SlideShare a Scribd company logo

2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)

Download as pptx, pdf
Scott Sutherland
Scott Sutherland

This is an updated version of the slides that I presented at DerbyCon 2016. It includes new slides related to some of the privilege escalation.

1 of 107
Downloaded 75 times
1
Hacking SQL Server on Scale with PowerShell v.2
2
Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind
3
Presentation Overview ● Why SQL Server and PowerShell? ● PowerUpSQL Overview ● Finding & Accessing SQL Servers ● Privilege Escalation Scenarios o Domain user to SQL Server login o SQL Server Login to Sysadmin o Sysadmin to Windows Admin o Windows Admin to Sysadmin o Domain Escalation ● Post Exploitation Activities ● General Recommendations
4
Why SQL Server? ● Used in most enterprise environments ● Supports local Windows and Domain authentication ● Integrates with lots of Windows applications ● Generally has trust relationships that other don’t
5
Why PowerShell? ● Native to Windows ● Run commands in memory ● Run managed .net code ● Run unmanaged code ● Avoid detection by legacy Anti-virus ● Already flagged as "trusted" by most application whitelist solutions ● A medium used to write many open source Pentest toolkits
6
PowerUpSQL
7
PowerUpSQL Overview: Project Goals Project Goals (Get-Abilities)  ● Scalability via runspace threading ● Flexibility via pipeline support ● ps objects and data tables ● Portability o No SMO dependancies o .Net Framework libraries o PowerShell v.2 compliant (in theory) o Single file Functional Goals ● Discover SQL Servers from different attacker perspectives ● Inventory SQL Servers quickly ● Audit SQL Servers for common insecure configurations ● Escalate privileges quickly on SQL Servers ● Support authentication using SQL Login or Windows Credential
8
PowerUpSQL Overview: Functions Primary Attack Functions ● Invoke-SQLDumpInfo ● Invoke-SQLAudit ● Invoke-SQLEscalatePriv ● Invoke-SQLOsCmd https://github.com/NetSPI/PowerUpSQL/wikiCurrently about 60 Functions
9
PowerUpSQL Overview: Where can I get it? Github https://github.com/netspi/PowerUpSQL PowerShell Gallery https://www.powershellgallery.com/packages/PowerUpSQL/
10
PowerUpSQL Overview: How do I install it? Github Import-Module PowerUpSQL.psd1 IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P owerUpSQL.ps1") Execution policy work arounds https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ PowerShell Gallery Install-Module -Name PowerUpSQL
11
SQL Server Basics
12
SQL Server Basics What is SQL Server? ● A database platform ● An application ● A set of Windows services ● Each instance has its own set of services
13
SQL Server Basics: Account Types Account Types ● Windows Accounts o Used to login o Mapped to SQL Server login ● SQL Server Logins o Used to login o Mapped to database account ● Database Users o Used to access databases
14
SQL Server Basics: Common Roles Important SQL Server Roles ● Sysadmin role ○ Database administrator account ○ Think of it as the “Administrators” Windows group, but in SQL Server ● Public role ○ Only provides CONNECT permission ○ Think of it as the “Everyone” Windows group, but in SQL Server
15
Finding SQL Servers
16
Find SQL Servers: Techniques Attacker Perspective Attack Technique Unauthenticated ● List from file ● TCP port scan ● UDP port scan ● UDP broadcast ● Azure DNS dictionary attack (x.databases.windows.net) ● Azure DNS lookup via public resources Local User ● Services ● Registry entries Domain User ● Service Principal Names ● Azure Portal / PowerShell Modules
17
Find SQL Servers: PowerUpSQL Attacker Perspective PowerUpSQL Function Unauthenticated Get-SQLInstanceFile Unauthenticated Get-SQLInstanceUDPScan Local User Get-SQLInstanceLocal Domain User Get-SQLInstanceDomain Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
18
Escalating Privileges Unauthenticated / Domain User to SQL Login
19
Testing Login Access: Techniques What credentials can I use to log into discovered SQL Servers? Attacker Perspective Attack Technique Unauthenticated Dictionary attacks using common user names and passwords. Unauthenticated Default passwords based on the SQL Server instance names. Local Windows or ADS Domain Account Attempt to login using the current account.
20
Testing Login Access: PowerUpSQL CMDs What PowerUpSQL functions can I use to test for successful logins? Attack Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Get-SQLServerLoginDefaultPw Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
21
Testing Login Access: PowerUpSQL CMDs
22
Testing Login Access: Login CMD Examples Attacker Perspective Command Example Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded -Verbose -Threads 15 -Username testuser -Password testpass Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 Alternative Domain User runas /noprofile /netonly /user:domainuser PowerShell.exe Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15
23
Testing Login Access: Reusing Result Lists Process Command Example Enumerate Accessible Servers $Accessible = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 | Where-Object {$_.Status –like “Accessible”} Get server information $Acessible | Get-SQLServerInfo -Verbose Get database list $Acessible | Get-SQLDatabase -Verbose Perform audit $Acessible | Invoke-SQLAudit -Verbose Do I have to rerun instance discovery every time I want to run a command? No.
24
Testing Login Access: Domain User Access DEMO
25
Testing Login Access: Demo DEMO
26
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
27
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
28
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
29
Escalating Privileges SQL Login to SysAdmin
30
Escalating Privileges: Weak Passwords Didn’t we just cover this? Yes, but there’s more… Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
31
Escalating Privileges: Weak Passwords …we can also enumerate SQL Server logins and Domain Accounts  Technique PowerUpSQL Function Blind Login Enumeration + Dictionary Attack = Super Cool! Invoke-SQLAuditWeakLoginPw • Enumerate all SQL Server logins with the Public role • Enumerate all domain accounts with the Public role
32
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail.
33
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id”
34
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID
35
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat
36
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
37
Escalating Privileges: Weak Passwords select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d3 98ec43bab1a29ef07e8c21ec7
38
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain Domain of SQL Server
39
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group Full RID of Domain Admins group
40
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
41
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
42
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
43
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 6. Increment and repeat 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
44
Escalating Privileges: DEMO DEMO Get-SQLFuzzServerLogin Invoke-SQLAuditWeakLoginPw Get-SQLFuzzDomainAccount
45
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
46
Escalating Privileges: Impersonation 1. Impersonate Privilege a. Server: EXECUTE AS LOGIN b. Database: EXECUTE AS USER 2. Stored Procedure and Trigger Creation / Injection Issues a. EXECUTE AS OWNER b. Signed with cert login 3. Automatic Execution of Stored Procedures 4. Agent Jobs 5. xp_cmdshell proxy acount 6. Create Databse Link to File or Server 7. Import / Install Custom Assemblies 8. Ad-Hoc Queries 9. Shared Service Accounts 10. Database Links 11. UNC Path Injection
47
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER Pros • Execute queries/commands in another user context Cons • Requires database to be configured as trustworthy for OS command execution • Commands and queries are not limited in any way
48
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
49
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
50
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE Cons • No granular control over the database owner’s privileges • DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin • Requires database to be configured as trustworthy for OS command execution • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
51
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO
52
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO SYSADMIN is often the OWNER
53
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • Use signed Procedures o Create stored procedure o Create a database master key o Create a certificate o Create a login from the certificate o Configure login privileges o Sign stored procedure with certifiate o GRANT EXECUTE to User Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE • Granular control over permissions • Database does NOT have to be configured as trustworthy for OS command execution Cons • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
54
Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
55
Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO PURE EVIL https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
56
Escalating Privileges: Impersonation SQL Injection Example EXEC MASTER.dbo.sp_sqli2 'master'';EXEC master..xp_cmdshell ''whoami''--'; https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
57
Escalating Privileges: Impersonation SQL Injection Example
58
Escalating Privileges: Impersonation Automatic Execution of Stored Procedure • Stored procedures ca be configured to execute when the SQL Server service restarts Pros • Marking a stored procedure to run when the SQL Server service restarts has many use cases • Only stored procedures in the master database can be marked for auto execution Cons • No granular control over what context the startup command is executed in • All stored procedures marked for auto execution are executed as ‘sa’, even if ‘sa’ is disabled • Any non sysadmin access to stored procedures can lead to execution as ‘sa’
59
Escalating Privileges: DEMO DEMO Invoke-SQLAudit
60
Escalating Privileges: Invoke-SQLPrivEsc Whooray for Automation Demo!
61
Escalating Privileges: DEMO DEMO Invoke-SQLEscalatePriv
62
Escalating Privileges: Invoke-SQLPrivEsc DEMO
63
Escalating Privileges SysAdmin to Service Account
64
Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation Executing OS Commands: ● xp_cmdshell ● Custom Assemblies (.net) ● Custom Extended Stored Procedures (C++) ● Agent Jobs o ActiveX: Vbscript, Jscript, and Other o CmdExec o PowerShell o SSIS Package ● Registry Autoruns ● File Autoruns
65
Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation You don’t need to know the password, crack a hash, or PTH Service Account Types ● Local User ● Local System ● Network Service ● Local managed service account ● Domain managed service account ● Domain User ● Domain Admin
66
Escalating Privileges: SysAdmin to Service Account But wait, there’s more…RottenPotato @ DerbyCon 2016 - Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine) - We can now escalation from service account to LocalSystem! - No patch that I’m aware of. Check out their blog for details: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege- escalation-from-service-accounts-to-system/
67
Escalating Privileges: Invoke-SQLOSCmd Invoke-SQLOSCMD can be used for basic command execution. PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10 ComputerName Instance CommandResults --------------------- ----------- -------------- SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem SQLServer1 SQLServer1 DomainSQLSvc
68
Escalating Privileges Shared Service Accounts
69
Escalating Privileges: Shared Service Accounts Why should I care about shared service accounts? 1. SysAdmins can execute OS commands 2. OS commands run as the SQL Server service account 3. Service accounts have sysadmin privileges by default 4. Companies often use a single domain account to run hundreds of SQL Servers 5. So if you get sysadmin on one server you have it on all of them! One account to rule them all!
70
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
71
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
72
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
73
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Access to HVA with shared domain service account Key HVA = High Value Application LVA = Low Value Application Execute commands and gather data from other database servers via osql 3 Leveraging Shared MS SQL Server Service Accounts
74
Escalating Privileges Crawling Server Links
75
Escalating Privileges: Crawling Server Links What’s a database link? ● Database links are basically persistent database connections for SQL Servers. Why should I care? ● Short answer = privilege escalation ● Public role can use links to execute queries on remote servers (impersonation) SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’) ● Stored procedures can be executed (xp_cmdshell) ● Links can be crawled
76
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain EvilKey HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
77
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
78
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB1 LVA
79
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB Link with SA account DB1 LVA Execute SQL queries and local commands on database servers via nested linked services 2
80
Escalating Privileges: Crawling Server Links Penetration Test Stats ● Database links exist (and can be crawled) in about 50% of environments we’ve seen ● The max number of hops we’ve seen is 12 ● The max number of servers crawled is 226
81
Escalating Privileges: Crawling Server Links Old Script ● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler New Script ● /scripts/pending/Get-SqlServerLinkCrawl.ps1 ● Author: Antti Rantasaari
82
Escalating Privileges: Crawling Server Links DEMO
83
Escalating Privileges: Database Links DEMO
84
Escalating Privileges: Crawling Server Links
85
Escalating Privileges UNC Path Injection
86
Escalating Privileges: UNC Path Injection UNC Path Injection Summary ● UNC paths are used for accessing remote file servers like so 192.168.1.4file ● Almost all procedures that accept a file path in SQL Server, support UNC paths ● UNC paths can be used to force the SQL Server service account to authenticate to an attacker ● An attacker can then capture the NetNTLM password hash and crack or relay it ● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
87
Escalating Privileges: UNC Path Injection
88
Escalating Privileges: UNC Path Injection Oh yeah… By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path xp_dirtree xp_fileexists
89
Escalating Privileges: UNC Path Injection So, in summary… The PUBLIC role can access the SQL Server service account NetNTLM password hash by default!!
90
Escalating Privileges: UNC Path Injection But who really has PUBLIC role access? Oh yeah, a ton of domain users 
91
Escalating Privileges: DEMO DEMO Get-SQLServiceAccountPwHashes …what? It’s self descriptive 
92
Escalating Privileges: UNC Path Injection DEMO
93
Escalating Privileges OS Admin to SysAdmin
94
Escalating Privileges: OS Admin to SysAdmin Two things to know… 1. Different SQL Server versions can be abused in different ways 2. All SQL Server versions provide the service account with sysadmin privileges.
95
Escalating Privileges: OS Admin to SysAdmin Approach 2000 2005 2008 2012 2014 2016 LSA Secrets x x x x x x Local Administrator x x LocalSystem x x x Process Migration x x x x x x Token Stealing x x x x x X Single User Mode ? x x x x x Below are some options for leveraging that knowledge...
96
Escalating Privileges: OS Admin to SysAdmin Here are some tool options... Approach Common Tools Access as Local Administrator Management Studio, sqlcmd, and other native SQL client tools. Access as LocalSystem Psexec, accessibility options, debugger with native SQL client tools. Recover SQL Server service account password from LSA Secrets Mimikatz, Metasploit, lsadump. Inject shellcode or DLL into the SQL Server service process Metasploit, Empire, Python, Powershell, C, C++ (LoadLibrary,CreateRemoteThread, and similar functions) Steal Authentication Token From SQL Server service process Metasploit, Incognito, Invoke-TokenManipulation Single User Mode DBATools
97
Common Post Exploitation Activities
98
Post Exploitation: Overview Common Post Exploitation Activities 1. Establish Persistence • SQL Server Layer: startup procedures, agent jobs, triggers, modified code • OS Layer: Registry & file auto runs, tasks, services, etc. 2. Identify Sensitive Data • Target large databases • Locate transparently encrypted databases • Search columns based on keywords and sample data • Use regular expressions and the Luhn formula against data samples 3. Exfiltrate Sensitive Data • All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
99
Post Exploitation: Persistence Task Command Example Registry Autorun Persistence Get-SQLPersistRegRun -Verbose -Name EvilSauce -Command "EvilBoxEvilSandwich.exe" -Instance "SQLServer1STANDARDDEV2014" Debugger Backdoor Persistence Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe -Command 'c:windowssystem32cmd.exe' -Instance "SQLServer1STANDARDDEV2014"
100
Post Exploitation: Persistence
101
Post Exploitation: Finding Sensitive Data Task Command Example Locate Encrypted Databases Get-SQLInstanceDomain -Verbose | Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults | Where-Object {$_.is_encrypted –eq “TRUE”} Locate and Sample Sensitive Columns and Export to CSV Get-SQLInstanceDomain -Verbose | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults | Export-CSV –NoTypeInformation c:tempdatasample.csv
102
Post Exploitation: Finding Sensitive Data DEMO
103
Post Exploitation: Finding Sensitive Data DEMO
104
General Recommendations
105
General Recommendations Things to do… 1. Enforce least privilege everywhere! 2. Disable dangerous default stored procedures. 3. Audit and fix insecure configurations. 4. Use policy based management for standardizing configurations. 5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
106
PowerUpSQL Overview: Thanks! Individual Third Party Code / Direct Contributors Boe Prox Runspace blogs Warren F. ( RamblingCookieMonster) Invoke-Parallel function Oyvind Kallstad Test-IsLuhnValid function Kevin Robertson Invoke-Inveigh Joe Bialek Invoke-TokenManipulation Antti Rantasaari, Eric Gruber, and Alexander Leary, @leoloobeek, and @ktaranov Contributions and QA Khai Tran Design advice NetSPI assessment team and dev team Design advice
107
Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind
Hacking SQL Server on Scale with PowerShell v.2
Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind
Presentation Overview ● Why SQL Server and PowerShell? ● PowerUpSQL Overview ● Finding & Accessing SQL Servers ● Privilege Escalation Scenarios o Domain user to SQL Server login o SQL Server Login to Sysadmin o Sysadmin to Windows Admin o Windows Admin to Sysadmin o Domain Escalation ● Post Exploitation Activities ● General Recommendations
Why SQL Server? ● Used in most enterprise environments ● Supports local Windows and Domain authentication ● Integrates with lots of Windows applications ● Generally has trust relationships that other don’t
Why PowerShell? ● Native to Windows ● Run commands in memory ● Run managed .net code ● Run unmanaged code ● Avoid detection by legacy Anti-virus ● Already flagged as "trusted" by most application whitelist solutions ● A medium used to write many open source Pentest toolkits
PowerUpSQL
PowerUpSQL Overview: Project Goals Project Goals (Get-Abilities)  ● Scalability via runspace threading ● Flexibility via pipeline support ● ps objects and data tables ● Portability o No SMO dependancies o .Net Framework libraries o PowerShell v.2 compliant (in theory) o Single file Functional Goals ● Discover SQL Servers from different attacker perspectives ● Inventory SQL Servers quickly ● Audit SQL Servers for common insecure configurations ● Escalate privileges quickly on SQL Servers ● Support authentication using SQL Login or Windows Credential
PowerUpSQL Overview: Functions Primary Attack Functions ● Invoke-SQLDumpInfo ● Invoke-SQLAudit ● Invoke-SQLEscalatePriv ● Invoke-SQLOsCmd https://github.com/NetSPI/PowerUpSQL/wikiCurrently about 60 Functions
PowerUpSQL Overview: Where can I get it? Github https://github.com/netspi/PowerUpSQL PowerShell Gallery https://www.powershellgallery.com/packages/PowerUpSQL/
PowerUpSQL Overview: How do I install it? Github Import-Module PowerUpSQL.psd1 IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P owerUpSQL.ps1") Execution policy work arounds https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ PowerShell Gallery Install-Module -Name PowerUpSQL
SQL Server Basics
SQL Server Basics What is SQL Server? ● A database platform ● An application ● A set of Windows services ● Each instance has its own set of services
SQL Server Basics: Account Types Account Types ● Windows Accounts o Used to login o Mapped to SQL Server login ● SQL Server Logins o Used to login o Mapped to database account ● Database Users o Used to access databases
SQL Server Basics: Common Roles Important SQL Server Roles ● Sysadmin role ○ Database administrator account ○ Think of it as the “Administrators” Windows group, but in SQL Server ● Public role ○ Only provides CONNECT permission ○ Think of it as the “Everyone” Windows group, but in SQL Server
Finding SQL Servers
Find SQL Servers: Techniques Attacker Perspective Attack Technique Unauthenticated ● List from file ● TCP port scan ● UDP port scan ● UDP broadcast ● Azure DNS dictionary attack (x.databases.windows.net) ● Azure DNS lookup via public resources Local User ● Services ● Registry entries Domain User ● Service Principal Names ● Azure Portal / PowerShell Modules
Find SQL Servers: PowerUpSQL Attacker Perspective PowerUpSQL Function Unauthenticated Get-SQLInstanceFile Unauthenticated Get-SQLInstanceUDPScan Local User Get-SQLInstanceLocal Domain User Get-SQLInstanceDomain Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
Escalating Privileges Unauthenticated / Domain User to SQL Login
Testing Login Access: Techniques What credentials can I use to log into discovered SQL Servers? Attacker Perspective Attack Technique Unauthenticated Dictionary attacks using common user names and passwords. Unauthenticated Default passwords based on the SQL Server instance names. Local Windows or ADS Domain Account Attempt to login using the current account.
Testing Login Access: PowerUpSQL CMDs What PowerUpSQL functions can I use to test for successful logins? Attack Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Get-SQLServerLoginDefaultPw Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
Testing Login Access: PowerUpSQL CMDs
Testing Login Access: Login CMD Examples Attacker Perspective Command Example Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded -Verbose -Threads 15 -Username testuser -Password testpass Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 Alternative Domain User runas /noprofile /netonly /user:domainuser PowerShell.exe Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15
Testing Login Access: Reusing Result Lists Process Command Example Enumerate Accessible Servers $Accessible = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 | Where-Object {$_.Status –like “Accessible”} Get server information $Acessible | Get-SQLServerInfo -Verbose Get database list $Acessible | Get-SQLDatabase -Verbose Perform audit $Acessible | Invoke-SQLAudit -Verbose Do I have to rerun instance discovery every time I want to run a command? No.
Testing Login Access: Domain User Access DEMO
Testing Login Access: Demo DEMO
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
Escalating Privileges SQL Login to SysAdmin
Escalating Privileges: Weak Passwords Didn’t we just cover this? Yes, but there’s more… Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
Escalating Privileges: Weak Passwords …we can also enumerate SQL Server logins and Domain Accounts  Technique PowerUpSQL Function Blind Login Enumeration + Dictionary Attack = Super Cool! Invoke-SQLAuditWeakLoginPw • Enumerate all SQL Server logins with the Public role • Enumerate all domain accounts with the Public role
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail.
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id”
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat
Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges: Weak Passwords select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d3 98ec43bab1a29ef07e8c21ec7
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain Domain of SQL Server
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group Full RID of Domain Admins group
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 6. Increment and repeat 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
Escalating Privileges: DEMO DEMO Get-SQLFuzzServerLogin Invoke-SQLAuditWeakLoginPw Get-SQLFuzzDomainAccount
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
Escalating Privileges: Impersonation 1. Impersonate Privilege a. Server: EXECUTE AS LOGIN b. Database: EXECUTE AS USER 2. Stored Procedure and Trigger Creation / Injection Issues a. EXECUTE AS OWNER b. Signed with cert login 3. Automatic Execution of Stored Procedures 4. Agent Jobs 5. xp_cmdshell proxy acount 6. Create Databse Link to File or Server 7. Import / Install Custom Assemblies 8. Ad-Hoc Queries 9. Shared Service Accounts 10. Database Links 11. UNC Path Injection
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER Pros • Execute queries/commands in another user context Cons • Requires database to be configured as trustworthy for OS command execution • Commands and queries are not limited in any way
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE Cons • No granular control over the database owner’s privileges • DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin • Requires database to be configured as trustworthy for OS command execution • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO SYSADMIN is often the OWNER
Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • Use signed Procedures o Create stored procedure o Create a database master key o Create a certificate o Create a login from the certificate o Configure login privileges o Sign stored procedure with certifiate o GRANT EXECUTE to User Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE • Granular control over permissions • Database does NOT have to be configured as trustworthy for OS command execution Cons • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO PURE EVIL https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation SQL Injection Example EXEC MASTER.dbo.sp_sqli2 'master'';EXEC master..xp_cmdshell ''whoami''--'; https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation SQL Injection Example
Escalating Privileges: Impersonation Automatic Execution of Stored Procedure • Stored procedures ca be configured to execute when the SQL Server service restarts Pros • Marking a stored procedure to run when the SQL Server service restarts has many use cases • Only stored procedures in the master database can be marked for auto execution Cons • No granular control over what context the startup command is executed in • All stored procedures marked for auto execution are executed as ‘sa’, even if ‘sa’ is disabled • Any non sysadmin access to stored procedures can lead to execution as ‘sa’
Escalating Privileges: DEMO DEMO Invoke-SQLAudit
Escalating Privileges: Invoke-SQLPrivEsc Whooray for Automation Demo!
Escalating Privileges: DEMO DEMO Invoke-SQLEscalatePriv
Escalating Privileges: Invoke-SQLPrivEsc DEMO
Escalating Privileges SysAdmin to Service Account
Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation Executing OS Commands: ● xp_cmdshell ● Custom Assemblies (.net) ● Custom Extended Stored Procedures (C++) ● Agent Jobs o ActiveX: Vbscript, Jscript, and Other o CmdExec o PowerShell o SSIS Package ● Registry Autoruns ● File Autoruns
Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation You don’t need to know the password, crack a hash, or PTH Service Account Types ● Local User ● Local System ● Network Service ● Local managed service account ● Domain managed service account ● Domain User ● Domain Admin
Escalating Privileges: SysAdmin to Service Account But wait, there’s more…RottenPotato @ DerbyCon 2016 - Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine) - We can now escalation from service account to LocalSystem! - No patch that I’m aware of. Check out their blog for details: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege- escalation-from-service-accounts-to-system/
Escalating Privileges: Invoke-SQLOSCmd Invoke-SQLOSCMD can be used for basic command execution. PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10 ComputerName Instance CommandResults --------------------- ----------- -------------- SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem SQLServer1 SQLServer1 DomainSQLSvc
Escalating Privileges Shared Service Accounts
Escalating Privileges: Shared Service Accounts Why should I care about shared service accounts? 1. SysAdmins can execute OS commands 2. OS commands run as the SQL Server service account 3. Service accounts have sysadmin privileges by default 4. Companies often use a single domain account to run hundreds of SQL Servers 5. So if you get sysadmin on one server you have it on all of them! One account to rule them all!
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Access to HVA with shared domain service account Key HVA = High Value Application LVA = Low Value Application Execute commands and gather data from other database servers via osql 3 Leveraging Shared MS SQL Server Service Accounts
Escalating Privileges Crawling Server Links
Escalating Privileges: Crawling Server Links What’s a database link? ● Database links are basically persistent database connections for SQL Servers. Why should I care? ● Short answer = privilege escalation ● Public role can use links to execute queries on remote servers (impersonation) SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’) ● Stored procedures can be executed (xp_cmdshell) ● Links can be crawled
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain EvilKey HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB1 LVA
InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB Link with SA account DB1 LVA Execute SQL queries and local commands on database servers via nested linked services 2
Escalating Privileges: Crawling Server Links Penetration Test Stats ● Database links exist (and can be crawled) in about 50% of environments we’ve seen ● The max number of hops we’ve seen is 12 ● The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links Old Script ● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler New Script ● /scripts/pending/Get-SqlServerLinkCrawl.ps1 ● Author: Antti Rantasaari
Escalating Privileges: Crawling Server Links DEMO
Escalating Privileges: Database Links DEMO
Escalating Privileges: Crawling Server Links
Escalating Privileges UNC Path Injection
Escalating Privileges: UNC Path Injection UNC Path Injection Summary ● UNC paths are used for accessing remote file servers like so 192.168.1.4file ● Almost all procedures that accept a file path in SQL Server, support UNC paths ● UNC paths can be used to force the SQL Server service account to authenticate to an attacker ● An attacker can then capture the NetNTLM password hash and crack or relay it ● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Escalating Privileges: UNC Path Injection Oh yeah… By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path xp_dirtree xp_fileexists
Escalating Privileges: UNC Path Injection So, in summary… The PUBLIC role can access the SQL Server service account NetNTLM password hash by default!!
Escalating Privileges: UNC Path Injection But who really has PUBLIC role access? Oh yeah, a ton of domain users 
Escalating Privileges: DEMO DEMO Get-SQLServiceAccountPwHashes …what? It’s self descriptive 
Escalating Privileges: UNC Path Injection DEMO
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin Two things to know… 1. Different SQL Server versions can be abused in different ways 2. All SQL Server versions provide the service account with sysadmin privileges.
Escalating Privileges: OS Admin to SysAdmin Approach 2000 2005 2008 2012 2014 2016 LSA Secrets x x x x x x Local Administrator x x LocalSystem x x x Process Migration x x x x x x Token Stealing x x x x x X Single User Mode ? x x x x x Below are some options for leveraging that knowledge...
Escalating Privileges: OS Admin to SysAdmin Here are some tool options... Approach Common Tools Access as Local Administrator Management Studio, sqlcmd, and other native SQL client tools. Access as LocalSystem Psexec, accessibility options, debugger with native SQL client tools. Recover SQL Server service account password from LSA Secrets Mimikatz, Metasploit, lsadump. Inject shellcode or DLL into the SQL Server service process Metasploit, Empire, Python, Powershell, C, C++ (LoadLibrary,CreateRemoteThread, and similar functions) Steal Authentication Token From SQL Server service process Metasploit, Incognito, Invoke-TokenManipulation Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation: Overview Common Post Exploitation Activities 1. Establish Persistence • SQL Server Layer: startup procedures, agent jobs, triggers, modified code • OS Layer: Registry & file auto runs, tasks, services, etc. 2. Identify Sensitive Data • Target large databases • Locate transparently encrypted databases • Search columns based on keywords and sample data • Use regular expressions and the Luhn formula against data samples 3. Exfiltrate Sensitive Data • All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
Post Exploitation: Persistence Task Command Example Registry Autorun Persistence Get-SQLPersistRegRun -Verbose -Name EvilSauce -Command "EvilBoxEvilSandwich.exe" -Instance "SQLServer1STANDARDDEV2014" Debugger Backdoor Persistence Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe -Command 'c:windowssystem32cmd.exe' -Instance "SQLServer1STANDARDDEV2014"
Post Exploitation: Persistence
Post Exploitation: Finding Sensitive Data Task Command Example Locate Encrypted Databases Get-SQLInstanceDomain -Verbose | Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults | Where-Object {$_.is_encrypted –eq “TRUE”} Locate and Sample Sensitive Columns and Export to CSV Get-SQLInstanceDomain -Verbose | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults | Export-CSV –NoTypeInformation c:tempdatasample.csv
Post Exploitation: Finding Sensitive Data DEMO
Post Exploitation: Finding Sensitive Data DEMO
General Recommendations
General Recommendations Things to do… 1. Enforce least privilege everywhere! 2. Disable dangerous default stored procedures. 3. Audit and fix insecure configurations. 4. Use policy based management for standardizing configurations. 5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
PowerUpSQL Overview: Thanks! Individual Third Party Code / Direct Contributors Boe Prox Runspace blogs Warren F. ( RamblingCookieMonster) Invoke-Parallel function Oyvind Kallstad Test-IsLuhnValid function Kevin Robertson Invoke-Inveigh Joe Bialek Invoke-TokenManipulation Antti Rantasaari, Eric Gruber, and Alexander Leary, @leoloobeek, and @ktaranov Contributions and QA Khai Tran Design advice NetSPI assessment team and dev team Design advice
Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind

Recommended

DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Scott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
Scott Sutherland
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
Scott Sutherland
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
Scott Sutherland
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
Scott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerBeyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
NetSPI
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Slides Cassandra
Slides CassandraSlides Cassandra
Slides Cassandra
hamidd77
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL InjectionCodemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Chema Alonso
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShell
Juan Carlos Gonzalez
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
The Play Framework at LinkedIn
The Play Framework at LinkedInThe Play Framework at LinkedIn
The Play Framework at LinkedIn
Yevgeniy Brikman
 
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with NagiosNagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios
 
How to scheduled jobs in a cloudera cluster without oozie
How to scheduled jobs in a cloudera cluster without oozieHow to scheduled jobs in a cloudera cluster without oozie
How to scheduled jobs in a cloudera cluster without oozie
Tiago Simões
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
zznate
 
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMANagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architecture
Tiago Simões
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
Oracle security 02-administering user security
Oracle security 02-administering user securityOracle security 02-administering user security
Oracle security 02-administering user security
Zhaoyang Wang
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandra
zznate
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 

More Related Content

What's hot (20)

2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerBeyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
NetSPI
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Slides Cassandra
Slides CassandraSlides Cassandra
Slides Cassandra
hamidd77
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL InjectionCodemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Chema Alonso
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShell
Juan Carlos Gonzalez
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
The Play Framework at LinkedIn
The Play Framework at LinkedInThe Play Framework at LinkedIn
The Play Framework at LinkedIn
Yevgeniy Brikman
 
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with NagiosNagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios
 
How to scheduled jobs in a cloudera cluster without oozie
How to scheduled jobs in a cloudera cluster without oozieHow to scheduled jobs in a cloudera cluster without oozie
How to scheduled jobs in a cloudera cluster without oozie
Tiago Simões
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
zznate
 
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMANagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architecture
Tiago Simões
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
Oracle security 02-administering user security
Oracle security 02-administering user securityOracle security 02-administering user security
Oracle security 02-administering user security
Zhaoyang Wang
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandra
zznate
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
Scott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Scott Sutherland
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerBeyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
NetSPI
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
Scott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
Scott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
Scott Sutherland
 
Slides Cassandra
Slides CassandraSlides Cassandra
Slides Cassandra
hamidd77
 
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL InjectionCodemotion 2013: Feliz 15 aniversario, SQL Injection
Codemotion 2013: Feliz 15 aniversario, SQL Injection
Chema Alonso
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShell
Juan Carlos Gonzalez
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
The Play Framework at LinkedIn
The Play Framework at LinkedInThe Play Framework at LinkedIn
The Play Framework at LinkedIn
Yevgeniy Brikman
 
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with NagiosNagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with Nagios
Nagios
 
How to scheduled jobs in a cloudera cluster without oozie
How to scheduled jobs in a cloudera cluster without oozieHow to scheduled jobs in a cloudera cluster without oozie
How to scheduled jobs in a cloudera cluster without oozie
Tiago Simões
 
Hardening cassandra q2_2016
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016
zznate
 
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMANagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios Conference 2014 - Troy Lea - Monitoring VMware Virtualization Using vMA
Nagios
 
How to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architectureHow to implement a gdpr solution in a cloudera architecture
How to implement a gdpr solution in a cloudera architecture
Tiago Simões
 
Dynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency PlanningDynamic Database Credentials: Security Contingency Planning
Dynamic Database Credentials: Security Contingency Planning
Sean Chittenden
 
Oracle security 02-administering user security
Oracle security 02-administering user securityOracle security 02-administering user security
Oracle security 02-administering user security
Zhaoyang Wang
 
Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandra
zznate
 

Viewers also liked (11)

Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
Databases
DatabasesDatabases
Databases
Scott Sutherland
 
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConfWindows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
Paul Stack
 
PASS VC: SQL Server Performance Monitoring and Baselining
PASS VC: SQL Server Performance Monitoring and BaseliningPASS VC: SQL Server Performance Monitoring and Baselining
PASS VC: SQL Server Performance Monitoring and Baselining
PARIKSHIT SAVJANI
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x3
 
Hadoop Security
Hadoop SecurityHadoop Security
Hadoop Security
Timothy Spann
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
CTruncer
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Scott Sutherland
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
Scott Sutherland
 
Databases
DatabasesDatabases
Databases
Scott Sutherland
 
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConfWindows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
Windows: Having its ass kicked by Puppet and Powershell since 2012 #PuppetConf
Paul Stack
 
PASS VC: SQL Server Performance Monitoring and Baselining
PASS VC: SQL Server Performance Monitoring and BaseliningPASS VC: SQL Server Performance Monitoring and Baselining
PASS VC: SQL Server Performance Monitoring and Baselining
PARIKSHIT SAVJANI
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Up is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and RightUp is Down, Black is White: Using SCCM for Wrong and Right
Up is Down, Black is White: Using SCCM for Wrong and Right
enigma0x3
 
Hadoop Security
Hadoop SecurityHadoop Security
Hadoop Security
Timothy Spann
 
The Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
CTruncer
 

Similar to 2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates) (20)

Hackers Paradise SQL Injection Attacks
Hackers Paradise SQL Injection AttacksHackers Paradise SQL Injection Attacks
Hackers Paradise SQL Injection Attacks
amiable_indian
 
Dealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETDealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NET
Fernando G. Guerrero
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Abhinav Nair
 
MySQL crash course by moshe kaplan
MySQL crash course by moshe kaplanMySQL crash course by moshe kaplan
MySQL crash course by moshe kaplan
Moshe Kaplan
 
Demo for Why Use PowerShell
Demo for Why Use PowerShellDemo for Why Use PowerShell
Demo for Why Use PowerShell
SirajJamdar
 
Flash And The City 2010
Flash And The City 2010Flash And The City 2010
Flash And The City 2010
Steven Peeters
 
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
ThomasElling1
 
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa
 
Dealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETDealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NET
Fernando G. Guerrero
 
SQL Server R Services: What Every SQL Professional Should Know
SQL Server R Services: What Every SQL Professional Should KnowSQL Server R Services: What Every SQL Professional Should Know
SQL Server R Services: What Every SQL Professional Should Know
Bob Ward
 
Introduction to Threading in .Net
Introduction to Threading in .NetIntroduction to Threading in .Net
Introduction to Threading in .Net
webhostingguy
 
Performance testing as part of Agile - Continius Delivery solution
Performance testing as part of Agile - Continius Delivery solutionPerformance testing as part of Agile - Continius Delivery solution
Performance testing as part of Agile - Continius Delivery solution
Sergey Radov
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenarios
Payampardaz
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
jemond
 
common_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLcommon_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQL
Shlomi Noach
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
Bryan Cafferky
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
Kevin Kline
 
Hackers Paradise SQL Injection Attacks
Hackers Paradise SQL Injection AttacksHackers Paradise SQL Injection Attacks
Hackers Paradise SQL Injection Attacks
amiable_indian
 
Dealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETDealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NET
Fernando G. Guerrero
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Abhinav Nair
 
MySQL crash course by moshe kaplan
MySQL crash course by moshe kaplanMySQL crash course by moshe kaplan
MySQL crash course by moshe kaplan
Moshe Kaplan
 
Demo for Why Use PowerShell
Demo for Why Use PowerShellDemo for Why Use PowerShell
Demo for Why Use PowerShell
SirajJamdar
 
Flash And The City 2010
Flash And The City 2010Flash And The City 2010
Flash And The City 2010
Steven Peeters
 
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
WWHF 2018 - Using PowerUpSQL and goddi for Active Directory Information Gathe...
ThomasElling1
 
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa
 
Dealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NETDealing with SQL Security from ADO.NET
Dealing with SQL Security from ADO.NET
Fernando G. Guerrero
 
SQL Server R Services: What Every SQL Professional Should Know
SQL Server R Services: What Every SQL Professional Should KnowSQL Server R Services: What Every SQL Professional Should Know
SQL Server R Services: What Every SQL Professional Should Know
Bob Ward
 
Introduction to Threading in .Net
Introduction to Threading in .NetIntroduction to Threading in .Net
Introduction to Threading in .Net
webhostingguy
 
Performance testing as part of Agile - Continius Delivery solution
Performance testing as part of Agile - Continius Delivery solutionPerformance testing as part of Agile - Continius Delivery solution
Performance testing as part of Agile - Continius Delivery solution
Sergey Radov
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenarios
Payampardaz
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
jemond
 
common_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQLcommon_schema, DBA's framework for MySQL
common_schema, DBA's framework for MySQL
Shlomi Noach
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
Rob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
Bryan Cafferky
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
Kevin Kline
 

More from Scott Sutherland (10)

Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Scott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
Scott Sutherland
 
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Hunting SMB Shares with Data, Graphs, Charts, and LLMs (SO-CON 2025)
Scott Sutherland
 
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
Scott Sutherland
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
Scott Sutherland
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
Scott Sutherland
 

Recently uploaded (20)

AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
Safe Software
 
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...
BookNet Canada
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
Edge AI and Vision Alliance
 
FME Beyond Data Processing Creating A Dartboard Accuracy App
FME Beyond Data Processing Creating A Dartboard Accuracy AppFME Beyond Data Processing Creating A Dartboard Accuracy App
FME Beyond Data Processing Creating A Dartboard Accuracy App
Safe Software
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Anish Kumar
 
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to KnowWhat is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
SMACT Works
 
cnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdf
cnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdfcnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdf
cnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdf
AmirStern2
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...
Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...
Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...
Impelsys Inc.
 
Murdledescargadarkweb.pdfvolumen1 100 elementary
Murdledescargadarkweb.pdfvolumen1 100 elementaryMurdledescargadarkweb.pdfvolumen1 100 elementary
Murdledescargadarkweb.pdfvolumen1 100 elementary
JorgeSemperteguiMont
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptxISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
AyilurRamnath1
 
Introduction to Typescript - GDG On Campus EUE
Introduction to Typescript - GDG On Campus EUEIntroduction to Typescript - GDG On Campus EUE
Introduction to Typescript - GDG On Campus EUE
Google Developer Group On Campus European Universities in Egypt
 
FCF- Getting Started in Cybersecurity 3.0
FCF- Getting Started in Cybersecurity 3.0FCF- Getting Started in Cybersecurity 3.0
FCF- Getting Started in Cybersecurity 3.0
RodrigoMori7
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
GIS and FME: The Foundation to Improve the Locate Process of Utilities
GIS and FME: The Foundation to Improve the Locate Process of UtilitiesGIS and FME: The Foundation to Improve the Locate Process of Utilities
GIS and FME: The Foundation to Improve the Locate Process of Utilities
Safe Software
 
Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.
hok12341073
 
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Safe Software
 
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and ImplementationAI Agents in Logistics and Supply Chain Applications Benefits and Implementation
AI Agents in Logistics and Supply Chain Applications Benefits and Implementation
Christine Shepherd
 
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
National Fuels Treatments Initiative: Building a Seamless Map of Hazardous Fu...
Safe Software
 
Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...Bridging the divide: A conversation on tariffs today in the book industry - T...
Bridging the divide: A conversation on tariffs today in the book industry - T...
BookNet Canada
 
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und AnwendungsfälleDomino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
Domino IQ – Was Sie erwartet, erste Schritte und Anwendungsfälle
panagenda
 
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
“State-space Models vs. Transformers for Ultra-low-power Edge AI,” a Presenta...
Edge AI and Vision Alliance
 
FME Beyond Data Processing Creating A Dartboard Accuracy App
FME Beyond Data Processing Creating A Dartboard Accuracy AppFME Beyond Data Processing Creating A Dartboard Accuracy App
FME Beyond Data Processing Creating A Dartboard Accuracy App
Safe Software
 
Trends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary MeekerTrends Artificial Intelligence - Mary Meeker
Trends Artificial Intelligence - Mary Meeker
Clive Dickens
 
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Scaling GenAI Inference From Prototype to Production: Real-World Lessons in S...
Anish Kumar
 
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to KnowWhat is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
What is Oracle EPM A Guide to Oracle EPM Cloud Everything You Need to Know
SMACT Works
 
cnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdf
cnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdfcnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdf
cnc-drilling-dowel-inserting-machine-drillteq-d-510-english.pdf
AmirStern2
 
Oracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI FoundationsOracle Cloud Infrastructure AI Foundations
Oracle Cloud Infrastructure AI Foundations
VICTOR MAESTRE RAMIREZ
 
Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...
Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...
Creating an Accessible Future-How AI-powered Accessibility Testing is Shaping...
Impelsys Inc.
 
Murdledescargadarkweb.pdfvolumen1 100 elementary
Murdledescargadarkweb.pdfvolumen1 100 elementaryMurdledescargadarkweb.pdfvolumen1 100 elementary
Murdledescargadarkweb.pdfvolumen1 100 elementary
JorgeSemperteguiMont
 
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptxISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
ISOIEC 42005 Revolutionalises AI Impact Assessment.pptx
AyilurRamnath1
 
Introduction to Typescript - GDG On Campus EUE
Introduction to Typescript - GDG On Campus EUEIntroduction to Typescript - GDG On Campus EUE
Introduction to Typescript - GDG On Campus EUE
Google Developer Group On Campus European Universities in Egypt
 
FCF- Getting Started in Cybersecurity 3.0
FCF- Getting Started in Cybersecurity 3.0FCF- Getting Started in Cybersecurity 3.0
FCF- Getting Started in Cybersecurity 3.0
RodrigoMori7
 
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025Developing Schemas with FME and Excel - Peak of Data & AI 2025
Developing Schemas with FME and Excel - Peak of Data & AI 2025
Safe Software
 
GIS and FME: The Foundation to Improve the Locate Process of Utilities
GIS and FME: The Foundation to Improve the Locate Process of UtilitiesGIS and FME: The Foundation to Improve the Locate Process of Utilities
GIS and FME: The Foundation to Improve the Locate Process of Utilities
Safe Software
 
Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.Introduction to Internet of things .ppt.
Introduction to Internet of things .ppt.
hok12341073
 
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Integration of Utility Data into 3D BIM Models Using a 3D Solids Modeling Wor...
Safe Software
 

2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)

  • 1. Hacking SQL Server on Scale with PowerShell v.2
  • 2. Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind
  • 3. Presentation Overview ● Why SQL Server and PowerShell? ● PowerUpSQL Overview ● Finding & Accessing SQL Servers ● Privilege Escalation Scenarios o Domain user to SQL Server login o SQL Server Login to Sysadmin o Sysadmin to Windows Admin o Windows Admin to Sysadmin o Domain Escalation ● Post Exploitation Activities ● General Recommendations
  • 4. Why SQL Server? ● Used in most enterprise environments ● Supports local Windows and Domain authentication ● Integrates with lots of Windows applications ● Generally has trust relationships that other don’t
  • 5. Why PowerShell? ● Native to Windows ● Run commands in memory ● Run managed .net code ● Run unmanaged code ● Avoid detection by legacy Anti-virus ● Already flagged as "trusted" by most application whitelist solutions ● A medium used to write many open source Pentest toolkits
  • 7. PowerUpSQL Overview: Project Goals Project Goals (Get-Abilities)  ● Scalability via runspace threading ● Flexibility via pipeline support ● ps objects and data tables ● Portability o No SMO dependancies o .Net Framework libraries o PowerShell v.2 compliant (in theory) o Single file Functional Goals ● Discover SQL Servers from different attacker perspectives ● Inventory SQL Servers quickly ● Audit SQL Servers for common insecure configurations ● Escalate privileges quickly on SQL Servers ● Support authentication using SQL Login or Windows Credential
  • 8. PowerUpSQL Overview: Functions Primary Attack Functions ● Invoke-SQLDumpInfo ● Invoke-SQLAudit ● Invoke-SQLEscalatePriv ● Invoke-SQLOsCmd https://github.com/NetSPI/PowerUpSQL/wikiCurrently about 60 Functions
  • 9. PowerUpSQL Overview: Where can I get it? Github https://github.com/netspi/PowerUpSQL PowerShell Gallery https://www.powershellgallery.com/packages/PowerUpSQL/
  • 10. PowerUpSQL Overview: How do I install it? Github Import-Module PowerUpSQL.psd1 IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P owerUpSQL.ps1") Execution policy work arounds https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/ PowerShell Gallery Install-Module -Name PowerUpSQL
  • 12. SQL Server Basics What is SQL Server? ● A database platform ● An application ● A set of Windows services ● Each instance has its own set of services
  • 13. SQL Server Basics: Account Types Account Types ● Windows Accounts o Used to login o Mapped to SQL Server login ● SQL Server Logins o Used to login o Mapped to database account ● Database Users o Used to access databases
  • 14. SQL Server Basics: Common Roles Important SQL Server Roles ● Sysadmin role ○ Database administrator account ○ Think of it as the “Administrators” Windows group, but in SQL Server ● Public role ○ Only provides CONNECT permission ○ Think of it as the “Everyone” Windows group, but in SQL Server
  • 16. Find SQL Servers: Techniques Attacker Perspective Attack Technique Unauthenticated ● List from file ● TCP port scan ● UDP port scan ● UDP broadcast ● Azure DNS dictionary attack (x.databases.windows.net) ● Azure DNS lookup via public resources Local User ● Services ● Registry entries Domain User ● Service Principal Names ● Azure Portal / PowerShell Modules
  • 17. Find SQL Servers: PowerUpSQL Attacker Perspective PowerUpSQL Function Unauthenticated Get-SQLInstanceFile Unauthenticated Get-SQLInstanceUDPScan Local User Get-SQLInstanceLocal Domain User Get-SQLInstanceDomain Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
  • 19. Testing Login Access: Techniques What credentials can I use to log into discovered SQL Servers? Attacker Perspective Attack Technique Unauthenticated Dictionary attacks using common user names and passwords. Unauthenticated Default passwords based on the SQL Server instance names. Local Windows or ADS Domain Account Attempt to login using the current account.
  • 20. Testing Login Access: PowerUpSQL CMDs What PowerUpSQL functions can I use to test for successful logins? Attack Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Get-SQLServerLoginDefaultPw Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
  • 21. Testing Login Access: PowerUpSQL CMDs
  • 22. Testing Login Access: Login CMD Examples Attacker Perspective Command Example Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded -Verbose -Threads 15 -Username testuser -Password testpass Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 Alternative Domain User runas /noprofile /netonly /user:domainuser PowerShell.exe Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15
  • 23. Testing Login Access: Reusing Result Lists Process Command Example Enumerate Accessible Servers $Accessible = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose -Threads 15 | Where-Object {$_.Status –like “Accessible”} Get server information $Acessible | Get-SQLServerInfo -Verbose Get database list $Acessible | Get-SQLDatabase -Verbose Perform audit $Acessible | Invoke-SQLAudit -Verbose Do I have to rerun instance discovery every time I want to run a command? No.
  • 24. Testing Login Access: Domain User Access DEMO
  • 26. Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
  • 27. Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
  • 28. Escalating Privileges: Domain User Why can Domain Users login into so many SQL Servers? ● Admins give them access ● Privilege inheritance issue on domain systems = Public role access
  • 30. Escalating Privileges: Weak Passwords Didn’t we just cover this? Yes, but there’s more… Technique PowerUpSQL Function Dictionary Attack Invoke-SQLAuditWeakLoginPw Default Password Test Invoke-SQLAuditDefaultLoginPw Local Windows or ADS Domain Account Get-SQLConnectionTestThreaded
  • 31. Escalating Privileges: Weak Passwords …we can also enumerate SQL Server logins and Domain Accounts  Technique PowerUpSQL Function Blind Login Enumeration + Dictionary Attack = Super Cool! Invoke-SQLAuditWeakLoginPw • Enumerate all SQL Server logins with the Public role • Enumerate all domain accounts with the Public role
  • 32. Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail.
  • 33. Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id”
  • 34. Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID
  • 35. Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat
  • 36. Escalating Privileges: Weak Passwords Enumerating SQL Logins 1. Attempt to list all SQL Server logins and fail. 2. Get principal id for the sa account with “suser_id” 3. Use “suser_name” to get SQL logins using just principal ID 4. Increment number and repeat select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
  • 37. Escalating Privileges: Weak Passwords select n [id], SUSER_NAME(n) [user_name] from ( select top 10000 row_number() over(order by t1.number) as N from master..spt_values t1 cross join master..spt_values t2 ) a where SUSER_NAME(n) is not null Code gifted from @mobileck Source: https://gist.github.com/ConstantineK/c6de5d3 98ec43bab1a29ef07e8c21ec7
  • 38. Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain Domain of SQL Server
  • 39. Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group Full RID of Domain Admins group
  • 40. Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
  • 41. Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
  • 42. Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
  • 43. Escalating Privileges: Weak Passwords Enumerating Domain Users 1. Get the domain 2. GID RID of default group 3. Grab the first 48 Bytes of the full RID 4. Create new RID with by appending a hex number value and the SID 5. Use “suser_name” function to get domain object name 6. Increment and repeat 1. Start with number, 500 2. Convert to hex, F401 3. Pad with 0 to 8 bytes, F4010000 4. Concatenate the SID and the new RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
  • 46. Escalating Privileges: Impersonation 1. Impersonate Privilege a. Server: EXECUTE AS LOGIN b. Database: EXECUTE AS USER 2. Stored Procedure and Trigger Creation / Injection Issues a. EXECUTE AS OWNER b. Signed with cert login 3. Automatic Execution of Stored Procedures 4. Agent Jobs 5. xp_cmdshell proxy acount 6. Create Databse Link to File or Server 7. Import / Install Custom Assemblies 8. Ad-Hoc Queries 9. Shared Service Accounts 10. Database Links 11. UNC Path Injection
  • 47. Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER Pros • Execute queries/commands in another user context Cons • Requires database to be configured as trustworthy for OS command execution • Commands and queries are not limited in any way
  • 48. Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
  • 49. Escalating Privileges: Impersonation Impersonate Privilege • Can be used at server layer o EXECUTE AS LOGIN • Can be used at database layer o EXECUTE AS USER
  • 50. Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE Cons • No granular control over the database owner’s privileges • DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin • Requires database to be configured as trustworthy for OS command execution • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
  • 51. Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO
  • 52. Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • EXECUTE AS OWNER can be used to execute a stored procedure as another login • DB_OWNER role can impersonate the actual database owner USE MyAppDb GO CREATE PROCEDURE sp_escalate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'MyAppUser','sysadmin' GO SYSADMIN is often the OWNER
  • 53. Escalating Privileges: Impersonation Stored Procedure and Trigger Creation / Injection Issues • Use signed Procedures o Create stored procedure o Create a database master key o Create a certificate o Create a login from the certificate o Configure login privileges o Sign stored procedure with certifiate o GRANT EXECUTE to User Pros • Can execute queries/commands in another user context • Limit commands and queries • Don’t have to grant IMPERSONATE • Granular control over permissions • Database does NOT have to be configured as trustworthy for OS command execution Cons • Impersonation can be done via SQL injection under specific conditions • Impersonation can be done via command injection under specific conditions
  • 54. Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
  • 55. Escalating Privileges: Impersonation SQL Injection Example CREATE PROCEDURE sp_sqli2 @DbName varchar(max) AS BEGIN Declare @query as varchar(max) SET @query = ‘ SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''; EXECUTE(@query) END GO PURE EVIL https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
  • 56. Escalating Privileges: Impersonation SQL Injection Example EXEC MASTER.dbo.sp_sqli2 'master'';EXEC master..xp_cmdshell ''whoami''--'; https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
  • 58. Escalating Privileges: Impersonation Automatic Execution of Stored Procedure • Stored procedures ca be configured to execute when the SQL Server service restarts Pros • Marking a stored procedure to run when the SQL Server service restarts has many use cases • Only stored procedures in the master database can be marked for auto execution Cons • No granular control over what context the startup command is executed in • All stored procedures marked for auto execution are executed as ‘sa’, even if ‘sa’ is disabled • Any non sysadmin access to stored procedures can lead to execution as ‘sa’
  • 64. Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation Executing OS Commands: ● xp_cmdshell ● Custom Assemblies (.net) ● Custom Extended Stored Procedures (C++) ● Agent Jobs o ActiveX: Vbscript, Jscript, and Other o CmdExec o PowerShell o SSIS Package ● Registry Autoruns ● File Autoruns
  • 65. Escalating Privileges: SysAdmin to Service Account OS Command Execution = Service Account Impersonation You don’t need to know the password, crack a hash, or PTH Service Account Types ● Local User ● Local System ● Network Service ● Local managed service account ● Domain managed service account ● Domain User ● Domain Admin
  • 66. Escalating Privileges: SysAdmin to Service Account But wait, there’s more…RottenPotato @ DerbyCon 2016 - Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine) - We can now escalation from service account to LocalSystem! - No patch that I’m aware of. Check out their blog for details: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege- escalation-from-service-accounts-to-system/
  • 67. Escalating Privileges: Invoke-SQLOSCmd Invoke-SQLOSCMD can be used for basic command execution. PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10 ComputerName Instance CommandResults --------------------- ----------- -------------- SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem SQLServer1 SQLServer1 DomainSQLSvc
  • 69. Escalating Privileges: Shared Service Accounts Why should I care about shared service accounts? 1. SysAdmins can execute OS commands 2. OS commands run as the SQL Server service account 3. Service accounts have sysadmin privileges by default 4. Companies often use a single domain account to run hundreds of SQL Servers 5. So if you get sysadmin on one server you have it on all of them! One account to rule them all!
  • 70. InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
  • 71. InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
  • 72. InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Key HVA = High Value Application LVA = Low Value Application Leveraging Shared MS SQL Server Service Accounts
  • 73. InternetDMZIntranet LRA HVA LVA ADS LVA Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Execute Local Command via xp_cmdshell 2 Access to HVA with shared domain service account Key HVA = High Value Application LVA = Low Value Application Execute commands and gather data from other database servers via osql 3 Leveraging Shared MS SQL Server Service Accounts
  • 75. Escalating Privileges: Crawling Server Links What’s a database link? ● Database links are basically persistent database connections for SQL Servers. Why should I care? ● Short answer = privilege escalation ● Public role can use links to execute queries on remote servers (impersonation) SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’) ● Stored procedures can be executed (xp_cmdshell) ● Links can be crawled
  • 76. InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain EvilKey HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
  • 77. InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links DB1 LVA
  • 78. InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB1 LVA
  • 79. InternetDMZIntranet LRA HVA LVA ADS Ports 80 and 443 Ports 1433 and 1434 HVA PURE EVIL Captain Evil SQL Injection 1 Key HVA = High Value Application LVA = Low Value Application Leveraging MS SQL Database links D B Link w ith LeastPrivileges DB Link with SA account DB1 LVA Execute SQL queries and local commands on database servers via nested linked services 2
  • 80. Escalating Privileges: Crawling Server Links Penetration Test Stats ● Database links exist (and can be crawled) in about 50% of environments we’ve seen ● The max number of hops we’ve seen is 12 ● The max number of servers crawled is 226
  • 81. Escalating Privileges: Crawling Server Links Old Script ● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler New Script ● /scripts/pending/Get-SqlServerLinkCrawl.ps1 ● Author: Antti Rantasaari
  • 82. Escalating Privileges: Crawling Server Links DEMO
  • 86. Escalating Privileges: UNC Path Injection UNC Path Injection Summary ● UNC paths are used for accessing remote file servers like so 192.168.1.4file ● Almost all procedures that accept a file path in SQL Server, support UNC paths ● UNC paths can be used to force the SQL Server service account to authenticate to an attacker ● An attacker can then capture the NetNTLM password hash and crack or relay it ● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
  • 87. Escalating Privileges: UNC Path Injection
  • 88. Escalating Privileges: UNC Path Injection Oh yeah… By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path xp_dirtree xp_fileexists
  • 89. Escalating Privileges: UNC Path Injection So, in summary… The PUBLIC role can access the SQL Server service account NetNTLM password hash by default!!
  • 90. Escalating Privileges: UNC Path Injection But who really has PUBLIC role access? Oh yeah, a ton of domain users 
  • 92. Escalating Privileges: UNC Path Injection DEMO
  • 94. Escalating Privileges: OS Admin to SysAdmin Two things to know… 1. Different SQL Server versions can be abused in different ways 2. All SQL Server versions provide the service account with sysadmin privileges.
  • 95. Escalating Privileges: OS Admin to SysAdmin Approach 2000 2005 2008 2012 2014 2016 LSA Secrets x x x x x x Local Administrator x x LocalSystem x x x Process Migration x x x x x x Token Stealing x x x x x X Single User Mode ? x x x x x Below are some options for leveraging that knowledge...
  • 96. Escalating Privileges: OS Admin to SysAdmin Here are some tool options... Approach Common Tools Access as Local Administrator Management Studio, sqlcmd, and other native SQL client tools. Access as LocalSystem Psexec, accessibility options, debugger with native SQL client tools. Recover SQL Server service account password from LSA Secrets Mimikatz, Metasploit, lsadump. Inject shellcode or DLL into the SQL Server service process Metasploit, Empire, Python, Powershell, C, C++ (LoadLibrary,CreateRemoteThread, and similar functions) Steal Authentication Token From SQL Server service process Metasploit, Incognito, Invoke-TokenManipulation Single User Mode DBATools
  • 98. Post Exploitation: Overview Common Post Exploitation Activities 1. Establish Persistence • SQL Server Layer: startup procedures, agent jobs, triggers, modified code • OS Layer: Registry & file auto runs, tasks, services, etc. 2. Identify Sensitive Data • Target large databases • Locate transparently encrypted databases • Search columns based on keywords and sample data • Use regular expressions and the Luhn formula against data samples 3. Exfiltrate Sensitive Data • All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
  • 99. Post Exploitation: Persistence Task Command Example Registry Autorun Persistence Get-SQLPersistRegRun -Verbose -Name EvilSauce -Command "EvilBoxEvilSandwich.exe" -Instance "SQLServer1STANDARDDEV2014" Debugger Backdoor Persistence Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe -Command 'c:windowssystem32cmd.exe' -Instance "SQLServer1STANDARDDEV2014"
  • 101. Post Exploitation: Finding Sensitive Data Task Command Example Locate Encrypted Databases Get-SQLInstanceDomain -Verbose | Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults | Where-Object {$_.is_encrypted –eq “TRUE”} Locate and Sample Sensitive Columns and Export to CSV Get-SQLInstanceDomain -Verbose | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults | Export-CSV –NoTypeInformation c:tempdatasample.csv
  • 102. Post Exploitation: Finding Sensitive Data DEMO
  • 103. Post Exploitation: Finding Sensitive Data DEMO
  • 105. General Recommendations Things to do… 1. Enforce least privilege everywhere! 2. Disable dangerous default stored procedures. 3. Audit and fix insecure configurations. 4. Use policy based management for standardizing configurations. 5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
  • 106. PowerUpSQL Overview: Thanks! Individual Third Party Code / Direct Contributors Boe Prox Runspace blogs Warren F. ( RamblingCookieMonster) Invoke-Parallel function Oyvind Kallstad Test-IsLuhnValid function Kevin Robertson Invoke-Inveigh Joe Bialek Invoke-TokenManipulation Antti Rantasaari, Eric Gruber, and Alexander Leary, @leoloobeek, and @ktaranov Contributions and QA Khai Tran Design advice NetSPI assessment team and dev team Design advice
  • 107. Speaker Information Name: Scott Sutherland Job: Network & Application Pentester @ NetSPI Twitter: @_nullbind Slides: http://slideshare.net/nullbind http://slideshare.net/netspi Blogs: https://blog.netspi.com/author/scott-sutherland/ Code: https://github.com/netspi/PowerUpSQL https://github.com/nullbind

Editor's Notes

  • #5: More integrated than Oracle, db2, and mysql
  • #8: COMMON USE CASES phishing - clickonce, java applet, macro in office Sql injection download craddle
  • #9: Skip
  • #10: Skip
  • #11: Skip
  • #23: Just touch on alternative user.
  • #24: Skip
  • #45: Cornucopia of excessive privileges.
  • #46: Cornucopia of excessive privileges.
  • #47: Cornucopia of excessive privileges.
  • #48: Cornucopia of excessive privileges.
  • #49: Cornucopia of excessive privileges.
  • #50: Cornucopia of excessive privileges.
  • #51: Cornucopia of excessive privileges.
  • #52: Cornucopia of excessive privileges.
  • #53: Cornucopia of excessive privileges.
  • #54: Cornucopia of excessive privileges.
  • #55: Cornucopia of excessive privileges.
  • #56: Cornucopia of excessive privileges.
  • #57: Cornucopia of excessive privileges.
  • #58: Cornucopia of excessive privileges.
  • #59: Cornucopia of excessive privileges.
  • #60: Cornucopia of excessive privileges.
  • #62: Cornucopia of excessive privileges.
  • #70: Cornucopia of excessive privileges. You get sysadmins.
  • #71: Architecture overview.
  • #72: SQL injection.
  • #73: Scenario Database account with excessive privileges Shared service account Use xp_cmdshell to verify local command execution
  • #74: Use xp_cmdshell and OSQL to: Enumerate databases on the internal network Issues queries on remote HVA database server that is configured with the same service account. No alerts – using trusted account and non destructive native functionality No logs (or few logs) – No account creation or group modification No accountability!
  • #76: Another REALLY COOL lateral movement / privilege escalation technique.
  • #77: Architecture overview.
  • #78: Scenario No sysadmin role No excessive service account access No shared service account access Enumerate linked servers Find link to DB1 - Used to transmit marketing metrics to DB1
  • #79: Connect to DB1 (linked server) via OPENQUERY Has least privilege Enumerate linked servers Find link to HVA - Used to pull marketing metrics to DB1
  • #80: Connect to HVA (linked server) via NESTED OPENQUERY Configured with the SA account HVA could have access to other resources Nesting can continue Nested  Shared service account with excessive privs Linked database can be direct between high value and low value Other server not on the diagram Can be nested many times
  • #85: Neo4j Bloodhound pending
  • #87: Here’s the good one 
  • #92: Cornucopia of excessive privileges.
  • #107: Skip