File: README.md
Lines changed: 29 additions & 48 deletions
@@ -222,17 +222,13 @@ Each authentication below generates log entries on the target system.
222
222
| WinRM login | SQL Server host | NTLM or Basic auth | Logged as a Windows authentication event |**Only `test-epa-matrix` subcommand**|
223
223
| WMI/DCOM login | SQL Server host | Current user's Windows credentials | Logged as a DCOM authentication event |**Windows only**, during local group enumeration |
224
224
225
-
## Subprocesses Executed
226
-
227
-
MSSQLHound spawns local `powershell.exe` processes as fallbacks when native Go clients fail. All subprocesses run on the **operator's machine**, not on targets (except WinRM remote execution).
228
-
229
-
| Executable | Arguments | Purpose | Conditions |
230
-
|------------|-----------|---------|------------|
231
-
|`powershell.exe`|`-NoProfile -NonInteractive -Command <script>`| SQL query execution via `System.Data.SqlClient`| Windows only. Fallback when Go TDS driver fails with "untrusted domain" error. **Not used when `--proxy` is set.**|
232
-
|`powershell.exe`|`-NoProfile -NonInteractive -Command <script>`| SPN enumeration via `[adsisearcher]` (ADSI) | Windows only. Fallback when Go LDAP client fails. |
233
-
|`powershell.exe`|`-NoProfile -NonInteractive -Command <script>`| Domain computer enumeration via `[adsisearcher]` (ADSI) | Windows only. Fallback when Go LDAP client fails. |
234
-
|`powershell.exe`|`-NoProfile -NonInteractive -Command <script>`| SPN lookup by hostname via `[adsisearcher]` (ADSI) | Windows only. Fallback when Go LDAP client fails. |
235
-
|`powershell.exe`|`-NoProfile -NonInteractive -EncodedCommand <base64>`| Remote PowerShell via WinRM: EPA registry configuration and SQL service restart on target host |**Only `test-epa-matrix` subcommand.** Executes on the remote target via WinRM. |
225
+
## Subprocesses Executed
226
+
227
+
MSSQLHound does not spawn local `powershell.exe` processes as collection fallbacks. The only PowerShell command constructed by the Go binary is sent through WinRM for the EPA matrix workflow.
228
+
229
+
| Executable | Arguments | Purpose | Conditions |
230
+
|------------|-----------|---------|------------|
231
+
|`powershell.exe`|`-NoProfile -NonInteractive -EncodedCommand <base64>`| Remote PowerShell via WinRM: EPA registry configuration and SQL service restart on target host |**Only `test-epa-matrix` subcommand.** Executes on the remote target via WinRM. |
236
232
237
233
## SQL Queries Executed on Targets
238
234
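Review bot: The heading `## Subprocesses Executed` no longer matches what the section says: the only remaining row, `powershell.exe` with `-NoProfile -NonInteractive -EncodedCommand <base64>`, executes on the remote target via WinRM, so after this change the Go binary spawns no local subprocess at all, yet the new lead sentence only rules out local PowerShell "as collection fallbacks". Say it plainly, e.g. "MSSQLHound spawns no local subprocesses in any mode; the single `powershell.exe` invocation below runs on the target host during `test-epa-matrix`", and consider renaming the heading to reflect remote execution, so readers planning process-creation monitoring or an OPSEC review are not left to infer that from a table whose `Executable` column still reads as local.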
@@ -359,9 +355,8 @@ The original MSSQLHound PowerShell script is an excellent tool for SQL Server se
359
355
-**Single Binary**: No dependencies, easy to deploy and run
360
356
-**No PowerShell Required**: Can run on systems without PowerShell installed
361
357
362
-
### Compatibility
363
-
-**PowerShell Fallback**: When the native Go SQL driver fails (e.g., certain SSPI configurations), automatically falls back to PowerShell's `System.Data.SqlClient` for maximum compatibility
-**Strongly Typed**: Go's type system catches errors at compile time
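Review bot: Removing the `### Compatibility` heading together with the `-**PowerShell Fallback**` bullet leaves `-**Strongly Typed**: Go's type system catches errors at compile time` sitting directly under the heading that already holds `Single Binary` and `No PowerShell Required`; check that the bullet reads correctly under that heading (it is a language-design point, not a deployment point) or give it a heading of its own. The retained `-**No PowerShell Required**` bullet is now accurate rather than aspirational, which is worth a mention in the commit message.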
@@ -371,12 +366,11 @@ The original MSSQLHound PowerShell script is an excellent tool for SQL Server se
371
366
## Features
372
367
373
368
-**SQL Server Collection**: Enumerates server principals (logins, server roles), databases, database principals (users, roles), permissions, and role memberships
374
-
-**Linked Server Discovery**: Maps SQL Server linked server relationships
375
-
-**Active Directory Integration**: Resolves Windows logins to domain principals via LDAP
376
-
-**BloodHound Output**: Produces OpenGraph JSON format compatible with BloodHound CE
377
-
-**Streaming Output**: Memory-efficient streaming JSON writer for large environments
378
-
-**Automatic Fallback**: Falls back to PowerShell for servers with SSPI issues
379
-
-**LDAP Paging**: Handles large domains with thousands of computers/SPNs
369
+
-**Linked Server Discovery**: Maps SQL Server linked server relationships
370
+
-**Active Directory Integration**: Resolves Windows logins to domain principals via LDAP
371
+
-**BloodHound Output**: Produces OpenGraph JSON format compatible with BloodHound CE
372
+
-**Streaming Output**: Memory-efficient streaming JSON writer for large environments
373
+
-**LDAP Paging**: Handles large domains with thousands of computers/SPNs
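Review bot: This hunk deletes and re-adds five bullets verbatim (`Linked Server Discovery`, `Active Directory Integration`, `BloodHound Output`, `Streaming Output`, `LDAP Paging`) when the only substantive change is dropping `-**Automatic Fallback**: Falls back to PowerShell for servers with SSPI issues`; that pattern usually means a line-ending or trailing-whitespace change and makes the real edit hard to verify in review. Re-save the file with its original line endings so the diff shows the single removed line, and confirm that none of the re-added bullet text changed in the process.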
If all native strategies fail, the connection error is returned directly.
763
755
764
756
### LDAP Connection Methods
765
757
766
758
The Go version tries multiple LDAP connection methods in order:
767
759
768
-
1.**LDAPS (port 636)** - TLS encrypted, most secure
769
-
2.**LDAP + StartTLS (port 389)** - Upgrade to TLS
770
-
3.**Plain LDAP (port 389)** - Unencrypted (may fail if DC requires signing)
771
-
4.**PowerShell/ADSI Fallback** - Windows COM-based fallback
760
+
1.**LDAPS (port 636)** - TLS encrypted, most secure
761
+
2.**LDAP + StartTLS (port 389)** - Upgrade to TLS
762
+
3.**Plain LDAP (port 389)** - Unencrypted (may fail if DC requires signing)
763
+
764
+
For `--scan-all-computers` on Windows with implicit LDAP authentication, computer enumeration may use in-process Go ADSI if LDAP computer enumeration fails. This path does not launch PowerShell.
772
765
773
766
## CVE Detection
774
767
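Review bot: The paragraph added after the list reintroduces a fourth path ("in-process Go ADSI" for `--scan-all-computers` on Windows with implicit LDAP authentication) that the numbered list above no longer shows, and hedges with "may use" without stating the trigger. Spell out the condition, and since ADSI still binds to a domain controller as the current Windows user, add that path to the authentication/log-entry table earlier in the README next to the WMI/DCOM row, so operators and defenders know which accounts and hosts it touches. "This path does not launch PowerShell." is exactly the kind of explicit statement this README needs; keep it.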
@@ -827,18 +820,7 @@ Some SQL Server instances with specific SSPI configurations may fail to connect
827
820
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication
828
821
```
829
822
830
-
**Automatic Handling:** The Go version detects this error and automatically retries using PowerShell's `System.Data.SqlClient`, which handles these edge cases more reliably. This fallback requires PowerShell to be available on the system.
831
-
832
-
### PowerShell Fallback Limitations
833
-
834
-
The PowerShell fallback for SQL connections and AD enumeration requires:
835
-
- Windows operating system
836
-
- PowerShell execution not blocked by security policy
837
-
- Access to `System.Data.SqlClient` (.NET Framework)
838
-
839
-
If PowerShell is blocked (e.g., `Access is denied` error), the fallback will not work. In this case:
840
-
- For SQL connections: Some servers may not be reachable
841
-
- For AD enumeration: Use explicit LDAP credentials instead
823
+
There is no local PowerShell retry path for this condition. Check domain trust, SPN selection, EPA settings, and the selected authentication method; use SQL authentication or explicit Kerberos material where appropriate.
842
824
843
825
### When to Use LDAP Credentials
844
826
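Review bot: The replacement paragraph drops the concrete remediation the old text offered (`For AD enumeration: Use explicit LDAP credentials instead`) and substitutes a checklist that names no options: "SQL authentication" and "explicit Kerberos material" should point at the README's actual flags for those modes, and "Check domain trust, SPN selection, EPA settings" should say what to look for (for instance the SPN the client chose, which the `-v`/`--verbose` output described below is meant to surface). Otherwise a user who hits `Login failed. The login is from an untrusted domain` has lost the only actionable step this section gave; at minimum refer forward to `### When to Use LDAP Credentials`, which still follows this paragraph.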
@@ -872,11 +854,10 @@ Use `-v` or `--verbose` to see detailed connection attempts and errors: