ποΈ Links β
In Microsoft SQL Server, databases can be linked together using linked servers, allowing for seamless querying and data integration across different SQL Server instances or even different database platforms. Enumerating these links can provide valuable insights during security assessments and pentesting activities.
π What are Linked Servers ? β
Linked servers allow SQL Server to execute commands against OLE DB data sources outside of the local instance. This capability is often used to run distributed queries, update, and merge operations across different data sources.
π° Enumerating Linked Servers β
Using the enum_links module, we can enumerate linked servers configured in a target MSSQL server. This enumeration can reveal additional targets and pivot points within the network.
enum_links;EXEC sp_linkedservers;EXEC sp_helpserver;π Switching Between Linked Servers β
After enumerating the linked servers, we can switch between them using the use_link command.
use_link [PRIMARY]However, permissions may prevent switching to certain linked servers. In such cases, itβs possible to access data from the linked server by querying it directly.
π Querying Linked Servers β
If weβre unable to switch to a linked server, we can still query its data directly by accessing its catalogs and databases. A catalog in SQL Server is essentially a collection of schemas and objects, such as tables and views, that belong to a specific database.
We can use the following command to access the catalogs on a specific server, such as datastore :
EXEC sp_catalogs @server_name = 'datastore';Once the catalogs are enumerated, we can query the linked server directly to list the tables within a specific database :
SELECT * FROM [datastore].[secretdb].INFORMATION_SCHEMA.TABLES;Finally, we can retrieve data from a linked table :
SELECT * FROM [datastore].[secretdb].[dbo].[users];