Summary
In this module, we will work with technologies like MSSQL, Exchange, and SCCM, which are indispensable in most modern organizations. They are tightly integrated into medium and large businesses and support their day-to-day operations. The module has several environments showcasing each technology separately, along with its enumeration and further exploitation. The technologies are broken into different sections, each supplemented with a set of exercises.
This module covers attacks from Windows and Linux environments and includes the following sections:
- Introduction to MSSQL Server
- Privilege Escalation
- Command Execution
- Lateral Movement
- Tools of the Trade
- Introduction to Exchange
- Enumeration
- Vulnerabilities
- Attacks via Emails
- Introduction to SCCM
- SCCM Auditing
- Abusing SCCM
- SCCM Site Takeover
- SCCM Post Exploitation
As you work through the module, you will see example commands and command output for the various topics introduced. You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Hard" and assumes in-depth knowledge of the Windows and Linux command line, the structure and function of Active Directory, and common Active Directory enumeration tasks and attacks from both Linux and Windows attack hosts.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Introduction to Active Directory
- Footprinting
- Attacking Common Services
- Linux Fundamentals
- Windows Fundamentals
- Pivoting, Tunneling, and Port Forwarding
- Active Directory Enumeration & Attacks
Introduction to MSSQL Server
The next few sections discuss various attacks specific to MSSQL Server. It is assumed that you have some previous experience with SQL. If you do not, please consider checking out the SQL Injection Fundamentals module, which covers the basics of SQL.
Microsoft SQL Server (MSSQL Server) is a proprietary relational database management system (RDBMS) developed by Microsoft which, at the time of writing, is the third most popular in the world. It stands out amongst its competitors for various reasons, such as its tight integration with Active Directory and .NET, the large community of developers it has built up over the past couple of decades, and its reliable performance when handling large amounts of data.
MSSQL Server uses its own dialect of the SQL language, called Transact-SQL (T-SQL), which extends the capabilities of SQL by including procedural programming, local variables, various support functions and enhancements to the DELETE and UPDATE statements.
In these next few sections, we will discuss various attacks which are specific to MSSQL Server, including ways to escalate privileges within the server, ways to execute commands on the underlying host, as well as ways to "move laterally" to further compromise linked servers.
Accessing MSSQL Server
To set the scene, let's imagine we discovered a configuration file during an internal penetration test which contained the following lines:
<SNIP>
DB_CONNECTION=sqlsrv
DB_HOST=10.10.15.129
DB_PORT=1433
DB_DATABASE=webshop
DB_USERNAME=ws_dev
DB_PASSWORD=4X6cuvDLNer7nwYN5LBZ
<SNIP>
Based on the value of DB_CONNECTION, it can be assumed that these are credentials for an MSSQL Server instance. There are many ways to connect to or interact with an MSSQL Server instance, but we will focus on two tools - Impacket MSSQLClient, which is an open-source penetration testing tool belonging to the Impacket project, and Microsoft SQL Server Management Studio (SSMS), which is Microsoft's official integrated environment for managing MSSQL Server infrastructure.
In most cases, attackers will be interacting with MSSQL Server through SQL injection attacks, rather than connecting directly with known credentials.
Impacket MSSQLClient
Impacket is an open-source project which contains implementations of various network protocols in Python 3, as well as many well-known tools for interacting with them such as secretsdump, psexec and mssqlclient.
We can connect to an MSSQL Server instance using MSSQL Server authentication credentials with the following syntax:
$ impacket-mssqlclient ws_dev:4X6cuvDLNer7nwYN5LBZ@10.10.15.129
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'master'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (ws_dev guest@master)>
Besides MSSQL Server authentication, MSSQLClient supports Windows and Kerberos authentication, and can be used for pass-the-hash attacks.
Once connected to an instance, T-SQL queries may be executed like so:
SQL (ws_dev guest@master)> SELECT SYSTEM_USER;
------
ws_dev
There is a bit more to this tool that makes it especially convenient for penetration testing, but we will get back to that in the Tools of the Trade section.
Microsoft SQL Server Management Studio (SSMS)
The more popular way of connecting to and managing MSSQL Server instances is with Microsoft SQL Server Management Studio (SSMS), which, alongside sqlcmd, is one of the official tools developed by Microsoft for that purpose.
To connect to the server from our example, launch SSMS from the start menu and then fill out the connection details as follows. Note that the server name is set to SQL01 rather than the IP address.
Once connected, you can execute T-SQL queries by selecting New Query from the file menu, or by right-clicking on a server or database and then selecting New Query from the drop-down menu to execute queries in that specific context.
Enumerating MSSQL Server
The first thing an attacker would do upon gaining access to a database is enumerate the data available to them to identify sensitive information such as emails, passwords or credit card numbers. As a next step, after figuring out what sort of database server they are interacting with, they may attempt server-specific attacks in order to achieve further goals such as command execution on the underlying system. Let's take a look at some of the things we would want to enumerate before attempting any MSSQL-specific attacks.
Enumerating (Server) Logins
In MSSQL Server, there are logins and users. Both are types of security principals; the difference is that logins are server-level, and users are database-level. One login can be mapped to multiple users across multiple databases, with a maximum of one user per database. In our example, the credentials we found are for a login security principal called ws_dev.
We can enumerate logins as well as their server-level roles with the following T-SQL query:
SELECT r.name, r.type_desc, r.is_disabled, sl.sysadmin, sl.securityadmin, sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin
FROM master.sys.server_principals r
LEFT JOIN master.sys.syslogins sl ON sl.sid = r.sid
WHERE r.type IN ('S','E','X','U','G');
Enumerating Databases
To enumerate databases, which principals own them, and whether they are marked as trustworthy, we can use the following T-SQL query. Why the last two columns are important is something we will cover in the next section.
SELECT a.name AS 'database', b.name AS 'owner', is_trustworthy_on
FROM sys.databases a
JOIN sys.server_principals b ON a.owner_sid = b.sid;
Enumerating (Database) Users
In T-SQL, we can use the USE statement to change the database context to a specified database. Once executing in said context, we can enumerate the users and their respective database-level roles with the built-in stored procedure sp_helpuser. Note that this will only return information available to our current user.
USE webshop;
EXECUTE sp_helpuser;
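As an added example (not code from the module), the following Python script ties the Accessing and Enumerating sections together: it connects with the discovered credentials through impacket's MSSQL library, as impacket-mssqlclient does, runs the login and database enumeration queries from this section, and reports which enabled logins hold any server-level admin role. It assumes impacket is installed and the server is reachable; the SAMPLE_LOGINS rows are constructed.

```python
"""Added example, not part of the module: connect the way impacket-mssqlclient
does (via impacket.tds.MSSQL, assumed installed), run the module's login and
database enumeration queries, and flag enabled logins holding any server-level
admin role. Only flag_privileged_logins() is exercised offline here."""

# Connection details taken from the config file shown in the module.
TARGET = {"host": "10.10.15.129", "port": 1433, "database": "webshop",
          "username": "ws_dev", "password": "4X6cuvDLNer7nwYN5LBZ"}
ROLE_COLUMNS = ("sysadmin", "securityadmin", "serveradmin", "setupadmin",
                "processadmin", "diskadmin", "dbcreator", "bulkadmin")
LOGINS_SQL = ("SELECT r.name, r.type_desc, r.is_disabled, sl." + ", sl.".join(ROLE_COLUMNS)
              + " FROM master.sys.server_principals r"
              " LEFT JOIN master.sys.syslogins sl ON sl.sid = r.sid"
              " WHERE r.type IN ('S','E','X','U','G');")
DATABASES_SQL = ("SELECT a.name AS 'database', b.name AS 'owner', is_trustworthy_on"
                 " FROM sys.databases a JOIN sys.server_principals b ON a.owner_sid = b.sid;")
# Constructed rows shaped like the LOGINS_SQL result (not real server output).
SAMPLE_LOGINS = [
    {"name": "sa", "type_desc": "SQL_LOGIN", "is_disabled": 1, "sysadmin": 1},
    {"name": "ws_dev", "type_desc": "SQL_LOGIN", "is_disabled": 0, "sysadmin": 0},
    {"name": "CORP\\svc_backup", "type_desc": "WINDOWS_LOGIN", "is_disabled": 0,
     "sysadmin": 0, "serveradmin": 1, "bulkadmin": 1},
]

def flag_privileged_logins(rows):
    """Map each enabled login to the server-level admin roles it holds.
    syslogins role columns are 1/0 and come back NULL (None) for unmatched rows."""
    flagged = {}
    for row in rows:
        roles = [col for col in ROLE_COLUMNS if row.get(col)]
        if roles and not row.get("is_disabled"):
            flagged[row["name"]] = roles
    return flagged

def enumerate_server(target):
    """Authenticate with SQL Server authentication and run both queries."""
    from impacket.tds import MSSQL  # lazy import: the offline helper above needs no impacket
    ms = MSSQL(target["host"], target["port"])
    ms.connect()
    if not ms.login(target["database"], target["username"], target["password"]):
        raise RuntimeError("MSSQL Server authentication failed")
    try:
        logins = ms.sql_query(LOGINS_SQL)   # rows come back as dicts keyed by column name
        return {"logins": logins, "privileged": flag_privileged_logins(logins),
                "databases": ms.sql_query(DATABASES_SQL)}
    finally:
        ms.disconnect()

if __name__ == "__main__":
    print(flag_privileged_logins(SAMPLE_LOGINS))  # {'CORP\\svc_backup': ['serveradmin', 'bulkadmin']}
```

Running enumerate_server(TARGET) against the module's lab instance returns the raw rows alongside the flagged logins, so disabled logins such as sa with sysadmin are kept in "logins" but left out of "privileged".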
A stored procedure is similar to a function in other programming languages. Stored procedures may accept input arguments, contain programming statements and return a status value to indicate success or failure. MSSQL Server has a large number of built-in stored procedures, which are documented by Microsoft. A special type of stored procedure is an extended stored procedure, which allows MSSQL Server to execute native code stored in a DLL. Once again, this is something we will come back to in a later section.