Extract MSSQL Link Password

Step 1: Get Local Instances

Step 2 : Get the current User

Step 3: Get the version

Step 4: Check if you can impersonate sa

Step 5: Enable DAC

Step 6: Check if port 1434 is enabled

Step 7: If you dont see 1434 enabled see below

Step 8: Check if you have -T7806 in SQL Args. If you dont see below

Step 9 : Add SQLArg3 as -T7806

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\Parameters\" -Name "SQLArg3" -Value "-T7806"  -PropertyType "String"

Step 10: Check if you have SQLBrowser running

Get-Service | Where {$_.Name -Like "*SQLBROWSER*"}

Step 11: Check if you have named pipes enabled

Set-ItemProperty "HKLM:\Software\Microsoft\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQLServer\SuperSocketNetLib\Np\" -Name Enabled -Value 1 -Type DWord

Step 12: Restart the services

Step 13: Check if UDP port 1434 is now enabled

Extract the Link Password

Reference:

Create SA account