# mssqlhound
Awesome tool to find cool attack paths via SQL!
# Running enumeration at the domain level
.\MSSQLHound.ps1 -domain domain.com -Verbose
# Running enumeration against a specific instance
.\MSSQLHound.ps1 -UserID SomeSQLAdminLocalAccount -password 'YourPass123!' -ServerList SQL07 -domain domain.com -Verbose
*(I'm a newb with this but found even if I want to do enumeration with a LOCAL SA account, I still need to specify the -domain flag or the enumeration doesn't work)*
# To populate MSSQL visuals in BloodHound:
- Run this:
MSSQLHound.ps1 -OutputFormat BloodHound-customnodes
You can also copy this directly from the GitHub readme.
- Log into BloodHound, and from the left menu click API Explorer, then look for POST /api/v2/custom-nodes, click on it to expand it, then click Try it out.
- In the Request body field, paste in the JSON output.
- Click Execute.
- In the upload area, upload the seed_data.json file (in the same place you upload Active Directory data).
- In the Explore area, click CYPHER and then click Saved Queries and then click Import and import everything in the saved_queries folder.
- Back in the main upload area, upload your .json file that MSSQLHound gave you.
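
A quick pre-upload check of the collector's .json file, as an added example (not MSSQLHound's own code). It assumes the file uses BloodHound's OpenGraph layout (`graph.nodes` with `id`/`kinds`, `graph.edges` with `kind`/`start`/`end`); `Get-OpenGraphSummary`, the `EXAMPLE_*` kinds and the sample data are made up for illustration.

```powershell
# Added example, not MSSQLHound code. Assumes BloodHound's OpenGraph layout:
# { "graph": { "nodes": [ {id, kinds} ], "edges": [ {kind, start, end} ] } }
function Get-OpenGraphSummary {
    param([Parameter(Mandatory)][string]$Json)

    $graph = ($Json | ConvertFrom-Json).graph
    if (-not $graph) { throw "No top-level 'graph' object; not an OpenGraph file." }
    $nodes = @($graph.nodes | Where-Object { $_ })
    $edges = @($graph.edges | Where-Object { $_ })

    $ids = @{}; $kindCounts = @{}; $edgeCounts = @{}; $external = 0
    foreach ($n in $nodes) {
        $ids[[string]$n.id] = $true
        foreach ($k in @($n.kinds | Where-Object { $_ })) {
            $kindCounts[$k] = 1 + [int]$kindCounts[$k]
        }
    }
    foreach ($e in $edges) {
        $edgeCounts[[string]$e.kind] = 1 + [int]$edgeCounts[[string]$e.kind]
        # Endpoint not defined in this file: it refers to a node from another
        # upload (for example the Active Directory data).
        if (-not $ids.ContainsKey([string]$e.start.value) -or
            -not $ids.ContainsKey([string]$e.end.value)) { $external++ }
    }
    [pscustomobject]@{
        Nodes         = $nodes.Count
        Edges         = $edges.Count
        NodeKinds     = $kindCounts
        EdgeKinds     = $edgeCounts
        HasMssqlBase  = $kindCounts.ContainsKey('MSSQL_Base')
        ExternalEdges = $external
    }
}

# Constructed sample, not real collector output.
$sample = @'
{ "graph": {
    "nodes": [
      { "id": "sql-1",   "kinds": ["EXAMPLE_ServerKind", "MSSQL_Base"] },
      { "id": "login-1", "kinds": ["EXAMPLE_LoginKind", "MSSQL_Base"] }
    ],
    "edges": [
      { "kind": "EXAMPLE_Edge", "start": { "value": "login-1" }, "end": { "value": "sql-1" } },
      { "kind": "EXAMPLE_Edge", "start": { "value": "S-1-5-21-0-0-0-1105" }, "end": { "value": "sql-1" } }
    ]
} }
'@
Get-OpenGraphSummary -Json $sample | Format-List
# For a real file: Get-OpenGraphSummary -Json (Get-Content -Raw <path to the .json file>)
```

If `HasMssqlBase` is False, Cypher queries that match on `MSSQL_Base` will return nothing for that file.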
# Queries to find SQL pwnage:
# Find all MSSQL_Base nodes and return every relationship/path going outbound from them (anything that MSSQL instances have connections TO)
MATCH p = (:MSSQL_Base)-[]->() RETURN p
# Return all MSSQL_Base nodes by themselves with no relationship context
MATCH (n:MSSQL_Base) RETURN n