Thick Client — Attacking databases the fun/easy way

I was recently looking at a desktop application of a large security firm which manages the security of various large buildings around the UK. The application was fairly straight-forward for a standard thick-client which retrieved and stored data in SQLServer from a remote host.

The test started off as every other test does — setting up tools, installing dependencies, etc. If you are familiar with a web assessment or a thick-client assessment then the methodology should be familiar to you. Once I had the basic tools setup such as Echo Mirage, Burp, etc, it was a case of looking through the traffic to see if there was anything interesting. After going through the application and logging the traffic I found something interesting!

The application was connecting to the database over a clear-text connection which meant the database credentials were being sent.

[Disclaimer] I am going to redact any sensitive information.

Credentials being sent over clear-text

From this I was able to grab the database credentials, use the metasploit module “windows/mssql/mssql_payload” and get a meterpreter shell. The joy of this is that the shell was running as SYSTEM! \o/

SYSTEM shell on the database server

From metasploit and the meterpreter shell I was able to dump the entire database, create new users on the system, pivot through the network, etc. It goes to show that it’s not a great idea to send credentials over clear-text.