DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
This presentation provides an overview off common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
This presentation provides an overview off common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerNetSPI
Scott Sutherland and Alexander Leary present at Secure360 Twin Cities 2018 on Owning the Empire Through SQL Server.
Presentation includes five objectives:
- Get Access
- Hide from Audit Controls
- Execute OS Commands
- Use SQL Server as a breach head
- Detect OS Comment Execution
Questions? Contact @0xbadjuju or @_nullbind on Twitter.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Codemotion 2013: Feliz 15 aniversario, SQL InjectionChema Alonso
Charla de Chema Alonso sobre la historia y evolución de las técnicas de SQL Injection en el evento Codemotion ES del año 2013 que tuvo lugar en la Escuela Universitaria de Informática de la Universidad Politécnica de Madrid
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Training Slides: 302 - Securing Your Cluster With SSLContinuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
Video of the presentation: http://www.youtube.com/watch?v=8z3h4Uv9YbE
At LinkedIn, we have started to use the Play Framework to build front-end and back-end services at massive scale. Play does things a little differently: it's a Java and Scala web framework, but it doesn't follow the servlet spec; it's fairly new, but it runs on top of robust technologies like Akka and Netty; it uses a thread pool, but it's built for non-blocking I/O and reactive programming; most importantly, it's high performance, but also high productivity. We've found that the Play Framework is one of the few frameworks that is able to maintain the delicate balance of performance, reliability, and developer productivity. In the Java and Scala world, nothing even comes close. In this talk, I'll share what we've learned so far, including details of rapid iteration with Java and Scala, the story behind async I/O on the JVM, support for real time web apps (comet, WebSockets), and integrating Play into a large existing codebase.
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with NagiosNagios
Jeff Mendoza's presentation on Monitoring Microsoft Azure with Nagios.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
How to scheduled jobs in a cloudera cluster without oozieTiago Simões
This presentation, it’s for everyone that is looking for an oozie alternative to scheduled jobs in a secured Cloudera Cluster.With this, you will be able to add and configure the Airflow Service an manage it with in Cloudera Manager.
Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization and securing JMX and management tools
Troy Lea's presentation on Monitoring VMware Virtualization Using vMA.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
How to implement a gdpr solution in a cloudera architectureTiago Simões
Since the implementation of GDPR regulation, all data processors across the world have been struggling to be GDPR compliant and also deal with the new reality in Big Data, that data is constantly drifting and mutating.
In this presentation, the approach will be:
Cloudera architecture
No additional financial cost
Masking & Encrypting
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked, now what?
Start to finish overview of tools, tips and techniques for developing software for Apache Cassandra. Includes code and configuration examples, build systems and container support.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerNetSPI
Scott Sutherland and Alexander Leary present at Secure360 Twin Cities 2018 on Owning the Empire Through SQL Server.
Presentation includes five objectives:
- Get Access
- Hide from Audit Controls
- Execute OS Commands
- Use SQL Server as a breach head
- Detect OS Comment Execution
Questions? Contact @0xbadjuju or @_nullbind on Twitter.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Codemotion 2013: Feliz 15 aniversario, SQL InjectionChema Alonso
Charla de Chema Alonso sobre la historia y evolución de las técnicas de SQL Injection en el evento Codemotion ES del año 2013 que tuvo lugar en la Escuela Universitaria de Informática de la Universidad Politécnica de Madrid
PowerUp - Automating Windows Privilege EscalationWill Schroeder
This slidedeck was given as a firetalk at @BSidesBoston '14, and covers the genesis and implementation of PowerUp, a Powershell tool for Windows privilege escalation.
Training Slides: 302 - Securing Your Cluster With SSLContinuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
Video of the presentation: http://www.youtube.com/watch?v=8z3h4Uv9YbE
At LinkedIn, we have started to use the Play Framework to build front-end and back-end services at massive scale. Play does things a little differently: it's a Java and Scala web framework, but it doesn't follow the servlet spec; it's fairly new, but it runs on top of robust technologies like Akka and Netty; it uses a thread pool, but it's built for non-blocking I/O and reactive programming; most importantly, it's high performance, but also high productivity. We've found that the Play Framework is one of the few frameworks that is able to maintain the delicate balance of performance, reliability, and developer productivity. In the Java and Scala world, nothing even comes close. In this talk, I'll share what we've learned so far, including details of rapid iteration with Java and Scala, the story behind async I/O on the JVM, support for real time web apps (comet, WebSockets), and integrating Play into a large existing codebase.
Nagios Conference 2014 - Jeff Mendoza - Monitoring Microsoft Azure with NagiosNagios
Jeff Mendoza's presentation on Monitoring Microsoft Azure with Nagios.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
How to scheduled jobs in a cloudera cluster without oozieTiago Simões
This presentation, it’s for everyone that is looking for an oozie alternative to scheduled jobs in a secured Cloudera Cluster.With this, you will be able to add and configure the Airflow Service an manage it with in Cloudera Manager.
Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization and securing JMX and management tools
Troy Lea's presentation on Monitoring VMware Virtualization Using vMA.
The presentation was given during the Nagios World Conference North America held Oct 13th - Oct 16th, 2014 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/conference
How to implement a gdpr solution in a cloudera architectureTiago Simões
Since the implementation of GDPR regulation, all data processors across the world have been struggling to be GDPR compliant and also deal with the new reality in Big Data, that data is constantly drifting and mutating.
In this presentation, the approach will be:
Cloudera architecture
No additional financial cost
Masking & Encrypting
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked, now what?
Start to finish overview of tools, tips and techniques for developing software for Apache Cassandra. Includes code and configuration examples, build systems and container support.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItNikhil Mittal
The talk I gave at Black Hat USA 2016 on Anti Malware Scan Interface. The talk looks at what good AMSI brings to Windows 10 and various methods of avoiding/bypassing it.
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Sections Updated for OWASP Meeting:
- SQL Server Link Crawling
- UNC path injection targets
- Command execution details
PASS VC: SQL Server Performance Monitoring and BaseliningPARIKSHIT SAVJANI
When managing large scale deployment of SQL Server instances, it is important for DBAs to setup proactive monitoring & establishing performance baselines which helps in performance tuning, capacity planning & identifying workload patterns. Attend this session to learn what data should a DBAs collect & how, to monitor & establish performance baseline in SQL Server.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
This is the talk given at NullCon 2017. This talk give s history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk
A short course I had few weeks ago that I wanted to share with you. All the MySQL issues from basics to experts: tuning, ERD, DDL, DML, Backup, Security
This workshop handles the concept of using Object Relational Mapping features from ColdFusion 9 in AIR to synchronise your local database with a remote server without writing any SQL code.
SQL Server R Services: What Every SQL Professional Should KnowBob Ward
SQL Server 2016 introduces a new platform for building intelligent, advanced analytic applications called SQL Server R Services. This session is for the SQL Server Database professional to learn more about this technology and its impact on managing a SQL Server environment. We will cover the basics of this technology but also look at how it works, troubleshooting topics, and even usage case scenarios. You don't have to be a data scientist to understand SQL Server R Services but you need to know how this works so come upgrade you career by learning more about SQL Server and advanced analytics.
Performance testing as part of Agile - Continius Delivery solutionSergey Radov
This presentaion provides steps that are necessary for implementing of performace test solution for nightly build validation for regression.
It doesn't have detailed instructions.
If detailed steps are needed contact the author.
common_schema, DBA's framework for MySQLShlomi Noach
An introduction to common_schema, looking at the concepts behind the project and some notable features.
Slides from my talk at Percona Live London, Dec 2012
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Understanding and preventing sql injection attacksKevin Kline
SQL Injection attacks are one of the most common hacker tricks used on the web. Learn what a SQL injection attack is and why you should be concerned about them.
This all new session is loaded with demos. You’ll get to witness first-hand several different types of SQL injection attacks, how to find them, and how to block them.
Similar to 2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates) (20)
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
During this presentation, we’ll talk about how to identify and triage the large volume of excessive access most standard Active Directory users have to common network shares. Over the course of hundreds of internal network penetration tests and audits one theme has stood out, vulnerability management programs do not adequately identify excessive share privileges. The excessive shares have become a risk for data exposure, ransomware attacks, and privilege escalation within enterprise environments. During this discussion, we will talk about why this gap exists, how to inventory excessive share across an entire Active Directory domain quickly, and how to triage those results to help reduce risk for your organization.
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:
Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in IT security.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
3. Presentation Overview
● Why SQL Server and PowerShell?
● PowerUpSQL Overview
● Finding & Accessing SQL Servers
● Privilege Escalation Scenarios
o Domain user to SQL Server login
o SQL Server Login to Sysadmin
o Sysadmin to Windows Admin
o Windows Admin to Sysadmin
o Domain Escalation
● Post Exploitation Activities
● General Recommendations
4. Why SQL Server?
● Used in most enterprise environments
● Supports local Windows and Domain authentication
● Integrates with lots of Windows applications
● Generally has trust relationships that other don’t
5. Why PowerShell?
● Native to Windows
● Run commands in memory
● Run managed .net code
● Run unmanaged code
● Avoid detection by legacy Anti-virus
● Already flagged as "trusted" by most
application whitelist solutions
● A medium used to write many open source
Pentest toolkits
7. PowerUpSQL Overview: Project Goals
Project Goals (Get-Abilities)
● Scalability via runspace threading
● Flexibility via pipeline support
● ps objects and data tables
● Portability
o No SMO dependancies
o .Net Framework libraries
o PowerShell v.2 compliant (in theory)
o Single file
Functional Goals
● Discover SQL Servers from different attacker perspectives
● Inventory SQL Servers quickly
● Audit SQL Servers for common insecure configurations
● Escalate privileges quickly on SQL Servers
● Support authentication using SQL Login or Windows Credential
9. PowerUpSQL Overview: Where can I get it?
Github
https://github.com/netspi/PowerUpSQL
PowerShell Gallery
https://www.powershellgallery.com/packages/PowerUpSQL/
10. PowerUpSQL Overview: How do I install it?
Github
Import-Module PowerUpSQL.psd1
IEX(New-Object
System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P
owerUpSQL.ps1")
Execution policy work arounds
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
PowerShell Gallery
Install-Module -Name PowerUpSQL
12. SQL Server Basics
What is SQL Server?
● A database platform
● An application
● A set of Windows services
● Each instance has its own set of
services
13. SQL Server Basics: Account Types
Account Types
● Windows Accounts
o Used to login
o Mapped to SQL Server login
● SQL Server Logins
o Used to login
o Mapped to database account
● Database Users
o Used to access databases
14. SQL Server Basics: Common Roles
Important SQL Server Roles
● Sysadmin role
○ Database administrator account
○ Think of it as the “Administrators” Windows group,
but in SQL Server
● Public role
○ Only provides CONNECT permission
○ Think of it as the “Everyone” Windows group, but
in SQL Server
16. Find SQL Servers: Techniques
Attacker Perspective Attack Technique
Unauthenticated ● List from file
● TCP port scan
● UDP port scan
● UDP broadcast
● Azure DNS dictionary attack (x.databases.windows.net)
● Azure DNS lookup via public resources
Local User ● Services
● Registry entries
Domain User ● Service Principal Names
● Azure Portal / PowerShell Modules
17. Find SQL Servers: PowerUpSQL
Attacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
19. Testing Login Access: Techniques
What credentials can I use to log into discovered SQL Servers?
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords.
Unauthenticated Default passwords based on the SQL Server instance names.
Local Windows or ADS
Domain Account
Attempt to login using the current account.
20. Testing Login Access: PowerUpSQL CMDs
What PowerUpSQL functions can I use to test for successful logins?
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
Get-SQLServerLoginDefaultPw
Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose
Local Windows or ADS
Domain Account
Get-SQLConnectionTestThreaded
22. Testing Login Access: Login CMD Examples
Attacker Perspective Command Example
Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded
-Verbose -Threads 15 -Username testuser -Password testpass
Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose
Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
-Verbose -Threads 15
Alternative
Domain User
runas /noprofile /netonly /user:domainuser PowerShell.exe
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
-Verbose -Threads 15
23. Testing Login Access: Reusing Result Lists
Process Command Example
Enumerate
Accessible Servers
$Accessible = Get-SQLInstanceDomain |
Get-SQLConnectionTestThreaded -Verbose -Threads 15 |
Where-Object {$_.Status –like “Accessible”}
Get server information $Acessible | Get-SQLServerInfo -Verbose
Get database list $Acessible | Get-SQLDatabase -Verbose
Perform audit $Acessible | Invoke-SQLAudit -Verbose
Do I have to rerun instance discovery every time I want to run a command? No.
26. Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?
● Admins give them access
● Privilege inheritance issue on
domain systems = Public role
access
27. Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?
● Admins give them access
● Privilege inheritance issue on
domain systems = Public role
access
28. Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?
● Admins give them access
● Privilege inheritance issue on
domain systems = Public role
access
30. Escalating Privileges: Weak Passwords
Didn’t we just cover this? Yes, but there’s more…
Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
Local Windows or ADS
Domain Account
Get-SQLConnectionTestThreaded
31. Escalating Privileges: Weak Passwords
…we can also enumerate SQL Server logins and Domain Accounts
Technique PowerUpSQL Function
Blind Login Enumeration
+
Dictionary Attack
=
Super Cool!
Invoke-SQLAuditWeakLoginPw
• Enumerate all SQL Server logins with the Public role
• Enumerate all domain accounts with the Public role
32. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
33. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa
account with “suser_id”
34. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa account
with “suser_id”
3. Use “suser_name” to get SQL
logins using just principal ID
35. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa account
with “suser_id”
3. Use “suser_name” to get SQL
logins using just principal ID
4. Increment number and repeat
36. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa account
with “suser_id”
3. Use “suser_name” to get SQL
logins using just principal ID
4. Increment number and repeat
select n [id], SUSER_NAME(n) [user_name]
from (
select top 10000 row_number() over(order by t1.number) as N
from master..spt_values t1
cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null
Code gifted from @mobileck
Source:
https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
37. Escalating Privileges: Weak Passwords
select n [id], SUSER_NAME(n) [user_name]
from (
select top 10000 row_number() over(order by
t1.number) as N
from master..spt_values t1
cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null
Code gifted from @mobileck
Source:
https://gist.github.com/ConstantineK/c6de5d3
98ec43bab1a29ef07e8c21ec7
39. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
Full RID of
Domain Admins
group
40. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
41. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
4. Create new RID with by appending
a hex number value and the SID
1. Start with number, 500
2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
42. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
4. Create new RID with by appending a
hex number value and the SID
5. Use “suser_name” function to get
domain object name
1. Start with number, 500
2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
43. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
4. Create new RID with by appending a
hex number value and the SID
5. Use “suser_name” function to get
domain object name
6. Increment and repeat
1. Start with number, 500
2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
46. Escalating Privileges: Impersonation
1. Impersonate Privilege
a. Server: EXECUTE AS LOGIN
b. Database: EXECUTE AS USER
2. Stored Procedure and Trigger Creation / Injection
Issues
a. EXECUTE AS OWNER
b. Signed with cert login
3. Automatic Execution of Stored Procedures
4. Agent Jobs
5. xp_cmdshell proxy acount
6. Create Databse Link to File or Server
7. Import / Install Custom Assemblies
8. Ad-Hoc Queries
9. Shared Service Accounts
10. Database Links
11. UNC Path Injection
47. Escalating Privileges: Impersonation
Impersonate Privilege
• Can be used at server layer
o EXECUTE AS LOGIN
• Can be used at database layer
o EXECUTE AS USER
Pros
• Execute queries/commands in another user context
Cons
• Requires database to be configured as trustworthy
for OS command execution
• Commands and queries are not limited in any way
50. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
Cons
• No granular control over the database owner’s privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB,
which is often a sysadmin
• Requires database to be configured as trustworthy for
OS command execution
• Impersonation can be done via SQL injection under
specific conditions
• Impersonation can be done via command injection under
specific conditions
51. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login
• DB_OWNER role can impersonate the actual
database owner
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember
'MyAppUser','sysadmin'
GO
52. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login
• DB_OWNER role can impersonate the actual
database owner
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember
'MyAppUser','sysadmin'
GO
SYSADMIN
is often the
OWNER
53. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Pros
• Can execute queries/commands in another user
context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as
trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection
under specific conditions
• Impersonation can be done via command
injection under specific conditions
54. Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = ‘
SELECT name FROM master..sysdatabases
WHERE name like ''%'+ @DbName+'%'' OR
name=''tempdb''';
EXECUTE(@query)
END
GO
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
55. Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = ‘
SELECT name FROM master..sysdatabases
WHERE name like ''%'+ @DbName+'%'' OR
name=''tempdb''';
EXECUTE(@query)
END
GO
PURE EVIL
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
58. Escalating Privileges: Impersonation
Automatic Execution of Stored Procedure
• Stored procedures ca be configured to execute
when the SQL Server service restarts
Pros
• Marking a stored procedure to run when the SQL
Server service restarts has many use cases
• Only stored procedures in the master database
can be marked for auto execution
Cons
• No granular control over what context the startup
command is executed in
• All stored procedures marked for auto execution
are executed as ‘sa’, even if ‘sa’ is disabled
• Any non sysadmin access to stored procedures
can lead to execution as ‘sa’
64. Escalating Privileges: SysAdmin to Service Account
OS Command Execution = Service Account Impersonation
Executing OS Commands:
● xp_cmdshell
● Custom Assemblies (.net)
● Custom Extended Stored Procedures (C++)
● Agent Jobs
o ActiveX: Vbscript, Jscript, and Other
o CmdExec
o PowerShell
o SSIS Package
● Registry Autoruns
● File Autoruns
65. Escalating Privileges: SysAdmin to Service Account
OS Command Execution = Service Account Impersonation
You don’t need to know the password, crack a hash, or PTH
Service Account Types
● Local User
● Local System
● Network Service
● Local managed service account
● Domain managed service account
● Domain User
● Domain Admin
66. Escalating Privileges: SysAdmin to Service Account
But wait, there’s more…RottenPotato @ DerbyCon 2016
- Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine)
- We can now escalation from service account to LocalSystem!
- No patch that I’m aware of.
Check out their blog for details:
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-
escalation-from-service-accounts-to-system/
67. Escalating Privileges: Invoke-SQLOSCmd
Invoke-SQLOSCMD can be used for basic command execution.
PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10
ComputerName Instance CommandResults
--------------------- ----------- --------------
SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress
SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem
SQLServer1 SQLServer1 DomainSQLSvc
69. Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them!
One account to rule them all!
71. InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
72. InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Execute Local Command
via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
73. InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Execute Local Command
via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and
gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
75. Escalating Privileges: Crawling Server Links
What’s a database link?
● Database links are basically persistent database connections for SQL Servers.
Why should I care?
● Short answer = privilege escalation
● Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’)
● Stored procedures can be executed (xp_cmdshell)
● Links can be crawled
76. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
77. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
78. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
D
B
Link
w
ith
LeastPrivileges
DB1
LVA
79. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
D
B
Link
w
ith
LeastPrivileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and
local commands on
database servers via
nested linked services
2
80. Escalating Privileges: Crawling Server Links
Penetration Test Stats
● Database links exist (and can be crawled) in about 50% of environments we’ve seen
● The max number of hops we’ve seen is 12
● The max number of servers crawled is 226
81. Escalating Privileges: Crawling Server Links
Old Script
● 2012 - https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Script
● /scripts/pending/Get-SqlServerLinkCrawl.ps1
● Author: Antti Rantasaari
86. Escalating Privileges: UNC Path Injection
UNC Path Injection Summary
● UNC paths are used for accessing remote file servers like so 192.168.1.4file
● Almost all procedures that accept a file path in SQL Server, support UNC paths
● UNC paths can be used to force the SQL Server service account to authenticate to an attacker
● An attacker can then capture the NetNTLM password hash and crack or relay it
● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
88. Escalating Privileges: UNC Path Injection
Oh yeah…
By DEFAULT, the PUBLIC role can execute (at least) two procedures that accept a file path
xp_dirtree
xp_fileexists
89. Escalating Privileges: UNC Path Injection
So, in summary…
The PUBLIC role can access the SQL
Server service account NetNTLM
password hash by default!!
90. Escalating Privileges: UNC Path Injection
But who really has
PUBLIC role access?
Oh yeah, a ton of domain users
94. Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges.
95. Escalating Privileges: OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode ? x x x x x
Below are some options for leveraging that knowledge...
96. Escalating Privileges: OS Admin to SysAdmin
Here are some tool options...
Approach Common Tools
Access as Local Administrator Management Studio, sqlcmd, and other native SQL client
tools.
Access as LocalSystem Psexec, accessibility options, debugger with native SQL
client tools.
Recover SQL Server service account
password from LSA Secrets
Mimikatz, Metasploit, lsadump.
Inject shellcode or DLL into the SQL
Server service process
Metasploit, Empire, Python, Powershell, C, C++
(LoadLibrary,CreateRemoteThread, and similar functions)
Steal Authentication Token From SQL
Server service process
Metasploit, Incognito, Invoke-TokenManipulation
Single User Mode DBATools
98. Post Exploitation: Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling,
ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL
yet)
105. General Recommendations
Things to do…
1. Enforce least privilege everywhere!
2. Disable dangerous default stored procedures.
3. Audit and fix insecure configurations.
4. Use policy based management for standardizing configurations.
5. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
106. PowerUpSQL Overview: Thanks!
Individual Third Party Code / Direct Contributors
Boe Prox Runspace blogs
Warren F. ( RamblingCookieMonster) Invoke-Parallel function
Oyvind Kallstad Test-IsLuhnValid function
Kevin Robertson Invoke-Inveigh
Joe Bialek Invoke-TokenManipulation
Antti Rantasaari, Eric Gruber, and Alexander
Leary, @leoloobeek, and @ktaranov
Contributions and QA
Khai Tran Design advice
NetSPI assessment team and dev team Design advice
COMMON USE CASES
phishing - clickonce, java applet, macro in office
Sql injection download craddle
Skip
Skip
Skip
Just touch on alternative user.
Skip
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
You get sysadmins.
Architecture overview.
SQL injection.
Scenario
Database account with excessive privileges
Shared service account
Use xp_cmdshell to verify local command execution
Use xp_cmdshell and OSQL to:
Enumerate databases on the internal network
Issues queries on remote HVA database server that is configured with the same service account.
No alerts – using trusted account and non destructive native functionality
No logs (or few logs) – No account creation or group modification
No accountability!
Another REALLY COOL lateral movement / privilege escalation technique.
Architecture overview.
Scenario
No sysadmin role
No excessive service account access
No shared service account access
Enumerate linked servers
Find link to DB1 - Used to transmit marketing metrics to DB1
Connect to DB1 (linked server) via OPENQUERY
Has least privilege
Enumerate linked servers
Find link to HVA - Used to pull marketing metrics to DB1
Connect to HVA (linked server) via NESTED OPENQUERY
Configured with the SA account
HVA could have access to other resources
Nesting can continue
Nested Shared service account with excessive privs
Linked database can be
direct between high value and low value
Other server not on the diagram
Can be nested many times