Merge pull request #717 from IamLeandrooooo/patch-1
Adding SQL Server Linked Servers Passwords Attack
carlospolop authored Oct 11, 2023
2 parents adac2ec + a3d33f1 commit a0e0e09
Showing 1 changed file with 20 additions and 0 deletions.
Expand Up @@ -495,6 +495,26 @@ Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuse
[https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/)
## Extracting passwords from SQL Server Linked Servers
An attacker can extract SQL Server Linked Servers passwords from the SQL Instances and get them in clear text, granting the attacker passwords that can be used to acquire a greater foothold on the target.
The script to extract and decrypt the passwords stored for the Linked Servers can be found [here](https://www.richardswinbank.net/admin/extract_linked_server_passwords)
Some requirements, and configurations must be done in order for this exploit to work.
First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server Configurations.
After validating your permissions, you need to configure three things, which are the following:
1. Enable TCP/IP on the SQL Server instances;
2. Add a Start Up parameter, in this case, a trace flag will be added, which is -T7806.
3. Enable remote admin connection.
To automate these configurations, [this repository ](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) has the needed scripts.
Besides having a powershell script for each step of the configuration, the repository also has a full script which combines the configuration scripts and the extraction and decryption of the passwords.
For further information, refer to the following links regarding this attack:
[Decrypting MSSQL Database Link Server Passwords](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/)
[Troubleshooting the SQL Server Dedicated Administrator Connection](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/)
## Local Privilege Escalation
The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege.**\
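Review bot: the three numbered prerequisites ("Enable TCP/IP", "Add a Start Up parameter ... -T7806", "Enable remote admin connection") say what to change but not why; since the linked mssqltips article is about the Dedicated Administrator Connection, one sentence stating that the extraction script depends on the DAC, which the trace flag and the remote admin connection setting make reachable, would let readers understand the list rather than follow it blindly. It is also worth saying plainly that these are sysadmin-level configuration changes, which matters for the "Administrator rights" sentence above it. Smaller points in the same hunk: the list punctuation is inconsistent (";" on item 1, "." on items 2 and 3), "Start Up parameter" should be "startup parameter", "Some requirements, and configurations must be done" has a stray comma, "powershell" should be "PowerShell", and the link text `[this repository ](...)` carries a trailing space inside the brackets that renders as a gap at the end of the link.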