MSSQL ATTACK TOOL – A swiss army knife for pentesting MSSQL servers

MSSQL ATTACK TOOL

The MSSQL ATTACK TOOL (M.A.T) was developed at SySS internally in a Research & Development project. The tool, programmed in C#, allows for the fast discovery and exploitation of vulnerabilities in MSSQL servers.

EXAMPLE SCENARIO

During a penetration test, the user COM1\user is compromised. A local MSSQL Server instance is identified on the local server. Instead of manually connecting to the instance with various pentesting tools, the MSSQL ATTACK TOOL is used.

The tool indicates that the compromised Windows user can log in to the SQL Server “COM1” (Windows Integrated Authentication – no need to enter username/password). The tool provides the following output:

The user is in the “sysadmin” group. This allows the user to activate the XP_CMD shell and execute system commands or list SQL user logins (which will be important later).

After the XP_cmdshell has been activated (MAT.exe –server localhost -e), system commands can be executed subsequently (MAT.exe –server localhost –os-command “whoami”).

The usage of the parameter ‘–os-command’ without using the additional parameter ‘–linked-server’ tells the tool to execute the command locally, on the entry SQL Server (COM1).

In the next step, it can be tested whether the user COM1\user can be used to access a Linked Server. The following Linked Servers were previously identified by the MSSQL ATTACK TOOL:

When querying Linked Servers on the SQL Server, the server itself (in this case COM1) is always listed as well. The actual Linked Server here is “COM2”. The direct attempt to use the compromised user to execute SQL commands on this Linked Server fails (the MSSQL Tool performs these checks automatically).

This is because there is no login mapping for the current user on COM1 (see diagram below: SQL users and permissions). The login mapping determines which user from SQL Server COM1 is associated with which user from COM2.

Therefore, it is important to know which users exist on COM1 in order to test whether a login mapping exists for any of these users (if the permissions are high enough, it is possible to directly check this in the linked server object “COM2” (on COM1) via SQL Management Studio). Previously, the MSSQL ATTACK TOOL detected the following user logins:

Thus, an attempt can be made to impersonate the user “userx.” By referring to the diagram with users/permissions (at the bottom), it becomes apparent that the impersonated user “userx” can execute SQL commands on COM2 as “usery.” It is important to note that all actions performed after impersonation occur as the impersonated user. The following command was used:

The use of the tool yields the following result:

In this demo scenario, the tool is not only capable of executing OS-commands locally or on the Linked Server COM2 (via 1 link) but can also use the SQL Server COM1 as a Linked Server from there (via 2 links). In a Triple Link scenario, COM1 would first connect to COM2 via a link, then back to COM1, and then again to COM2 via a link. The indication “Pwn3d!” indicates that the mapped user on the Linked Server is in the “sysadmin” group and therefore has full control over the SQL Server.

The following illustration shows the existing users of each MSSQL server along with their mappings.

Download & Use

Copyright (c) 2024 Marvin Ramsperger, SySS GmbH