Everything you should already know about MS-SQL post-exploitation

ATTACK RESEARCH - ADVANCED COMPUTER SECURITY RESEARCH & CONSULTING


SOURCE Seattle 2011 - Rob Beck

Transcript of Everything you should already know about MS-SQL post-exploitation

Page 1: Everything you should already know about MS-SQL post-exploitation

ATTACK RESEARCH - ADVANCED COMPUTER SECURITY RESEARCH & CONSULTING

Page 2: Everything you should already know about MS-SQL post-exploitation

MS-SQL Post Exploitation: Everything you should already know.

Presented By: Rob Beck

Page 3: All About Me

Name: Rob Beck (whitey)
Title: Director of Assessment
Contact: [email protected]

Background:
• Career pen-tester (MS/@stake/Honeywell/AR)
• Security hobbyist and researcher
• Slacker

Copyright © 2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com

Page 4: What Is SQL Post-Exploitation?

The steps taken by an attacker following successful SQL access or command execution.
– Motivation or purpose
– Level of access achieved
– Amount of stealth required
– Persistence

Page 5: Why MS-SQL Post Exploitation?

• Most pen-test resources lack details
• The explanations given are limited
• Extended functionality not covered
• Lots of don’ts without reason in hardening docs
• People still aren’t using this stuff or get stuck
• Apparently it was interesting enough for you

Page 6: Pro-tip: You might be bored

• Nothing covered in this presentation is new
• Everything presented is actively being used
• Everything presented can be prevented
• This talk assumes you have SQL access
• MS-SQL is a subject of interest, not expertise
• The subject is databases, which is boring

Page 7: What’s Covered

• Utilizing SQL procedures to attack the host
• Lesser known evils (some don’ts explained)
• Credential harvesting scenario
• Potential for using the DB in attacks
• Persistence tricks

Page 8: I Have Access Now What?

• If you have DBO/sa you win! (There’s more to it)
  – Owning the host or just the DB
  – Persistence
• If you don’t have DBO/sa it could be research time
  – Stored procedures
  – Extended stored procedures
  – Assemblies
  – Good old fashioned exploits
• Sometimes it’s just about the data

Page 9: Things to Consider

• What’s Really Important
• Getting xp_cmdshell() – Do you need it?
• Adding accounts - Not too stealthy
• Total capabilities in the SQL instance
  – Blind injection: not always so blind
  – Network access to/from SQL instance
  – Validity of SQL credentials elsewhere

Page 10: Lessons Learned

• Over the past year: 30 assessments
  – 20 of them were successful due to SQL
  – 0 of them detected anything wrong
  – All of them neglected to restrict access
  – 3 of them had blank sa account instances
  – Only 5 of them had plans to upgrade to SQL 2k8
  – Development environments were always BAD

Page 11: People Are Still Running SQL As System

• Large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM
  – If it’s not local system, it’s most likely still admin
  – If it’s a domain account
    • Used elsewhere
    • Still likely to be system admin
• Of the small percentage who aren’t local system or admin
  – Few if any additional hardening steps are being taken
  – Shared accounts on hosts that were using privileged accounts
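The blank sa instances and the over-privileged, shared logins described on these two slides are the first things a defender should check for on an instance. The following audit queries are an added example, not material from the presentation; they assume SQL Server 2005 or later and a login allowed to read sys.sql_logins (sysadmin or CONTROL SERVER).

```sql
-- Added audit queries, not from the presentation. Assumes SQL Server 2005+
-- and a login that can read sys.sql_logins (sysadmin / CONTROL SERVER).

-- 1. Who is sysadmin? Every member can reach the host through the
--    procedures this talk covers, so the list should be short and known.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.name;

-- 2. SQL logins with a blank password, or that bypass the Windows
--    password policy. PWDCOMPARE returns 1 when the clear-text value
--    matches the stored hash; '' finds the "blank sa" case from the slides.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       CASE WHEN PWDCOMPARE('', l.password_hash) = 1
            THEN 'BLANK' ELSE 'set' END AS password_state
FROM sys.sql_logins AS l
WHERE PWDCOMPARE('', l.password_hash) = 1
   OR l.is_policy_checked = 0
ORDER BY l.name;

-- 3. Is the built-in sa login (sid 0x01) still enabled? Disabling or
--    renaming it is standard hardening; the row shows its current name.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
```

The service account the engine runs under is not visible from these catalog views on older versions; check the SQL Server service in the Services console or the SQL Server Configuration Manager for that part of the slide.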

Page 12: Reality

• A majority of SQL instances that exist are legacy and will be for some time
• Everything is vanilla
• Shared accounts are a certainty
• Logging is performed, but never observed
• Lack of access is usually a by-product

Page 13: Why Are Things Broken

• People are lazy
• Nobody has the resources
• The people who make the rules
• Good enough is better than best

Page 14: Extended Stored Procedures - The Hidden Usage

• sp_addextendedproc*
• xp_cmdshell
• sp_OACreate

* Still around in SQL 2k8

The other fun extended stored procedures:

• xp_dirtree*
• xp_enumdsn
• xp_enumerrorlogs
• xp_enumgroups
• xp_fileexist*
• xp_fixeddrives
• xp_getnetname
• xp_subdirs*
• xp_regdeletekey
• xp_regdeletevalue
• xp_regread
• xp_regwrite

* Can specify a UNC path

Page 15: Check That Advanced Options Are Enabled

If it doesn’t execute, it might need some help.

Each of these may require a call to sp_configure*:

• xp_cmdshell
• sp_OACreate
• xp_sendmail

Procedure Name    Configuration Option Name
xp_cmdshell       xp_cmdshell
sp_OACreate       Ole Automation Procedures
xp_sendmail       SQL Mail XPs

* A query of ‘UPDATE sys.configurations [..]’ also does the trick
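From the defender’s side, the same configuration options tell you whether an instance already offers these procedures. The query below is an added example, not from the slides: it reads sys.configurations for the options named on this slide and then shows the hardened setting. It assumes SQL Server 2005 or 2008, where all three option names exist (‘SQL Mail XPs’ was removed in later versions).

```sql
-- Added audit example, not from the presentation. Assumes SQL Server 2005/2008.
-- Lists the state of the configuration options the slide maps to
-- xp_cmdshell, sp_OACreate and xp_sendmail.
SELECT name,
       CAST(value        AS int) AS configured_value,   -- set by sp_configure
       CAST(value_in_use AS int) AS running_value,      -- active after RECONFIGURE
       CASE WHEN CAST(value_in_use AS int) = 1
            THEN 'ENABLED - review who needs this'
            ELSE 'off' END       AS state
FROM sys.configurations
WHERE name IN ('show advanced options',
               'xp_cmdshell',
               'Ole Automation Procedures',
               'SQL Mail XPs')
ORDER BY name;

-- Hardened setting: the same sp_configure calls the slide describes, with the
-- options turned back off. Requires ALTER SETTINGS (sysadmin or serveradmin).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'SQL Mail XPs', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

A configured_value that differs from running_value means the option was changed without (or before) RECONFIGURE, which is itself worth a look in the instance’s change history.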

Page 16: xp_cmdshell Isn’t The Only Command Shell

Commands can be executed by means of the sp_OACreate and sp_OAMethod procedures:

• Used for OLE Automation
• Access to the Wscript object (command execution)
• Doesn’t require the creation of additional procedures

Caveats:
• Limited to sysadmin role by default
• Results aren’t always as easy to get as xp_cmdshell
• Even if procedure access is allowed, object access might not be

Page 17: You Don’t Have To Script A File Read

sp_OACreate and the Scripting.FileSystemObject are nice, but they are a bit much for just reading the contents of a file.

A bulk insert will usually get the job done.

Page 18: Credential Harvesting From SQL

Creating accounts is useful, but not too stealthy..
• Accounts already exist on the host
• Tokens most likely exist on the host (incognito)
• Using existing accounts is a lot less noticeable

..all of the usual host-based tricks are open to SQL
• SYSTEM is still SYSTEM
• Administrator can still become SYSTEM
• You can still operate as the SQL account

Page 19: Some Things Require Finesse

..there are limitations even to the ex-sprocs.

Page 20: Some Things Require More Finesse

Wscript’s RegRead would be a good choice, but..

..though not all failures are a bad thing (not for us).

Page 21: Forget Finesse, Go With What You Know

Finally.

Page 22: The OA Methods – Not Just For Wscript

The OA methods are for OLE Automation, not Wscript automation; any OLE object the SQL server context has access to can be utilized.

• Windows firewall configuration (HNetCfg.FwMgr)
• System configuration information (Shell.LocalMachine)
• Fun things like UPnP mappings (HNetCfg.NATUPnP)
• Any custom registered component

Page 23: Why Not Register Your Own

If you can execute commands and have elevated access, why not use your own controls?

-- RegSrv32.exe /c <your OLE DLL/OCX>

Page 24: SQL Methods For Compiled Code

SQL provides a number of facilities for running compiled code:
• Extended stored procedures
• Assemblies
• OLE Automation
• Standard console access

Page 25: File Locations Can Be Fun

SQL Recognizes Standard File Paths:
• UNC shares are valid paths in the creation of extended stored procedures and assemblies.
• Alternate streams work just fine.

Page 26: The SQL As An Attack Framework

Depending on the level of access, SQL makes a great attack platform
– Loading of compiled code modules
  • Local files
  • Network shares
– Execution of scripting resources
– Facilitates the storage of results (go figure)
– No one ever expects the SQL instance!

Page 27: Where To Go From Here

Silly Persistence Tricks – The dumb stuff usually works best.
• Triggers
• Guest account
• Spiking the Model database
• ALWAYS dump the SQL passwords
• Data copying and backup permissioning
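Each of the persistence tricks listed on this slide leaves a row in the catalog views, which is where a defender should look for them. The queries below are an added example, not from the presentation; they assume SQL Server 2005 or later and a login that can read the server and database catalog views.

```sql
-- Added detection queries, not from the presentation. Assumes SQL Server 2005+
-- and a login that can read the server and database catalog views.

-- Triggers: server-scoped DDL and LOGON triggers fire without being called,
-- so every row here needs a known owner and a documented reason.
SELECT name, parent_class_desc, create_date, modify_date, is_disabled
FROM sys.server_triggers
ORDER BY create_date DESC;

-- DML triggers in the current database, with the table each one hangs off.
SELECT tr.name AS trigger_name, OBJECT_NAME(tr.parent_id) AS table_name,
       tr.create_date, tr.modify_date, tr.is_disabled
FROM sys.triggers AS tr
WHERE tr.parent_class_desc = 'OBJECT_OR_COLUMN'
ORDER BY tr.create_date DESC;

-- Guest account: in a user database guest should not hold CONNECT.
-- Run inside each user database (USE <db>) to check that database.
SELECT DB_NAME() AS database_name, p.name AS principal_name,
       perm.permission_name, perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS p
  ON p.principal_id = perm.grantee_principal_id
WHERE p.name = 'guest' AND perm.permission_name = 'CONNECT';

-- "Spiking the model database": anything created in model is copied into
-- every database created afterwards, so non-shipped objects there are suspect.
SELECT name, type_desc, create_date, modify_date
FROM model.sys.objects
WHERE is_ms_shipped = 0
ORDER BY create_date DESC;
```

A trigger or model object with a create_date that does not line up with a known deployment is the kind of finding the "0 of them detected anything wrong" statistic on the Lessons Learned slide is about.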

Page 28: Questions?