Everything you should already know about MS-SQL post-exploitation

All About Me
- Name: Rob Beck (whitey)
- Title: Director of Assessment
- Contact: rob.beck@attackresearch.com
- Background: Career pen-tester (MS/@stake/Honeywell/AR), security hobbyist and researcher, slacker

Copyright ©2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com

What Is SQL Post-Exploitation?
The steps taken by an attacker following successful SQL access or command execution.
- Motivation or purpose
- Level of access achieved
- Amount of stealth required
- Persistence

Why MS-SQL Post Exploitation?
- Most pen-test resources lack details
- The explanations given are limited
- Extended functionality not covered
- Lots of don'ts without reason in hardening docs
- People still aren't using this stuff or get stuck
- Apparently it was interesting enough for you

- Nothing covered in this presentation is new
- Everything presented is actively being used
- Everything presented can be prevented
- This talk assumes you have SQL access
- MS-SQL is a subject of interest, not expertise
- The subject is databases, which is boring
- Pro-tip: You might be bored
What's Covered
- Utilizing SQL procedures to attack the host
- Lesser known evils (some don'ts explained)
- Credential harvesting scenario
- Potential for using the DB in attacks
- Persistence tricks

I Have Access, Now What?
- If you have DBO/sa you win! (There's more to it)
  - Owning the host or just the DB
  - Persistence
- If you don't have DBO/sa it could be research time
  - Stored procedures
  - Extended stored procedures
  - Assemblies
  - Good old fashioned exploits
- Sometimes it's just about the data

Things to Consider
What's really important:
- Getting xp_cmdshell() - do you need it?
- Adding accounts - not too stealthy
- Total capabilities in the SQL instance
- Blind injection: not always so blind
- Network access to/from SQL instance
- Validity of SQL credentials elsewhere

Lessons Learned
Over the past year:
- 30 assessments
- 20 of them were successful due to SQL
- 0 of them detected anything wrong
- All of them neglected to restrict access
- 3 of them had blank sa account instances
- Only 5 of them had plans to upgrade to SQL 2k8
- Development environments were always BAD
People Are Still Running SQL As System
- Large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM
- If it's not local system, it's most likely still admin
- If it's a domain account
  - Used elsewhere
  - Still likely to be system admin
- Of the small percentage who aren't local system or admin
  - Few if any additional hardening steps are being taken
  - Shared accounts on hosts that were using privileged accounts

Reality
- A majority of SQL instances that exist are legacy and will be for some time
- Everything is vanilla
- Shared accounts are a certainty
- Logging is performed, but never observed
- Lack of access is usually a by-product

Why Are Things Broken
- People are lazy
- Nobody has the resources
- The people who make the rules
- Good enough is better than best

sp_OACreate

Check That Advanced Options Are Enabled
If it doesn't execute, it might need some help. Each of these may require a call to sp_configure*:

  Procedure Name   Configuration Option Name
  xp_cmdshell      xp_cmdshell
  sp_OACreate      Ole Automation Procedures
  xp_sendmail      SQL Mail XPs

* A query of 'UPDATE sys.configurations [..]' also does the trick
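The table above maps each procedure to the sp_configure option it depends on. The following T-SQL is an added example written for this page, not material from the deck or from Attack Research: it reads the state of those options from the catalog, pulls the error-log lines that record when they were last flipped, shows which Windows account the engine runs as (the "People Are Still Running SQL As System" point), and turns the procedures back off. It assumes sysadmin or serveradmin rights; every catalog object and option name used is a real SQL Server object, with version caveats noted in the comments.

```sql
-- Added example, not from the slides: audit and revert the options that the
-- "Check That Advanced Options Are Enabled" table maps to each procedure.
-- Assumes sysadmin/serveradmin rights on the instance.

-- 1. Current state of the options the deck names, plus CLR (needed by CREATE
--    ASSEMBLY). value differs from value_in_use until RECONFIGURE has run, so a
--    pending change shows up here too.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CAST(value AS int)        AS configured_value,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'ENABLED - review' ELSE 'off' END AS verdict
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures', 'SQL Mail XPs',
                'clr enabled', 'show advanced options')
ORDER BY name;

-- 2. sp_configure writes a line to the SQL Server error log every time an
--    option changes ("Configuration option 'xp_cmdshell' changed from 0 to 1.
--    Run the RECONFIGURE statement to install."). xp_readerrorlog is
--    undocumented but present on all supported versions; arguments are the log
--    number (0 = current), the log type (1 = SQL error log) and two search strings.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Configuration option', N'changed from';

-- 3. The Windows account each SQL service runs under. sys.dm_server_services
--    exists from SQL Server 2008 R2 SP1 onward; on older builds read the
--    service account from the Services console instead.
SELECT servicename, service_account, startup_type_desc
FROM   sys.dm_server_services;

-- 4. Hardening: switch the procedures off. These are "advanced" options, so
--    'show advanced options' has to be on for sp_configure to accept the names.
--    'SQL Mail XPs' only exists where SQL Mail still ships (2005/2008); on later
--    versions sp_configure rejects the name, so drop that line there.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Query 1 run on a schedule, with an alert on any row whose verdict is not "off", is the cheapest detection for the whole first half of this deck; query 2 gives you the timestamp of the change to line up against connection logs.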
Even if procedure access is allowed, object access might not be

You Don't Have To Script A File Read
sp_OACreate with the Scripting.FileSystemObject is nice, but it's a bit much for just reading the contents of a file. A bulk insert will usually get the job done.

You can still operate as the SQL account

Some Things Require Finesse
..there are limitations even to the ex-sprocs.

Some Things Require More Finesse
Wscript's RegRead would be a good choice, but..
..though not all failures are a bad thing (not for us).

Forget Finesse, Go With What You Know
Finally.

Any custom registered component

Why Not Register Your Own
If you can execute commands and have elevated access, why not use your own controls?
-- RegSrv32.exe /c <your OLE DLL/OCX>
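The slides above hinge on who is allowed to call the OLE automation procedures, run a bulk insert, or reach the host at all. The T-SQL below is an added example for this page (not the deck's own material) that answers that question for an instance: fixed-role membership, explicit server permissions, direct EXECUTE grants on the procedures in master, and whether a proxy account is set up for non-sysadmin xp_cmdshell callers. It assumes sysadmin rights and uses only documented catalog views and the real procedure names.

```sql
-- Added example, not from the deck: who on this instance can use the
-- procedures the slides lean on. Assumes sysadmin rights.

-- 1. Fixed server roles that give host-level reach: sysadmin (xp_cmdshell,
--    sp_OA*, CREATE ASSEMBLY) and bulkadmin (BULK INSERT reads any file the
--    service account can open).
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name IN ('sysadmin', 'bulkadmin')
ORDER BY r.name, m.name;

-- 2. Explicit server-level grants that achieve the same without role membership.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.permission_name IN ('ADMINISTER BULK OPERATIONS', 'CONTROL SERVER',
                              'UNSAFE ASSEMBLY', 'EXTERNAL ACCESS ASSEMBLY');

-- 3. Direct EXECUTE grants on the risky procedures in master. A login that is
--    not sysadmin can only reach xp_cmdshell, sp_OACreate or the registry and
--    file-system xp_ procedures if someone granted it this. Expect no rows.
SELECT OBJECT_NAME(pe.major_id, DB_ID('master')) AS procedure_name,
       pr.name AS grantee, pe.permission_name, pe.state_desc
FROM   master.sys.database_permissions AS pe
JOIN   master.sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class = 1   -- object or column
  AND  pe.major_id IN (OBJECT_ID('master.sys.xp_cmdshell'),
                       OBJECT_ID('master.sys.sp_OACreate'),
                       OBJECT_ID('master.sys.sp_OAMethod'),
                       OBJECT_ID('master.sys.sp_OAGetProperty'),
                       OBJECT_ID('master.sys.xp_regread'),
                       OBJECT_ID('master.sys.xp_dirtree'),
                       OBJECT_ID('master.sys.xp_fileexist'));

-- 4. If the xp_cmdshell proxy credential exists, non-sysadmin callers run
--    shell commands as that Windows account rather than being refused.
SELECT name, credential_identity, create_date
FROM   sys.credentials
WHERE  name = '##xp_cmdshell_proxy_account##';
```

Every row from queries 2 through 4 is a decision somebody made; the review question for each is whether the grantee still needs it, and the fix is REVOKE or dropping the credential, not another configuration flag.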
SQL Methods For Compiled Code
SQL provides a number of facilities for running compiled code:
- Extended stored procedures
- Assemblies
- OLE Automation
- Standard console access

File Locations Can Be Fun
SQL recognizes standard file paths: UNC shares are valid paths in the creation of extended stored procedures and assemblies. Alternate streams work just fine.

SQL As An Attack Framework
Depending on the level of access, SQL makes a great attack platform:
- Loading of compiled code modules
  - Local files
  - Network shares
- Execution of scripting resources
- Facilitates the storage of results (go figure)
- No one ever expects the SQL instance!

Where To Go From Here
Silly Persistence Tricks - the dumb stuff usually works best.
- Triggers
- Guest account
- Spiking the Model database
- ALWAYS dump the SQL passwords
- Data copying and backup permissioning

Questions?

Editor's Notes
Luckily, or unfortunately (point of view), this is still the case and all too common.
DBAs are always told to disable these extended stored procedures, but it's not always covered why they're so bad. The dirtree, fileexist, and subdirs ex-sprocs can be a lot more devastating (useful) than one might think. Even the sp's (rather than ex-sp's) can pose a significant risk as well if they accept a UNC path as a parameter. A lot of these have been ACL'd away from normal users by default, but xp_fileexist made its way into MS-SQL 2k8. CREATE ASSEMBLY also allows UNC paths; not an extended sproc, but worth mentioning here.

A lot of pentesters and attackers assume that xp_cmdshell isn't available because commands don't execute; they're further confused when a call to sp_addextendedproc doesn't work. xp_cmdshell needs to be enabled.

Using the sp_OACreate, sp_OAMethod, and sp_OADestroy methods, the same functionality as xp_cmdshell can be accomplished. Unfortunately the results of a command execution aren't directly accessible and must go to temporary storage (a file on disk). Luckily, since it's being used in a scripting environment, we can access the %TEMP% and %SYSTEM% environment variables to help stage temp storage directories and other valuable information.

No sense in going through all the trouble of scripting a file read when you can have SQL do all the work. A minimal footprint on the system is always better for stealth.

Fail #1

Fail #2 - but this looks interesting.

Now we're in business.

The limited documentation and examples available on the sp_OA methods usually only cover Wscript; the system is full of other fun controls.

If you can access Wscript to execute shell commands, why stop there? If you have expanded access on the host, you can always register your own controls for use by the sp_OA methods.

SQL facilitates 2 existing methods that will load and execute compiled code.

All of the typical path fun for files works from inside SQL.

Repurpose the platform to facilitate your foothold into an environment. Everything an attacker would need is available in SQL, and if you operate entirely in the environment you leave a minimal footprint on the actual host.
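The "Where To Go From Here" slide lists the persistence spots (triggers, guest account, the model database, backup permissioning, dumped SQL passwords), and the "File Locations Can Be Fun" slide and the notes above point out that extended procedures and CREATE ASSEMBLY accept UNC paths. The T-SQL below is an added example for this page, not the deck's own material: one hunt that walks each of those places on an instance. It assumes sysadmin rights; sp_MSforeachdb is undocumented but present on every version, and every other object referenced is a documented catalog view.

```sql
-- Added example, not from the deck or its author: hunt the persistence spots
-- on "Where To Go From Here" and code loaded from odd paths. Assumes sysadmin.
-- sp_MSforeachdb is undocumented; '?' expands to each database name.

-- 1. Server-scoped triggers. A LOGON trigger runs for every new connection, so
--    anything listed here deserves a read of its definition.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM   sys.server_triggers;

-- 2. Non-Microsoft objects in model. model is the template for every new
--    database, so a procedure or trigger planted here reappears in each one.
SELECT name, type_desc, create_date, modify_date
FROM   model.sys.objects
WHERE  is_ms_shipped = 0;

-- 3. User-created DDL and DML triggers in every database.
EXEC sp_MSforeachdb N'
SELECT N''?'' AS database_name, t.name, t.parent_class_desc, t.type_desc,
       t.is_disabled, t.create_date, t.modify_date
FROM   [?].sys.triggers AS t
WHERE  t.is_ms_shipped = 0;';

-- 4. Databases where guest can connect. master, tempdb and msdb have guest on
--    by default and it cannot be revoked there, so they are skipped.
EXEC sp_MSforeachdb N'
IF N''?'' NOT IN (N''master'', N''tempdb'', N''msdb'')
SELECT N''?'' AS database_name, p.permission_name, p.state_desc
FROM   [?].sys.database_permissions AS p
JOIN   [?].sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE  u.name = N''guest'' AND p.permission_name = N''CONNECT'' AND p.state = N''G'';';

-- 5. Compiled code the engine will load: user-registered extended procedures
--    (dll_name may point at a UNC share or an alternate data stream) and user
--    CLR assemblies with their permission set.
SELECT name, dll_name
FROM   master.sys.extended_procedures
WHERE  is_ms_shipped = 0;

EXEC sp_MSforeachdb N'
SELECT N''?'' AS database_name, a.name, a.permission_set_desc, a.clr_name, a.create_date
FROM   [?].sys.assemblies AS a
WHERE  a.is_user_defined = 1;';

-- 6. Who can take a backup, and so walk off with a copy of the data: members of
--    db_backupoperator and explicit BACKUP grants, per database.
EXEC sp_MSforeachdb N'
SELECT N''?'' AS database_name, u.name AS grantee, N''db_backupoperator'' AS via
FROM   [?].sys.database_role_members AS rm
JOIN   [?].sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN   [?].sys.database_principals  AS u ON u.principal_id = rm.member_principal_id
WHERE  r.name = N''db_backupoperator''
UNION ALL
SELECT N''?'', u.name, p.permission_name
FROM   [?].sys.database_permissions AS p
JOIN   [?].sys.database_principals  AS u ON u.principal_id = p.grantee_principal_id
WHERE  p.permission_name IN (N''BACKUP DATABASE'', N''BACKUP LOG'') AND p.state = N''G'';';

-- 7. SQL logins with an empty password (the "blank sa" case from Lessons
--    Learned) and sa itself, so it can be disabled or renamed.
SELECT name, is_disabled, is_policy_checked, modify_date
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  name = 'sa';
```

Baseline the output once on a known-clean instance and diff it on each run; the create_date and modify_date columns are what let you tie a new trigger, assembly or model object back to a window in the connection logs, which is the "logging is performed, but never observed" gap the Reality slide describes.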