
Notes: Database Exploitation / Post Exploitation

SQL Server
  - How does SQL Server handle connections?
      - Server vs. Instance vs. Port vs. Database
  - Where are remote connections configured?
      - SQL Server Connection Manager
  - How does the client know where instances are listening?
      - SQL Browser Service
  - Configuration
      - services.msc
      - SQL Server Connection Manager

Recon: Detecting SQL Server (Passive)
  - DNS
  - Hostnames
  - Remediation

Scanning: Detecting SQL Server (Active)
  - SQL Server Browser Service (nmap, sqlscan)
  - Metasploit mssql_ping
  - Scapy MS SQL Browser Inquiry (Advanced Workshop)
  - Remediation

Browsing SQL Server
  - Microsoft SQL Server Management Studio
  - Microsoft osql.exe (Advanced Workshop)
      [Remote]:    osql -U brokerage_qa -S JEREMY-8GNO9J7F\SQLEXPRESS -P brokerage_qa
      [Localhost]: osql -U brokerage_qa -S localhost\SQLEXPRESS -P brokerage_qa

SQL Injection
  - Remediation
      - least-privilege
      - schema containment
      - application accounts

Bruteforcing Passwords
  - Metasploit mssql_login
  - username = password
  - silly passwords
  - Remediation
      - smart cards
      - Active Directory integration
      - password policy
      - Audit: SSMS -> Management -> Policy Management -> Policies

Locating Passwords
  - SQL Injection
  - VB Scripts
  - Applications
  - Service Accounts
  - Windows Shares
  - Developer Workstations
  - DTS and DTSX files (Data Transformation Services)
  - Remediation
      - Stop treating development environment like a development environment

Capturing Passwords
  - Metasploit auxiliary/server/capture/mssql

Post Exploitation
  - Metasploit Microsoft SQL Server Configuration Enumerator: auxiliary/admin/mssql/mssql_enum
  - Metasploit XP Command Shell: auxiliary/admin/mssql/mssql_exec
  - Listing Databases (use browser service)
  - Listing Tables/Columns (SSMS)
  - Listing Tables/Columns (Information Schema) (Advanced Workshop)
  - Dump Hashes
      - Metasploit auxiliary/scanner/mssql/mssql_hashdump
      - Query master..syslogins with LOGINPROPERTY(name, 'PasswordHash') (Advanced Workshop)
          SELECT name, LOGINPROPERTY(name, 'PasswordHash') hash FROM master.sys.syslogins
      - john mssql05 hashcrack
          john --format=mssql05 /tmp/mssql-pwhash.txt
          Format: <username>:<0xhex_format_password_hash>
  - Linked Servers
  - Logins (AD vs. Windows vs. SQL Server logins vs. Users)
      - Listing Logins ([master].[sys].[server_principals]) (Advanced Workshop)
      - Listing Credentials (SSMS)
      - Listing Credentials ([master].[sys].[credentials]) (Advanced Workshop)
      - Listing backup device properties
  - Running Commands
      - Metasploit auxiliary/admin/mssql/mssql_exec
      - Microsoft osql.exe (Advanced Workshop)
          [Remote]:    osql -U brokerage_qa -S JEREMY-8GNO9J7F\SQLEXPRESS -P brokerage_qa
          [Localhost]: osql -U brokerage_qa -S localhost\SQLEXPRESS -P brokerage_qa
      - SSMS
  - How do these tools work? (Advanced Workshop)
      - tcpdump
      - code reviews