mean that it think that there are no SQL instances on that server?

Hello, is there any capability to enumerate the MSSQL service class instances of a specific domain thanks to a parameter like -Domain ?

Using -DomainController i need to provide explicit credentials and i can not benefit from the SSO.

Thanks,

Similar to the 3rd Party function Inveigh; request adding Internal Monologue https://github.com/eladshamir/Internal-Monologue in order to provide the ability to perform forced downgrade actions to collect the easier to crack NetNTLMv1 hashes.

Add the listening TCP port to the Get-SQLServerInfo function output.

Option #1:
https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sys-dm-exec-connections-transact-sql?view=sql-server-2017

select local_tcp_port from sys.dm_exec_connections where local_net_address is not null

Option #2
xp_regread from the mssql service settings.

Large queries currently timeout even with the -timeout flag set, because you are missing the following line in the get-sqlquery function.

$Command.CommandTimeout=$TimeOut

Per Microsoft's documentation, specific verbs are to be used for Powershell cmdlets, in order to ensure some consistency between third-party modules/official functionality. This is echoed in the warning presented when importing PowerUpSQL:

PowerUpSQL uses Create as a verb for these cmdlets:

• Create-SQLFileXpDll
• Create-SQLFileCLRDll
• (internal function) Create-ProcessWithToken

To fix this, these cmdlets/functions should be refactored to use the New verb, which is recommended for use in instances when a new record/object is being created.

Function Name: "Invoke-SQLEscalatePriv"
Function Description: Update the "Invoke-SQLEscalatePriv" function so that user's can quickly remove their sysadmin role membership after they complete post exploitation tasks.
Requested by: @aconite33
Reference: #16

There are some comments that seem to have had a quote blow up... I noticed when trying to import into Empire; it doesn't deal with non-ascii characters.

Add Get-SQLFunction

When I execute 'Invoke-SQLEscalatePriv' I get the below errors.

VERBOSE: Instance_xyz : START VULNERABILITY CHECK: Excessive Privilege - xp_dirtree
VERBOSE: Instance_xyz : CONNECTION SUCCESS.
VERBOSE: Instance_xyz : - At least one principal has EXECUTE privileges on xp_dirtree.
VERBOSE: Instance_xyz : - You have Administrator rights. Inveigh will be loaded.
VERBOSE: Instance_xyz : - Inveigh loaded.
VERBOSE: Instance_xyz : - Start sniffing...
VERBOSE: Instance_xyz : - Inject UNC path to \\x.x.x.x\path...
VERBOSE: Instance_xyz : - Stopped sniffing.
Get-InveighCleartext : The term 'Get-InveighCleartext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12454 char:58
+ ...                         [string]$PassCleartext = Get-InveighCleartext
+                                                      ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-InveighCleartext:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Get-InveighNTLMv1 : The term 'Get-InveighNTLMv1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12461 char:58
+ ...                            [string]$PassNetNTLMv1 = Get-InveighNTLMv1
+                                                         ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-InveighNTLMv1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Get-InveighNTLMv2 : The term 'Get-InveighNTLMv2' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12468 char:58
+ ...                            [string]$PassNetNTLMv2 = Get-InveighNTLMv2
+                                                         ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-InveighNTLMv2:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

VERBOSE: Instance_xyz : - Inveigh loaded.
VERBOSE: Instance_xyz : - Start sniffing...
VERBOSE: Instance_xyz : - Inject UNC path to \\x.x.x.x\path...
VERBOSE: Instance_xyz : - Stopped sniffing.
Get-InveighCleartext : The term 'Get-InveighCleartext' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\path1\path2\PowerUpSQL-master\PowerUpSQL.ps1:12454 char:58
+ ...                         [string]$PassCleartext = Get-InveighCleartext
+                                                      ~~~~~~~~~~~~~~~~~~~~

when calling Invoke-SQLImpersonateService -Verbose -Instance [Instance-Name] on windows 10 I get the above error. Looks like Caldera had this issue as well and had a pretty good fix for it: mitre/caldera#38

This module is FANTASTIC. That's why you definitely add to https://github.com/EmpireProject/Empire.

Hey,

i just found out that Invoke-SQLUncPathInjection tries to load Inveigh every time via IEX from github. By executing this function on an engagement without internet connectivity the whole function is not usable because inveigh cannot be loaded. And the catch try catch block fails.

You could for example add another parameter for that function - ExternalCaptureIP - so that the function can be used in combination with another system and responder.py/ntlmrelayx.py.

Greetings

Get-SqlInstanceScanUDPThreaded verbose output doesn't show scanned computer.

Last week I used this tool to test my sql servers, and then I got the mail from antivirus system administrators that I used "HackTool" at that time, It would violate the policies for my organization.

I used VirusTotal to scan this project files, some antivirus software said there is HackTool or Trojan.

So I think it should be added some warning messages at Readme.md for users who had antivirus softwares and need to keep the organization security policies.

When I try to import the module, I got an error,

PS Z:\shm\PowerUpSQL-master> Import-Module .\PowerUpSQL.ps1
Import-Module : Cannot process the "#requires" statement at line 1 because it i
s not in the correct format.
The "#requires" statement must be in one of the following formats:
 "#requires -shellid <shellID>"
 "#requires -version <major.minor>"
 "#requires -pssnapin <psSnapInName> [-version <major.minor>]"
At line:1 char:14
+ Import-Module <<<<  .\PowerUpSQL.ps1
    + CategoryInfo          : NotSpecified: (:) [Import-Module], ScriptRequire
   sSyntaxException
    + FullyQualifiedErrorId : RuntimeException,Microsoft.PowerShell.Commands.I
   mportModuleCommand

It appears that when running Get-SQLServerLoginDefaultPw, errors arise in cases where instances that are found that have multiple sets of credentials that need to be tried. For instance. SQLEXPRESS instances have four sets of credentials to try. The issue is that these sets of values come out of $TblResultsTemp.username and $TblResultsTemp.password as arrays and then are assigned to $CurrentUsername and $CurrentPassword, respectively. The $CurrentUsername and $CurrentPassword variables are then used as strings even though they are actually arrays at this point.

The fix to this is just to unroll the values and test them pairwise one at a time. I have a quick fix for this and will try to get a PR done if nobody else hops on it first.

Thanks!

On my lab domain I have added a MSSQLSERVER machine with the default settings. (no named instance)
Then, I added 2 named instances on the same machine.

Get-SQLInstanceDomain run from another domain joined machine only identifies the first one and misses the two named instances that I added later.

Get-SQLInstanceLocal run on the MSSQLSERVER identifies all instances correctly, as expected.

Any clues what is going wrong?

In essence I want to scan another domain with Get-SQLInstanceDomain, but it doesn't seem to be an argument to target another domain. Is there any other way?

I spent some time trying to figure out the correct syntax to use with Get-SqlServerLinkCrawl to enabled xp_cmdshell and run system commands on all the DB on the links, but no luck. I gave up and switched to impacket mssql instead.

The commands I tried are as follows:

Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
    -Query "EXECUTE('sp_configure ''show advanced options'', 1')"
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
    -Query "EXECUTE('RECONFIGURE')"
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
    -Query "EXECUTE('sp_configure xp_cmdshell, 1')"
Get-SqlServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
    -Query "EXECUTE('RECONFIGURE')"
Get-SQLServerLinkCrawl -Instance "foobar\SQLEXPRESS" -Username "foo" -Password "bar" `
    -Query "EXECUTE('xp_cmdshell whoami')"

If someone could please let me know what is wrong with the above, that would be super!

I am directly connected to a VLAN where I found a MSSQL server. Is there a way I can use PowerUpSQL to audit the server? None of the discovery commands are finding it.
There are no domain controllers and I am basically just plugged in with a Kali machine to the network. Though I have a valid set of AD credentials if needed.

The hashs from Get-SQLServerPasswordHash aren't accepted directly by John The Ripper. The issue is that the hexadecimal letters aren't capitalized.
So I suggest doing it :)
Except if you usually use a different tool which has different requirements?

add challenge option to Invoke-SQLUncPathInjection so custom static challenge can be set.

In the cheatsheet there are two references to the Invoke-SQLAuditWeakPw command but it's missing from the module (I'm using the current master version).
It looks like the command is instead: Invoke-SQLAuditWeakLoginPw

how to add audit for
who call openqyer
and
what openquery did called