  • Several enhancements like encryption enforcement and default instance checks added by LuemmelSec · Pull Request #87 · NetSPI/PowerUpSQL · GitHub

    Several enhancements like encryption enforcement and default instance checks added#87

    Open
LuemmelSec wants to merge 31 commits into NetSPI:master from LuemmelSec:master

    Conversation

    @LuemmelSec

    I was looking at https://github.com/CompassSecurity/mssqlrelay to see if it can extend my workflow when auditing MSSQL environments and indeed it had some nice additions to it.

    Vibecoded a lot of new nice features to PowerUpSQL.

    Encryption Enforcement Detection

    Added ability to detect SQL Server instances that do not enforce encryption, making them vulnerable to NTLM relay attacks. Uses TDS pre-login packet inspection matching mssqlrelay methodology.

    New Function: Get-SQLEncryptionStatus

    Tests a specific SQL Server instance for encryption enforcement.

    Get-SQLEncryptionStatus -Instance 'sqlserver.domain.com,1433' -TimeOut 10 -Verbose

    Returns: EncryptionEnforced: Yes/No/Unknown

    Enhanced Instance Discovery for Get-SQLInstanceDomain

    Domain SPN queries often miss instances on default port 1433 and named instances on dynamic ports.

    New Parameters

    • -CheckEncryption - Test encryption enforcement on discovered instances
    • -CheckDefaultInstance - Always test default port 1433 (catches instances not in SPNs)
    • -DiscoverDynamicPorts - Use UDP SQL Browser (port 1434) to discover all instances dynamically
    • -QuickAudit - Perform security audit (login, version, database, privileges, xp_ access)
    • -SQLUsername / -SQLPassword - SQL Server authentication for QuickAudit

    QuickAudit Output Columns

    When -QuickAudit is enabled, adds: LoginSuccess, Version, CurrentLogin, CurrentDatabase, IsSysadmin, HasXpDirtree, HasXpFileexist, HasXpCmdshell

    Example Usage

    All switches can be combined:

    # Complete assessment with Windows Authentication
    Get-SQLInstanceDomain -CheckDefaultInstance -DiscoverDynamicPorts -CheckEncryption -QuickAudit -Verbose
    
    # Complete assessment with SQL Authentication
    Get-SQLInstanceDomain -CheckDefaultInstance -DiscoverDynamicPorts -CheckEncryption -QuickAudit -SQLUsername 'auditor' -SQLPassword 'P@ssw0rd' -Verbose
    
    # From non-domain system: use runas /netonly first
    runas /netonly /user:DOMAIN\username PowerShell.exe
    # Then run the command above

    Excel Export

    $Assessment = Get-SQLInstanceDomain -CheckDefaultInstance -DiscoverDynamicPorts -CheckEncryption -QuickAudit -SQLUsername 'user' -SQLPassword 'pass' -Verbose
    $Assessment | Export-Excel -Path "SQL_Assessment.xlsx" -AutoSize -AutoFilter -FreezeTopRow

    Implementation Notes

    • TDS pre-login packets for encryption detection (no authentication required)
    • xp_ checks use HAS_PERMS_BY_NAME() for permissions (no execution to avoid hangs)
    • 5-10 second timeouts on all network operations
    • Automatic deduplication of instances from multiple discovery sources
    • Works from non-domain systems via runas /netonly
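The TDS pre-login exchange the description relies on, as an added Python example (not code from this PR, from PowerUpSQL or from mssqlrelay): the client advertises ENCRYPT_NOT_SUP, and a server with Force Encryption enabled must answer ENCRYPT_REQ, which is what "EncryptionEnforced: Yes" means. Option layout follows MS-TDS 2.2.6.5; the sample packets are constructed with the same builder, and no login is ever attempted.

```python
"""Decode the ENCRYPTION option of a TDS PRELOGIN packet (MS-TDS 2.2.6.5)."""
import socket
import struct

TDS_PRELOGIN = 0x12                      # TDS header packet type for PRELOGIN
OPT_VERSION, OPT_ENCRYPTION, OPT_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPT_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}

def build_prelogin(encryption=0x02, packet_type=TDS_PRELOGIN):
    """Build a PRELOGIN packet carrying a VERSION and an ENCRYPTION option.
    The client default ENCRYPT_NOT_SUP (0x02) forces an enforcing server to
    reply ENCRYPT_REQ; other values are used here only to construct samples."""
    version = bytes([0x0F, 0x00, 0x10, 0x00, 0x00, 0x00])   # arbitrary version field
    opts = [(OPT_VERSION, version), (OPT_ENCRYPTION, bytes([encryption]))]
    offset = 5 * len(opts) + 1               # option tokens plus the 0xFF terminator
    tokens, data = b"", b""
    for opt, val in opts:
        tokens += struct.pack(">BHH", opt, offset, len(val))   # type, offset, length
        data += val
        offset += len(val)
    payload = tokens + bytes([OPT_TERMINATOR]) + data
    # 8-byte TDS header: type, status (EOM), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", packet_type, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

def parse_prelogin(packet):
    """Return {option_type: value_bytes} for a PRELOGIN request or response."""
    payload = packet[8:]                      # skip the TDS header
    options, pos = {}, 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        opt, off, length = struct.unpack_from(">BHH", payload, pos)
        options[opt] = payload[off:off + length]
        pos += 5
    return options

def encryption_enforced(response):
    """Classify a server reply as Yes/No/Unknown, like Get-SQLEncryptionStatus."""
    enc = parse_prelogin(response).get(OPT_ENCRYPTION)
    if not enc:
        return "Unknown"
    flag = enc[0] & 0x7F                      # drop the ENCRYPT_CLIENT_CERT bit (0x80)
    if flag == 0x03:
        return "Yes"                          # ENCRYPT_REQ: Force Encryption is on
    return "No" if flag in ENCRYPT_NAMES else "Unknown"

def probe(host, port=1433, timeout=10):
    """Send one PRELOGIN over TCP and classify the reply; the socket is then closed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        return encryption_enforced(sock.recv(4096))

# Constructed samples: a server that forces encryption and one that does not
SAMPLE_FORCED = build_prelogin(0x03, packet_type=0x04)    # server reply type is 0x04
SAMPLE_OPTIONAL = build_prelogin(0x02, packet_type=0x04)
```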

    Added a -CheckEncryption switch to Get-SQLInstanceDomain