Version 3.7 – Comprehensive Enhancements And New Features In SQL Server Chain Execution Tool

• Complete refactor of code base.
• Updated documentation (code comments, README, and wiki)
• Execution against a linked SQL server chain. For example, if SQL01 has a link to SQL02, and SQL02, has a link to SQL03, and SQL03, has a link to PAYMENTS01. It is now possible to execute commands from SQL01 on PAYMENTS01 using the linked server chain (/link:SQL02,SQL03,PAYMENTS01 /chain). Credit to Azael Martin (n3rada).
• Removed ‘l‘ and ‘i‘ modules, and introduced context logic so module names can be the same across standard, impersonation, linked and chained execution.
• Added chain support to all linked modules.
• Added support for debug (/debug), which will display various debugging information and all SQL queries that will be executed by a module, without executing them.
• Added verbose (/verbose, /v), which will display all SQL queries that will be executed during module execution.
• Added timeout (/timeout, /t), which takes an integer value for SQL server database connection timeout.
• Improved links module to include detailed information. Credit to Azael Martin (n3rada).
• Improved whoami module to include Windows principals and database users. Credit to Azael Martin (n3rada).
• Improved impersonation module to include Windows principals and database users. Credit to Azael Martin (n3rada).
• Added IP address retrieval into the sqlspns enumeration module. Credit to Azael Martin (n3rada).
• Standardized console output to markdown where applicable. Credit to Azael Martin (n3rada).
• Added DNS support to /enum:info module.
• Added optional /subsystem argument to the olecmdexec module, which accepts execution using the CmdExec or PowerShell OLE automation subsystems.
• Updated test harnesses to reflect CLI changes and new modules.
• Changed AzureAD authentication to EntraID.

v3.6

• Execution against multiple SQL servers supplied in the /host or /h flag is now supported using comma separated values.
• Execution against multiple linked SQL servers supplied in the /link or /l flag is now supported using comma separated values.
• Changed /lhost to /link.
• Removed ‘s‘ modules and created the /s, /sccm switch for SCCM modules.
• Added impersonation support to all SCCM modules, with the exception of DecryptCredentials.
• Added a new enumeration (/enum) module called info which is able to used an unauthenticated context to obtain SQL server information, including instance name and TCP port using the UDP protocol.
• Moved argument logic into individual methods within ModuleHandler.cs to promote simplification and extensibility.
• Moved all SQL queries to Queries.cs.
• Created EnumerationModules.cs.
• Created FormatQuery.cs.
• Created SccmModules.cs.
• Renamed ModuleHandler.cs to SqlModules.cs.

v3.5

• Bug fix where linked adsi execution was not removing the LDAP server.
• Removed agent job execution from linked adsi, in favor of openquery/rpc.
• Changed /lhost to /adsi in in adsi module.
• Changed /rhost to /unc in smb module.
• Removed CaptureHash.cs and simplified logic.
• Removed SetEnumerationType.cs and simplified logic.
• Renamed Impersonation.cs to Impersonate.cs.
• Renamed OleCmdExec.cs to OleAutomation.cs.
• Renamed PrintUtils.cs to Print.cs.
• Renamed SQLServerInfo.cs to Info.cs.

v3.4

• Added impersonation support for smb module.
• Added impersonation support for info module.
• Added linked support for info module.