SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
Everything you should already know about MS-SQL post-exploitation
Transcript of Everything you should already know about MS-SQL post-exploitation
ATTACK RESEARCH - ADVANCED COMPUTER SECURITY RESEARCH & CONSULTING
MS-SQL Post Exploitation: Everything you should already know.
Presented By: Rob Beck
Name: Rob Beck (whitey)
Title: Director of Assessment
Contact: [email protected]
Background:
• Career pen-tester (MS/@stake/Honeywell/AR)
• Security hobbyist and researcher
• Slacker
Copyright © 2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com
All About Me
– Motivation or purpose
– Level of access achieved
– Amount of stealth required
– Persistence
The steps taken by an attacker following successful SQL access or command execution.
What Is SQL Post-Exploitation?
• Most pen-test resources lack details
• The explanations given are limited
• Extended functionality not covered
• Lots of don’ts without reason in hardening docs
• People still aren’t using this stuff or get stuck
• Apparently it was interesting enough for you
Why MS-SQL Post Exploitation?
• Nothing covered in this presentation is new
• Everything presented is actively being used
• Everything presented can be prevented
• This talk assumes you have SQL access
• MS-SQL is a subject of interest, not expertise
• The subject is databases, which is boring
Pro-tip: You might be bored
• Utilizing SQL procedures to attack the host
• Lesser known evils (some don’ts explained)
• Credential harvesting scenario
• Potential for using the DB in attacks
• Persistence tricks
What’s Covered
• If you have DBO/sa you win! (There’s more to it)
  – Owning the host or just the DB
  – Persistence
• If you don’t have DBO/sa it could be research time
  – Stored procedures
  – Extended stored procedures
  – Assemblies
  – Good old fashioned exploits
• Sometimes it’s just about the data
I Have Access, Now What?
• What’s Really Important
• Getting xp_cmdshell() – Do you need it?
• Adding accounts - Not too stealthy
• Total capabilities in the SQL instance
  – Blind injection: not always so blind
  – Network access to/from SQL instance
  – Validity of SQL credentials elsewhere
Things to Consider
• Over the past year: 30 assessments
  – 20 of them were successful due to SQL
  – 0 of them detected anything wrong
  – All of them neglected to restrict access
  – 3 of them had blank sa account instances
  – Only 5 of them had plans to upgrade to SQL 2k8
  – Development environments were always BAD
Lessons Learned
• Large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM
  – If it’s not local system, it’s most likely still admin
  – If it’s a domain account
    • Used elsewhere
    • Still likely to be system admin
• Of the small percentage who aren’t local system or admin
  – Few if any additional hardening steps are being taken
  – Shared accounts on hosts that were using privileged accounts
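A defender’s counterpart to the two slides above, added here as an example; it is not from the talk. The T-SQL reports the service account the engine runs as, SQL logins whose password is blank or equal to the login name, the state of the built-in sa login, and the sysadmin membership. sys.dm_server_services needs SQL Server 2008 R2 SP1 or later (on older instances read the service account from SQL Server Configuration Manager); the rest runs on SQL Server 2005 and later and needs a sysadmin connection, since password_hash is only visible with CONTROL SERVER.

```sql
-- Added example (not from the talk): login and service-account audit.
-- Run as sysadmin; password_hash is only visible with CONTROL SERVER.

-- 1. Which Windows identity does the engine (and Agent) run as?
--    sys.dm_server_services: SQL Server 2008 R2 SP1 and later.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 2. SQL logins with a blank password. PWDCOMPARE() hashes the supplied
--    clear text with the stored salt and compares it to the stored hash.
SELECT name, is_disabled, create_date, modify_date
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. SQL logins whose password is the login name.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1;

-- 4. State of the built-in sa login (principal_id 1, whatever it is named now).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 5. Everyone in sysadmin: each of them reaches the host with the
--    privilege of the service account found in step 1.
SELECT m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

Anything returned by steps 2 and 3, or a service account of NT AUTHORITY\SYSTEM or a domain account that is also used elsewhere, is exactly the condition the speaker’s assessment numbers describe.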
People Are Still Running SQL As System
• A majority of SQL instances that exist are legacy and will be for some time
• Everything is vanilla
• Shared accounts are a certainty
• Logging is performed, but never observed
• Lack of access is usually a by-product
Reality
• People are lazy
• Nobody has the resources
• The people who make the rules
• Good enough is better than best
Why Are Things Broken?
• xp_dirtree*
• xp_enumdsn
• xp_enumerrorlogs
• xp_enumgroups
• xp_fileexist*
• xp_fixeddrives
• xp_getnetname
• xp_subdirs*
• xp_regdeletekey
• xp_regdeletevalue
• xp_regread
• xp_regwrite
* Can specify a UNC path
Extended Stored Procedures - The Hidden Usage
• sp_addextendedproc*
• xp_cmdshell
• sp_OACreate

The other fun extended stored procedures:
• xp_dirtree*
• xp_enumdsn
• xp_enumerrorlogs
• xp_enumgroups
• xp_fileexist**
• xp_fixeddrives
* Still around in SQL 2k8

Procedure Name   Configuration Option Name
xp_cmdshell      xp_cmdshell
sp_OACreate      Ole Automation Procedures
xp_sendmail      SQL Mail XPs
If it doesn’t execute, it might need some help.
Check That Advanced Options Are Enabled
• xp_cmdshell
• sp_OACreate
• xp_sendmail
Each of these may require a call to sp_configure*:
* A query of ‘UPDATE sys.configurations [..]’ also does the trick
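The same surface-area options and extended procedures from the hardening side: an added example, not from the slides. It reports the current state of the options the table pairs with each procedure, sets them back to 0 (the installation default), and then lists which database principals in master can execute the UNC-capable and registry extended procedures from the earlier list. 'SQL Mail XPs' exists only through SQL Server 2008 R2, so that row is simply absent on newer instances; the revokes at the end are left commented out because SSMS backup/restore dialogs use xp_dirtree and xp_fileexist, so they need testing before rollout.

```sql
-- Added example (not from the talk): surface-area audit and hardening.
USE master;

-- 1. Current state of the options that gate the procedures in the table above.
--    value = configured, value_in_use = what the running instance honours.
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell',
               'Ole Automation Procedures', 'SQL Mail XPs');

-- 2. Disable them. The first two are advanced options, so they must be
--    shown to be changed; hide them again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Who may execute the UNC-capable and registry xps? On a default install
--    public holds EXECUTE on several of them (xp_dirtree and xp_fileexist
--    among them), so any login at all can call them.
SELECT o.name  AS procedure_name,
       dp.name AS grantee,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.all_objects          AS o  ON o.object_id = p.major_id AND p.class = 1
JOIN sys.database_principals  AS dp ON dp.principal_id = p.grantee_principal_id
WHERE o.type = 'X'                       -- X = extended stored procedure
  AND o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_subdirs',
                 'xp_regread', 'xp_regwrite', 'xp_regdeletekey',
                 'xp_regdeletevalue', 'xp_enumgroups', 'xp_enumdsn')
ORDER BY o.name, dp.name;

-- 4. Taking the UNC-capable ones away from public closes the footnoted
--    behaviour for non-sysadmin logins. SSMS dialogs depend on xp_dirtree
--    and xp_fileexist, so test before rolling this out:
-- REVOKE EXECUTE ON dbo.xp_dirtree   FROM public;
-- REVOKE EXECUTE ON dbo.xp_fileexist FROM public;
-- REVOKE EXECUTE ON dbo.xp_subdirs   FROM public;
```

Steps 1 and 3 are read-only and safe to schedule as a recurring check; a non-zero running_value for xp_cmdshell or Ole Automation Procedures that nobody changed on purpose is worth an alert on its own.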
Commands can be executed by means of the sp_OACreate and sp_OAMethod procedures:
xp_cmdshell Isn’t The Only Command Shell
• Used for OLE Automation
• Access to the Wscript object (command execution)
• Doesn’t require the creation of additional procedures
Caveats:
• Limited to sysadmin role by default
• Results aren’t always as easy to get as xp_cmdshell
• Even if procedure access is allowed, object access might not be
sp_OACreate with the Scripting.FileSystemObject is nice, but it’s a bit much for just reading the contents of a file.
You Don’t Have To Script A File Read
A bulk insert will usually get the job done.
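Who can perform that bulk read is the question for the defender. Added example, not from the talk: the queries list every server principal holding ADMINISTER BULK OPERATIONS (the permission BULK INSERT and OPENROWSET(BULK ...) require) or CONTROL SERVER, the members of bulkadmin and sysadmin, and which of those are SQL logins. With a SQL login the engine opens the file under its own service account; with a Windows login it impersonates the caller, so the service-account question from earlier matters here too.

```sql
-- Added example (not from the talk): who can perform bulk file reads.

-- 1. Server-level grants. BULK INSERT / OPENROWSET(BULK ...) need
--    ADMINISTER BULK OPERATIONS; CONTROL SERVER implies everything.
SELECT pr.name AS grantee, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('ADMINISTER BULK OPERATIONS', 'CONTROL SERVER')
ORDER BY pe.permission_name, pr.name;

-- 2. Fixed-role route to the same capability.
SELECT r.name AS role_name, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('bulkadmin', 'sysadmin')
ORDER BY r.name, m.name;

-- 3. Which of those are SQL logins? For them the file is opened with the
--    service account's token, not the caller's; Windows logins are
--    impersonated and only reach files they could read themselves.
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('bulkadmin', 'sysadmin')
  AND m.type = 'S'            -- S = SQL_LOGIN
ORDER BY m.name;
```

Every SQL login that step 3 returns, combined with a SYSTEM or local-admin service account, means a file read anywhere on the host from a database connection alone.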
• Accounts already exist on the host
• Tokens most likely exist on the host (incognito)
• Using existing accounts is a lot less noticeable
Creating accounts is useful, but not too stealthy..
Credential Harvesting From SQL
..all of the usual host-based tricks are open to SQL
• SYSTEM is still SYSTEM
• Administrator can still become SYSTEM
• You can still operate as the SQL account
Some Things Require Finesse
..there are limitations even to the ex-sprocs.
Some Things Require More Finesse
Wscript’s RegRead would be a good choice, but..
..though not all failures are a bad thing (not for us).
Forget Finesse, Go With What You Know
Finally.
The OA methods are for OLE Automation in general, not just Wscript automation; any OLE object the SQL Server context has access to can be utilized.
The OA Methods – Not Just For Wscript
• Windows firewall configuration (HNetCfg.FwMgr)
• System configuration information (Shell.LocalMachine)
• Fun things like UPnP mappings (HNetCfg.NATUPnP)
• Any custom registered component
If you can execute commands and have elevated access, why not use your own controls?
Why Not Register Your Own
-- RegSrv32.exe /c <your OLE DLL/OCX>
• Extended stored procedures
• Assemblies
• OLE Automation
• Standard console access
SQL provides a number of facilities for running compiled code:
SQL Methods For Compiled Code
• UNC shares are valid paths in the creation of extended stored procedures and assemblies.
• Alternate streams work just fine.
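An inventory of the compiled code an instance has been told to load, covering both the list of facilities above and the UNC/alternate-stream point, added here as a defender’s example (not the speaker’s material). It lists non-Microsoft extended stored procedures with the DLL path they resolve, flags DLL paths that are UNC shares or name an alternate data stream, checks whether CLR is enabled and which databases are TRUSTWORTHY, and walks every database for user-defined CLR assemblies with their permission set and source file. sp_MSforeachdb is an undocumented but long-present system procedure; swap in a cursor over sys.databases if you would rather not depend on it.

```sql
-- Added example (not from the talk): inventory of compiled code the
-- instance will load, and where it loads it from.

-- 1. Extended stored procedures not shipped by Microsoft, with their DLL.
SELECT name, dll_name, create_date, modify_date
FROM master.sys.extended_procedures
WHERE is_ms_shipped = 0
ORDER BY create_date;

-- 2. DLL paths that are UNC shares or carry an alternate data stream
--    (a second colon after the drive letter, e.g. C:\x\a.dll:stream).
--    Backslash is not an escape character in T-SQL LIKE.
SELECT name, dll_name,
       CASE WHEN dll_name LIKE '\\%'   THEN 'UNC path'
            WHEN dll_name LIKE '_:%:%' THEN 'alternate stream'
       END AS finding
FROM master.sys.extended_procedures
WHERE dll_name LIKE '\\%' OR dll_name LIKE '_:%:%';

-- 3. Is CLR on at all, and which databases are TRUSTWORTHY (what an
--    unsigned EXTERNAL_ACCESS or UNSAFE assembly needs to run)?
SELECT name, CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = 'clr enabled';

SELECT name, is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 4. User-defined assemblies in every database, with permission set and
--    the file they were created from. sp_MSforeachdb is undocumented;
--    offline databases raise an error on USE that can be ignored.
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS db, a.name, a.permission_set_desc, a.create_date,
       f.name AS source_file
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_files AS f
  ON f.assembly_id = a.assembly_id AND f.file_id = 1
WHERE a.is_user_defined = 1;';
```

A baseline of these four result sets taken at build time, diffed on a schedule, turns “no one ever expects the SQL instance” into a finding rather than a surprise.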
SQL Recognizes Standard File Paths:
File Locations Can Be Fun
– Loading of compiled code modules
  • Local files
  • Network shares
– Execution of scripting resources
– Facilitates the storage of results (go figure)
– No one ever expects the SQL instance!
Depending on the level of access, SQL makes a great attack platform.
The SQL As An Attack Framework
• Triggers
• Guest account
• Spiking the Model database
• ALWAYS dump the SQL passwords
• Data copying and backup permissioning
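Detection for the tricks on this slide, added here as an example rather than taken from the talk: server-scoped triggers that Microsoft did not ship, user objects planted in model (they are cloned into every database created afterwards), and, per database, unshipped triggers and a guest user that holds CONNECT. master, msdb and tempdb grant guest CONNECT by design and are excluded. It uses the undocumented sp_MSforeachdb; offline databases raise an error on USE that can be ignored.

```sql
-- Added example (not from the talk): look for the persistence
-- mechanisms named on the slide.

-- 1. Server-scoped (logon and DDL) triggers Microsoft did not ship.
SELECT name, parent_class_desc, type_desc, is_disabled, create_date, modify_date
FROM sys.server_triggers
WHERE is_ms_shipped = 0;

-- 2. Objects living in model: cloned into every database created later.
SELECT name, type_desc, create_date, modify_date
FROM model.sys.objects
WHERE is_ms_shipped = 0;

-- 3. Per database: unshipped DDL/DML triggers, and a guest user that can
--    connect (legitimate only in master, msdb and tempdb).
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS db, name, parent_class_desc, is_disabled, create_date
FROM sys.triggers
WHERE is_ms_shipped = 0;

IF DB_NAME() NOT IN (''master'', ''msdb'', ''tempdb'')
    SELECT DB_NAME() AS db, dp.name AS principal, p.permission_name, p.state_desc
    FROM sys.database_principals AS dp
    JOIN sys.database_permissions AS p
      ON p.grantee_principal_id = dp.principal_id
    WHERE dp.name = ''guest''
      AND p.permission_name = ''CONNECT''
      AND p.state_desc = ''GRANT'';
';
```

Compare modify_date on anything returned against the change records; the dumb stuff works best precisely because nobody looks at these catalog views after the build.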
Silly Persistence Tricks – The dumb stuff usually works best.
Where To Go From Here
Questions?