Get-SQLServerLoginDefaultPw - Empire Module
This page contains detailed information about how to use the powershell/recon/get_sql_server_login_default_pw Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Get-SQLServerLoginDefaultPw
Module: powershell/recon/get_sql_server_login_default_pw
Source code [1]: empire/server/modules/powershell/recon/get_sql_server_login_default_pw.yaml
Source code [2]: empire/server/modules/powershell/recon/get_sql_server_login_default_pw.py
MITRE ATT&CK:
T1256
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
Based on the instance name, test if SQL Server is configured with default passwords.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the get_sql_server_login_default_pw module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the get_sql_server_login_default_pw module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the get_sql_server_login_default_pw module:
CheckAll
Check all systems retrieved by Get-SQLInstanceDomain.
Instance
SQL Server instance to connection to.
Password
SQL Server or domain account password to authenticate with. Only used for CheckAll.
Username
SQL Server or domain account to authenticate with. Only used for CheckAll.
Get_sql_server_login_default_pw Example Usage
Here's an example of how to use the get_sql_server_login_default_pw module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/recon/get_sql_server_login_default_pw
Author @_nullbind
@0xbadjuju
Background True
Comments https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1
https://github.com/pwnwiki/pwnwiki.github.io/blob/master/tech/db/mssql
.md
Description Based on the instance name, test if SQL Server is configured with
default passwords.
Language powershell
Name powershell/recon/get_sql_server_login_default_pw
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1256
,Record Options----,----------,-------------------------------------,
| Name | Value | Required | Description |
|----------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|----------|-------|----------|-------------------------------------|
| CheckAll | | False | Check all systems retrieved by Get- |
| | | | SQLInstanceDomain. |
|----------|-------|----------|-------------------------------------|
| Instance | | False | SQL Server instance to connection |
| | | | to. |
|----------|-------|----------|-------------------------------------|
| Password | | False | SQL Server or domain account |
| | | | password to authenticate with. Only |
| | | | used for CheckAll |
|----------|-------|----------|-------------------------------------|
| Username | | False | SQL Server or domain account to |
| | | | authenticate with. Only used for |
| | | | CheckAll |
'----------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/recon/get_sql_server_login_default_pw) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/recon/get_sql_server_login_default_pw) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Authors
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/recon/get_sql_server_login_default_pw.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/recon/get_sql_server_login_default_pw.py
- https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1
- https://github.com/pwnwiki/pwnwiki.github.io/blob/master/tech/db/mssql.md
- http://attack.mitre.org/techniques/T1256
See Also
Check also the following modules related to this module:
- powershell/recon/http_login
- powershell/recon/find_fruit
- powershell/recon/fetch_brute_local
- powershell/situational_awareness/host/hostrecon
- powershell/lateral_movement/invoke_sqloscmd
- powershell/situational_awareness/network/get_sql_server_info
- powershell/situational_awareness/network/get_sql_instance_domain
- powershell/collection/get_sql_query
- powershell/collection/get_sql_column_sample_data
- powershell/credentials/mimikatz/terminal_server
- powershell/situational_awareness/network/powerview/get_fileserver
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/network/smblogin
- python/situational_awareness/network/active_directory/get_fileservers
- python/trollsploit/osx/login_message
- python/persistence/osx/loginhook
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.