Closed zippy1981 closed 9 years ago
Hey Justin,
Chris and I are certainly open to some MSSQL capabilities. Chris would be more of an authority on MSSQL though. Before considering this capability as an inclusion into PowerSploit, how would you envision such a script being used in a post exploitation environment or would this be more of a forensics capability? With the exception of some of the RE tools, we need to make sure that there's a compelling use case for everything that's added. Again, I'm fairly ignorant to MSSQL so please educate me.
Also, here's some feedback I had after checking out your script:
Cheers, Matt
Matt,
The post exploit scenario would be to get a list of all the SQL instances on the system, then attempt to gain access to the data on them, or use xp_cmdshell as a method of privilege elevation if the proxy account is a SQL admin. I can't fully speak for the latter. I do everything in my power to not use xp_cmdshell. It's certainly a vector. However, let's concentrate on a post exploit scenario where the target is the data on the databases.
I would consider adding localdb instance scanning to the script, MSDE, and possibly sqlcompact edition support. Sometimes these are used in production, and sometimes they contain data worth exploiting.
As to your bullet points
If you get this working without relying upon a 3rd party library, feel free to submit a pull request.
Thanks, Matt
I'm working on the vector of gaining access to the SQL data and backup files. I have the beginnings of a function to list all SQL instances by iterating through the registry. I need to parse the master database file to get the list of all databases on the server (they may not be in the SqlRoot\Data subfolder). I also need to clean up this function and add a -ComputerName parameter. What do you think of it so far? Is the function inside a function kosher with you? Coming from JavaScript, that's a totally normal thing to do.
Would you like a more refined version of this in PowerSploit?
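The registry-driven instance listing described in the comment above, written out as an added example (this is not zippy1981's script nor PowerSploit code, and it uses no third-party library). It is written from an asset-inventory angle: a defender running it across hosts finds unmanaged Express or LocalDB instances that may hold production data outside the central SQL estate. It assumes the standard keys that SQL Server setup writes under `HKLM\SOFTWARE\Microsoft\Microsoft SQL Server` (the `Instance Names\SQL` map and each `<InstanceId>\Setup` key with `Version`, `Edition` and `SQLDataRoot` values); the `-ComputerName` parameter is an assumed addition and, for a remote host, requires the Remote Registry service and administrative rights.

```powershell
function Get-SqlInstanceInventory {
    <#
    .SYNOPSIS
    Lists SQL Server instances registered on a host by reading the registry.
    Added example for inventory purposes; assumes the Instance Names\SQL map and
    the <InstanceId>\Setup keys that SQL Server setup creates.
    #>
    [CmdletBinding()]
    param(
        # Host to inspect. Remote queries need the Remote Registry service and admin rights.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Open HKLM on the target; for the local machine this is equivalent to HKLM:\
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # Check both the 64-bit and the 32-bit (WOW6432Node) registrations;
        # older Express/MSDE-era installs may only appear under the latter.
        $roots = @(
            'SOFTWARE\Microsoft\Microsoft SQL Server',
            'SOFTWARE\WOW6432Node\Microsoft\Microsoft SQL Server'
        )
        foreach ($root in $roots) {
            $names = $hklm.OpenSubKey("$root\Instance Names\SQL")
            if (-not $names) { continue }

            foreach ($instanceName in $names.GetValueNames()) {
                # Value data is the instance id, e.g. MSSQL12.MSSQLSERVER
                $instanceId = [string]$names.GetValue($instanceName)
                $setup      = $hklm.OpenSubKey("$root\$instanceId\Setup")

                $version = $edition = $dataRoot = $null
                if ($setup) {
                    $version  = $setup.GetValue('Version')
                    $edition  = $setup.GetValue('Edition')
                    # Default data directory only; individual databases can live
                    # elsewhere, which is why the thread mentions parsing master.
                    $dataRoot = $setup.GetValue('SQLDataRoot')
                }

                [pscustomobject]@{
                    ComputerName = $ComputerName
                    InstanceName = $instanceName
                    InstanceId   = $instanceId
                    Version      = $version
                    Edition      = $edition
                    DataRoot     = $dataRoot
                    Bitness      = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
                }
            }
        }
    }
    finally {
        $hklm.Close()
    }
}

# Usage: inventory the local host; pipe several hosts through for a fleet-wide view.
Get-SqlInstanceInventory | Format-Table -AutoSize
```

Each result is a plain object, so the output can be filtered on `Edition` to single out Express or Developer editions that should not be running in production, or exported and diffed against the configuration management database to spot instances nobody is patching or backing up.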