Finding Sensitive Data on Domain SQL Servers using PowerUpSQL
In this blog I’ll show how PowerUpSQL can be used to rapidly target and sample sensitive data stored in SQL Server databases associated with Active Directory domains.
Blindly Discover SQL Server Instances with PowerUpSQL
In this blog I’ll show how PowerUpSQL can be used to blindly discover SQL Server instances on a system, network, or domain.
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
The PowerUpSQL module supports SQL Server instance discovery, auditing for common weak configurations, and privilege escalation on scale.
Maintaining Persistence via SQL Server – Part 2: Triggers
In this blog, I’ll show how three types of SQL Server triggers can be abused to maintain access to Windows environments.
Maintaining Persistence via SQL Server – Part 1: Startup Stored Procedures
In this blog I show how to use SQL Server startup stored procedures to maintain access to Windows environments and share a PowerShell script to automate the attack…
PowerShell Remoting Cheatsheet
I have become a big fan of PowerShell Remoting. I find my self using it for both penetration testing and standard management tasks. In this blog I’ll share a basic PowerShell Remoting cheatsheet so you can too.
Auto-Dumping Domain Credentials using SPNs, PowerShell Remoting, and Mimikatz
In this blog I’ll cover some Mimikatz history and share my script “Invoke-MassMimikatz-PsRemoting.psm1”, which tries to expand on other people’s work.
A Faster Way to Identify High Risk Windows Assets
Thanks to the wonderfulness of Active Directory both red and blue teams can easily identify high risk Windows systems in their environments.
Hacking SQL Server Procedures – Part 4: Enumerating Domain Accounts
Introduction In SQL Server, security functions and views that allow SQL logins to enumerate domain objects should only be accessible to sysadmins. However, in this blog I’ll show how to enumerate Active Directory domain users, groups, and computers through native SQL Server functions using logins that only have the Public server role (everyone). I’ll also […]