The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to inventory the SQL Servers on their Active Directory domain.
PowerUpSQL was designed with six objectives in mind:
Scalability: Multi-threading is supported on core functions so they can be executed against many SQL Servers quickly.
Portability: Default .NET libraries are used and there are no dependencies on SQLPS or the SMO libraries. Functions have also been designed so they can be run independently. As a result, it's easy to use on any Windows system with PowerShell v3 installed.
Flexibility: PowerUpSQL functions support the PowerShell pipeline so they can be used together, and with other scripts.
Easy Server Discovery: Discovery functions can be used to blindly identify local, domain, and non-domain SQL Server instances at scale.
Easy Server Auditing: The Invoke-SQLAudit function can be used to audit for common high impact vulnerabilities and weak configurations using the current login’s privileges. Also, Invoke-SQLDumpInfo can be used to quickly inventory databases, privileges, and other information.
Easy Server Exploitation: The Invoke-SQLEscalatePriv function attempts to obtain sysadmin privileges using identified vulnerabilities.
Installing the Module
Option 1: Install it from the PowerShell Gallery. This requires local administrative privileges and will permanently install the module.
Install-Module -Name PowerUpSQL
Option 2: Download the project and import it. This does not require administrative privileges and will only be imported into the current session. However, it may be blocked by restrictive execution policies.
Option 3: Load it into a session via a download cradle. This does not require administrative privileges and will only be imported into the current session. It should not be blocked by execution policies.
To list functions from the module, type: Get-Command -Module PowerUpSQL
To list help for a function, type: Get-Help FunctionName
These functions can be used for enumerating SQL Server instances. Discovered instances can then be piped into other PowerUpSQL functions.
Returns SQL Server instances from a file. One per line.
Returns SQL Server instances from the local system based on a registry search.
Returns a list of SQL Server instances discovered by querying a domain controller for systems with registered MSSQL service principal names. The function will default to the current user’s domain and logon server, but an alternative domain controller can be provided. UDP scanning of management servers is optional.
Returns SQL Server instances from UDP scan results.
Returns SQL Server instances from UDP scan results and supports threading.
Primary Attack Functions
These are the functions used to quickly dump database information, audit for common vulnerabilities, and attempt to obtain sysadmin privileges.
This can be used to dump SQL Server and database information to csv or xml files. This can be handy for doing a quick inventory of databases, logins, privileges etc.
This can be used to review the SQL Server and databases for common configuration weaknesses and provide a vulnerability report along with recommendations for each item.
This can be used to obtain sysadmin privileges via identified configuration weaknesses. Think of it like getsystem, but for SQL Server.
These functions are used to test connections, execute SQL Server queries, and execute OS commands. All other functions use these core functions. However, they can also be executed independently.
Tests if the current Windows account or provided SQL Server login can log into an SQL Server.
Tests if the current Windows account or provided SQL Server login can log into an SQL Server and supports threading.
Executes a query on target SQL servers.
Executes a query on target SQL servers and supports threading.
Executes a command on the operating system as the SQL Server service account using xp_cmdshell. Supports threading, raw output, and table output.
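A worked pipeline that chains the discovery, core, and primary functions described above, written for this page as an added example rather than taken from the project's README. It assumes the module was downloaded and extracted to C:\Tools\PowerUpSQL (Option 2), that the domain discovery function is Get-SQLInstanceDomain, that connection test results carry a Status property, and that Invoke-SQLDumpInfo accepts an -OutFolder parameter.

```powershell
# Added example: inventory every reachable SQL Server instance in the current
# domain using only the privileges of the current Windows account.
# The download location is assumed (Option 2 above).
Import-Module C:\Tools\PowerUpSQL\PowerUpSQL.psd1

# Step 1: discover instances via the MSSQL service principal names registered
# in the domain (function name assumed; the text above does not name it).
$instances = Get-SQLInstanceDomain -Verbose

# Step 2: test which instances accept the current login, several at a time.
# A successful login is reported with Status = "Accessible" (assumed).
$accessible = $instances |
    Get-SQLConnectionTestThreaded -Verbose -Threads 10 |
    Where-Object { $_.Status -like 'Accessible' }

"{0} of {1} discovered instances accept the current login" -f `
    @($accessible).Count, @($instances).Count

# Step 3: basic server information per accessible instance, including
# whether the current login already holds sysadmin (property names assumed).
$accessible |
    Get-SQLServerInfoThreaded -Verbose |
    Select-Object ComputerName, Instance, SQLServerVersionNumber, IsSysadmin |
    Format-Table -AutoSize

# Step 4: dump databases, logins, privileges and other details to CSV files
# for offline review (-csv and -OutFolder parameters assumed).
$accessible |
    Invoke-SQLDumpInfo -Verbose -csv -OutFolder C:\Temp\SQLInventory
```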
Third Party Functions
A few PowerUpSQL functions use the third party functions below.
A PowerShell function created by Warren F. (RamblingCookieMonster) for running multiple threads in PowerShell via runspaces.
A Windows PowerShell LLMNR/NBNS spoofer/man-in-the-middle tool created by Kevin Robertson.
Validates a number based on the Luhn algorithm. Function written by Oyvind Kallstad.
These are essentially helper functions. Some of them are used by other PowerUpSQL functions, but all of them can be run independently.
Creates an object for connecting to SQL Server.
Enumerates objects based on object id using OBJECT_NAME() and only the Public role.
Enumerates databases based on database id using DB_NAME() and only the Public role.
Enumerates SQL Server Logins based on login id using SUSER_NAME() and only the Public role.
Enumerates domain groups, computer accounts, and user accounts based on domain RID using SUSER_SNAME() and only the Public role. Note: In a typical domain an EndId of 10000 or more is recommended.
Parses computer name from a provided instance.
Returns local SQL Server services.
Used to create C++ DLLs with exported functions that can be imported as extended stored procedures in SQL Server. Supports arbitrary command execution.
Returns a list of SPNs for the target domain. Supports authentication from non domain systems.
Used to query domain controllers via LDAP. Supports alternative credentials from non-domain systems.
These functions are used for common information gathering tasks. Similar to core functions, the common functions can be executed by themselves, but are also used by other functions in the PowerUpSQL module.
Returns Audit database specifications from target SQL Servers.
Returns Audit server specifications from target SQL Servers.
Returns column information from target SQL Servers. Supports keyword search.
Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers.
Returns column information from target SQL Servers. Supports search by keywords, sampling data, and validating credit card numbers. Supports host threading.
Returns database information from target SQL Servers.
Returns database information from target SQL Servers. Supports host threading.
Returns database user privilege information from target SQL Servers.
Returns database role information from target SQL Servers.
Returns database role member information from target SQL Servers.
Returns schema information from target SQL Servers.
Returns database user information from target SQL Servers.
Returns configuration settings from sp_configure. Output includes advanced options if the connecting user is a sysadmin.
Returns credentials from target SQL Servers.
Returns basic server and user information from target SQL Servers.
Returns basic server and user information from target SQL Servers. Supports host threading.
Returns link servers from target SQL Servers.
Returns logins from target SQL Servers.
Returns SQL Server login privilege information from target SQL Servers.
Returns SQL Server role information from target SQL Servers.
Returns SQL Server role member information from target SQL Servers.
Returns a list of service account names for SQL Servers services by querying the registry with xp_regread. This can be executed against remote systems.
Returns active sessions from target SQL Servers.
Returns stored procedures from target SQL Servers.
Checks if the login has sysadmin privileges on the target SQL Servers.
Returns table information from target SQL Servers.
Returns DDL trigger information from target SQL Servers. This includes logon triggers.
Returns DML trigger information from target SQL Servers.
Returns view information from target SQL Servers.
These functions are used for identifying weak configurations that can lead to unauthorized access. Invoke-SQLAudit can be used to run all of them at once. Also, all of the audit functions support an exploit flag. In most cases that means the script will try to add your login to the sysadmin server role.
Check if the current login has the CREATE PROCEDURE permission. Attempt to use permission to obtain sysadmin privileges.
Check if the current login has the IMPERSONATE permission on any sysadmin logins. Attempt to use permission to obtain sysadmin privileges.
Check if SQL Server links exist that are preconfigured with alternative credentials that can be impersonated. Provide example queries for execution on remote servers.
Check if database ownership chaining is enabled at the server or database level.
Check if any databases have been flagged as trusted.
Checks if the xp_dirtree stored procedure is executable. Uses Inveigh to obtain the password hash for the SQL Server service account. Note: Capture likelihood is better when longer timeouts are set.
Checks if the xp_fileexist stored procedure is executable. Uses Inveigh to obtain the password hash for the SQL Server service account. Note: Capture likelihood is better when longer timeouts are set.
Check if the current login has the DB_DdlAdmin role in any databases. Attempt to use permission to obtain sysadmin privileges.
Check if the current login has the DB_OWNER role in any databases. Attempt to use permission to obtain sysadmin privileges.
Check if the current login can access any database columns that contain the word password. Supports column name keyword search and custom data sample size. For better data searches use Get-SQLColumnSampleData.
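An added example, not from the project's documentation, showing how the audit functions above can be run as a single pass through Invoke-SQLAudit and turned into a findings report. The exploit flag is left off, so nothing is changed on the servers. It assumes the module location, the Get-SQLInstanceDomain discovery function, and the output property names (IsVulnerable, Vulnerability, Severity, Remediation, Details) of Invoke-SQLAudit.

```powershell
# Added example: audit every instance that accepts the current login and
# report the confirmed weaknesses together with the recommended fix.
Import-Module C:\Tools\PowerUpSQL\PowerUpSQL.psd1   # download location assumed

# Discovery -> connection test -> all audit checks, run without -Exploit.
$findings = Get-SQLInstanceDomain -Verbose |
    Get-SQLConnectionTestThreaded -Verbose -Threads 10 |
    Where-Object { $_.Status -like 'Accessible' } |
    Invoke-SQLAudit -Verbose

# Invoke-SQLAudit returns one row per check per instance; IsVulnerable is
# assumed to read "Yes" for confirmed findings.
$confirmed = $findings | Where-Object { $_.IsVulnerable -eq 'Yes' }

# Summary: how many instances are affected by each weakness.
$confirmed |
    Group-Object Vulnerability |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Detail per instance, including the remediation text, for the report.
$confirmed |
    Select-Object ComputerName, Instance, Vulnerability, Severity, Remediation, Details |
    Sort-Object Severity, ComputerName |
    Export-Csv -Path C:\Temp\SQLAudit_Findings.csv -NoTypeInformation

# Instances with no confirmed findings, for completeness of the inventory.
$findings |
    Where-Object { $_.IsVulnerable -ne 'Yes' } |
    Select-Object -ExpandProperty Instance -Unique
```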
This can be used for online dictionary attacks. It also supports auto-discovery of SQL logins for testing if you already have a least-privilege account.