Everything you should already know about MS-SQL post-exploitation

SOURCE Seattle 2011 - Rob Beck

  1. ATTACK RESEARCH
     ADVANCED COMPUTER SECURITY
     RESEARCH & CONSULTING

  2. MS-SQL Post Exploitation: Everything you should already know.
     Presented By: Rob Beck

  3. All About Me
     Name: Rob Beck (whitey)
     Title: Director of Assessment
     Contact: rob.beck@attackresearch.com
     Background:
       Career pen-tester (MS/@stake/Honeywell/AR)
       Security hobbyist and researcher
       Slacker
     Copyright ©2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com

  4. What Is SQL Post-Exploitation?
     The steps taken by an attacker following successful SQL access or command execution:
       Motivation or purpose
       Level of access achieved
       Amount of stealth required
       Persistence

  5. Why MS-SQL Post Exploitation?
     Most pen-test resources lack details
     The explanations given are limited
     Extended functionality not covered
     Lots of don’ts without reason in hardening docs
     People still aren’t using this stuff or get stuck
     Apparently it was interesting enough for you

  6. Nothing covered in this presentation is new
     Everything presented is actively being used
     Everything presented can be prevented
     This talk assumes you have SQL access
     MS-SQL is a subject of interest, not expertise
     The subject is databases, which is boring
     Pro-tip: You might be bored

  7. What’s Covered
     Utilizing SQL procedures to attack the host
     Lesser known evils (some don’ts explained)
     Credential harvesting scenario
     Potential for using the DB in attacks
     Persistence tricks

  8. I Have Access Now What?
     If you have DBO/sa you win! (There’s more to it)
       Owning the host or just the DB
       Persistence
     If you don’t have DBO/sa it could be research time
       Stored procedures
       Extended stored procedures
       Assemblies
       Good old fashioned exploits
     Sometimes it’s just about the data

  9. Things to Consider
     What’s Really Important
     Getting xp_cmdshell() – Do you need it?
     Adding accounts - Not too stealthy
     Total capabilities in the SQL instance
     Blind injection: not always so blind
     Network access to/from SQL instance
     Validity of SQL credentials elsewhere

  10. Lessons Learned
      Over the past year: 30 assessments
      20 of them were successful due to SQL
      0 of them detected anything wrong
      All of them neglected to restrict access
      3 of them had blank sa account instances
      Only 5 of them had plans to upgrade to SQL 2k8
      Development environments were always BAD

  11. People Are Still Running SQL As System
      Large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM
      If it’s not local system, it’s most likely still admin
      If it’s a domain account
        Used elsewhere
        Still likely to be system admin
      Of the small percentage who aren’t local system or admin
        Few if any additional hardening steps are being taken
        Shared accounts on hosts that were using privileged accounts

  12. Reality
      A majority of SQL instances that exist are legacy and will be for some time
      Everything is vanilla
      Shared accounts are a certainty
      Logging is performed, but never observed
      Lack of access is usually a by-product

  13. Why Are Things Broken
      People are lazy
      Nobody has the resources
      The people who make the rules
      Good enough is better than best
  14. Extended Stored Procedures - The Hidden Usage
      The other fun extended stored procedures:
        xp_dirtree*
        xp_enumdsn
        xp_enumerrorlogs
        xp_enumgroups
        xp_fileexist**
        xp_fixeddrives
        xp_getnetname
        xp_subdirs*
        xp_regdeletekey
        xp_regdeletevalue
        xp_regread
        xp_regwrite

        sp_addextendedproc*
        xp_cmdshell
        sp_OACreate

      * Can specify a UNC path
      ** Still around in SQL 2k8
  15. Check That Advanced Options Are Enabled
      If it doesn’t execute, it might need some help.
      Each of these may require a call to sp_configure*:

        Procedure Name    Configuration Option Name
        xp_cmdshell       xp_cmdshell
        sp_OACreate       Ole Automation Procedures
        xp_sendmail       SQL Mail XPs

      * A query of ‘UPDATE sys.configurations [..]’ also does the trick
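The three configuration options on this slide are the same switches a defender should be watching. The T-SQL below is an added example, not part of the talk: it reads those options (plus 'show advanced options' and 'clr enabled') from sys.configurations, shows the hardened state beside an enabled one, and lists the sysadmin members who could flip them back. It assumes SQL Server 2005 or later; reading sys.configurations needs only public, changing options needs ALTER SETTINGS (or sysadmin).

```sql
-- Added example (not from the talk): audit and re-harden the sp_configure
-- options that gate xp_cmdshell, sp_OACreate and xp_sendmail.
-- Assumes SQL Server 2005+ and ALTER SETTINGS for the EXEC sp_configure part.

-- 1. Current state. value_in_use is what the engine is actually running with;
--    value alone can be a pending change that has not been RECONFIGUREd yet.
SELECT c.name,
       c.value,
       c.value_in_use,
       CASE WHEN c.value_in_use = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS status
FROM sys.configurations AS c
WHERE c.name IN ('show advanced options',
                 'xp_cmdshell',
                 'Ole Automation Procedures',
                 'SQL Mail XPs',
                 'clr enabled')
ORDER BY c.name;

-- 2. Hardened setting. These are advanced options, so 'show advanced options'
--    has to be on (and RECONFIGUREd) before they can be addressed; turn it back
--    off at the end so the instance does not advertise them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Disabling is only as strong as the sysadmin list: any member can run
--    the same sp_configure calls in reverse, so enumerate who is in the role.
SELECT member.name       AS login_name,
       member.type_desc  AS login_type,
       member.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS role   ON role.principal_id   = rm.role_principal_id
JOIN sys.server_principals   AS member ON member.principal_id = rm.member_principal_id
WHERE role.name = 'sysadmin'
ORDER BY member.name;
```

Every successful sp_configure change also writes a "Configuration option '...' changed from 0 to 1" line to the SQL Server error log, which is the cheapest detection for the slide's technique and exactly the kind of log the Reality slide says is written but never read.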
  16. xp_cmdshell Isn’t The Only Command Shell
      Commands can be executed by means of the sp_OACreate and sp_OAMethod procedures:
        Used for OLE Automation
        Access to the Wscript object (command execution)
        Doesn’t require the creation of additional procedures
      Caveats:
        Limited to sysadmin role by default
        Results aren’t always as easy to get as xp_cmdshell
        Even if procedure access is allowed, object access might not be
  17. You Don’t Have To Script A File Read
      sp_OACreate and the Scripting.FileSystemObject are nice, but a bit much for just reading the contents of a file.
      A bulk insert will usually get the job done.
  18. Credential Harvesting From SQL
      Creating accounts is useful, but not too stealthy..
        Accounts already exist on the host
        Tokens most likely exist on the host (incognito)
        Using existing accounts is a lot less noticeable
      ..all of the usual host-based tricks are open to SQL
        SYSTEM is still SYSTEM
        Administrator can still become SYSTEM
        You can still operate as the SQL account
  19. Some Things Require Finesse
      ..there are limitations even to the ex-sprocs.

  20. Some Things Require More Finesse
      Wscript’s RegRead would be a good choice, but..
      ..though not all failures are a bad thing (not for us).

  21. Forget Finesse, Go With What You Know
      Finally.
  22. The OA Methods – Not Just For Wscript
      The OA methods are for OLE Automation, not Wscript automation; any OLE object the SQL server context has access to can be utilized.
        System configuration information (Shell.LocalMachine)
        Windows firewall configuration (HNetCfg.FwMgr)
        Fun things like UPnP mappings (HNetCfg.NATUPnP)
        Any custom registered component
  23. Why Not Register Your Own
      If you can execute commands and have elevated access, why not use your own controls?
      -- RegSrv32.exe /c <your OLE DLL/OCX>
  24. SQL Methods For Compiled Code
      SQL provides a number of facilities for running compiled code:
        Extended stored procedures
        Assemblies
        OLE Automation
        Standard console access
  25. File Locations Can Be Fun
      SQL Recognizes Standard File Paths:
        UNC shares are valid paths in the creation of extended stored procedures and assemblies.
        Alternate streams work just fine.
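The two slides above name the places compiled code can be loaded from (extended stored procedures, CLR assemblies) and note that UNC paths are accepted. The inventory below is an added example, not part of the talk: it lists every extended procedure registered after installation with the DLL it points at, flags UNC paths, walks each online database for user-defined assemblies and their permission set, and reports TRUSTWORTHY databases. It assumes SQL Server 2005 or later and sysadmin-level read access to every database's catalog.

```sql
-- Added example (not from the talk): inventory compiled code the instance can
-- load. Assumes SQL Server 2005+ and sysadmin (to read every database's catalog).

-- 1. Extended stored procedures added with sp_addextendedproc. Microsoft's own
--    xp_* procedures live in sys.system_objects and do not appear here, so any
--    row in this result set was registered after install.
SELECT xp.name,
       xp.dll_name,
       xp.create_date,
       CASE
         WHEN xp.dll_name LIKE '\\%'     THEN 'UNC path - investigate'
         WHEN xp.dll_name NOT LIKE '%\%' THEN 'bare filename (resolved from Binn) - verify the DLL'
         ELSE 'explicit local path - verify the DLL'
       END AS assessment
FROM master.sys.extended_procedures AS xp
ORDER BY xp.create_date DESC;

-- 2. User-defined CLR assemblies in every online database. EXTERNAL_ACCESS and
--    UNSAFE_ACCESS can reach outside the database; SAFE_ACCESS cannot.
CREATE TABLE #assemblies (
    database_name  sysname,
    assembly_name  sysname,
    permission_set nvarchar(60),
    clr_name       nvarchar(4000),
    create_date    datetime
);

DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps an odd database name from breaking the dynamic SQL.
    SET @sql = N'INSERT INTO #assemblies
                 SELECT ' + QUOTENAME(@db, '''') + N', a.name, a.permission_set_desc, a.clr_name, a.create_date
                 FROM ' + QUOTENAME(@db) + N'.sys.assemblies AS a
                 WHERE a.is_user_defined = 1;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT *
FROM #assemblies
ORDER BY CASE permission_set
           WHEN 'UNSAFE_ACCESS'   THEN 0
           WHEN 'EXTERNAL_ACCESS' THEN 1
           ELSE 2
         END,
         database_name, assembly_name;
DROP TABLE #assemblies;

-- 3. None of the assemblies can run unless the CLR is switched on at all.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'clr enabled';

-- 4. TRUSTWORTHY lets unsigned UNSAFE/EXTERNAL_ACCESS assemblies in a database
--    act with the authority of the database owner. Only msdb is TRUSTWORTHY by
--    default, so anything else here deserves a reason.
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_trustworthy_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';
```

The UNC test in the first query is a plain LIKE on a leading double backslash; backslash is not an escape character in T-SQL LIKE, so no ESCAPE clause is needed. A database owned by a sysadmin login that is also TRUSTWORTHY is the combination to look at first in the last result set.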
  26. The SQL As An Attack Framework
      Depending on the level of access, SQL makes a great attack platform
        Loading of compiled code modules
          Local files
          Network shares
        Execution of scripting resources
        Facilitates the storage of results (go figure)
      No one ever expects the SQL instance!
  27. Where To Go From Here
      Silly Persistence Tricks – The dumb stuff usually works best.
        Triggers
        Guest account
        Spiking the Model database
        ALWAYS dump the SQL passwords
        Data copying and backup permissioning
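The persistence list above (triggers, guest, the model database, SQL passwords) and the Lessons Learned slide's blank sa accounts map onto a handful of catalog views. The hunting script below is an added example, not part of the talk: it lists server-level and logon triggers with their definitions, everything non-Microsoft in model (which every new database inherits), any CONNECT grant to guest in model, the sa login by its fixed SID, and SQL logins whose hash matches a blank password or the login name. It assumes SQL Server 2005 or later and CONTROL SERVER, which is required to read password_hash.

```sql
-- Added example (not from the talk): hunt for the persistence tricks the slide
-- lists. Assumes SQL Server 2005+ and CONTROL SERVER (needed for password_hash).

-- 1. Server-level triggers, including logon triggers. A fresh install has none,
--    so every row is something to explain.
SELECT tr.name,
       tr.type_desc,
       te.type_desc AS firing_event,
       tr.is_disabled,
       tr.create_date,
       tr.modify_date,
       m.definition
FROM sys.server_triggers        AS tr
JOIN sys.server_trigger_events  AS te ON te.object_id = tr.object_id
LEFT JOIN sys.server_sql_modules AS m ON m.object_id  = tr.object_id
ORDER BY tr.modify_date DESC;

-- 2. "Spiking the model database": anything not shipped by Microsoft in model
--    is copied into every database created afterwards.
SELECT o.name,
       o.type_desc,
       o.create_date,
       o.modify_date,
       m.definition
FROM model.sys.objects          AS o
LEFT JOIN model.sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.is_ms_shipped = 0
ORDER BY o.create_date DESC;

-- Database-level DDL triggers in model (parent_class 0 = database).
SELECT t.name, t.parent_class_desc, t.is_disabled, t.create_date, t.modify_date
FROM model.sys.triggers AS t;

-- 3. Guest account: CONNECT is granted to guest by default only in master,
--    tempdb and msdb. A grant in model spreads to every new database.
SELECT dp.class_desc,
       dp.permission_name,
       dp.state_desc,
       pr.name AS grantee
FROM model.sys.database_permissions AS dp
JOIN model.sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = 'guest';

-- 4. The sa login, found by its fixed SID so a rename does not hide it.
SELECT sp.name, sp.is_disabled, sp.modify_date
FROM sys.server_principals AS sp
WHERE sp.sid = 0x01;

-- 5. SQL logins: blank passwords, password equal to the login name, and policy
--    exemptions. PWDCOMPARE is the documented way to test a candidate against
--    the stored hash without ever extracting it.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       l.modify_date,
       CASE WHEN PWDCOMPARE('', l.password_hash) = 1
            THEN 'BLANK PASSWORD' ELSE 'set' END           AS password_state,
       CASE WHEN PWDCOMPARE(l.name, l.password_hash) = 1
            THEN 'password equals login name' ELSE '' END AS weak_pattern
FROM sys.sql_logins AS l
ORDER BY password_state, weak_pattern DESC, l.name;
```

Run the trigger and guest checks against user databases too (replace the model. prefix); only model is shown here because it is the one the slide singles out. Logins with is_policy_checked = 0 were created with CHECK_POLICY OFF and never had the Windows password policy applied, which is how blank and trivial passwords survive.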
  28. Questions?
