Skip to content

Password Recovery Functions

Scott Sutherland edited this page Jul 13, 2018 · 4 revisions

These functions are used for recovering authentication tokens of varous types. The roadmap for development is below. I've included a few links to standalone scripts that have not been integrated yet.

Function Name Description
Get-SQLRecoverPwAutoLogon Grab Windows auto login passwords from the registry through xp_regread.
Get-SQLServerPasswordHash Grab SQL Server login password hashes. This supports local admin privilege escalation via the -migrate switch.
Invoke-SQLUncPathInjection While running as a domain user this function will automatically do 4 things. 1. Identify SQL Servers on the domain via a LDAP query to a DC for SPNs. 2. Attempt to log into each. 3. Perform UNC path injection using various methods. 4. Attempt to capture the password hashes for the associated SQL Server service account.


Get-SQLRecoverPwCredential -	
Get-SQLRecoverPwServerLink -	
Get-SQLRecoverPWProxyAccount -	


Cheat Sheets

PowerUpSQL Blogs

PowerUpSQL Talks

PowerUpSQL Videos

Function Categories

Clone this wiki locally
You can’t perform that action at this time.