Hacking SQL Server on Scale with PowerShell

Hacking SQL Server on
Scale with PowerShell
DerbyCon 6.0

Speaker Information
Name: Scott Sutherland
Job: Network & Application Pentester @ NetSPI
Twitter: @_nullbind
Slides: http://slideshare.net/nullbind
http://slideshare.net/netspi
Blogs: https://blog.netspi.com/author/scott-sutherland/
Code: https://github.com/netspi/PowerUpSQL
https://github.com/nullbind

Presentation Overview
● Why SQL Server and PowerShell?
● PowerUpSQL Overview
● Finding & Accessing SQL Servers
● Privilege Escalation Scenarios
o Domain user to SQL Server login
o SQL Server Login to Sysadmin
o Sysadmin to Windows Admin
o Windows Admin to Sysadmin
o Domain Escalation
● Post Exploitation Activities
● General Recommendations

Why SQL Server?
● Used in most enterprise environments
● Supports local Windows and Domain authentication
● Integrates with lots of Windows applications

Why PowerShell?
● Native to Windows
● Run commands in memory
● Run managed .net code
● Run unmanaged code
● Avoid detection by legacy Anti-virus
● Already flagged as "trusted" by most
application whitelist solutions
● A medium used to write many open source
Pentest toolkits

PowerUpSQL Overview: Project Goals
Project Goals (Get-Abilities) 
● Scalability via runspace threading
● Flexibility via pipeline support
● Portability
● No SMO dependancies
● .Net Framework libraries
● PowerShell v.2 compliant (in theory)
● Single file
Functional Goals
● Discover SQL Servers from different attacker perspectives
● Inventory SQL Servers quickly
● Audit SQL Servers for common insecure configurations
● Escalate privileges quickly on SQL Servers
● Support authentication using SQL Login or Windows Credential

PowerUpSQL Overview: Functions
Primary Attack Functions
● Invoke-SQLDumpInfo
● Invoke-SQLAudit
● Invoke-SQLPrivEsc
● Invoke-SQLOsCmd
Function list and dev roadmap is on the wiki
https://github.com/NetSPI/PowerUpSQL/wiki
Currently 59 Functions

PowerUpSQL Overview: Where can I get it?
Github
https://github.com/netspi/PowerUpSQL
PowerShell Gallery
https://www.powershellgallery.com/packages/PowerUpSQL/

PowerUpSQL Overview: How to I install it?
Github
Import-Module PowerUpSQL.psd1
IEX(New-Object
System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P
owerUpSQL.ps1")
Execute policy work arounds
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
PowerShell Gallery
Install-Module -Name PowerUpSQL

SQL Server Basics
What is SQL Server?
● A database platform
● An application
● A set of Windows services

SQL Server Basics: Account Types
Account Types
● Windows Accounts
o Used to login
o Mapped to SQL Server login
● SQL Server Logins
o Used to login
o Mapped to database account
● Database Users
o Used to access databases

SQL Server Basics: Common Roles
Important SQL Server Roles
● Sysadmin role
○ Database administrator account
○ Think of it as the “Administrators” Windows group,
but in SQL Server
● Public role
○ Only provides CONNECT permission
○ Think of it as the “Everyone” Windows group, but
in SQL Server

Find SQL Servers: Techniques
Attacker Perspective Technique
Unauthenticated ● List from file
● TCP port scan
● UDP port scan
● UDP broadcast
● Azure DNS dictionary attack (x.databases.windows.net)
● Azure DNS lookup via public resources
Local User ● Services
● Registry entries
Domain User ● Service Principal Names
● Azure Portal / PowerShell Modules

Find SQL Servers: PowerUpSQL
Attacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/

Escalating
Privileges
Domain User to SQL Login

Testing Login Access: Overview
PowerUpSQL Functions
● Invoke-SQLAuditWeakLoginPw
● Get-SQLConnectionTestThreaded

Testing Login Access: Command Examples
Attacker
Perspective
Command Example
Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded
-Verbose -Threads 15 -Username testuser -Password testpass
Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose
Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
-Verbose -Threads 15
Alternative
Domain User
runas /noprofile /netonly /user:domainuser PowerShell.exe
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
-Verbose -Threads 15

Testing Login Access: Reuse Discovery List
Process Command Example
Enumerate
Accessible Servers
$Accessible = Get-SQLInstanceDomain |
Get-SQLConnectionTestThreaded -Verbose -Threads 15 |
Where-Object {$_.Status –like “Accessible”}
Get server information $Acessible | Get-SQLServerInfo -Verbose
Get database list $Acessible | Get-SQLDatabase -Verbose
Perform audit $Acessible | Invoke-SQLAudit -Verbose

Testing Login Access: Domain User Access
DEMO

Testing Login Access: Demo
DEMO

Escalating Privileges: Domain User
Why can Domain Users login into so many
SQL Servers?
● Admins give them access
● Privilege inheritance issue on domain
systems = Public role access

Escalating
Privileges
SQL Login to SysAdmin

Escalating Privileges: Getting Sysadmin Privs
How can I get sysadmin privileges?
● Weak Passwords
o Blind user enumeration
o Default vendor passwords
o Weak passwords
● SQL Injection in Stored Procedures
o EXECUTE AS LOGIN
o Signed procedures
● Excessive Privileges
o Roles: DB_OWNER, DB_DDLADMIN, etc
o Permissions: Impersonation, agent jobs,
triggers, xp_cmdshell, importing assemblies
o Write access to autorun procedures

Escalating Privileges: DEMO
DEMO
Invoke-SQLAudit

Escalating Privileges: Invoke-SQLPrivEsc
Whooray for Automation Demo!

DEMO
Invoke-SQLPrivEsc

Escalating Privileges: Invoke-SQLPrivEsc
DEMO

Escalating
Privileges
SysAdmin to Service Account

Escalating Privileges: SysAdmin to Service Account
OS Command Execution = Service Account Impersonation
You don’t need to know the password, crack a hash, or PTH
Service Account Types
● Local User
● Local System
● Network Service
● Local managed service account
● Domain managed service account
● Domain User
● Domain Admin

Escalating Privileges: SysAdmin to Service Account
OS Command Execution = Service Account Impersonation
Executing OS Commands:
● xp_cmdshell
● Custom extended stored procedures
● Agent jobs
● ActiveX Script
● CmdExec
● PowerShell
● Analysis Services Command (PoC pending)
● Analysis Services Query (PoC pending)
● SSIS Package
● Registry autoruns

Escalating Privileges: Invoke-SQLOSCmd
Invoke-SQLOSCMD can be used for basic command execution.
PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10
ComputerName Instance CommandResults
--------------------- ----------- --------------
SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress
SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem
SQLServer1 SQLServer1 DomainSQLSvc

Escalating
Privileges
Shared Service Accounts

Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them!
One account to rule them all!

InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts

InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key

InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Execute Local Command
via xp_cmdshell
2
Key

InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Execute Local Command
via xp_cmdshell
2
Access to HVA with shared domain service account
Key
Execute commands and
gather data from other
database servers via osql
3

Escalating
Privileges
Crawling Database Links

Escalating Privileges: Crawling Database Links
What’s a database link?
● Database links are basically persistent database connections for SQL Servers.
Why should I care?
● Short answer = privilege escalation
● Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’)
● Stored procedures can be executed (xp_cmdshell)
● Links can be crawled

InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain EvilKey
Leveraging MS SQL Database links
DB1
LVA

InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
DB1
LVA

InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
D
B
Link
w
ith
LeastPrivileges
DB1
LVA

InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
D
B
Link
w
ith
LeastPrivileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and
local commands on
database servers via
nested linked services
2

Penetration Test Stats
● Database links exist (and can be crawled) in about 50% of environments we’ve seen
● The max number of hops we’ve seen is 12
● The max number of servers crawled is 226

Old Script
● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Script
● /scripts/pending/Get-SqlServerLinkCrawl.ps1
● Author: Antti Rantasaari

DEMO

Escalating Privileges: Database Links
DEMO

Escalating
Privileges
UNC Path Injection

Escalating Privileges: UNC Path Injection
UNC Path Injection Summary
● UNC paths are used for accessing remote file servers like so 192.168.1.4file
● Almost all procedures that accept a file path in SQL Server, support UNC paths
● UNC paths can be used to force the SQL Server service account to authenticate to an attacker
● An attacker can then capture the NetNTLM password hash and crack or relay it
● Relay becomes pretty easy when you know which SQL Servers are using shared accounts

Oh yeah…
By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtree
xp_fileexists

So, in summary…
The PUBLIC role can access the
SQL Server service account
password hash by default!!

But who really has
Public role access?
Oh yeah, a ton of domain users 

DEMO
Get-SQLServiceAccountPwHashes
…what? It’s self descriptive 

DEMO

Escalating
Privileges
OS Admin to SysAdmin

Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges.

Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x ?
Token Stealing x x x x x ?
Single User Mode ? x x x x x
Below are some options for leveraging that knowledge...

Here are some tool options...
Approach Common Tools
Access as Local Administrator Management Studio, sqlcmd, and other native SQL client tools.
Access as LocalSystem Psexec, accessibility options, debugger with native SQL client
tools.
Recover service account
password via LSA Secrets
Mimikatz, Metasploit, lsadump.
Inject code to Run in the SQL
Server’s Process
Metasploit, Python, Powershell
(LoadLibrary,CreateRemoteThread, and similar functions)
Steal Authentication Token From
Service Process
Metasploit, Incognito, Invoke-TokenManipulation
Single User Mode DBATools

Common
Post
Exploitation
Activities

Post Exploitation: Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling,
ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL
yet)

Post Exploitation : Persistence
Task Command Example
Registry Autorun
Persistence
Get-SQLPersistRegRun -Verbose -Name EvilSauce
-Command "EvilBoxEvilSandwich.exe" -Instance
"SQLServer1STANDARDDEV2014"
Debugger Backdoor
Persistence
Get-SQLPersistRegDebugger -Verbose -FileName utilman.exe
-Command 'c:windowssystem32cmd.exe' -Instance
"SQLServer1STANDARDDEV2014"

Post Exploitation : Post Exploitation

Post Exploitation : Finding Sensitive Data
Task Command Example
Locate Encrypted
Databases
Get-SQLInstanceDomain -Verbose |
Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults |
Where-Object {$_.is_encrypted –eq “TRUE”}
Locate and Sample
Sensitive Columns
and Export to CSV
Get-SQLInstanceDomain -Verbose |
Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword
“credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults |
Export-CSV –NoTypeInformation c:tempdatasample.csv

Post Exploitation: Finding Sensitive Data
DEMO

General Recommendations
Things to do…
1. Enforce least privilege everywhere!
2. Disable dangerous default stored procedures.
3. Audit and fix insecure configurations.
4. Use policy based management for standardizing configurations.
5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.

PowerUpSQL Overview: Thanks!
Individual Third Party Code / Direct Contributors
Boe Prox Runspace blogs
Warren F. ( RamblingCookieMonster) Invoke-Parallel function
Oyvind Kallstad Test-IsLuhnValid function
Kevin Robertson Invoke-Inveigh
Joe Bialek Invoke-TokenManipulation
Antti Rantasaari, Eric Gruber, and Alexander Leary Contributions and QA
Khai Tran Design advice
NetSPI assessment team and dev team Design advice

Name: Scott Sutherland
Job: Network & Application Pentester @ NetSPI
Twitter: @_nullbind
Slides: http://slideshare.net/nullbind
http://slideshare.net/netspi
Blogs: https://blog.netspi.com/author/scott-sutherland/
Code: https://github.com/netspi/PowerUpSQL
https://github.com/nullbind
Hacking SQL Server on Scale with PowerShell

Hacking SQL Server on Scale with PowerShell

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (12)

Similar a Hacking SQL Server on Scale with PowerShell

Similar a Hacking SQL Server on Scale with PowerShell (20)

Más de Scott Sutherland

Más de Scott Sutherland (8)

Último

Último (20)

Hacking SQL Server on Scale with PowerShell

Notas del editor