Building a Windows AD lab

SQL Server


Last updated 3 years ago

Create a SQL User

1. Log in to DC03 as the Administrator user with password Welcome01!.

2. Open the "Server Manager" and open the "Active Directory Users and Computers" tool in the tool section.

3. Expand the "secure.local" directory, right click on "User" and select "New" and "User".

4. Create a user with the name sa_sql.

5. Set the password "Iloveyou2" and create the user.

6. Open the tab "Account" and select "Password never expires" under "Account options".

Installing SQL Server

1. Log in to DATA01 as the Administrator user with password Welcome01!.

3. When SmartScreen comes up select "Run".

The SQL Server installation may require internet access. If it does, temporarily add a second adapter in the machine settings and select the NAT network; the machine should then have internet access. (P.S. Our first adapter is different since our lab runs on an ESXi host.)

4. On "Select an installation type" select "Basic":

5. Accept the License Terms and click "Install".

6. Once the installation is finished, click on "Customize".

8. Click next till the "License Terms" step.

7. Check "Use Microsoft Update to check for updates" and click next till the step "License Terms" and accept them:

8. At the step "Feature Selection" choose the following options:

  • Database Engine Services

  • SQL Server Replication

  • Client Tools Connectivity

  • Client Tools SDK

9. Click Next and fill in the Instance name data.

10. Change the "Startup Type" for the "SQL Server Agent" to "Automatic" and make sure all three are set to "Automatic". Then change the account name for "SQL Server Agent" and "SQL Server Database Engine" to sa_sql and fill in the password Iloveyou2.

11. At the next step select "Windows authentication mode". Then select "Add" at the "Specify SQL Server administrators" and add secure\administrator then click "Next".

12. Click "Install" and wait for the installation to finish.

13. Open the "SQL Configuration Manager".

14. Expand "SQL Server Network Configuration" and select "Protocols for DATA". Double click on "TCP/IP" and select the "IP Addresses" tab. Fill in 1433 for "TCP Port".

15. Scroll to the bottom and also configure IPAll:

15. Then click "Apply".

16. Open "SQL Server services" and right click on "SQL Server (DATA)" and click "Restart".

17. Do the same for "SQL Server Agent".

Configuring Windows Firewall for SQL Server

1. Search for "Windows Defender Firewall with Advanced Security" and open it.

2. Right click on "Inbound Rules" and select "New rule".

3. Select "Port" and click "Next".

4. Make sure "TCP" is selected and fill in port 1433 and click "Next":

5. Click next at the step "Profile". Fill in the name "Allow TCP 1433 MSSQL Server for all" and click "Finish".
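
The same inbound rule can be created and checked from PowerShell. This is an added example, not part of the original guide: it assumes an elevated session on DATA01, and the function name Confirm-SqlInboundRule is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on DATA01.
# Rule name and port are the values used in the steps above.
$RuleName = 'Allow TCP 1433 MSSQL Server for all'
$Port     = 1433

function Confirm-SqlInboundRule {
    param([string]$DisplayName, [int]$LocalPort)

    # Create the rule only if it is missing, so the script can be re-run safely.
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
            -Protocol TCP -LocalPort $LocalPort -Action Allow -Profile Any
    }

    # Read back what is actually enforced instead of trusting the rule name.
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter

    # Check that the SQL Server instance listens on the port set in the
    # "TCP/IP" properties during installation.
    $listener = Get-NetTCPConnection -State Listen -LocalPort $LocalPort `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        Protocol      = $portFilter.Protocol
        LocalPort     = $portFilter.LocalPort
        RemoteAddress = $addrFilter.RemoteAddress   # 'Any' = reachable from every network
        Listening     = [bool]$listener
        ListenAddress = ($listener.LocalAddress | Sort-Object -Unique) -join ', '
    }
}

Confirm-SqlInboundRule -DisplayName $RuleName -LocalPort $Port | Format-List
```

A RemoteAddress of Any matches the "for all" rule this lab asks for. Outside a lab, the same rule would normally be narrowed to the client subnets that need the database, using Set-NetFirewallRule -RemoteAddress.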

Testing connectivity

1. Open the Kali machine and run a quick Nmap scan to check if the port is open:

sudo nmap -p 1433 10.0.0.101 -Pn -n
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-14 18:14 CET
Nmap scan report for 10.0.0.101
Host is up (0.0100s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

Download SQL Server 2019 from Microsoft Evaluation Center.

18. Download and install SQL Server Management Studio. Just click "Install" and reboot the system.