DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
1. Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa
IBM X-Force Red Adversary Services
2. 2
Sanjiv Kawa
Senior Managing Security Consultant, Adversary Services at IBM X-Force Red
- Red Team Operator
- Post-Exploitation Tooling Developer
- github.com/xforcered/SQLRecon
Intro
@sanjivkawa
github.com/skahwah
IBM X-Force Red
3. 3
Microsoft SQL Server Overview 2 min
SQLRecon Overview 4 min
10 Demos! 20 min
- Enumeration
- Standard Modules
- Attacking MS SQL Server with Low Privileges
- Abusing MS SQL Impersonation
- Attacking Linked MS SQL Servers
- Attacking MS MECM / SCCM Databases
Defensive Considerations 3 min
Questions 5 min
Agenda
4. 4
Get Involved!
Hack with me
- Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases
- Spin up a Windows VM
- Connect to SSID SQLRecon-Lab, don’t worry, it’s safe
- Connection details will be provided before demo’s
6. 6
Relational database which allows the storage and retrieval of data
Deployed on-premise on top of Microsoft Server or in the cloud
Used by businesses of all sizes, not just large enterprise networks
Tightly integrated into Active Directory / Azure Active Directory
MS SQL Server Overview
7. 7
Why Attack MS SQL Server?
Often overlooked
Often misconfigured
BUILTINUsers can connect to MS SQL Server by default, and:
- Execute basic SQL commands
- Determine privileges via user mapping/roles
- UNC Path injection
- Piggyback off rights to compromise linked SQL servers
10. 10
How Did This Research Come About?
Like most tooling … to solve a problem encountered on an engagement
PowerShell is good, but C# is better when evading modern defensive controls
Address the MS SQL Server C# post-exploitation tooling gap
- Modernize the approach red teamers can take when facing MS SQL Server
- Operational Security
- Execution Guardrails
- SQLRecon works with a diverse set of C2 frameworks
- Fork & Run and In-Process compatible
12. 12
Command Line Usage
SQLRecon is straight forward to use. There are only three required arguments:
- An authentication type
SQLRecon.exe /Auth:WinToken
13. 13
Command Line Usage
SQLRecon is straight forward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address for a MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01
14. 14
Command Line Usage
SQLRecon is straight forward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address for a MS SQL Server
- A module
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
15. 15
Command Line Usage
SQLRecon is straight forward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address for a MS SQL Server
- A module
Example: Enumerating databases on a remote MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
16. 16
Command Line Usage
SQLRecon is straight forward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address for a MS SQL Server
- A module
Example: Enumerating databases on a remote MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
Shortform command line arguments and case-insensitive
SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
17. 17
Authentication Providers
SQLRecon supports 5 different MS SQL Server authentication providers:
Authentication
Type
Example
WinToken SQLRecon.exe /a:WinToken /h:host /m:module
WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
AzureAD
SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host
/m:module
AzureLocal SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
18. 18
Module Overview
SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios. Listed below are
modules that can facilitate with privilege escalation, lateral movement, or command execution:
Module
Privilege
Escalation
Lateral
Movement
Command
Execution
xp_cmdshell ✅ ✅ ✅
OLE Automation Procedures ✅ ✅ ✅
CLR Integration for Custom .NET Assemblies ✅ ✅ ✅
Agent Jobs ✅ ✅ ✅
Cleartext ADSI Credential Retrieval ✅
MECM / SCCM User Management ✅
Cleartext MECM / SCCM Credential Retrieval ✅
20. 20
Get Involved!
Rules
- Don’t DoS the lab. We’re all here to learn together.
- Don’t attack each other. We’re all here to learn together.
- You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything
21. 21
Get Involved!
WiFi
SSID: SQLRecon-Lab
Password: DefconIsCancelled!
Rules
- Don’t DoS the lab. We’re all here to learn together.
- Don’t attack each other. We’re all here to learn together.
- You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
Lab (kawalabs.local)
DC01 172.16.10.100
SQL01 172.16.10.101
SQL02 172.16.10.102
SQL03 172.16.10.104
MECM01 172.16.10.103
ecom01.database.windows.net
Test Connection String
SQLRecon.exe /a:WinDomain
/d:kawalabs /u:jsmith /p:Password123
/h:172.16.10.101 /m:whoami
37. 37
Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
- CLR Integration allows custom .NET assemblies to be imported into MS SQL Server
- Assemblies get stored inside a SQL database Stored Procedure
- You can then execute whatever is inside the custom assembly!
38. 38
Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
// sql.cs
// C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /target:library c:tempsql.cs
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;
public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void CustomFunctionName()
{
Process proc = new Process();
proc.StartInfo.FileName = "C:WindowsSystem32notepad.exe";
proc.Start();
}
}
49. 49
Defensive Considerations
Top 3 MS SQL Server Security Controls
- Follow the Microsoft SQL Server best practices!
- Consider removing or restricting the BUILTINUsers
account and low privilege groups from authenticating
against MS SQL Server instances
- Evaluate impersonation and MS SQL Server links
github.com/xforcered/SQLRecon/wiki