Issue with Get-SQLInstanceDomain

[cynicXer]

PS C:\Users#####\Documents\PowerUpSQL-master\PowerUpSQL-master> Get-SQLInstanceDomain -verbose VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)... VERBOSE: 0 SPNs found. VERBOSE: Parsing SQL Server instances from SPNs... You cannot call a method on a null-valued expression. At C:\Users######\Documents\PowerUpSQL-master\PowerUpSQL-master\PowerUpSQL.ps1:9499 char:35

• $Instance = $Spn.split <<<< ('/')[1].split(':')[1]
  • CategoryInfo : InvalidOperation: (split:String) [], RuntimeException
  • FullyQualifiedErrorId : InvokeMethodOnNull

VERBOSE: 1 instances were found.

ComputerName : Instance : DomainAccountSid : DomainAccount : DomainAccountCn : Service : Spn : LastLogon : Description :

So, I'm getting this error. Is this because it failed to query the proper DC to find the MSSQL SPNs? I know SQL SPNs exist in this domain; I've pulled them with other tools. Specifying the IP of the DC doesn't seem to help.

[nullbind]

Based on the error, it looks like your system isn't on an Active Directory domain, or at least not able to connect to a DC for the default domain associated with your computer.

If you're using alternative credentials, and targeting a Domain your system isn't associated with, try launching PowerShell with runas first. Example below.

runas /noprofile /netonly /user:domain\user PowerShell.exe import-module PowerUpSQL.psd1 Get-SQLInstanceDomain -Verbose

Also, it's worth noting that (at the moment) when you specify the DC you also have to provide a username and password. It's a known logic issue that I haven't fixed yet. Sorry 'bout that.

Example of use: Get-SQLInstanceDomain -Verbose -DomainControl ler 192.1.1.1 -Username Domain\User -Password Password123

Hopefully that helps, but let me know. Thanks for the feedback!

[nullbind]

@cynicXer Did my notes help at all?

[Sw4mpf0x]

Myself and several other pentesters I know have encountered this as well on domain joined systems. I am using PowerUpSQL and ran into it again this week. It may be an issue with PowerShell version 2, because it worked fine when run on a Server 2012 DC. I was able to track down the culprit this week through Cobalt Strike (troubleshooting through CS sucks BTW! :P). Line 9138 assigns null to the $Spn variable. I originally removed the '.split(',')' as there were no commas in $.properties.serviceprincipalname. That worked, but I talked to Will (@harmj0y) about the issue and he recommended specifying index 0 for $.properties.serviceprincipalname due to quirkiness he has encountered in the past with AD objects in Powershell. This worked for me this week. The final line is: $Spn = $_.properties.serviceprincipalname[0].split(',')

I went ahead and created a pull request for this.

[nullbind]

Awesome! Thanks for sharing! I'll test the fix in the lab and hopefully merge it later tonight.

[nullbind]

@cynicXer, it looks like @Sw4mpf0x was nice enough to help us out on this one - thanks again to both of you!