Enumerate Logins

Configuring

Adding SQL Server logings

  1. Login to WEB01 as the Administrator user with password Welcome01!.

  2. Open "Microsoft SQL Server Management Studio".

3. Login with the Administrator user using Windows Authentication.

4. Create two new users copying the following settings. Unfold "Security" and "Logins" folders and right clicking on "Logins" and selecting "New Login".

Username: Bob, Password: Bob

Click "OK" and create the second user: Username: SQLAdmin, Password Winter2022!.

Then open the tab "Server Roles" and select "sysadmin" so the user SQLAdmin is sysadmin.

Creating Domain Group and User to access the SQL Server.

  1. The user AMSTERDAM\Richard already has access to the SQL Server. But lets create a group and a new user and add this user to the group and give it access.

  2. Open the "Active Directory Users and Computers" administration tool on DC02.

3. Open the "Employees" OU and right click on it and select "new" and then "Group". Name the group DatabaseUsers.

4. Right click on the "Employees" OU and select "new" and then "User". Name the user also Bob and set the password Fall2022!. Make sure you deselect "User must change password at next Logon".

5. Right click the user "Bob" and select "Properties". Then open the tab "Member Of" and click "Add". Fill in the group DatabaseUsers and click on "OK"

6. Go back to WEB01 and unfold "Security" and "Logins" folders and right clicking on "Logins" and selecting "New Login". Fill in Amsterdam\DatabaseUsers

Attacking

How it works

SQL Servers can have two type of accounts that could connect to it. Domain user accounts or groups or SQL Server accounts. These accounts can be enumerated by any user with the "Public" role. By enumerating the SQL / Domain users and groups that have access to the SQL server, it might be possible to obtain access with a account that has higher privileges by for example password spraying all these users. Which might result in code execution on the SQL Server.

Tools

Executing the attack

  1. Login to WS01 as Richard with the password Sample123.

  2. Download PowerUpSQL on the kali machine and host it on a webserver:

wget https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1
python3 -m http.server 8090

3. Start PowerShell and download and execute an amsi and PowerUpSQL in memory:

4. With PowerUPSQL loaded and the knowledge that Richard already has access to the SQL Server. We can enumerate the logins manually but since we aren't sysadmin it wont return all the users, only the one we can see from the database we have access to;

Get-SQLInstanceDomain | Get-SQLQuery -Query "SELECT name FROM sys.syslogins
Get-SQLInstanceDomain | Get-SQLQuery -Query "SELECT name FROM sys.server_principals"

5. If we run the queries on the SQL server itself as the Domain Admin we will receive all the users, since it is sysadmin on the SQL Server;

6. So we aren't able to enumerate all the users using these queries. But we are able to query the users with the following query; Select SUSER_NAME(ID). Using the SUSER_NAME function. Where the ID starts with 1 and we keep incrementing it till we have all the users. The id 282 is from the testadmin SQL user.

7. Doing this manually takes a while so luckely the authors of PowerUpSQL automated this by using the Get-SQLFuzzServerLogin cmdlet;

Get-SQLFuzzServerLogin -Instance web01

8. We discovered that the following user/groups can access the SQL Server. The users/groups with AMSTERDAM\ or BANK\ are domain users/groups.

AMSTERDAM\richard
Developer
Developer_test
BANK\administrator
testadmin
bob
SQLAdmin
AMSTERDAM\DatabaseUsers

Defending

Recommendations

  • Restrict access to SQL Servers as much as possible. There is no need to give all "Domain Users" public access to the SQL Database.

Detection

References

PreviousDB-OwnerNextWeak passwords

Last updated