As part of reconnaissance in any network, discovering SQL Servers is an important exercise.
In this blog post, we will look at the different ways to find SQL Server instances in a network and enumerate them further. There are multiple methods to find the SQL Servers in a domain; in this post we will use PowerShell tools to find SQL Server instances.
What is SQL server?
SQL is a special-purpose programming language designed to handle data in a relational database management system. A database server is a computer program that provides database services to other programs or computers, as defined by the client-server model. Therefore, SQL Server is a database server that implements the Structured Query Language (SQL).
Principals of SQL Server
Principals are the entities that request access to resources on the SQL instances of a particular domain. Every principal is identified by a security identifier (SID).
SQL Server has a set of fixed server roles that are granted to normal users and to high-privilege users. They are:
- sysadmin (God Mode)
- securityadmin
- public: every login that connects is a member and can view
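To see who actually holds these roles on an instance, the query below (an added example, not code from the original post) joins sys.server_role_members with sys.server_principals and runs it through Invoke-Sqlcmd from the SQLPS module. The instance name and the allow-list of expected sysadmin members are assumptions; replace them with your own.

```powershell
# Added example: audit membership of the high-privilege fixed server roles.
# Assumes the SQLPS (or SqlServer) module is installed and the current user
# can connect to the instance with Windows authentication.
Import-Module SQLPS -DisableNameChecking -ErrorAction SilentlyContinue
$Instance = 'SQLSRV01\PROD'   # assumed instance name, change to yours

# One row per (role, member) pair for the roles we care about
$Query = @"
SELECT r.name       AS role_name,
       m.name       AS member_name,
       m.type_desc  AS member_type,
       m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')
ORDER BY role_name, member_name;
"@

$Members = Invoke-Sqlcmd -ServerInstance $Instance -Query $Query
$Members | Format-Table -AutoSize

# Flag any sysadmin member that is not on the expected list (assumed allow-list)
$Expected = @('sa', 'CONTOSO\SQL-DBAs')
$Members |
    Where-Object { $_.role_name -eq 'sysadmin' -and $_.member_name -notin $Expected } |
    ForEach-Object {
        Write-Warning "Unexpected sysadmin member: $($_.member_name) ($($_.member_type))"
    }
```

Note that public is not listed by this query: every login is implicitly a member of public, so the thing to review there is what permissions have been granted to the role itself, not who is in it.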
Why PowerShell?
PowerShell provides access to almost everything on the Windows platform and in an Active Directory environment, which makes it useful for an attacker. In this post, we are using some PowerShell script tools to scan the environment.
Discovery, Enumeration and Scanning on Domain
TCP/UDP Port Scan
Any user connected to the network can do this to discover SQL Servers listening on a network port.
First, we need to scan the TCP and UDP ports in the domain. For that, we are using Invoke-PortScan from nishang:
https://github.com/samratashok/nishang.git
Invoke-Portscan.ps1
We need to import the module from nishang.
Import-Module .\Invoke-Portscan.ps1
With this port scan, we can set the start address and the end address of the range to scan.
Invoke-PortScan -StartAddress 192.168.2.1 -EndAddress 192.168.2.254 -ScanPort -Verbose
We can also scan the whole subnet of the domain.
Invoke-PortScan -Hosts 192.168.2.1/24 -Ports "1433" -T 4
Using .NET, we can list the SQL Server instances that advertise themselves on the network (through the SQL Browser service) with this command.
[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()
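The Browser-based listing and a direct TCP 1433 check answer different questions, so the example below (added here, not part of the original post or of nishang) combines them into one inventory: instances that answered the SQL Browser broadcast, plus hosts from a list you manage that accept a connection on 1433 even though they never advertised. The host names are constructed, and the code assumes Windows PowerShell 5.1, where SqlDataSourceEnumerator is available in System.Data.

```powershell
# Added example: network-side inventory of SQL Server instances.
function Get-AdvertisedSqlInstance {
    # Asks the SQL Browser service (UDP 1434) which instances announce themselves.
    # Instances with the Browser stopped or hidden from it will not appear here.
    $Table = [System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()
    foreach ($Row in $Table.Rows) {
        [pscustomobject]@{
            ServerName   = $Row.ServerName
            InstanceName = $Row.InstanceName
            Version      = $Row.Version
            IsClustered  = $Row.IsClustered
        }
    }
}

function Test-SqlTcpPort {
    # Attempts a TCP connection to $Port on each host with a short timeout.
    param(
        [string[]]$ComputerName,
        [int]$Port = 1433,
        [int]$TimeoutMs = 500
    )
    foreach ($Computer in $ComputerName) {
        $Open   = $false
        $Client = New-Object System.Net.Sockets.TcpClient
        try {
            $Async = $Client.BeginConnect($Computer, $Port, $null, $null)
            if ($Async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $Client.EndConnect($Async)   # throws if the connection was refused
                $Open = $true
            }
        } catch {
            $Open = $false                   # refused, unreachable or DNS failure
        } finally {
            $Client.Close()
        }
        [pscustomobject]@{ ComputerName = $Computer; Port = $Port; Open = $Open }
    }
}

$Advertised = Get-AdvertisedSqlInstance
$Known      = @($Advertised | ForEach-Object ServerName)

# Constructed host list: the servers your inventory says should (or should not) run SQL
$Listening = Test-SqlTcpPort -ComputerName @('app01', 'app02', 'db01') | Where-Object Open

# Hosts that listen on 1433 but never answered the Browser deserve a closer look
$Listening | Where-Object { $_.ComputerName -notin $Known }
```

The Browser reports the machine's NetBIOS-style name, so pass host names in the same form to Test-SqlTcpPort if you want the final comparison to line up.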
Local Enumeration
Local enumeration is used to find SQL Server instances on a machine we already have access to. For that, we are using the SQL Server PowerShell module (SQLPS). SQLPS is the module used by SQL Agent to run agent jobs in agent job steps using the PowerShell subsystem and to execute SQL cmdlets.
Using SQLPS module
Import the module into PowerShell with this command:
Import-Module -Name SQLPS
Then use the module with the command below:
Get-ChildItem SQLSERVER:\SQL\<machinename>
Example:
PS SQLSERVER:\> Get-ChildItem SQLSERVER:\SQL\
PowerUpSQL
Another way to scan the local machine for SQL Server is the PowerUpSQL module. We are going to use the Get-SQLInstanceLocal function to list the SQL Server instances installed on the local machine. Use the command below to list them.
Get-SQLInstanceLocal
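Get-SQLInstanceLocal works from the registry and the service list, and the same data can be read without any module. The function below is an added example (my own code, not PowerUpSQL's implementation) that reads the installed instance names, resolves each one to its Windows service, service account and configured TCP port, and returns one object per instance.

```powershell
# Added example: module-free local inventory of installed SQL Server instances.
function Get-LocalSqlInstance {
    # Values under this key map InstanceName -> InstanceId (e.g. PROD -> MSSQL15.PROD)
    $RegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $RegPath)) { return }   # no SQL Server installed here

    $Names = Get-ItemProperty -Path $RegPath
    $PsNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($Prop in $Names.PSObject.Properties) {
        if ($Prop.Name -in $PsNoise) { continue }
        $InstanceName = $Prop.Name
        $InstanceId   = $Prop.Value

        # Default instance runs as MSSQLSERVER, named instances as MSSQL$<name>
        $ServiceName = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
        $Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        $Cim = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

        # Static TCP port lives under the instance's SuperSocketNetLib\Tcp\IPAll key
        $TcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
        $Tcp = Get-ItemProperty -Path $TcpKey -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Instance     = if ($InstanceName -eq 'MSSQLSERVER') { $env:COMPUTERNAME } else { "$env:COMPUTERNAME\$InstanceName" }
            InstanceId   = $InstanceId
            Service      = $ServiceName
            Status       = if ($Svc) { $Svc.Status } else { 'NotFound' }
            StartAccount = if ($Cim) { $Cim.StartName } else { $null }
            TcpPort      = if ($Tcp) { $Tcp.TcpPort } else { $null }
            DynamicPorts = if ($Tcp) { $Tcp.TcpDynamicPorts } else { $null }
        }
    }
}

Get-LocalSqlInstance | Format-Table -AutoSize
```

The StartAccount column is the one worth reviewing on a hardening pass: an instance running as a highly privileged domain account is a bigger risk than one running as a virtual or managed service account. A 32-bit SQL Server on a 64-bit host keeps its keys under Wow6432Node instead, which this function does not check.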
Domain Enumeration
Service Principal Name (SPN) scanning helps in discovering services quietly and reliably. It is possible to search the servicePrincipalName attribute of domain accounts and list all SQL Servers in the domain.
Here is the command to list the SQL Servers:
Get-SQLInstanceDomain
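Get-SQLInstanceDomain is an LDAP query for MSSQLSvc SPNs under the hood. The function below is an added example (my own code, not PowerUpSQL's) that issues the same kind of query with the built-in [adsisearcher] accelerator, splits each SPN into host and port or instance name, and records whether the SPN sits on a computer account or on a user account. It assumes it is run from a domain-joined host with the current user's domain credentials.

```powershell
# Added example: inventory of SQL Server instances registered as SPNs in AD.
function Get-SqlSpnInventory {
    # LDAP filter for any account that has at least one MSSQLSvc SPN
    $Searcher = [adsisearcher]'(servicePrincipalName=MSSQLSvc/*)'
    $Searcher.PageSize = 1000     # paged results, so large domains are not truncated
    $null = $Searcher.PropertiesToLoad.AddRange(@('samaccountname', 'objectcategory', 'serviceprincipalname'))

    foreach ($Result in $Searcher.FindAll()) {
        $Account  = [string]$Result.Properties['samaccountname'][0]
        # objectCategory looks like CN=Computer,CN=Schema,... ; keep just "Computer" or "Person"
        $Category = (([string]$Result.Properties['objectcategory'][0]) -split ',')[0] -replace '^CN='

        foreach ($Spn in $Result.Properties['serviceprincipalname']) {
            if ($Spn -notlike 'MSSQLSvc/*') { continue }   # accounts may hold other SPNs too
            # SPN forms: MSSQLSvc/host.fqdn:1433  or  MSSQLSvc/host.fqdn:INSTANCENAME
            $Target = $Spn.Substring('MSSQLSvc/'.Length)
            $Parts  = $Target -split ':', 2
            [pscustomobject]@{
                Host           = $Parts[0]
                PortOrInstance = if ($Parts.Count -eq 2) { $Parts[1] } else { '1433' }
                Account        = $Account
                AccountType    = $Category
                SPN            = $Spn
            }
        }
    }
}

$Inventory = Get-SqlSpnInventory
$Inventory | Sort-Object Host | Format-Table -AutoSize

# Instances whose SPN is held by a user account run under a domain user, not the computer account
$Inventory | Where-Object AccountType -eq 'Person'
```

Comparing this list with the local and network inventories is the useful part: an instance present in AD but not reachable may be decommissioned and its SPN stale, while an instance reachable on the network with no SPN at all will not support Kerberos authentication to it. Instances registered on user accounts are the natural candidates for moving to group managed service accounts.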
We saw multiple ways to enumerate SQL Server in this blog post. Hope you had a good time reading this. Please post your comments below.