MSSQL, Exchange, and SCCM Attacks

This module covers attacks targeting tightly incorporated technologies in Active Directory environments such as MSSQL, Exchange, and SCCM, and how to identify them.

Created by plaintextHTB
Co-Authors: bmdyy, BlWasp, nwodtuhs, dpgg

Hard Offensive

Summary

In this module, we will face technologies like MSSQL, Exchange, and SCCM, which are indispensable in most modern organizations. They are tightly incorporated in medium to large businesses, assisting their operations. The module has several environments showcasing each technology separately, as well as their enumeration and further exploitation. The technologies are broken into different sections, supplemented with a set of exercises.

This module covers attacks from Windows and Linux environments and includes the following sections:

  • Introduction to MSSQL Server
  • Privilege Escalation
  • Command Execution
  • Lateral Movement
  • Tools of the Trade
  • Introduction to Exchange
  • Enumeration
  • Vulnerabilities
  • Attacks via Emails
  • Introduction to SCCM
  • SCCM Auditing
  • Abusing SCCM
  • SCCM Site Takeover
  • SCCM Post Exploitation

As you work through the module, you will see example commands and command output for the various topics introduced. You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading", but you must complete all of the exercises and the skills assessments to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Hard" and assumes in-depth knowledge of the Windows and Linux command line, the structure and function of Active Directory, and common Active Directory enumeration tasks and attacks from both Linux and Windows attack hosts.

A firm grasp of the following modules can be considered prerequisites for successful completion of this module:

  • Introduction to Active Directory
  • Footprinting
  • Attacking Common Services
  • Linux Fundamentals
  • Windows Fundamentals
  • Pivoting, Tunneling, and Port Forwarding
  • Active Directory Enumeration & Attacks

Introduction to MSSQL Server

The next few sections discuss various attacks specific to MSSQL Server. It is assumed that you have some previous experience with SQL. If you do not, please consider checking out the SQL Injection Fundamentals module, which covers the basics of SQL.

Microsoft SQL Server (MSSQL Server) is a proprietary relational database management system (RDBMS) developed by Microsoft, which, at the time of writing, is the third most popular in the world.

It stands out amongst its competitors due to various reasons, such as its tight integration with Active Directory and .NET, its large community of developers which has been built up over the past couple of decades, and its reliable performance when handling large amounts of data.

MSSQL Server uses its own dialect of the SQL language, called Transact-SQL (T-SQL), which extends the capabilities of SQL by including procedural programming, local variables, various support functions and enhancements to the DELETE and UPDATE statements.

In these next few sections, we will discuss various attacks which are specific to MSSQL Server, including ways to escalate privileges within the server, ways to execute commands on the underlying host, as well as ways to "move laterally" to further compromise linked servers.

Accessing MSSQL Server

To set the scene, let's imagine we discovered a configuration file during an internal penetration test which contained the following lines:

<SNIP>
DB_CONNECTION=sqlsrv
DB_HOST=10.10.15.129
DB_PORT=1433
DB_DATABASE=webshop
DB_USERNAME=ws_dev
DB_PASSWORD=4X6cuvDLNer7nwYN5LBZ
<SNIP>

Based on the value of DB_CONNECTION, it can be assumed that these are credentials for an MSSQL Server instance. There are many ways to connect to or interact with an MSSQL Server instance, but we will focus on two tools - Impacket MSSQLClient, which is an open-source penetration testing tool belonging to the Impacket project, and Microsoft SQL Server Management Studio (SSMS), which is Microsoft's official integrated environment for managing MSSQL Server infrastructure.

In most cases, attackers will be interacting with MSSQL Server through SQL injection attacks, rather than connecting directly with known credentials.

Impacket MSSQLClient

Impacket is an open-source project which contains implementations of various network protocols in Python3, as well as many well-known tools for interacting with them such as secretsdump, psexec and mssqlclient.

We can connect to an MSSQL Server instance using MSSQL Server authentication credentials with the following syntax:

[!bash!]$ impacket-mssqlclient ws_dev:4X6cuvDLNer7nwYN5LBZ@10.10.15.129
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'master'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (ws_dev  guest@master)>

Besides MSSQL Server authentication, MSSQLClient supports Windows and Kerberos authentication, and can be used for pass-the-hash attacks.

Once connected to an instance, T-SQL queries may be executed like so:

SQL (ws_dev  guest@master)> SELECT SYSTEM_USER;

------   
ws_dev

There is a bit more to this tool that makes it especially convenient for penetration testing, but we will get back to that in the Tools of the Trade section.

Microsoft SQL Server Management Studio (SSMS)

The more popular way of connecting to and managing MSSQL Server instances is with Microsoft SQL Server Management Studio (SSMS), which, alongside sqlcmd, is one of the official tools developed by Microsoft for this purpose.

To connect to the server from our example, launch SSMS from the start menu and then fill out the connection details as follows. Note that the server name is set to SQL01 rather than the IP address.

Once connected, you can execute T-SQL queries by selecting New Query from the file menu, or by right-clicking on a server or database and then selecting New Query from the drop-down menu to execute queries in that specific context.

Enumerating MSSQL Server

The first thing an attacker would do upon gaining access to a database is enumerate the data available to them, in order to identify sensitive information such as emails, passwords or credit card numbers. As a next step, after figuring out what sort of database server they are interacting with, they may attempt server-specific attacks in order to achieve further goals such as command execution on the underlying system. Let's take a look at some of the things we would want to enumerate before attempting any MSSQL-specific attacks.

Enumerating (Server) Logins

In MSSQL Server, there are logins and users. Both are types of security principals; the difference is that logins are server-level, while users are database-level. One login can be mapped to multiple users across multiple databases, with a maximum of one user per database. In our example, the credentials we found are for a login security principal called ws_dev.

We can enumerate logins as well as their server-level roles with the following T-SQL query (source):

SELECT r.name, r.type_desc, r.is_disabled, sl.sysadmin, sl.securityadmin, sl.serveradmin, sl.setupadmin, sl.processadmin, sl.diskadmin, sl.dbcreator, sl.bulkadmin
FROM master.sys.server_principals r
LEFT JOIN master.sys.syslogins sl ON sl.sid = r.sid
WHERE r.type IN ('S','E','X','U','G');

Enumerating Databases

To enumerate databases, which principals own them, and whether they are marked as trustworthy, we can use the following T-SQL query. Why the last two columns are important is something we will cover in the next section.

SELECT a.name AS 'database', b.name AS 'owner', is_trustworthy_on
FROM sys.databases a
JOIN sys.server_principals b ON a.owner_sid = b.sid;

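The login-to-user mapping described under "Enumerating (Server) Logins" and the owner/trustworthy columns from the database query above can be audited together in one pass. The following T-SQL is an added example, not part of the module, and assumes only the built-in catalog views and functions it references; it visits every database the current login can access, records each database user with the server login its SID maps to (a NULL login marks an orphaned user), and then joins that back to the owning login, the owner's sysadmin membership and the TRUSTWORTHY flag.

```sql
-- Added example (not from the module): one audit query over all accessible
-- databases. Temp table #db_users and cursor name dbs are arbitrary choices.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#db_users') IS NOT NULL DROP TABLE #db_users;
CREATE TABLE #db_users (
    database_name sysname,
    db_user       sysname,
    db_user_type  nvarchar(60),
    server_login  sysname NULL   -- NULL: no matching login (orphaned user)
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND HAS_DBACCESS(name) = 1;

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps the generated USE statement safe for unusual names.
    -- The #db_users temp table is visible inside the dynamic batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #db_users (database_name, db_user, db_user_type, server_login)
        SELECT DB_NAME(), dp.name, dp.type_desc, sp.name
        FROM sys.database_principals dp
        LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
        WHERE dp.type IN (''S'', ''U'', ''G'') AND dp.sid IS NOT NULL;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- Per-database users alongside the server-level properties of the database:
-- who owns it, whether that owner is sysadmin, and whether TRUSTWORTHY is on.
SELECT u.database_name, u.db_user, u.db_user_type, u.server_login,
       own.name AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', own.name) AS owner_is_sysadmin,
       d.is_trustworthy_on
FROM #db_users u
JOIN sys.databases d ON d.name = u.database_name
LEFT JOIN sys.server_principals own ON own.sid = d.owner_sid
ORDER BY d.is_trustworthy_on DESC, u.database_name, u.db_user;
```

Like sp_helpuser, the per-database part only returns what the current login is permitted to see, so run it as a privileged login when using it as a hardening check.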

Enumerating (Database) Users

In T-SQL, we can use the USE statement to change the database context to a specified database. Once executing in said context, we can enumerate the users and their respective database-level roles with the built-in stored procedure sp_helpuser. Note that this will only return information available to our current user.

USE webshop;
EXECUTE sp_helpuser;

A stored procedure is similar to a function in other programming languages. They may accept input arguments, contain programming statements and return a status value to indicate success or failure. MSSQL Server has a large number of built-in stored procedures, which are documented here. A special type of stored procedure is an extended stored procedure, which allows MSSQL Server to execute native code stored in a DLL. Once again, this is something we will come back to in a later section.
