The Psnet assembly was created in the first three articles, it contains the port scan for the specified IP, the TCP message packet and the related functions of sending and receiving the UDP message packet, as this is the most basic detection of the network situation, subsequent articles will continue to expand the assembly to include more comprehensive functions. But it's not enough to have these simple network probes, and in order to be able to use PowerShell to detect network security more fully, a pssecurity assembly is created in this article to hold scripts related to passing PowerShell. Create a pssecurity assembly directory from the methods and directory structures that create the Psnet assembly in the previous articles to facilitate subsequent extensions of the assembly.
For detailed steps, see the previous articles, the directory structure and files after creating the Pssecurity assembly are as follows:
Copy Code code as follows:
+d:\my Documents\windowspowershell\modules
└─pssecurity
│pssecurity.psm1
│
└─sqlserver
Get-sqlsyslogin.ps1
Add in $profile:
Copy Code code as follows:
Import-module $env:P sspace\pssecurity #用于在PowerShell启动时自动加载PSSecurity程序集
The contents of the PSSECURITY.PSM1 are as follows:
Copy Code code as follows:
. $env:P sspace/pssecurity/sqlserver/get-sqlsyslogin.ps1 #导入Get-sqlsyslogin function
Write-host "pssecurity Module Added"-backgroundcolor green-foregroundcolor Blue #用于提示此模块已加载
Export-modulemember-function * #用于将函数导出为模块成员
And then there's the GET-SQLSYSLOGIN.PS1 content.
Copy Code code as follows:
===== FileName: get-sqlsyslogin.ps1=====
function Get-sqlsyslogin {
Param (
[Parameter (mandatory = $true,
Position = 0,
Valuefrompipeline= $true)]
[Alias ("Pscomputername", "CN", "MachineName", "IP", "IPAddress")]
[String] $ComputerName,
[Parameter (Position = 1)]
[String] $UserName,
[Parameter (Position = 2)]
[String] $Password
)
Process {
$Connection = New-object System.Data.SQLClient.SQLConnection
if ($userName) {
$Connection. ConnectionString = "Data source= $ComputerName; Initial catalog=master; User id= $userName; password= $password; "
} else {
$Connection. ConnectionString = "server= $computerName; Initial catalog=master;trusted_connection=true;"
}
Try {
$Connection. Open ()
$Command = New-object System.Data.SQLClient.SQLCommand #创建SQLClient对象
$Command. Connection = $Connection
$Command. CommandText = "select * FROM Master. Sys.syslogins "#从syslogin表读取SQLServer登录账户
$Reader = $Command. ExecuteReader ()
$Counter = $Reader. FieldCount
while ($Reader. Read ()) {
$SQLObject = @{}
for ($i = 0; $i-lt $Counter; $i + +) {
$SQLObject. ADD (
$Reader. GetName ($i),
$Reader. GetValue ($i)
);
}
# Get Login Type
$type =
if ($sqlObject. Isntname-eq 1) {
if ($sqlObject. Isntgroup-eq 1) {
"NT Group"
} else {
"NT User"
}
} else {
"SQL Server"
}
New-object Psobject-property @{
Name = $sqlObject. LoginName;
Created = $sqlObject. CreateDate;
Denylogin = [bool] $sqlObject. Denylogin;
hasaccess = [bool] $sqlObject. hasaccess;
Type = $type;
sysadmin = [bool] $sqlObject. sysadmin;
securityadmin = [bool] $sqlObject. securityadmin;
ServerAdmin = [Bool][bool] $sqlObject. ServerAdmin;
Setupadmin = [bool] $sqlObject. setupadmin;
Processadmin = [bool] $sqlObject. processadmin;
Diskadmin = [bool] $sqlObject. diskadmin;
dbcreator = [bool] $sqlObject. dbcreator;
NTUser = [bool] $sqlObject. Isntuser;
ComputerName = $ComputerName
} | Select-object Name, Created, Type, Denylogin, hasaccess, SysAdmin, securityadmin, ServerAdmin, setupadmin, Processadmin, Diskadmin, dbcreator, NTUser, ComputerName
}
$Connection. Close ()
}
Catch {
$error [0]
}
}
}
Start the PowerShell process, which can be invoked in the following two ways
Copy Code code as follows:
Get-sqlsyslogin-computername srv01-username Sa-password sa #单台主机登录尝试
"SQL01", "SQL02", "SQL03" | Get-sqlsyslogin-username Sa-password SA #多台主机登录尝试
where ComputerName represents the host name or IP of SQL Server; Username is the user name, and if not, use the default Windows authentication, and if you are using Windows authentication, you need to make sure that the current login allows you to log on through Windows Authentication; password is the password.
Copy Code code as follows:
PS c:\users\fuhj> get-sqlsyslogin-computername **.**.**.**-username sa-password ***********
Name:sa
created : 2003/4/8 9:10:35
type : SQL Server
denylogin : False
hasaccess : True
sysadmin : True
Securityadmin:false
serveradmin : False
setupadmin : False
processadmin : false
diskadmin : False< br> dbcreator : False
ntuser : false
computername : **.**.**.**
name : * * * * *
CREATED:2011/3/14 8:31:44
Type:sql Server
Denylogin:false
Hasaccess:true
Sysadmin:false
Securityadmin:false
Serveradmin:false
Setupadmin:false
Processadmin:false
Diskadmin:false
Dbcreator:false
Ntuser:false
ComputerName: **.**.**.**
Follow up: Here is a login attempt on a single SQL Server servers, if the relevant SQL Server servers are found by scanning for ports on a specified range of IP, and there is a fairly complete dictionary, The transformation of this function can be a dictionary mode brute force to crack SQL Server username, password (note: This article only provides security and defense ideas, do not try to force others system violence, otherwise the consequences of the attackers personally bear).
This article created the Pssecurity toolset, which describes the method of attempting to log on to SQL Server through PowerShell, which can be used for brute force cracking and poor account passwords, which need to be supported by a more comprehensive dictionary. In subsequent articles, the Psnet and pssecurity two toolset will be expanded and upgraded to meet the needs of the real environment.