-
Notifications
You must be signed in to change notification settings - Fork 464
Password Recovery Functions
Scott Sutherland edited this page Jul 13, 2018
·
4 revisions
These functions are used for recovering authentication tokens of varous types. The roadmap for development is below. I've included a few links to standalone scripts that have not been integrated yet.
| Function Name | Description |
|---|---|
| Get-SQLRecoverPwAutoLogon | Grab Windows auto login passwords from the registry through xp_regread. |
| Get-SQLServerPasswordHash | Grab SQL Server login password hashes. This supports local admin privilege escalation via the -migrate switch. |
| Invoke-SQLUncPathInjection | While running as a domain user this function will automatically do 4 things. 1. Identify SQL Servers on the domain via a LDAP query to a DC for SPNs. 2. Attempt to log into each. 3. Perform UNC path injection using various methods. 4. Attempt to capture the password hashes for the associated SQL Server service account. |
Roadmap:
Get-SQLRecoverPwCredential - https://github.com/NetSPI/Powershell-Modules/blob/master/Get-MSSQLAllCredentials.psm1
Get-SQLRecoverPwServerLink - https://github.com/NetSPI/Powershell-Modules/blob/master/Get-MSSQLLinkPasswords.psm1
Get-SQLRecoverPWProxyAccount - https://github.com/NetSPI/Powershell-Modules/blob/master/Get-MSSQLAllCredentials.psm1
Get-SQLRecoverMasterKey
Get-SQLRecoverMachineKey
Get-SQLRecoverPwLsaSecrets
Get-SQLRecoverPwLogonOn
Get-SQLRecoverPwVNC
- PowerUpSQL Commands
- UNC Path Injection
- Connection Strings
- SQL Server SPN Formats
- SQL Server Detective Controls
- Code Templates
- Introduction to PowerUpSQL
- Blindly Discover SQL Server Instances
- Finding Sensitive Data on Domain SQL Servers
- Finding Weak Passwords for Domain SQL Servers on Scale
- Finding Default Passwords Associated with Application Specific Instances
- Get Sysadmin as Local Admin
- Get Windows Auto Login Passwords via SQL Server
- Establishing Registry Persistence via SQL Server
- Establishing Persistence via SQL Server Triggers
- Establishing Persistence via SQL Server Startup Procedures
- Crawling SQL Server Links
- Attacking SQL Server CLR
- Bypassing SQL Server Logon Trigger Restrictions
- SQL Server as a C2
- Dumping Active Directory Information with SQL Server
- Attacking Stored Procedures via SQLi
- Attacking Insecure Impersonation Configurations
- Attacking Trustworthy Databases
- Enumerating Logins and Domain Accounts via SQL Server
- Using SQL Server to Attack Forest Trusts
- Exploiting Global Temporary Tables
- Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
- 2020 May Troopers20 Video
- 2020 May Troopers20 Slides
- 2018 Aug BH Arsenal Video
- 2018 Aug BH Arsenal Slides
- 2017 SEPT DerbyCon7 Video
- 2017 SEPT DerbyCon7 Slides
- 2017 May Secure360 Slides
- 2017 May THOTCON Slides
- 2016 OCT Arcticcon Slides
- 2016 OCT PASS Webinar Video
- 2016 SEPT DerbyCon6 Slides
- 2016 SEPT DerbyCon6 Video
- 2015 APR OWASP Slides
- 2015 APR OWASP Video
- Discover SQL Server Instances
- Unauthenticated to SQL Login - Default Passwords
- Domain User to SQL Sysadmin - UNC Injection
- SQL Login to Sysadmin-Auto
- SQL Login to Sysadmin-LoginEnum+PwGuess
- SQL Login to Sysadmin-Link Crawling 1
- SQL Login to Sysadmin-Link Crawling 2
- SQL Login to OS Admin-UNC Path Injection
- OS Admin to Sysadmin-Impersonation
- Audit Configurations
- Find Sensitive Data
- Attacking SQL Server CLR Assemblies Webinar