Everything you should already know about MS-SQL post-exploitation

SOURCE Seattle 2011 - Rob Beck

Speaker notes:
  • Luckily, or unfortunately (point of view), this is still the case and all too common.
  • DBAs are always told to disable these extended stored procedures, but it’s not always covered why they’re so bad. The dirtree, fileexist, and subdirs ex-sprocs can be a lot more devastating (useful) than one might think. Even the sp’s (rather than ex-sp’s) can pose a significant risk if they accept a UNC path as a parameter. A lot of these have been ACL’d away from normal users by default, but xp_fileexist made its way into MS-SQL 2k8. CREATE ASSEMBLY also allows UNC paths; it is not an extended sproc, but worth mentioning here.
  • A lot of pentesters and attackers assume that xp_cmdshell isn’t available because commands don’t execute; they’re further confused when a call to sp_addextendedproc doesn’t work either. xp_cmdshell needs to be enabled.
  • Using the sp_OACreate, sp_OAMethod, and sp_OADestroy methods, the same functionality as xp_cmdshell can be accomplished. Unfortunately the results of a command execution aren’t directly accessible and must go to temporary storage (a file on disk). Luckily, since it’s being used in a scripting environment, we can access the %TEMP% and %SYSTEM% environment variables to help stage temp storage directories and other valuable information.
  • No sense in going through all the trouble of scripting a file read when you can have SQL do all the work.
  • A minimal footprint on the system is always better for stealth.
  • Fail #1
  • Fail #2 – but this looks interesting.
  • Now we’re in business.
  • The limited documentation and examples available on the sp_OA methods usually only cover Wscript; the system is full of other fun controls.
  • If you can access Wscript to execute shell commands, why stop there? If you have expanded access on the host, you can always register your own controls for use by the sp_OA methods.
  • SQL facilitates 2 existing methods that will load and execute compiled code.
  • All of the typical path fun for files works from inside SQL.
  • Repurpose the platform to facilitate your foot-hold into an environment. Everything an attacker would need is available in SQL, and if you operate entirely in the environment you leave a minimal footprint on the actual host.

Slide 1. ATTACK RESEARCH - Advanced Computer Security Research & Consulting

Slide 2. MS-SQL Post Exploitation: Everything you should already know.
Presented By: Rob Beck

Slide 3. All About Me
Name: Rob Beck (whitey)
Title: Director of Assessment
Contact: rob.beck@attackresearch.com
Background:
  • Career pen-tester (MS/@stake/Honeywell/AR)
  • Security hobbyist and researcher
  • Slacker
Copyright ©2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com
Slide 4. What Is SQL Post-Exploitation?
The steps taken by an attacker following successful SQL access or command execution.
  • Motivation or purpose
  • Level of access achieved
  • Amount of stealth required
  • Persistence

Slide 5. Why MS-SQL Post Exploitation?
  • Most pen-test resources lack details
  • The explanations given are limited
  • Extended functionality not covered
  • Lots of don’ts without reason in hardening docs
  • People still aren’t using this stuff or get stuck
  • Apparently it was interesting enough for you

Slide 6.
  • Nothing covered in this presentation is new
  • Everything presented is actively being used
  • Everything presented can be prevented
  • This talk assumes you have SQL access
  • MS-SQL is a subject of interest, not expertise
  • The subject is databases, which is boring
  • Pro-tip: You might be bored

Slide 7. What’s Covered
  • Utilizing SQL procedures to attack the host
  • Lesser known evils (some don’ts explained)
  • Credential harvesting scenario
  • Potential for using the DB in attacks
  • Persistence tricks

Slide 8. I Have Access, Now What?
  • If you have DBO/sa you win! (There’s more to it)
      • Owning the host or just the DB
      • Persistence
  • If you don’t have DBO/sa it could be research time
      • Stored procedures
      • Extended stored procedures
      • Assemblies
      • Good old fashioned exploits
  • Sometimes it’s just about the data

Slide 9. What’s Really Important - Things to Consider
  • Getting xp_cmdshell() – Do you need it?
  • Adding accounts - Not too stealthy
  • Total capabilities in the SQL instance
  • Blind injection: not always so blind
  • Network access to/from SQL instance
  • Validity of SQL credentials elsewhere

Slide 10. Lessons Learned
Over the past year: 30 assessments
  • 20 of them were successful due to SQL
  • 0 of them detected anything wrong
  • All of them neglected to restrict access
  • 3 of them had blank sa account instances
  • Only 5 of them had plans to upgrade to SQL 2k8
  • Development environments were always BAD

Slide 11. People Are Still Running SQL As System
  • Large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM
  • If it’s not local system, it’s most likely still admin
  • If it’s a domain account
      • Used elsewhere
      • Still likely to be system admin
  • Of the small percentage who aren’t local system or admin
      • Few if any additional hardening steps are being taken
      • Shared accounts on hosts that were using privileged accounts

Slide 12. Reality
  • A majority of SQL instances that exist are legacy and will be for some time
  • Everything is vanilla
  • Shared accounts are a certainty
  • Logging is performed, but never observed
  • Lack of access is usually a by-product

Slide 13. Why Are Things Broken
  • People are lazy
  • Nobody has the resources
  • The people who make the rules
  • Good enough is better than best
Slide 14. Extended Stored Procedures - The Hidden Usage
The other fun extended stored procedures:
  • xp_dirtree *
  • xp_enumdsn
  • xp_enumerrorlogs
  • xp_enumgroups
  • xp_fileexist **
  • xp_fixeddrives
  • xp_getnetname
  • xp_subdirs *
  • xp_regdeletekey
  • xp_regdeletevalue
  • xp_regread
  • xp_regwrite
* Can specify a UNC path
** Still around in SQL 2k8

  • sp_addextendedproc *
  • xp_cmdshell
  • sp_OACreate
Slide 39. Check That Advanced Options Are Enabled
If it doesn’t execute, it might need some help.
Each of these may require a call to sp_configure*:

  Procedure Name    Configuration Option Name
  xp_cmdshell       xp_cmdshell
  sp_OACreate       Ole Automation Procedures
  xp_sendmail       SQL Mail XPs

* A query of ‘UPDATE sys.configurations [..]’ also does the trick

Slide 40. xp_cmdshell Isn’t The Only Command Shell
Commands can be executed by means of the sp_OACreate and sp_OAMethod procedures:
  • Used for OLE Automation
  • Access to the Wscript object (command execution)
  • Doesn’t require the creation of additional procedures
Caveats:
  • Limited to sysadmin role by default
  • Results aren’t always as easy to get as xp_cmdshell
  • Even if procedure access is allowed, object access might not be
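The two slides above name the sp_configure options (xp_cmdshell, Ole Automation Procedures, SQL Mail XPs) and the sysadmin role that gate these procedures. The following T-SQL is an added example, not from the talk or from Attack Research: it audits exactly those settings on an instance and then switches them off. It assumes a sysadmin login, SQL Server 2005 or later for sys.configurations, and 2008 R2 SP1 or later for sys.dm_server_services (drop that query on older builds).

```sql
-- Added example (not from the talk): audit and lock down the options the
-- deck relies on. Run as sysadmin against the instance under review.
USE master;

-- 1. Which of the sp_configure-gated options (slide 39) are on right now?
--    value_in_use = 1 means the procedure will execute today.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell',
               'Ole Automation Procedures', 'SQL Mail XPs');

-- 2. Who holds sysadmin? sp_OACreate is limited to this role by default
--    (slide 40), so every member here has an OLE command shell.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Which Windows account runs the service (slide 11)? Anything launched
--    through xp_cmdshell or an OLE object inherits exactly this identity.
--    Assumes SQL Server 2008 R2 SP1 or later.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 4. Turn the three options off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Keep the UNC-capable probes from slide 14 away from ordinary logins.
--    A DENY never binds sysadmin members; for them the fix is step 2,
--    fewer sysadmins.
DENY EXECUTE ON dbo.xp_dirtree   TO public;
DENY EXECUTE ON dbo.xp_fileexist TO public;
DENY EXECUTE ON dbo.xp_subdirs   TO public;
```

Re-run query 1 after the RECONFIGURE calls; all four rows should report 0, and any later change to them is a configuration event worth alerting on.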
Slide 43. You Don’t Have To Script A File Read
sp_OACreate with the Scripting.FileSystemObject is nice, but it’s a bit much for just reading the contents of a file.
A bulk insert will usually get the job done.
Slide 44. Credential Harvesting From SQL
Creating accounts is useful, but not too stealthy..
  • Accounts already exist on the host
  • Tokens most likely exist on the host (incognito)
  • Using existing accounts is a lot less noticeable
..all of the usual host-based tricks are open to SQL
  • SYSTEM is still SYSTEM
  • Administrator can still become SYSTEM
  • You can still operate as the SQL account

Slide 47. Some Things Require Finesse
..there are limitations even to the ex-sprocs.

Slide 48. Some Things Require More Finesse
Wscript’s RegRead would be a good choice, but..
..though not all failures are a bad thing (not for us).

Slide 49. Forget Finesse, Go With What You Know
Finally.
Slide 50. The OA Methods – Not Just For Wscript
The OA methods are for OLE Automation, not Wscript automation; any OLE object the SQL server context has access to can be utilized.
  • System configuration information (Shell.LocalMachine)
  • Windows firewall configuration (HNetCfg.FwMgr)
  • Fun things like UPnP mappings (HNetCfg.NATUPnP)
  • Any custom registered component

Slide 52. Why Not Register Your Own
If you can execute commands and have elevated access, why not use your own controls?
-- RegSrv32.exe /c <your OLE DLL/OCX>

Slide 53. SQL Methods For Compiled Code
SQL provides a number of facilities for running compiled code:
  • Extended stored procedures
  • Assemblies
  • OLE Automation
  • Standard console access

Slide 54. File Locations Can Be Fun
SQL recognizes standard file paths:
  • UNC shares are valid paths in the creation of extended stored procedures and assemblies.
  • Alternate streams work just fine.

Slide 55. The SQL As An Attack Framework
Depending on the level of access, SQL makes a great attack platform
  • Loading of compiled code modules
      • Local files
      • Network shares
  • Execution of scripting resources
  • Facilitates the storage of results (go figure)
  • No one ever expects the SQL instance!

Slide 56. Where To Go From Here
Silly Persistence Tricks – The dumb stuff usually works best.
  • Triggers
  • Guest account
  • Spiking the Model database
  • ALWAYS dump the SQL passwords
  • Data copying and backup permissioning

Slide 57. Questions?
