Export SQL Server credentials to facilitate your intranet penetration

Source: Internet
Author: User


As mentioned in the NetSPI blog, after logging on through the DAC (Dedicated Admin Connection) you can export the credentials that were added to SQL Server. According to MSDN, these credentials are generally Windows user names and passwords, which may be useful during intranet penetration.

The PowerShell script provided in the original article cannot be run on Chinese (or any other multi-byte) operating system language, so it was corrected and also turned into an exe and an AspxSpy plug-in for convenient calling.

See the attachment for the tools and source code. Get-MSSQLCredentialPasswords.psm1 is the modified PowerShell script; call it as follows:

Import-Module Get-MSSQLCredentialPasswords.psm1
Get-MSSQLCredentialPasswords

Note: Chinese characters are not displayed, and long passwords are only displayed in part.

Lscredpwd.exe is a one-click acquisition tool and can be executed directly. Lscredpwd.js is its source code. Compile it from the command line with:

jsc /r:system.xml.dll lspwd.js

GetMSSQLCredentialsPasswordPlugin.cs is the source code of the AspxSpy plug-in. Compile it from the command line with:

csc /t:library GetMSSQLCredentialsPasswordPlugin.cs
PluginDeflater GetMSSQLCredentialsPasswordPlugin.dll   # compress the plug-in to prevent interception

jsc and csc are located under the .NET installation directory. We recommend using the .NET 2.0 compiler to ensure compatibility.

GetMSSQLCredentialsPasswordPlugin.dll and GetMSSQLCredentialsPasswordPlugin.dll.Deflated are the uncompressed and compressed plug-ins respectively. The plug-in information is as follows:

TypeName: Zcg.Test.AspxSpyPlugins.GetMSSQLCredentialsPasswordPlugin
MethodName: Run
HTML Result: true
Params: null

Output: all credentials in every SQL Server instance on the current server that can be connected to successfully.

Test environment setup:

Run the following SQL statements to add credentials:

CREATE CREDENTIAL cred1 WITH IDENTITY = 'administrator 1a', SECRET = 'password asdc12xe1CVYR % # ^ BG (G * $ FW $ xszfdxtgfgfsrtx';
CREATE CREDENTIAL cred2 WITH IDENTITY = 'administrator 1b', SECRET = 'password asdc12x password SZFDXt password tx';

Testing the one-click acquisition tool: execute lscredpwd.exe through xp_cmdshell from a query on a non-DAC connection.
Testing the AspxSpy plug-in: set the IIS application pool to the same account as the SQL Server service process (for example, Network Service), then load the plug-in in AspxSpy.

Test:

Known error information:

A connection was successfully established with the server, but then an error occurred during the login process. (Provider: TCP Provider, error: 0 - The specified network name is no longer available.)
Cause: the DAC supports only a single user. If this error occurs, an active DAC connection already exists.


The requested registry access is not allowed:

Cause: the current user is neither the SQL Server service process account nor an administrator.
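For the defending DBA, the two facts above (the credentials live in sys.credentials, and the DAC admits only one session at a time) suggest a quick audit. The T-SQL below is an added example, not part of the original article or its tools; it lists the stored credentials without touching their secrets, shows whether the DAC is reachable remotely, and reports any session currently attached to the DAC endpoint. It assumes VIEW SERVER STATE and VIEW ANY DEFINITION permissions on a SQL Server 2005 or later instance.

```sql
-- 1. Inventory of server-level credentials (identity only; the secret is never exposed here).
--    Unexpected names, Windows admin identities, or recent create/modify dates deserve a look.
SELECT  credential_id,
        name,
        credential_identity,
        create_date,
        modify_date
FROM    sys.credentials
ORDER BY modify_date DESC;

-- 2. Is the DAC reachable over the network? 0 = local only (default), 1 = remote allowed.
--    A remote DAC widens the reach of the export technique described in this article.
SELECT  name,
        value_in_use AS remote_dac_enabled
FROM    sys.configurations
WHERE   name = N'remote admin connections';

-- 3. Who is on the DAC right now? The DAC is served by the built-in endpoint named
--    'Dedicated Admin Connection'; a session here that is not a DBA during an incident
--    is worth investigating, and it also explains the "network name is no longer
--    available" login error mentioned above (the single DAC slot is already taken).
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        s.login_time,
        s.last_request_end_time
FROM    sys.dm_exec_sessions AS s
JOIN    sys.endpoints        AS e ON e.endpoint_id = s.endpoint_id
WHERE   e.name = N'Dedicated Admin Connection';
```

Running the three queries on a schedule and diffing the results against a known baseline is a cheap way to notice both a newly planted credential and an unexplained DAC session.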
