Weak passwords
Configuring
Prerequisite
The weak passwords were configured during the creation of the SQL Server users and Domain users in the section "Enumerate Logins".
pageEnumerate LoginsAttacking
How it works
SQL Servers can have two type of accounts that could connect to it. Domain user accounts and groups or SQL Server accounts. These accounts have access to the SQL server and might have higher privileges then we currently have. By spraying passwords against these user we might get access to them.
Password spraying
Password spraying is a type of brute force attack. An attacker will try a default password against a list of usernames. For example, an attacker uses the password Welcome2022! against many different accounts to avoid account lockout that would normally occur when brute-forcing a single account with many passwords.
A old habit what a lot of companies enforce is the requirement to change passwords every 30, 60 or 90 days. Which results in people changing their password often, forgetting it and eventually choosing a easy guessable password. Another habbit is adding a increment to the same password or using months/seasons. Which means we can easily create a password list of common passwords and things people would choose using following formats:
season+year+! (Summer2022!)
month+year+! (March2022!)
companyname+year+! (Amsterdambank2022!)
city+! (Amsterdam!)
etc.
Tools
Executing the attack
So during the enumeration we discovered that there are three domain users or groups:
AMSTERDAM\richard,BANK\administratorandAMSTERDAM\DatabaseUsers.To check which of these are users and groups, login to
WS01asRichardwith the passwordSample123.Download PowerView on the kali machine and host it on a webserver:
4. Start PowerShell and download and execute an amsi and PowerView in memory:
5. Now we can query these objects using PowerView and the Get-DomainObject cmdlet. We already know who Richard is and the Administrator is a well known user. We will query DatabaseUsers:
6. The output shows us that the DatabasUsers is a group object and that bob is its only member.
7. We already sprayed passwords at the SQL server during the initial access steps. We will do it again here. First we need to make a list of the enumerated logins, we will split them in sqlusers.txt and domainusers.txt.
8. Secondly create a passwords.txt file and copy the following passwords like we did during the password spraying attack earlier and we will also add the usernames since sometimes admin set the username as the password:
9. First we will run Crackmapexec to connect to the MSSQL service running on WEB01 and spray with local SQL users. We have to use the --local-auth flag otherwise it will spray under the domain context. We will also use the --continue-on-success flag so it doesn't stop after the first successfull hit.
We found the password for three users and it seems thats SQLAdmin has sysadmin rights since it shows Pwn3d! , this means it has admin rights. Since we are spraying MSSQL logins this means sysadmin rights. If we were spraying with SMB it meant the user was localadmin on the machine.
10. We can also run Crackmapexec with the domain context:
We discovered the password of another user bob, but this time the Domain User. We already connected to the SQL service using both SQL accounts and Domain user accounts. This can be done with tools such as mssql-cli or heidiSQL.
11. Something we didn't show is that its possible to execute sql queries with crackmapexec:
There will always be loads of tools which can do the same stuff, it will always come down to convenience and where you are used too or like the most. Check the executing commands page under SQL Server Attacks to read how to execute cmd commands:
pageExecuting CommandsDefending
Recommendations
Implement a strong password policy:
Detection
References
Last updated
