Suppose you have managed to obtain user accounts on a network with an Active Directory domain controller, and have even escalated your own privileges. It might seem that you can now relax and rest on your laurels. Not so fast! What if you have not taken over the whole network but only one segment of it? You need to work out how to move further through the network, look for new entry points, and keep up reconnaissance and further privilege escalation.
Lateral Movement Technique through Microsoft SQL Server Links
First, a bit of theory. Microsoft SQL Server lets you create links to external data sources such as other SQL Servers, Oracle databases, or Excel spreadsheets. Servers are often misconfigured, which is why such links, or "linked servers", can be used to discover and traverse database links across the network, gain unauthorized access to data, or upload various shells. We will now look at how such attacks are carried out in practice.
All information is provided for informational purposes only. Neither the editors nor the author are liable for any possible harm caused by the information in this article.
Introduction to Links
Creating a link on SQL Server is fairly trivial: it can be done with the stored procedure sp_addlinkedserver or through SQL Server Management Studio (SSMS). Typically, attackers do not seek to create links, but try to find existing ones and exploit them.
Links can be viewed under Server Objects → Linked Servers in SSMS. Alternatively, they can be listed with the stored procedure sp_linkedservers or with the query select * from master..sysservers. Selecting directly from the sysservers table is preferable, as it reveals a little more information about the links.
For existing links there are several key settings worth paying attention to. Obviously, the purpose of the link, the type of data source (provider name), and whether the link is available for queries (data access) matter for using the link. In addition, outgoing RPC (rpcout) must be enabled on a link in order to enable xp_cmdshell on the remote linked server through it.
When attacking database links, attackers focus on two main settings: the data source (provider name) and how the link is configured to authenticate. Here we focus on SQL Server data sources, that is, links that connect to other Microsoft SQL Server instances.
Each of these SQL Server links can be configured to authenticate in several ways. A link can be configured without any credentials for the connection, it can use the current security context, or it can use a fixed SQL account and password for all connections over the link. As practice shows, after walking all the links, there is always at least one configured with sysadmin rights; this allows you to escalate from the initial public access to sysadmin without even leaving the database layer.
Although only system administrators can create links, any database user can try to access them. There are, however, two very important things to understand about using links:
- if the link is enabled for queries (dataaccess set to 1), every user on the database server can use it regardless of their own rights;
- if the link is configured to use a SQL account, every connection over it runs with the rights of that account. In other words, a public user on server A can potentially execute SQL queries on server B as that account.
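As an added example (not from the article), here is an audit query a DBA can run on an instance to see, for every link, exactly the settings discussed above: provider, data access, rpc out, and how each local login is mapped on the remote side. It uses only the catalog views sys.servers and sys.linked_logins; no link or login names are assumed.

```sql
-- Added audit example (not from the article): inventory of linked servers on the
-- local instance with the settings that decide whether a link can be abused.
-- Run as a member of sysadmin (or with VIEW ANY DEFINITION) to see every mapping.
SELECT
    s.name                     AS link_name,
    s.provider,
    s.data_source,
    s.is_data_access_enabled   AS data_access,   -- 1: any login here can use OPENQUERY over the link
    s.is_rpc_out_enabled       AS rpc_out,       -- 1: EXECUTE ... AT link works (remote RECONFIGURE possible)
    CASE
        WHEN ll.local_principal_id = 0 THEN N'<all logins>'          -- default mapping applies to everyone
        ELSE SUSER_NAME(ll.local_principal_id)
    END                        AS local_login,
    CASE
        WHEN ll.uses_self_credential = 1 THEN N'current security context'
        WHEN ll.remote_name IS NULL     THEN N'no credentials (connection will fail)'
        ELSE N'fixed remote login: ' + ll.remote_name                 -- every caller arrives as this account
    END                        AS remote_auth
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;
```

A row with data_access = 1 and a "fixed remote login" on the <all logins> mapping is the configuration the article relies on: every login on this instance, including one that holds nothing but public, reaches the remote server as that stored account. Check that account's role membership on the remote instance; if it is sysadmin there, the link is a privilege-escalation path and the mapping should be tightened.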
SQL Server links are very easy to use. For example, the following query uses openquery() to list the version of the remote server.
select version from openquery("linked_remote_server", 'select @@version as version');
You can also use openquery to execute SQL queries across several nested links; this makes link chaining possible and thus allows link trees to be used.
select version from openquery("link1",'select version from openquery("link2",''select @@version as version'')')
In the same way, as many openquery operators as needed can be nested to reach all related servers. The only problem is that each subquery must use twice as many single quotes as the query enclosing it. As a result, the query syntax becomes rather cumbersome once you have to write 32 single quotes on a single line.
Exploitation scheme from inside the network
The following figure shows an example of a typical network of linked databases. A user with public access to DB1 can follow the database link to DB2 (user-level permissions) and from DB2 to DB3 (user-level permissions). From DB3 they can follow the link back to DB1 (user-level permissions) or the link to DB4. Since that link is configured with elevated privileges, following the chain DB1 -> DB2 -> DB3 -> DB4 gives an unprivileged user sysadmin rights on DB4, which sits in an "isolated" network zone.
Database links can also be queried using an alternative syntax, but it does not allow nesting over multiple links. In addition, actually exploiting it requires rpcout to be enabled on the links, and since that is disabled by default, this is unlikely to be used often in practice.
Although Microsoft states that openquery() cannot be used to execute extended stored procedures on a linked server, it is possible. The trick is to return some data, complete the SQL statement, and then execute the required stored procedure. Below is a basic example of running xp_cmdshell this way:
select 1 from openquery("linkedremoteserver",'select 1;exec master..xp_cmdshell "dir c:"')
The query does not return the output of xp_cmdshell, but if xp_cmdshell is enabled and the user has the rights to execute it, the dir command will run in the operating system. One of the easiest ways to get a shell on the target system is to call PowerShell (if it is installed on the OS) and have it make a reverse connection to a Meterpreter listener. In general, the sequence of actions is as follows:
- Create a PowerShell script that runs the Metasploit payload; an example can be taken here.
- Encode the script in Unicode.
- Encode it in Base64.
- Run the command powershell -noexit -noprofile -EncodedCommand via xp_cmdshell.
If xp_cmdshell is not enabled on the linked server, it may not be possible to enable it even if the link is configured with sysadmin rights. Any queries made through openquery are treated as user transactions, which do not allow reconfiguration. Calling sp_configure does not change the server's state without RECONFIGURE, so xp_cmdshell will remain disabled. If rpcout is enabled on every link along the path, you can enable xp_cmdshell with the following syntax.
execute('sp_configure "xp_cmdshell",1;reconfigure;') at LinkedServer
But, as already noted, rpcout is disabled by default, so it is unlikely to work with long chains of links.
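For the defending side, here is an added hardening script (not from the article; LINKED_SERVER_NAME is a placeholder) that closes the three doors described above on a link that should not be crawlable: rpc out, data access, and a stored-credential default mapping. The xp_cmdshell step belongs on the instance that is the target of links, since that is where the command would run.

```sql
-- Added hardening example (not from the article). @link is a placeholder.
DECLARE @link sysname = N'LINKED_SERVER_NAME';

-- 1. Turn off RPC out unless EXECUTE ... AT is genuinely required. Without it the
--    remote "sp_configure ... ; RECONFIGURE" route described in the article is closed.
EXEC sp_serveroption @server = @link, @optname = N'rpc out', @optvalue = N'false';

-- 2. If the link exists only for DBA maintenance, also disable data access, which
--    blocks OPENQUERY over it for every login on the instance.
EXEC sp_serveroption @server = @link, @optname = N'data access', @optvalue = N'false';

-- 3. Replace the default (all logins) mapping with the caller's own security
--    context, so a public login can no longer borrow a stored remote account.
--    Drop the existing default mapping first, then re-add it with @useself = 'true'.
EXEC sp_droplinkedsrvlogin @rmtsrvname = @link, @locallogin = NULL;
EXEC sp_addlinkedsrvlogin  @rmtsrvname = @link, @useself = N'true', @locallogin = NULL;

-- 4. On the instance that is the target of links: keep xp_cmdshell off, so a crawl
--    that does reach sysadmin still has no direct way to run OS commands.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
```

Switching the default mapping to the caller's own context can break an application that depended on the stored account; that is the point of the change, because it makes the link's effective privilege the caller's own. Windows-authenticated callers then need Kerberos delegation to hop to the remote instance, and SQL-authenticated callers need a login of the same name and password there; either way the remote account is one you chose explicitly rather than one inherited by everyone.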
Exploitation scheme from outside
Although database links can be a good way to escalate privileges once you have authenticated access to a database inside the network, the more serious risk is when linked servers are reachable from outside. SQL injection, for one, is very common, and a successful attack makes it possible to execute arbitrary SQL queries on the database server. If the web application's database connection is configured with least privilege (which happens quite often), escalating into the internal network, where the database server probably sits, is not straightforward. However, as mentioned earlier, any user, regardless of privilege level, can access preconfigured database links.
The following illustration shows the attack path from outside. Having found a SQL injection in the web application, the attacker can start following the links DB1 → DB2 → DB3 → DB4. After obtaining sysadmin rights on DB4, they can execute xp_cmdshell to launch PowerShell and get a reverse connection.
Thus an attacker gains privileges in an isolated segment of the corporate network and can set about compromising the entire domain, while initially having had no access to the internal network at all.
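To notice this path being walked, here is an added Extended Events session (not from the article; the session name and the file path are placeholders) that records, on an instance, every statement that uses OPENQUERY, xp_cmdshell or sp_configure, together with the login and client host that issued it. The login a web application uses should never appear in this file, and a chain of OPENQUERY calls arriving from another SQL Server's service account is exactly the crawl the article describes.

```sql
-- Added detection example (not from the article). Session name and file path are
-- placeholders; the path must be writable by the SQL Server service account.
CREATE EVENT SESSION [link_abuse_watch] ON SERVER
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.username, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%openquery%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%sp_configure%')
),
ADD EVENT sqlserver.rpc_completed (
    -- xp_cmdshell and sp_configure can also arrive as RPC calls (EXECUTE ... AT)
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.username, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%sp_configure%')
)
ADD TARGET package0.event_file (SET filename = N'C:\XE\link_abuse_watch.xel')  -- placeholder path
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [link_abuse_watch] ON SERVER STATE = START;
GO

-- Reading the captured events back: who ran what, from where, and when.
SELECT
    xe.value('(event/@timestamp)[1]', 'datetime2')                          AS event_time,
    xe.value('(event/action[@name="username"]/value)[1]', 'sysname')        AS login_name,
    xe.value('(event/action[@name="client_hostname"]/value)[1]', 'sysname') AS client_host,
    xe.value('(event/action[@name="client_app_name"]/value)[1]', 'sysname') AS client_app,
    xe.value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)')  AS statement_text
FROM sys.fn_xe_file_target_read_file(N'C:\XE\link_abuse_watch*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS XML)) AS x(xe)
ORDER BY event_time DESC;
```

Deploy the session on every instance that is the target of a link, not only on the one facing the web application: the interesting events (xp_cmdshell, sp_configure) fire on the last hop of the chain, where the statement arrives under the link's mapped account from the previous server's host.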
How to automate discovery of exploitation paths
To automate enumeration and crawling of links once initial access to SQL Server has been obtained, you can use PowerUpSQL, a tool already mentioned in previous articles. Get-SQLServerLinkCrawl can be used to scan all reachable paths through linked servers, and it also lists the software versions and the privileges with which the links are configured. To run Get-SQLServerLinkCrawl you need to supply the database instance for the initial connection and the credentials used for authentication. By default the script uses integrated authentication, but you can optionally specify alternative domain credentials or SQL Server credentials.
To output to the console, use the command