SQL Server Notes
Examples of Common SPN Formats for 2005 and prior:
- Note: Many products will create both SPN records for a single instance.
- Default / named instance: MSSQLSvc/server:1433
- Default / named instance: MSSQLSvc/server.domain.com:1433
Note: The TCP port isn't required. The SPN may not have a port for instances configured with Named Pipes or Shared Memory. However, all formats are supported and may be used by vendors.
- Default instance: MSSQLSvc/server
- Default instance: MSSQLSvc/server.domain.com
- Named instance: MSSQLSvc/server:InstanceName
- Named instance: MSSQLSvc/server.domain.com:InstanceName
- Optional format: MSSQLSvc/server:1433
- Optional format: MSSQLSvc/server.domain.com:1433
Examples of setspn commands for registering these SPN formats:
- setspn -s MSSQLSvc/server DOMAIN\SQLServiceAccount
- setspn -s MSSQLSvc/server:1433 DOMAIN\SQLServiceAccount
- setspn -s MSSQLSvc/server:InstanceName DOMAIN\SQLServiceAccount
- setspn -s MSSQLSvc/server.domain.com DOMAIN\SQLServiceAccount
- setspn -s MSSQLSvc/server.domain.com:1433 DOMAIN\SQLServiceAccount
- setspn -s MSSQLSvc/server.domain.com:InstanceName DOMAIN\SQLServiceAccount
Microsoft states that, "Upon startup, SQL Server Browser starts and claims UDP port 1434. SQL Server Browser reads the registry, identifies all instances of SQL Server on the computer, and notes the ports and named pipes that they use. When a server has two or more network cards, SQL Server Browser returns the first enabled port it encounters for SQL Server. SQL Server Browser supports IPv6 and IPv4.
When SQL Server clients request SQL Server resources, the client network library sends a UDP message to the server using port 1434. SQL Server Browser responds with the TCP/IP port or named pipe of the requested instance. The network library on the client application then completes the connection by sending a request to the server using the port or named pipe of the desired instance."
The following fields can be parsed from the SQL Server Browser UDP responses:
- Instance Name
- IP Address
- TCP Port
- Version
- Clustered Status
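As an added example (not code from PowerUpSQL or from this page), the following Python parses the two formats described above: the MSSQLSvc SPN strings, and the SQL Server Browser UDP reply (MS-SQLR SVR_RESP: a 0x05 marker, a little-endian length, then `Key;Value;` pairs with each instance record terminated by `;;`). The sample datagram is constructed, and the IP address is taken from the datagram's source rather than the payload, which does not carry it.

```python
import struct

SSRP_SVR_RESP = 0x05  # first byte of a SQL Server Browser (MS-SQLR) response


def parse_mssql_spn(spn: str) -> dict:
    # Split "MSSQLSvc/host[:port|:instance]" into its parts. A numeric
    # suffix is a TCP port; any other suffix is an instance name; none means
    # a default instance registered without a port (Named Pipes / Shared Memory).
    service, _, rest = spn.partition("/")
    if service.upper() != "MSSQLSVC" or not rest:
        raise ValueError(f"not an MSSQLSvc SPN: {spn!r}")
    host, _, suffix = rest.partition(":")
    info = {"host": host, "fqdn": "." in host, "port": None, "instance": None}
    if suffix.isdigit():
        info["port"] = int(suffix)
    elif suffix:
        info["instance"] = suffix
    return info


def parse_browser_response(datagram: bytes, source_ip: str) -> list:
    # Validate the marker and declared length, then split the ASCII payload
    # into per-instance records and pull out the fields listed on this page.
    if len(datagram) < 3 or datagram[0] != SSRP_SVR_RESP:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", datagram, 1)
    text = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in filter(None, text.split(";;")):
        fields = record.split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))  # Key;Value; pairs
        instances.append({
            "ip": source_ip,
            "server": kv.get("ServerName"),
            "instance": kv.get("InstanceName"),
            "tcp": int(kv["tcp"]) if kv.get("tcp", "").isdigit() else None,
            "version": kv.get("Version"),
            "clustered": kv.get("IsClustered") == "Yes",
        })
    return instances


# Constructed sample (not a real capture): one host answering for two instances,
# the second without a named pipe entry.
SAMPLE_TEXT = (
    "ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;15.0.2000.5;tcp;1433;np;\\\\SQL01\\pipe\\sql\\query;;"
    "ServerName;SQL01;InstanceName;APPDB;IsClustered;No;"
    "Version;14.0.1000.169;tcp;49812;;"
)
SAMPLE_DATAGRAM = (bytes([SSRP_SVR_RESP]) + struct.pack("<H", len(SAMPLE_TEXT))
                   + SAMPLE_TEXT.encode("ascii"))
```

Cross-checking the instance names and ports parsed from a Browser reply against the MSSQLSvc SPNs registered in the directory is a quick way to spot instances with missing or mismatched SPNs.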