SQL Server Hacking from ISSA Kentuckiana workshop 7 - Jeremy Druin
(Hacking Illustrated Series InfoSec Tutorial Videos)
This is the 7th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae (or other tools) for the Kentuckiana ISSA. This one covers SQL Server Hacking.
Details:
Video Tutorials:
www.youtube.com/user/webpwnized
Video Index URL:
http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae
YouTube Channel:
http://www.youtube.com/user/webpwnized
Twitter Updates: @webpwnized
Notes: Database Exploitation/Post Exploitation
SQL Server
How does SQL Server handle connections?
Server vs. Instance vs. Port vs. Database
Where are remote connections configured?
SQL Server Connection Manager
How does the client know where instances are listening?
SQL Browser Service
Configuration
services.msc
SQL Server Connection Manager
Recon: Detecting SQL Server (Passive)
DNS Hostnames
Remediation
Scanning: Detecting SQL Server (Active)
SQL Server Browser Service (nmap, sqlscan)
Metasploit mssql_ping
Scapy MS SQL Browser Inquiry (Advanced Workshop)
Remediation
Browsing SQL Server
Microsoft SQL Server Management Studio
Microsoft osql.exe (Advanced Workshop)
[Remote]: osql -U brokerage_qa -S JEREMY-8GNO9J7F\SQLEXPRESS -P brokerage_qa
[Localhost]: osql -U brokerage_qa -S localhost\SQLEXPRESS -P brokerage_qa
SQL Injection
Remediation
least-privilege
schema-containment
application accounts
Bruteforcing passwords
Metasploit mssql_login
username = password
silly passwords
Remediation
smart cards
active directory integration
password policy
Audit: SSMS -> Management -> Policy Management -> Policies
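The bruteforcing and password-policy points above can be checked directly on the instance instead of by guessing from outside. The following T-SQL is an added audit example and is not from the workshop or its video; it assumes SQL Server 2005 or later (sys.sql_logins, PWDCOMPARE, LOGINPROPERTY), a sysadmin session with CONTROL SERVER (needed to read password_hash), and uses constructed weak-password samples and <login>/<NewStrongPassword> placeholders.

```sql
-- Added audit example (not from the workshop notes). Run in SSMS or osql on
-- the instance as sysadmin; reading password_hash needs CONTROL SERVER.
-- Assumes SQL Server 2005+ (sys.sql_logins, PWDCOMPARE, LOGINPROPERTY).

-- 1. Logins whose password equals the login name, is blank, or is one of a
--    few constructed "silly" values. PWDCOMPARE tests a cleartext candidate
--    against the stored hash server-side, so no hash leaves the instance.
SELECT l.name,
       CASE
         WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password = username'
         WHEN PWDCOMPARE('',     l.password_hash) = 1 THEN 'blank password'
         ELSE 'matches constructed weak-list entry'
       END AS finding
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name,      l.password_hash) = 1
   OR PWDCOMPARE('',          l.password_hash) = 1
   OR PWDCOMPARE('password',  l.password_hash) = 1   -- constructed sample value
   OR PWDCOMPARE('Password1', l.password_hash) = 1;  -- constructed sample value

-- 2. Logins that bypass the Windows password policy. The "password policy"
--    remediation only bites when CHECK_POLICY / CHECK_EXPIRATION are ON, so
--    list every SQL login where either is off, with lockout state from
--    LOGINPROPERTY for context.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       LOGINPROPERTY(l.name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set,
       LOGINPROPERTY(l.name, 'BadPasswordCount')    AS bad_password_count
FROM sys.sql_logins AS l
WHERE l.is_policy_checked = 0
   OR l.is_expiration_checked = 0
ORDER BY l.name;

-- 3. Remediation for a login flagged above: set a new password, enforce the
--    Windows policy and expiry, and force a change at next login.
--    <login> and <NewStrongPassword> are placeholders.
-- ALTER LOGIN [<login>] WITH PASSWORD = '<NewStrongPassword>' MUST_CHANGE,
--     CHECK_EXPIRATION = ON, CHECK_POLICY = ON;
```

Query 1 is the same check a bruteforcer performs (name as password, trivial values), but done by the DBA against the stored hashes, so it finds the weak accounts before mssql_login does; query 2 shows which logins the Policy Management audit will not protect because policy enforcement was switched off at creation time.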
Locating Passwords
SQL Injection
VB Scripts
Applications
Service Accounts
Windows Shares
Developer Workstations
DTS and DTSX files (Data Transformation Services)
Remediation
Stop treating development environment like a development environment
Capturing Passwords
Metasploit auxiliary/server/capture/mssql
Post Exploitation
Metasploit Microsoft SQL Server Configuration Enumerator
auxiliary/admin/mssql/mssql_enum
Metasploit XP Command Shell
auxiliary/admin/mssql/mssql_exec
Listing Databases (use browser service)
Listing Tables/Columns (SSMS)
Listing Tables/Columns (Information Schema) (Advanced Workshop)
Dump Hashes
Metasploit auxiliary/scanner/mssql/mssql_hashdump
Query master..syslogins with LOGINPROPERTY(name, 'PasswordHash') (Advanced Workshop)
SELECT name, LOGINPROPERTY(name, 'PasswordHash') hash FROM master.sys.syslogins
john --format=mssql05 hash cracking
john --format=mssql05 /tmp/mssql-pwhash.txt
Input file format: <username>:<0x-prefixed hex password hash>
Linked Servers
Logins (AD vs. Windows vs. SQL Server logins vs. Users)
Listing Logins ([master].[sys].[server_principals]) (Advanced Workshop)
Listing Credentials (SSMS)
Listing Credentials ([master].[sys].[credentials]) (Advanced Workshop)
Listing backup device properties
Running Commands
Metasploit auxiliary/admin/mssql/mssql_exec
Microsoft osql.exe (Advanced Workshop)
[Remote]: osql -U brokerage_qa -S JEREMY-8GNO9J7F\SQLEXPRESS -P brokerage_qa
[Localhost]: osql -U brokerage_qa -S localhost\SQLEXPRESS -P brokerage_qa
SSMS
How do these tools work? (Advanced Workshop)
tcpdump
code reviews
Download from:
http://archive.org/download/SqlServerHackingByJeremyDruin/sql-server-hacking-jeremy-druin-webpwnized.avi