mssqlhound
Awesome tool to find cool attack paths via SQL!
Running enumeration at the domain level
.\MSSQLHound.ps1 -domain domain.com -Verbose
Running enumeration against a specific instance
.\MSSQLHound.ps1 -UserID SomeSQLAdminLocalAccount -password 'YourPass123!' -ServerList SQL07 -domain domain.com -Verbose
(I'm a newb with this but found even if I want to do enumeration with a LOCAL SA account, I still need to specify the -domain flag or the enumeration doesn't work)
To populate MSSQL visuals in BloodHound:
- Run this:
  .\MSSQLHound.ps1 -OutputFormat BloodHound-customnodes
  You can also copy this directly from the GitHub readme.
- Log into BloodHound, and from the left menu click API Explorer, then look for POST /api/v2/custom-nodes, click on it to expand it, then click Try it out.
- In the Request body field, paste in the JSON output.
- Click Execute.
- In the upload area, upload the seed_data.json file (in the same place you upload Active Directory data).
- In the Explore area, click CYPHER, then click Saved Queries, then click Import and import everything in the saved_queries folder.
- Back in the main upload area, upload the .json file that MSSQLHound gave you.
Queries to find SQL pwnage:
Find all MSSQL_Base nodes and return every relationship/path going outbound from them (anything that MSSQL instances have connections TO)
MATCH p = (:MSSQL_Base)-[]->() RETURN p
Return all MSSQL_Base nodes by themselves with no relationship context
MATCH (n:MSSQL_Base) RETURN n