
Enumerate MSSQL servers with GetUserSPNs & NMAP


Last updated 2 years ago

Enumerate the MSSQL servers

Impacket GetUserSPNs.py

  • First, let's identify the accounts that have an SPN registered for an MSSQL service.

  • A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID; for SQL Server it takes the form MSSQLSvc/<host>:<port>.

GetUserSPNs.py north.newyork.local/claudio.ortiz:babyboy
  • And on the maryland.local domain (-target-domain queries a domain other than the one the credentials belong to, across the trust):

GetUserSPNs.py -target-domain maryland.local north.newyork.local/claudio.ortiz:babyboy

Nmap

Two servers answer:

nmap -p 1433 -sV -sC 192.168.56.10-23
  • Yonkers.north.newyork.local

Nmap scan report for yonkers.north.newyork.local (192.168.56.22)
Host is up (0.00048s latency).
Scanned at 2023-02-27 20:16:02 EST for 12s

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-02-28T01:16:14+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-22T20:07:08
| Not valid after:  2053-02-22T20:07:08
| MD5:   15c6 3b48 4af9 3ee5 3002 fe2b c006 09cb
| SHA-1: abcc 8fff ac8c 8907 c2c4 8f2a af0b 5ff1 b6da 3e4d
| ms-sql-ntlm-info: 
|   Target_Name: NORTH
|   NetBIOS_Domain_Name: NORTH
|   NetBIOS_Computer_Name: YONKERS
|   DNS_Domain_Name: north.newyork.local
|   DNS_Computer_Name: Yonkers.north.newyork.local
|   DNS_Tree_Name: newyork.local
|_  Product_Version: 10.0.17763

Host script results:
| ms-sql-info: 
|   192.168.56.22:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: 0s, deviation: 0s, median: 0s

  • Salisbury.maryland.local

Nmap scan report for salisbury.maryland.local (192.168.56.23)
Host is up (0.00040s latency).
Scanned at 2023-02-27 20:16:02 EST for 12s

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: maryland
|   NetBIOS_Domain_Name: maryland
|   NetBIOS_Computer_Name: SALISBURY
|   DNS_Domain_Name: maryland.local
|   DNS_Computer_Name: Salisbury.maryland.local
|   DNS_Tree_Name: maryland.local
|_  Product_Version: 10.0.14393
|_ssl-date: 2023-02-28T01:16:07+00:00; -7s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-22T20:07:10
| Not valid after:  2053-02-22T20:07:10
| MD5:   d765 e745 3ddc 0c7f 4fcb b26b 744b 35a7
| SHA-1: 28a8 5b18 8adb f162 6ac2 d136 6c16 1f08 1ef2 6804

Host script results:
| ms-sql-info: 
|   192.168.56.23:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: -7s, deviation: 0s, median: -7s
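As an added example (not from the original page or the lab author), here is a small Python parser for the nmap normal output shown above: it pulls each MSSQL instance, the AD domain it reports in ms-sql-ntlm-info, its version and clock skew, flags the SSL_Self_Signed_Fallback certificate, and then groups the instances by domain, which is the split that decides which domain GetUserSPNs.py has to be pointed at. The sample input is a constructed, trimmed copy of the two scan reports.

```python
import re

# Constructed sample: a trimmed copy of the nmap output above, without the certificate bodies.
SAMPLE = """Nmap scan report for yonkers.north.newyork.local (192.168.56.22)
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
|   DNS_Domain_Name: north.newyork.local
|_  Product_Version: 10.0.17763
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Nmap scan report for salisbury.maryland.local (192.168.56.23)
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
|   DNS_Domain_Name: maryland.local
|_  Product_Version: 10.0.14393
|_clock-skew: mean: -7s, deviation: 0s, median: -7s
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+(?:\.\d+){3})\)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+ms-sql-s\s+(.*)$")
FIELD_RE = re.compile(r"^\|[_ ]\s*([\w-]+): (.+)$")  # "| key: value" NSE script lines
KEEP = ("DNS_Domain_Name", "DNS_Computer_Name", "NetBIOS_Domain_Name", "Product_Version")

def parse_mssql_hosts(text):
    """Return one record per host that exposes an open ms-sql-s port."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):          # start of a new host block
            cur = {"host": m.group(1), "ip": m.group(2), "ports": []}
            hosts.append(cur)
        elif cur is None:
            continue
        elif m := PORT_RE.match(line):        # the MSSQL port line with version banner
            cur["ports"].append(int(m.group(1)))
            cur["version"] = m.group(2).strip()
        elif m := FIELD_RE.match(line):       # ssl-cert, ms-sql-ntlm-info and clock-skew fields
            key, val = m.group(1), m.group(2).strip()
            if key == "ssl-cert":
                # SQL Server auto-generates this self-signed cert when none is configured
                cur["self_signed_fallback"] = "SSL_Self_Signed_Fallback" in val
            elif key == "clock-skew":
                cur["clock_skew"] = val
            elif key in KEEP:
                cur[key] = val
    return [h for h in hosts if h["ports"]]

def by_domain(hosts):
    """Group instances by the AD domain each server reports in ms-sql-ntlm-info."""
    groups = {}
    for h in hosts:
        groups.setdefault(h.get("DNS_Domain_Name", "unknown"), []).append(h["host"])
    return groups
```

Feed it the real file with `parse_mssql_hosts(open("scan.nmap").read())` after running nmap with -oN; hosts whose certificate flags self_signed_fallback are ones where clients cannot validate the server's identity.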