• Complete refactor of code base.
  • Updated documentation (code comments, README, and wiki)
  • Execution against a linked SQL server chain. For example, if SQL01 has a link to SQL02, SQL02 has a link to SQL03, and SQL03 has a link to PAYMENTS01, it is now possible to execute commands from SQL01 on PAYMENTS01 using the linked server chain (/link:SQL02,SQL03,PAYMENTS01 /chain). Credit to Azael Martin (n3rada).
  • Removed ‘l’ and ‘i’ modules, and introduced context logic so module names can be the same across standard, impersonation, linked and chained execution.
  • Added chain support to all linked modules.
  • Added support for debug (/debug), which will display various debugging information and all SQL queries that will be executed by a module, without executing them.
  • Added verbose (/verbose, /v), which will display all SQL queries that will be executed during module execution.
  • Added timeout (/timeout, /t), which takes an integer value for SQL server database connection timeout.
  • Improved links module to include detailed information. Credit to Azael Martin (n3rada).
  • Improved whoami module to include Windows principals and database users. Credit to Azael Martin (n3rada).
  • Improved impersonation module to include Windows principals and database users. Credit to Azael Martin (n3rada).
  • Added IP address retrieval into the sqlspns enumeration module. Credit to Azael Martin (n3rada).
  • Standardized console output to markdown where applicable. Credit to Azael Martin (n3rada).
  • Added DNS support to /enum:info module.
  • Added optional /subsystem argument to the olecmdexec module, which accepts execution using the CmdExec or PowerShell OLE automation subsystems.
  • Updated test harnesses to reflect CLI changes and new modules.
  • Changed AzureAD authentication to EntraID.


  • Execution against multiple SQL servers supplied in the /host or /h flag is now supported using comma separated values.
  • Execution against multiple linked SQL servers supplied in the /link or /l flag is now supported using comma separated values.
  • Changed /lhost to /link.
  • Removed ‘s’ modules and created the /s/sccm switch for SCCM modules.
  • Added impersonation support to all SCCM modules, with the exception of DecryptCredentials.
  • Added a new enumeration (/enum) module called info, which is able to use an unauthenticated context to obtain SQL server information, including instance name and TCP port, using the UDP protocol.
  • Moved argument logic into individual methods within ModuleHandler.cs to promote simplification and extensibility.
  • Moved all SQL queries to Queries.cs.
  • Created EnumerationModules.cs.
  • Created FormatQuery.cs.
  • Created SccmModules.cs.
  • Renamed ModuleHandler.cs to SqlModules.cs.


  • Bug fix where linked adsi execution was not removing the LDAP server.
  • Removed agent job execution from linked adsi, in favor of openquery/rpc.
  • Changed /lhost to /adsi in adsi module.
  • Changed /rhost to /unc in smb module.
  • Removed CaptureHash.cs and simplified logic.
  • Removed SetEnumerationType.cs and simplified logic.
  • Renamed Impersonation.cs to Impersonate.cs.
  • Renamed OleCmdExec.cs to OleAutomation.cs.
  • Renamed PrintUtils.cs to Print.cs.
  • Renamed SQLServerInfo.cs to Info.cs.


  • Added impersonation support for smb module.
  • Added impersonation support for info module.
  • Added linked support for info module.

