
Several enhancements like encryption enforcement and default instance checks added#87

Open
LuemmelSec wants to merge 31 commits into NetSPI:master from LuemmelSec:master

Conversation

@LuemmelSec

I was looking at https://github.com/CompassSecurity/mssqlrelay to see if it can extend my workflow when auditing MSSQL environments and indeed it had some nice additions to it.

Vibecoded a lot of new nice features to PowerUpSQL.

Encryption Enforcement Detection

Added ability to detect SQL Server instances that do not enforce encryption, making them vulnerable to NTLM relay attacks. Uses TDS pre-login packet inspection matching mssqlrelay methodology.

New Function: Get-SQLEncryptionStatus

Tests a specific SQL Server instance for encryption enforcement.

Get-SQLEncryptionStatus -Instance 'sqlserver.domain.com,1433' -TimeOut 10 -Verbose

Returns: EncryptionEnforced: Yes/No/Unknown

Enhanced Instance Discovery for Get-SQLInstanceDomain

Domain SPN queries often miss instances on default port 1433 and named instances on dynamic ports.

New Parameters

  • -CheckEncryption - Test encryption enforcement on discovered instances
  • -CheckDefaultInstance - Always test default port 1433 (catches instances not in SPNs)
  • -DiscoverDynamicPorts - Use UDP SQL Browser (port 1434) to discover all instances dynamically
  • -QuickAudit - Perform security audit (login, version, database, privileges, xp_ access)
  • -SQLUsername / -SQLPassword - SQL Server authentication for QuickAudit

QuickAudit Output Columns

When -QuickAudit is enabled, adds: LoginSuccess, Version, CurrentLogin, CurrentDatabase, IsSysadmin, HasXpDirtree, HasXpFileexist, HasXpCmdshell

Example Usage

All switches can be combined:

# Complete assessment with Windows Authentication
Get-SQLInstanceDomain -CheckDefaultInstance -DiscoverDynamicPorts -CheckEncryption -QuickAudit -Verbose

# Complete assessment with SQL Authentication
Get-SQLInstanceDomain -CheckDefaultInstance -DiscoverDynamicPorts -CheckEncryption -QuickAudit -SQLUsername 'auditor' -SQLPassword 'P@ssw0rd' -Verbose

# From non-domain system: use runas /netonly first
runas /netonly /user:DOMAIN\username PowerShell.exe
# Then run the command above

Excel Export

$Assessment = Get-SQLInstanceDomain -CheckDefaultInstance -DiscoverDynamicPorts -CheckEncryption -QuickAudit -SQLUsername 'user' -SQLPassword 'pass' -Verbose
$Assessment | Export-Excel -Path "SQL_Assessment.xlsx" -AutoSize -AutoFilter -FreezeTopRow

Implementation Notes

  • TDS pre-login packets for encryption detection (no authentication required)
  • xp_ checks use HAS_PERMS_BY_NAME() for permissions (no execution to avoid hangs)
  • 5-10 second timeouts on all network operations
  • Automatic deduplication of instances from multiple discovery sources
  • Works from non-domain systems via runas /netonly

Added a -CheckEncryption switch to Get-SQLInstanceDomain
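For readers who want to see what the "TDS pre-login packet inspection" behind Get-SQLEncryptionStatus amounts to, here is a stand-alone PowerShell version written for this page (not PowerUpSQL's or mssqlrelay's code) that a DBA can point at their own instances to confirm that Force Encryption is actually switched on. It assumes the PRELOGIN layout and the ENCRYPTION option values from the MS-TDS specification, and the function and parameter names are chosen here, not taken from the project.

```powershell
function Read-TdsBytes($Stream, [int] $Count) {
    # Read exactly $Count bytes; NetworkStream.Read may return short reads.
    $buf = New-Object byte[] $Count; $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw 'connection closed before the full TDS packet arrived' }
        $got += $n
    }
    return ,$buf
}

function Get-TdsEncryptionEnforcement {
    param([Parameter(Mandatory)] [string] $ComputerName, [int] $Port = 1433, [int] $TimeoutMs = 5000)
    # PRELOGIN body (MS-TDS): 5-byte option entries (token, BE offset, BE length), 0xFF, then data.
    # Tokens: 0x00 VERSION(6) 0x01 ENCRYPTION(1) 0x02 INSTOPT(1) 0x03 THREADID(4) 0x04 MARS(1).
    # Offsets are relative to the body start; data begins at 26 (5 entries * 5 bytes + terminator).
    [byte[]] $body = @(
        0x00, 0x00,0x1A, 0x00,0x06,  0x01, 0x00,0x20, 0x00,0x01,  0x02, 0x00,0x21, 0x00,0x01,
        0x03, 0x00,0x22, 0x00,0x04,  0x04, 0x00,0x26, 0x00,0x01,  0xFF,
        0x0C,0x00,0x10,0x00,0x00,0x00,  # VERSION: arbitrary client version/subbuild
        0x02,                           # ENCRYPTION = ENCRYPT_NOT_SUP: client offers no TLS
        0x00,                           # INSTOPT: empty instance name
        0x00,0x00,0x00,0x00,            # THREADID
        0x00)                           # MARS off
    $len = 8 + $body.Length
    # TDS header: 0x12 PRELOGIN, 0x01 end-of-message, BE length, SPID 0, packet id 1, window 0
    [byte[]] $packet = @(0x12, 0x01, [byte]($len -shr 8), [byte]($len -band 0xFF), 0, 0, 1, 0) + $body

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) { return 'Unknown' }
        $stream = $client.GetStream(); $stream.ReadTimeout = $TimeoutMs
        $stream.Write($packet, 0, $packet.Length)
        $hdr = Read-TdsBytes $stream 8
        $payload = Read-TdsBytes $stream ((([int]$hdr[2] -shl 8) -bor [int]$hdr[3]) - 8)
        # Walk the server's option table; its ENCRYPTION (0x01) entry states the server policy.
        for ($i = 0; ($i + 4) -lt $payload.Length -and $payload[$i] -ne 0xFF; $i += 5) {
            if ($payload[$i] -ne 0x01) { continue }
            $off = ([int]$payload[$i+1] -shl 8) -bor [int]$payload[$i+2]
            if ($off -ge $payload.Length) { return 'Unknown' }
            switch ([int]$payload[$off]) {
                3       { return 'Yes' }   # ENCRYPT_REQ: server refuses a cleartext login
                0       { return 'No'  }   # ENCRYPT_OFF
                2       { return 'No'  }   # ENCRYPT_NOT_SUP: server will continue unencrypted
                default { return 'Unknown' }
            }
        }
        return 'Unknown'
    } catch { return 'Unknown' } finally { $client.Close() }
}
```

A result of 'No' for one of your own servers means Force Encryption is off in SQL Server Configuration Manager; nothing is authenticated or executed by this probe, it stops after the pre-login exchange.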