Today is the first day of the PASS SUMMIT 2017 in Seattle (WA). The weather is cloudy and we have only 11°C… but where is the problem? Everything happens inside! (at the Convention Center).
![IMG_9474[1]](https://www.dbi-services.com/blog/wp-content/uploads/sites/2/2022/04/IMG_94741-e1509562436568-scaled.jpg)
In this blog, I will make a summary of main attack vectors against MSSQL environments, based on Argenis FERANDEZ’s session called “Modern Security Attack Vectors Against SQL Server Environments”.
METASPLOIT
Metasploit is a penetration testing framework to exploit known security vulnerabilities. This tool is able to scan a server by providing an IP address, and to list all security vulnerabilities you can find on TechNet.
After your environment has been scanned, you can exploit these vulnerabilities on every non-patched server. This kind of tool remind us how it is important to keep environments up-to-date with security updates!
Metasploit can also be used to hack SQL Server login password with a Brute-Force method. Time to remain Windows Logins are recommended over SQL Logins.
If you want to learn more, please read this article Metasploit Cheat Sheet by Team Keary. It lists the essential commands providing in the Framework.
PowerSploit
PowerSploit is a collection of PowerShell modules (CodeExecution, ScriptModification, Exfiltration…) which can be used to exploit information / data from a compromised machine. This module includes the famous Mimikatz cmdlet which can be used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
SQLMAP
sqlmap is a penetration testing tool. It can detect and exploit different SQL injection types, like Boolean-based blind or Time-based blind.
RDP Hijacking
Imagine a Domain Admin (or a SQL Admin) connects to a remote Windows server. When his work is done, he disconnects from his session (so the session is still available). It happens to many administrators, doesn’t it? And now imagine this Windows server has been compromised and the hacker has local administrator privileges. He is able to hijack the domain admin session, and so retrieve all his privileges…
But how is it possible? You can either use PSEXEC Sysinternals tool (but it needs to be there), or either create a service which will hijack user’s session. You can find the demonstration made by Alexander Korznikov.
As a consequence, it highly recommended to completely logoff from your rdp sessions!
CONCLUSION
This session was pretty interesting because it provided various approaches which can be used to attack your MSSQL environment. It also provided different best practices to take care about, and I know I will always log off from my sessions 😉
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/NAC_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/DWE_web-min-scaled.jpg)