
AD Enumeration

Check

-- Login (server principal) the current session is authenticated as.
SELECT SYSTEM_USER;

RID Brute

# Enumerate RIDs through the MSSQL service; --local-auth authenticates with a
# SQL Server login rather than a Windows/domain account. The password is quoted
# so the shell never interprets the trailing "!".
nxc mssql 10.129.181.153 --local-auth -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute

AD Enumeration

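-- Session identity: the login (server principal) and the database user it maps to.
SELECT SYSTEM_USER;
SELECT USER_NAME();

-- Members of the fixed server role 'sysadmin' (unrestricted control of the instance).
-- Ordered so repeated runs produce the same listing.
SELECT
    r.name AS role,
    m.name AS member
FROM sys.server_principals AS r
INNER JOIN sys.server_role_members AS rm
    ON rm.role_principal_id = r.principal_id
INNER JOIN sys.server_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- Windows domain the instance's host belongs to.
SELECT DEFAULT_DOMAIN();

-- SID of the domain Administrator account as a hex string ("0x..."); replace {domain}
-- with the real NetBIOS domain name or SUSER_SID returns NULL.
-- T-SQL string literals do not escape backslashes, so a single '\' is correct when this
-- runs directly in a SQL client; '\\' is only needed if the line is templated through a
-- language that unescapes it first.
SELECT sys.fn_varbintohexstr(SUSER_SID('{domain}\Administrator'));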

SID Conversion (Python)

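# Python hex SID converter
def sid_from_hex(hexs: str) -> str:
    """Convert a binary SID given as a hex string into its ``S-R-I-S...`` text form.

    Accepts the ``0x``-prefixed string that ``sys.fn_varbintohexstr`` returns as well
    as bare hex; whitespace and other non-hex separators are ignored.

    Args:
        hexs: hex encoding of a SID: revision (1 byte), sub-authority count (1 byte),
            identifier authority (6 bytes, big-endian), then the sub-authorities
            (4 bytes each, little-endian).

    Returns:
        The SID in string form, e.g. ``S-1-5-32-544``.

    Raises:
        ValueError: if the hex has an odd number of digits, is shorter than the
            8-byte header, or its length does not match the sub-authority count
            it declares.
    """
    cleaned = hexs.strip()
    # fn_varbintohexstr returns "0x...". Filtering out only the "x" would leave a
    # stray leading "0" that shifts every nibble (and makes the length odd), so
    # remove the whole prefix before filtering.
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    cleaned = "".join(c for c in cleaned if c.lower() in "0123456789abcdef")
    raw = bytes.fromhex(cleaned)
    if len(raw) < 8:
        raise ValueError("SID is shorter than the 8-byte header")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError(
            "SID length %d does not match %d sub-authorities" % (len(raw), sub_count)
        )
    authority = int.from_bytes(raw[2:8], "big")
    sub_authorities = [
        int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(sub_count)
    ]
    return "S-%d-%d%s" % (
        revision,
        authority,
        "".join("-%d" % s for s in sub_authorities),
    )


if __name__ == "__main__":
    print(sid_from_hex(input("Enter hex sid:")))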