Get-SqlInstance a rough draft

[zippy1981]

I'm working on the vector of gaining access to the sql data and backup files. I have the beginnings of a function to list all SQL instances by iterating through the registry. I need to parse the master database file to get the list of all databases on the server (they may not be in the SqlRoot\Data subfolder. I also need to clean up this function and add a -ComputerName paramater. What do you think of it so far? Is the function inside a function kosher with you? Coming from javascript, that's a totally normal thing to do.

Would you like a more refined version of this in PowerSploit?

[mattifestation]

Hey Justin,

Chris and I are certainly open to some MSSQL capabilities. Chris would be more of an authority on MSSQL though. Before considering this capability as an inclusion into PowerSploit, how would you envision such a script being used in a post exploitation environment or would this be more of a forensics capability? With the exception of some of the RE tools, we need to make sure that there's a compelling use case for everything that's added. Again, I'm fairly ignorant to MSSQL so please educate me.

Also, here's some feedback I had after checking out your script:

• No need to use .NET classes/methods for registry access. Using Get-Item and Get-ItemProperty with the reigstry PSProvider will get you everything you need.
• I would avoid relying on [IntPtr]::Size to validate the existence of the Wow64 subsystem. For example, you can install server 2012 R2 (which is 64-bit only) without the Wow64 subsystem.
• I'm not clear on the role of the Orca libraries. Bear in mind, I'm ignorant to MSSQL. Can the functionality you're trying to achieve be implemented without relying upon 3rd party libraries? In a post-exploitation scenario, I like to avoid relying on third party libs at all costs unless absolutely necessary.

Cheers, Matt

[zippy1981]

Matt,

The post exploit scenario would be to get a list off all the SQL instances on the system, then attempt to gain access to the data on them, or use xp_cmdshell as a method of privileged elevation if the proxy account is a SQL admin. I can't fully speak for the latter. I do everything in my power to not use xp_cmdshell.It's certainly a vector. However, let's concentrate on a post exploit scenario where the target is the data on the databases.

I would consider adding localdb instance scanning to the script, MSDE, and possibly sqlcompact edition support. Sometimes these are used in production, and sometimes they contain data worth exploiting.

As to your bullet points

• I can definitely use the registry PS Providers exclusively. As a C# dev I find them clunky, but I'm sure ops people prefer "pure" powershell syntax. I also realize that in certain cases (i.e. surface) you might not have access to the .NET library.
• I didn't know you could have an OS that only supports 64 bit binaries. I could certainly use test-path or more robust mechanisms.
• The idea behind the Orca Libraries is you could parse the MDF files without using the sql server engine. Perhaps you have a very locked down SQL instance, or perhaps you simply want to avoid tripping an intrusion detection system. You could use VSS to access the SQL MDFs and read the data without logging a connection to the SQL server.

[mattifestation]

If you get this working without relying upon a 3rd party library, feel free to submit a pull request.

Thanks, Matt