Database Service Enumeration
Ok in this scenario we care going assume SQL login credentials (sqluser) are exposed and that firewall rules are wide (so we have layer 3 connectivity to the target).
We have loaded Metasploit and will be using the msssql_enum modue
Now that we have configured our target options we can run the module:
Let’s look at the output in detail:
Initially we have some great intel on the target. We can see the following:
- The SQL Server Version
- The OS Version and BUILD number (including architecture)
Next, we can see a series of SQL server configuration parameters:
- C2 Audit mode (https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/c2-audit-mode-server-configuration-option?view=sql-server-2017)
- Xp_cmdshell state (https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017)
- Remote access state
Next, we can see the databases configured on this server:
After this we get logon account information
So here we have struck gold, not only does the sa account exists and is not disabled (we could attempt brute force this if we didn’t have creds or we weren’t sa) but more importantly, our user account that we have already stolen the credentials for has SYSTEM level access. We can see here there is further info that may be useful to us.
Finally, we get into a juicy area:
Here we can see all the stored procedures that we can leverage as well as the service account that sql is running as.
Key questions for pwnage we are looking for are:
- Is xp_dirtree enabled
- Is the service running as a named account (rather than SYSTEM or NT AUTHORITY)?
This module lets us know if we should go further down the rabbit hole either by:
- Crawling for data assets (including applications credentials etc.)
- Look to execute system commands
- Understand if we are in a position to attempt escalation in SQL and execute commands (xp_cmdshell)
- Understand if we are able to attempt to steal password hashes using SMB (xp_dirtree)
Using the example scenario, we are in we can see that we are likely in a position to move further into this target:
- We have SA rights (sqluser)
- Xp_cmdshell is disabled (however we can enable it)
- Xp_dirtree is enabled
- The service is running as a named user account (sql_svc)
Summary
Here we have looked at how enumeration is really the key to all pwnage (as well as defence). With this example we are likely in a position whereby we can escalate from remote SQL public access through to a shell on the target server running in at least user land where we can start to attempt privilege escalation!