Own an Active Directory Domain “Thanks” to MSSQL

Hacking MSSQL is one of my favorite topics in pentesting, largely because of my background as a former MSSQL DBA. A misconfigured MSSQL instance can serve as a gateway for malicious actors, potentially allowing them to compromise an entire domain in just minutes. In this blog, I’ll demonstrate how to leverage a misconfigured MSSQL instance to quickly perform lateral movement within a network.

Let’s start with an “assumed breach” scenario. This is one of the most common situations encountered in Active Directory (AD) pentesting. It is also the approach used in the updated OSCP+ exam for the AD portion. In an assumed breach scenario, we begin with valid credentials.

The very first step should be to identify existing MSSQL instances. This is relatively straightforward: we can scan the network for the default MSSQL port, which is 1433. DBAs sometimes change this port and use a different one. But this is a quick and easy starting point.

The following PowerShell script can be executed from a Windows box and helps us to discover MSSQL instances running on port 1433:

$ipRange = "10.10.10.0/24"
$port = 1433
foreach ($ip in (1..254)) {
    $address = "10.10.10.$ip"
    try {
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $tcpClient.Connect($address, $port)…