Scott Sutherland nullbind

nullbind / convertopenportformat
Last active December 1, 2016 20:17
hacky ps script to convert ip,openport to ip, allopenports
# hacky ps script to convert ip,openport to ip,allopenports
# Container for final list
$FullList = New-Object System.Data.DataTable
$FullList.Columns.Add("Dest") | Out-Null
$FullList.Columns.Add("Port") | Out-Null
# import full list of open ports – one per line (dest,port)
$ImportList = import-csv C:\temp\open-ports-by-line.csv
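The full conversion the gist describes, written here as an added example (it is not the gist's own code): group the one-port-per-line rows by destination, de-duplicate and sort the ports numerically, and emit one row per host. The input CSV is constructed inline so the script runs offline; in practice you would read C:\temp\open-ports-by-line.csv with Import-Csv as the gist does. The column names Dest and Port match the DataTable the gist builds.

```powershell
# Added example: collapse (Dest,Port) rows into one row per host.
# Constructed sample input in the same shape as the gist's open-ports-by-line.csv.
$csvText = @"
Dest,Port
10.0.0.5,445
10.0.0.5,135
10.0.0.7,1433
10.0.0.5,3389
10.0.0.7,1433
10.0.0.9,80
10.0.0.9,
"@

function ConvertTo-PortsPerHost {
    param([Parameter(Mandatory)][object[]]$Rows)

    $Rows |
        # Drop rows with a blank host or a non-numeric port (scanner output is rarely clean)
        Where-Object { $_.Dest -and $_.Port -match '^\d+$' } |
        Group-Object -Property Dest |
        ForEach-Object {
            # Cast to [int] so 80 sorts before 445, and -Unique removes duplicate hits
            $ports = $_.Group | ForEach-Object { [int]$_.Port } | Sort-Object -Unique
            [pscustomobject]@{
                Dest      = $_.Name
                PortCount = @($ports).Count
                Ports     = ($ports -join ',')
            }
        } |
        Sort-Object Dest
}

$rows   = $csvText | ConvertFrom-Csv
$result = ConvertTo-PortsPerHost -Rows $rows
$result | Format-Table -AutoSize

# Write the aggregated list out in the ip,allopenports form the gist targets
# $result | Export-Csv -NoTypeInformation C:\temp\open-ports-by-host.csv
```

Group-Object does the work the gist's DataTable loop does by hand; the `@($ports).Count` wrapper matters because Sort-Object returns a bare scalar when a host has a single open port.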
nullbind / SQL Server - Flag custom proc as Microsoft shipped
Last active November 9, 2016 02:08
How to set the "is_ms_shipped" flag to one for custom stored procedures in SQL Server.
This outlines how to set the "is_ms_shipped" flag to one for custom stored procedures in SQL Server.
Note: The following has to be executed as a sysadmin
-- Create stored procedure
CREATE PROCEDURE sp_example
AS
BEGIN
SELECT @@VERSION
END
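The gist preview stops at the procedure definition. As an added example (not the gist's code), the following runs the create-and-mark steps through PowerUpSQL's Get-SQLQuery and then shows the query a defender can use to hunt for the same trick. The marking is done with sp_MS_marksystemobject, the undocumented procedure that sets is_ms_shipped = 1; the instance name and the PowerUpSQL path are assumptions, and the marking step must run as sysadmin as the gist notes.

```powershell
# Added example: mark a custom procedure as "Microsoft shipped" via PowerUpSQL, then verify.
Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1    # assumption: module location
$Instance = 'SQLSERVER1\STANDARD'                      # assumption: target instance

# 1. Create the procedure in master (sp_ prefix + master makes it callable from any database)
#    and flip is_ms_shipped with sp_MS_marksystemobject. Requires sysadmin.
$MarkQuery = @"
USE master;
IF OBJECT_ID('dbo.sp_example','P') IS NULL
    EXEC('CREATE PROCEDURE dbo.sp_example AS BEGIN SELECT @@VERSION END');
EXEC sp_MS_marksystemobject 'dbo.sp_example';
"@
Get-SQLQuery -Instance $Instance -Query $MarkQuery -Verbose

# 2. Confirm the flag. SSMS now lists the proc under System Stored Procedures.
$VerifyQuery = "SELECT name, is_ms_shipped, create_date FROM master.sys.procedures WHERE name = 'sp_example';"
Get-SQLQuery -Instance $Instance -Query $VerifyQuery

# 3. Defender check (no sysadmin needed beyond metadata visibility): genuine system objects
#    live in the Resource database and surface through sys.all_objects, so anything in
#    sys.objects carrying is_ms_shipped = 1 other than the handful of install-time objects
#    (spt_*, MSreplication_*, broker queues) deserves a look. A recent create_date is the
#    strongest tell. Run per database; master is shown.
$HuntQuery = @"
USE master;
SELECT s.name AS schema_name, o.name, o.type_desc, o.create_date, o.modify_date
FROM sys.objects o
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE o.is_ms_shipped = 1
  AND o.type IN ('P','PC','FN','IF','TF','TR','V')
ORDER BY o.create_date DESC;
"@
Get-SQLQuery -Instance $Instance -Query $HuntQuery | Format-Table -AutoSize
```

The hunt query is a starting point, not a signature: compare create_date against the cluster of install-time dates and check who holds EXECUTE on anything that stands out.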
nullbind / SQL Server Connection Strings CheatSheet
Last active December 20, 2023 01:11
SQL Server Connection Strings CheatSheet
Below is a cheatsheet for creating SQL Server client connection strings and finding them in common configuration files.
------------------------------------------------------------------
CREATING CONNECTION STRINGS
------------------------------------------------------------------
----------------------
Authentication Options
----------------------
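The cheatsheet covers both halves of the problem: how a connection string expresses its authentication choice, and where such strings hide in configuration files. As an added example (not part of the gist), the script below parses the connectionStrings section of a .NET web.config and classifies each entry by authentication mode, flagging ones with an embedded SQL login password or with encryption off. The config content is constructed inline; the file layout it assumes is the standard ASP.NET one, and it relies on System.Data.SqlClient.SqlConnectionStringBuilder, which is loaded by default in Windows PowerShell.

```powershell
# Added example: pull connection strings from a web.config and classify how they authenticate.
# Constructed sample config; real targets are web.config / app.config / *.exe.config files.
$webConfig = @'
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=sqlsrv01\PROD;Database=App;Integrated Security=SSPI;" providerName="System.Data.SqlClient" />
    <add name="ReportDb" connectionString="Data Source=sqlsrv02,1433;Initial Catalog=Reports;User ID=sa;Password=Summer2016!;Encrypt=false" providerName="System.Data.SqlClient" />
    <add name="Legacy" connectionString="Server=10.0.0.20;Database=Legacy;uid=appuser;pwd=P@ssw0rd;" />
  </connectionStrings>
</configuration>
'@

function Get-ConfigConnectionStrings {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    foreach ($add in $doc.configuration.connectionStrings.add) {
        # The builder understands the aliases (Server/Data Source, uid/User ID, pwd/Password)
        # that hand-written regexes usually miss.
        $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
        try { $b.ConnectionString = $add.connectionString } catch { continue }

        $winAuth = $b.IntegratedSecurity
        if ($winAuth) { $authMode = 'Windows (SSPI)' } else { $authMode = 'SQL login' }

        [pscustomobject]@{
            Name        = $add.name
            Server      = $b.DataSource
            Database    = $b.InitialCatalog
            AuthMode    = $authMode
            User        = $b.UserID
            HasPassword = (-not $winAuth) -and ($b.Password.Length -gt 0)
            Encrypt     = $b.Encrypt
        }
    }
}

$found = Get-ConfigConnectionStrings -Xml $webConfig
$found | Format-Table -AutoSize

# Findings a reviewer cares about: cleartext SQL login credentials, and traffic sent unencrypted.
$found | Where-Object { $_.HasPassword -or -not $_.Encrypt } |
    Select-Object Name, Server, AuthMode, User, Encrypt
```

To sweep a web root, feed each file through the same function: Get-ChildItem -Recurse -Include web.config,app.config,*.exe.config | ForEach-Object { Get-ConfigConnectionStrings -Xml (Get-Content $_.FullName -Raw) }.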
nullbind / PowerShell string builder example
Created October 21, 2016 19:51
PowerShell string builder example
source: http://stackoverflow.com/questions/7801651/powershell-and-stringbuilder
Function MyStringFunc([String]$line) {
    # Collects the cumulative prefixes of $line; the StringBuilder avoids allocating a new
    # string on every append, which is the point of the StackOverflow example
    $r = New-Object -TypeName "System.Collections.Generic.List``1[[System.String]]";
    $sb = New-Object -TypeName "System.Text.StringBuilder";
    # foreach over a [string] yields the whole string once, so iterate its characters
    foreach ($c in $line.ToCharArray()) {
        [void]$sb.Append($c);
        $r.Add($sb.ToString());
    }
    return $r;
}
nullbind / DerbyCon2016 - SQL Server Privilege Escalation Demo - UNC Path Injection
Created September 25, 2016 16:06
DerbyCon2016 - SQL Server Privilege Escalation Demo - UNC Path Injection
# Import the PowerUpSQL module
Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1
# Import the Inveigh module
Import-Module C:\PowerUpSQL-master\Scripts\3rdparty\Inveigh.ps1
# Download and import Get-SQLServiceAccountPwHashes.ps1
# Source: https://github.com/NetSPI/PowerUpSQL/blob/master/scripts/pending/Get-SQLServiceAccountPwHashes.ps1
Import-Module C:\PowerUpSQL-master\Scripts\Pending\Get-SQLServiceAccountPwHashes.ps1
nullbind / DerbyCon2016 - SQL Server Data Discovery Demo
Last active September 16, 2019 04:58
DerbyCon2016 - SQL Server Data Discovery Demo
# One liner for finding potentially sensitive data in accessible databases based on column name
Get-SQLInstanceDomain -Verbose |
Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "credit,ssn,password" -SampleSize 2 -ValidateCC -NoDefaults |
Export-CSV -NoTypeInformation c:\temp\datasample.csv
# Get list of domain sql servers that can be logged into
$Targets = Get-SQLInstanceDomain -Verbose |
Get-SQLConnectionTestThreaded -Verbose -Threads 10 |
Where-Object {$_.Status -like "Accessible"}
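Keyword matching on column names finds "credit" columns full of order IDs as readily as card numbers, which is why the one-liner passes -ValidateCC to filter the sampled values. As an added example (not PowerUpSQL's own code), the function below implements the Luhn check that such a filter applies, then runs it over constructed rows shaped like the sample data the discovery cmdlet exports, so you can see which hits survive and which are noise. The row layout is an assumption for illustration.

```powershell
# Added example: Luhn validation as a false-positive filter for card-number discovery hits.
function Test-LuhnValid {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    # Strip separators; sampled data often carries dashes or spaces
    $digits = $Value -replace '[^0-9]', ''
    # Payment card PANs are 13 to 19 digits; anything else cannot be one
    if ($digits.Length -lt 13 -or $digits.Length -gt 19) { return $false }

    $sum = 0
    $double = $false
    # Walk right to left, doubling every second digit and folding results over 9
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$digits[$i]
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

# Constructed rows in the shape of Get-SQLColumnSampleData output (Instance/Database/Table/Column/Sample)
$samples = @(
    [pscustomobject]@{ Instance='SQL1\PROD'; Database='Shop';  Table='Orders';   Column='CreditCardNum'; Sample='4111-1111-1111-1111' },
    [pscustomobject]@{ Instance='SQL1\PROD'; Database='Shop';  Table='Orders';   Column='CreditCardNum'; Sample='378282246310005' },
    [pscustomobject]@{ Instance='SQL1\PROD'; Database='Shop';  Table='Orders';   Column='CreditLimitId'; Sample='1234567890123456' },
    [pscustomobject]@{ Instance='SQL2\DEV';  Database='CRM';   Table='Accounts'; Column='CreditScore';   Sample='712' }
)

$validated = $samples | ForEach-Object {
    $_ | Add-Member -NotePropertyName LuhnValid -NotePropertyValue (Test-LuhnValid -Value $_.Sample) -PassThru
}
$validated | Format-Table Instance, Database, Table, Column, Sample, LuhnValid -AutoSize

# Keep only rows that look like real PANs for the findings report
$validated | Where-Object LuhnValid
```

Luhn is a checksum, not proof: a 16-digit order number passes one time in ten, so treat a surviving hit as worth a manual look rather than a confirmed finding.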
nullbind / DerbyCon2016 - SQL Server Privilege Escalation Demo - Execute as Service Account
Last active September 16, 2019 04:58
DerbyCon2016 - SQL Server Privilege Escalation Demo - Execute as Service Account
# Determine which SQL Server instances on the domain the current Windows account can log into
# This time we store the discovery information as a variable so we can execute attacks against
# accessible SQL Servers without having to go through discovery against
# Note you can also filter out the "$" character to remove machine service accounts from the list
$Targets = Get-SQLInstanceDomain -Verbose |
Get-SQLConnectionTestThreaded -Verbose -Threads 10 |
Where-Object {$_.Status -like "Accessible"}
# Run operating system commands as the SQL Server service account.
# Note: This requires sysadmin privileges
nullbind / DerbyCon2016 - SQL Server Privilege Escalation Demo - Database Links
Last active June 16, 2020 15:44
DerbyCon2016 - SQL Server Privilege Escalation Demo - Database Links
nullbind / DerbyCon2016 - SQL Server Privilege Escalation Demo - Public to Sysadmin
Last active September 16, 2019 04:58
DerbyCon2016 - SQL Server Privilege Escalation Demo - Public to Sysadmin
# Import the module
Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1
# Discover domain SQL Servers, test access as the current domain user,
# and store a list of SQL Servers that they can log into
$Targets = Get-SQLInstanceDomain -Verbose |
Get-SQLConnectionTestThreaded -Verbose -Threads 10 |
Where-Object {$_.Status -like "Accessible"}
nullbind / DerbyCon2016 - SQL Server Discovery Demo
Created September 25, 2016 13:22
DerbyCon2016 - SQL Server Discovery Demo
# Import the module
Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1
# Discover local SQL Server instances
Get-SQLInstanceLocal -Verbose
# Discover SQL Server instances on the domain
Get-SQLInstanceDomain -Verbose | Format-Table -AutoSize
# Discover shared SQL Server service accounts