Closed phackt closed 4 years ago
Hi @nullbind, my purpose was to explicitly specify at least a server IP if I need to pivot (so as the pivot machine IP).
If you are logged in as a domain user on a domain joined system, the PowerUpSQL discovery function Get-SQLInstanceDomain can be used to enumerate SQL Server Instances for the domain of the current user without providing credentials. However, at the moment the function doesn't support a -domain flag. So in order to enumerate SQL Server Instances for a different domain you have to target a DC from that domain using the -DomainController, and (to your point) currently that requires that credentials are explicitly provided. I don't have plans to update the code to change that in the short term, but I'm open to pull requests :). I'm not sure if this helps in the meantime, but here is a common command cheat sheet for PowerUpSQL: https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
Ah, @phackt I think I see what you're saying. I don't have time to fully vet the code right now, but here is a quick mod of PowerUpSQL that doesn't require credentials when -domaincontroller is used. Hopefully that will satisfy your use case. https://gist.github.com/nullbind/f57bd95150efc365d9a3ab43c82aa1bb
Yep @nullbind that's what I meant, thanks. I will play with this one and if I have ideas / time, I will PR / merge code.
Hello, is there any capability to enumerate the MSSQL service class instances of a specific domain thanks to a parameter like -Domain? Using -DomainController I need to provide explicit credentials and I cannot benefit from the SSO. Thanks,