

Update Discover-PSMSSQLServers
Now includes service account associated with SQL server.
PyroTek3 committed Jan 3, 2015
1 parent 50d319f commit 6e547a7
Showing 1 changed file with 60 additions and 5 deletions.
65 changes: 60 additions & 5 deletions Discover-PSMSSQLServers
Expand Up @@ -6,20 +6,22 @@ function Discover-PSMSSQLServers
This script is used to discover Microsoft SQL servers without port scanning.
SQL discovery in the Active Directory Forest is performed by querying an Active Directory Gloabl Catalog via ADSI.

PowerSploit Function: Discover-PSMSSQLServers
Discover-PSMSSQLServers
Author: Sean Metcalf, Twitter: @PyroTek3
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

Version: 1.7
Last Updated: 1/03/2015
Version: 2.2

.DESCRIPTION
This script is used to discover Microsoft SQL servers in the Active Directory Forest.

Currently, the script performs the following actions:
* Queries a Global Catalog in the Active Directory root domain for all Microsoft SQL SPNs in the forest
* Displays the Microsoft SQL server FQDNs ports and instances
* Identifies any service accounts associated with the SQL instance and includes the account info

REQUIRES: Active Directory user authentication. Standard user access is fine - admin access is not necessary.

Expand Down Expand Up @@ -52,7 +54,7 @@ $ADDomainInfoLGCDN = 'GC://' + $ADForestInfoRootDomainDN
Write-Verbose "Discovering Microsoft SQL Servers in the AD Forest $ADForestInfoRootDomainDN "
$root = [ADSI]$ADDomainInfoLGCDN
$ADSearcher = new-Object System.DirectoryServices.DirectorySearcher($root,"(serviceprincipalname=mssql*)")
$ADSearcher.PageSize = 500
$ADSearcher.PageSize = 50000
$AllADSQLServerSPNs = $ADSearcher.FindAll()

$AllADSQLServerSPNsCount = $AllADSQLServerSPNs.Count
Expand All @@ -61,6 +63,7 @@ Write-Output "Processing $AllADSQLServerSPNsCount (user and computer) accounts w

$AllMSSQLSPNs = $NULL
$AllMSSQLSPNHashTable =@{}
$AllMSSQLServiceAccountHashTable =@{}
ForEach ($AllADSQLServerSPNsItem in $AllADSQLServerSPNs)
{
$AllADSQLServerSPNsItemDomainName = $NULL
Expand All @@ -78,6 +81,10 @@ ForEach ($AllADSQLServerSPNsItem in $AllADSQLServerSPNs)
{
IF ( ($ADSISQLServersItemSPN -like "MSSQL*") -AND ($ADSISQLServersItemSPN -like "*:*") )
{
IF ($AllADSQLServerSPNsItem.properties.objectcategory -like "CN=Person*")
{
$AllMSSQLServiceAccountHashTable.Set_Item($ADSISQLServersItemSPNServerFQDN,$AllADSQLServerSPNsItem.properties.distinguishedname)
}
$ADSISQLServersItemSPNArray1 = $ADSISQLServersItemSPN -Split("/")
$ADSISQLServersItemSPNArray2 = $ADSISQLServersItemSPNArray1 -Split(":")
[string]$ADSISQLServersItemSPNServerFQDN = $ADSISQLServersItemSPNArray2[1]
Expand Down Expand Up @@ -108,6 +115,8 @@ ForEach ($AllMSSQLSPNsItem in $AllMSSQLSPNHashTable.GetEnumerator())
{
$AllMSSQLSPNsItemServerDomainName = $NULL
$AllMSSQLSPNsItemServerDomainDN = $NULL
$AllMSSQLSPNsItemServiceAccountDN = $NULL
$AllMSSQLSPNsItemServiceAccountDomainDN = $NULL

$AllMSSQLSPNsItemServerFQDN = $AllMSSQLSPNsItem.Name
#[array]$AllMSSQLServerFQDNs += $AllMSSQLSPNsItemServerFQDN
Expand All @@ -131,6 +140,42 @@ ForEach ($AllMSSQLSPNsItem in $AllMSSQLSPNHashTable.GetEnumerator())

$AllMSSQLSPNsItemServerName = $AllMSSQLSPNsItemServerFQDN -Replace(("."+$AllMSSQLSPNsItemServerDomainName),"")

$AllMSSQLSPNsItemServiceAccountDN = $AllMSSQLServiceAccountHashTable.Get_Item($AllMSSQLSPNsItemServerFQDN)
IF ($AllMSSQLSPNsItemServiceAccountDN)
{
$AllMSSQLSPNsItemServiceAccountDNArray = $AllMSSQLSPNsItemServiceAccountDN -Split(",")
ForEach ($AllMSSQLSPNsItemServiceAccountDNArrayItem in $AllMSSQLSPNsItemServiceAccountDNArray)
{
IF ($AllMSSQLSPNsItemServiceAccountDNArrayItem -like 'DC=*')
{ [string]$AllMSSQLSPNsItemServiceAccountDomainDN += "$AllMSSQLSPNsItemServiceAccountDNArrayItem," }

}
$AllMSSQLSPNsItemServiceAccountDomainDN = $AllMSSQLSPNsItemServiceAccountDomainDN.Substring(0,$AllMSSQLSPNsItemServiceAccountDomainDN.Length-1)

$AllMSSQLSPNsItemServiceAccountDomainLDAPDN = "LDAP://$AllMSSQLSPNsItemServiceAccountDomainDN"

$ADServiceAccountSearch = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$ADServiceAccountSearch.SearchRoot = $AllMSSQLSPNsItemServiceAccountDomainLDAPDN
$ADServiceAccountSearch.PageSize = 50000
$ADServiceAccountSearch.Filter = "distinguishedname=$AllMSSQLSPNsItemServiceAccountDN"
$ADServiceAccountSearchInfo = $ADServiceAccountSearch.FindAll()



[string]$ADServiceAccountSAMAccountName = $ADServiceAccountInfo[0].Properties.samaccountname
[string]$ADServiceAccountdescription = $ADServiceAccountSearchInfo[0].Properties.description
[string]$ADServiceAccountpwdlastset = $ADServiceAccountSearchInfo[0].Properties.pwdlastset
[string]$ADServiceAccountPasswordLastSetDate = [datetime]::FromFileTimeUTC($ADServiceAccountpwdlastset)
[string]$ADServiceAccountlastlogon = $ADServiceAccountSearchInfo[0].Properties.lastlogon
[string]$ADServiceAccountLastLogonDate = [datetime]::FromFileTimeUTC($ADServiceAccountlastlogon)

$ADServiceAccountadmincount = $ADServiceAccountSearchInfo[0].Properties.admincount

[string]$ADServiceAccountDistinguishedName = $ADServiceAccountSearchInfo[0].Properties.distinguishedname
$ADServiceAccountLDAPDN = "LDAP://"+$ADServiceAccountDistinguishedName
$ADServiceAccountInfo = ([adsi] $ADServiceAccountLDAPDN)

}
ForEach ($AllMSSQLSPNsItemInstancePortArrayItem in $AllMSSQLSPNsItemInstancePortArray)
{
$AllMSSQLSPNsItemServerPort = $NULL
Expand All @@ -147,20 +192,21 @@ ForEach ($AllMSSQLSPNsItem in $AllMSSQLSPNHashTable.GetEnumerator())

$SQLServerReport | Add-Member -MemberType NoteProperty -Name Port -Value $AllMSSQLSPNsItemServerPort
$SQLServerReport | Add-Member -MemberType NoteProperty -Name Instance -Value $AllMSSQLSPNsItemServerInstance
$SQLServerReport | Add-Member -MemberType NoteProperty -Name ServiceAccountDN -Value $AllMSSQLSPNsItemServiceAccountDN

TRY
{
$ADComputerSearch = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$ADComputerSearch.SearchRoot = $AllMSSQLSPNsItemServerDomainLDAPDN
$ADComputerSearch.PageSize = 500
$ADComputerSearch.PageSize = 50000
$ADComputerSearch.Filter = "(&(objectCategory=Computer)(name=$AllMSSQLSPNsItemServerName))"
$ADComputerSearchInfo = $ADComputerSearch.FindAll()

[string]$ComputerADInfoLastLogonTimestamp = ($ADComputerSearchInfo[0].properties.lastlogontimestamp)
TRY { [datetime]$ComputerADInfoLLT = [datetime]::FromFileTime($ComputerADInfoLastLogonTimestamp) }
CATCH { }

$ComputerADInfo.Values
#$ComputerADInfo.Values

$SQLServerReport | Add-Member -MemberType NoteProperty -Name OperatingSystem -Value ($ADComputerSearchInfo[0].properties.operatingsystem)
$SQLServerReport | Add-Member -MemberType NoteProperty -Name OSServicePack -Value ($ADComputerSearchInfo[0].properties.operatingsystemservicepack)
Expand All @@ -170,11 +216,20 @@ ForEach ($AllMSSQLSPNsItem in $AllMSSQLSPNHashTable.GetEnumerator())
}
CATCH { }

IF ($AllMSSQLSPNsItemServiceAccountDN)
{
$SQLServerReport | Add-Member -MemberType NoteProperty -Name SrvAcctUserID -Value $ADServiceAccountSAMAccountName
$SQLServerReport | Add-Member -MemberType NoteProperty -Name SrvAcctDescription -Value $ADServiceAccountdescription
#$SQLServerReport | Add-Member -MemberType NoteProperty -Name SrvAcctPasswordLastSet -Value $ADServiceAccountPasswordLastSetDate
#$SQLServerReport | Add-Member -MemberType NoteProperty -Name SAadmincount -Value $ADServiceAccountadmincount
}

[array]$ALLSQLServerReport += $SQLServerReport
}
}

# Find all SQL service account that may be a domain-level admin in the domain
# $ALLSQLServerReport | Where {$_.SAadmincount -eq 1} | select ServerName,SrvAcctUserID,SrvAcctPasswordLastSet,SrvAcctDescription | sort SrvAcctUserID -unique | format-table -auto
return $ALLSQLServerReport

}
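Review bot: The service-account map is written before its key is computed — `$AllMSSQLServiceAccountHashTable.Set_Item($ADSISQLServersItemSPNServerFQDN,$AllADSQLServerSPNsItem.properties.distinguishedname)` inside the new `IF ($AllADSQLServerSPNsItem.properties.objectcategory -like "CN=Person*")` block runs before `[string]$ADSISQLServersItemSPNServerFQDN = $ADSISQLServersItemSPNArray2[1]` parses the FQDN three lines later, so the entry lands under the previous SPN's FQDN (or under no usable key on the first SPN) and the account is attributed to the wrong server; moving that IF block below the FQDN assignment fixes it. In the later hunk, `[string]$ADServiceAccountSAMAccountName = $ADServiceAccountInfo[0].Properties.samaccountname` reads `$ADServiceAccountInfo`, which is only assigned at the end of that same block, so SrvAcctUserID is empty or carried over from the previous server; it should be `[string]$ADServiceAccountSAMAccountName = $ADServiceAccountSearchInfo[0].Properties.samaccountname` like the description/pwdlastset lines beneath it. The DN is also interpolated unescaped into `$ADServiceAccountSearch.Filter = "distinguishedname=$AllMSSQLSPNsItemServiceAccountDN"`; a DN containing `(`, `)`, `*` or `\` needs LDAP filter escaping, otherwise the search presumably returns nothing and the unguarded `[0]` reads that follow fail. The enclosing ForEach loops and the function itself start outside these hunks.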
