Adding SQL Server Linked Servers Passwords Attack

Adding a section to the pentesting-mssql-microsoft-sql-server playbook where the SQL Server Linked Servers Passwords Attack is detailed, with information and scripts to handle the needed configurations. Also, a script for the extraction and decryption of the passwords is added.
Furthermore, additional information is provided to better understand the attack.
This commit is contained in:
Leandro 2023-10-09 20:52:49 +01:00 committed by GitHub
parent 4e747159b1
commit a3d33f13c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 0 deletions


@ -495,6 +495,26 @@ Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuse
[https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/)
## Extracting passwords from SQL Server Linked Servers
An attacker can extract SQL Server Linked Servers passwords from the SQL Instances and get them in clear text, granting the attacker passwords that can be used to acquire a greater foothold on the target.
The script to extract and decrypt the passwords stored for the Linked Servers can be found [here](https://www.richardswinbank.net/admin/extract_linked_server_passwords)
Some requirements, and configurations must be done in order for this exploit to work.
First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server Configurations.
After validating your permissions, you need to configure three things, which are the following:
1. Enable TCP/IP on the SQL Server instances;
2. Add a Start Up parameter, in this case, a trace flag will be added, which is -T7806.
3. Enable remote admin connection.
To automate these configurations, [this repository ](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) has the needed scripts.
Besides having a powershell script for each step of the configuration, the repository also has a full script which combines the configuration scripts and the extraction and decryption of the passwords.
For further information, refer to the following links regarding this attack:
[Decrypting MSSQL Database Link Server Passwords](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/)
[Troubleshooting the SQL Server Dedicated Administrator Connection](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/)
## Local Privilege Escalation
The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**\
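Review bot: the markdown in the added section will not render as intended in two places: the link text on the line "To automate these configurations, [this repository ](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) has the needed scripts." carries a trailing space inside the square brackets, which breaks the link in some renderers, and the two reference links under "For further information, refer to the following links regarding this attack:" sit on consecutive lines with no blank line or list bullet between them, so they collapse into a single paragraph. Suggest `[this repository](...)` and turning the two reference links into a `-` list. The numbered list also mixes terminators (`;` after step 1, `.` after steps 2 and 3); pick one. On the documentation side, the prerequisite sentence "you must have Administrator rights on the machine, or the ability to manage the SQL Server Configurations" is vague about which permission each step actually needs, and step 2 names the trace flag -T7806 without saying what it does or that a startup parameter only takes effect after the instance is restarted; stating the required SQL Server role, what -T7806 enables and the restart requirement would make the section usable by a reader who is assessing whether these configuration changes (which are all visible to a defender as configuration and service-restart events) are appropriate in a given engagement.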