Extract MSSQL Link Password

Last updated 4 years ago

Step 1: Get Local Instances

Step 2: Get the current user

Step 3: Get the version

Step 4: Check if you can impersonate sa

Step 5: Enable DAC

Step 6: Check if port 1434 is enabled

Step 7: If you don't see 1434 enabled, see below

Step 8: Check if you have -T7806 in the SQL startup arguments (the SQLArg values). If you don't, see below

Step 9: Add SQLArg3 as -T7806

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\Parameters\" -Name "SQLArg3" -Value "-T7806"  -PropertyType "String"

Step 10: Check if you have SQLBrowser running

Get-Service | Where {$_.Name -Like "*SQLBROWSER*"}

Step 11: Check if named pipes are enabled (the command below enables them if they are not)

Set-ItemProperty "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Np\" -Name Enabled -Value 1 -Type DWord

Step 12: Restart the services

Step 13: Check if UDP port 1434 is now enabled
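The following PowerShell script is an added example, not code from the original post. It audits a local SQL Server instance for the settings that Steps 8 through 13 change (the -T7806 startup flag, the Named Pipes flag, the SQL Browser service and the UDP 1434 listener), and then lists the linked servers whose logins use stored credentials, which are the entries an administrator should review once DAC is reachable on a host. It assumes it runs elevated on the SQL host, that the instance is named SQLEXPRESS (the MSSQL15.SQLEXPRESS path is taken from the post; other instances are resolved from the "Instance Names\SQL" registry key), and that the SqlServer module's Invoke-Sqlcmd is available for the optional linked-server inventory.

```powershell
# Added example (not from the original post): audit a local SQL instance for the DAC-related
# settings described in the steps above. Assumptions: run elevated on the SQL host; default
# instance name SQLEXPRESS (from the post); Invoke-Sqlcmd (SqlServer module) is only needed
# for the optional linked-server inventory at the end.
param(
    [string]$InstanceName = 'SQLEXPRESS'
)

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Step 1 equivalent: enumerate local instances from the registry rather than via SQL Browser.
# "Instance Names\SQL" maps each instance name to its instance id (e.g. MSSQL15.SQLEXPRESS).
$instances = Get-ItemProperty -Path "$base\Instance Names\SQL" -ErrorAction Stop
$instances.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { Write-Host ("Instance {0} -> {1}" -f $_.Name, $_.Value) }

$instanceId = $instances.$InstanceName
if (-not $instanceId) { throw "Instance '$InstanceName' not found under Instance Names\SQL" }
$instKey = "$base\$instanceId\MSSQLServer"

# Check 1 (Steps 8/9): trace flag 7806 in any SQLArgN startup parameter enables DAC on Express.
$params  = Get-ItemProperty -Path "$instKey\Parameters"
$sqlArgs = $params.PSObject.Properties | Where-Object { $_.Name -like 'SQLArg*' }
$dacFlag = $sqlArgs | Where-Object { $_.Value -eq '-T7806' }
Write-Host ("Startup args : {0}" -f (($sqlArgs | ForEach-Object { $_.Value }) -join ' '))
Write-Host ("DAC (-T7806) : {0}" -f $(if ($dacFlag) { 'ENABLED' } else { 'not set' }))

# Check 2 (Step 11): Named Pipes protocol flag, the DWORD the post sets to 1.
$np = Get-ItemProperty -Path "$instKey\SuperSocketNetLib\Np" -Name Enabled -ErrorAction SilentlyContinue
Write-Host ("Named Pipes  : {0}" -f $(if ($np.Enabled -eq 1) { 'ENABLED' } else { 'disabled' }))

# Check 3 (Step 10): SQL Browser service, which answers the UDP 1434 instance/DAC port lookups.
$browser = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
Write-Host ("SQL Browser  : {0}" -f $(if ($browser) { "$($browser.Status) / $($browser.StartType)" } else { 'not installed' }))

# Check 4 (Steps 6/13): is anything bound to UDP 1434 right now?
$udp = Get-NetUDPEndpoint -LocalPort 1434 -ErrorAction SilentlyContinue
Write-Host ("UDP 1434     : {0}" -f $(if ($udp) { 'listening' } else { 'not listening' }))

# Optional: linked servers whose logins carry a stored (non-self) credential. These are the
# entries whose passwords the DAC technique on this page targets, so they are the ones to
# review, rotate or remove. Connects with the current Windows identity.
$serverInstance = if ($InstanceName -eq 'MSSQLSERVER') { $env:COMPUTERNAME } else { "$env:COMPUTERNAME\$InstanceName" }
$query = @"
SELECT s.name AS linked_server, s.data_source, s.provider,
       ll.remote_name, ll.uses_self_credential, ll.modify_date
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1 AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL;
"@
if (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue) {
    Invoke-Sqlcmd -ServerInstance $serverInstance -Database master -Query $query | Format-Table -AutoSize
} else {
    Write-Warning 'Invoke-Sqlcmd not available; skipping linked-server inventory'
}
```

Run it as `.\Audit-Dac.ps1 -InstanceName SQLEXPRESS` from an elevated prompt. A host where all four checks report enabled/listening, and where the linked-server query returns rows, matches the end state the steps above produce; seeing that state appear on a server where DAC was never deliberately enabled is worth an alert on the registry keys named in Steps 9 and 11.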

Extract the Link Password

Reference:

  • Create SA account
  • Troubleshooting the SQL Server Dedicated Administrator Connection (mssqltips)
  • Enabling admin connection on SQL Server Express to fix logon trigger (Database Administrators Stack Exchange)
  • How to enable sa Account in SQL Server? (SQL.... Still Learning)
  • Automatically enable Named Pipes & TCP/IP protocols SQL Server 2008 R2 (Stack Overflow)

[Screenshot captions from the steps above: "Local Instances on the system"; "Getting the current user name"]