SQL Server Hacking from ISSA Kentuckiana workshop 7 - Jeremy Druin
This is the 7th in a line of classes Jeremy Druin will be giving on pen-testing and web app security featuring Mutillidae (or other tools) for the Kentuckiana ISSA. This one covers SQL Server Hacking.
Details:
Video Tutorials:
www.youtube.com/user/webpwnized
Video Index URL:
http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae
YouTube Channel:
http://www.youtube.com/user/webpwnized
Twitter Updates: @webpwnized
Database Exploitation/Post Exploitation: SQL Server
- How does SQL Server handle connections?
  - Server vs. Instance vs. Port vs. Database
  - Where are remote connections configured? SQL Server Connection Manager
  - How does the client know where instances are listening? SQL Browser Service
  - Configuration: services.msc, SQL Server Connection Manager
- Recon: Detecting SQL Server (Passive)
  - DNS hostnames
  - Remediation
- Scanning: Detecting SQL Server (Active)
  - SQL Server Browser Service (nmap, sqlscan)
  - Metasploit mssql_ping
  - Scapy MS SQL Browser inquiry (Advanced Workshop)
  - Remediation
- Browsing SQL Server
  - Microsoft SQL Server Management Studio (SSMS)
  - Microsoft osql.exe (Advanced Workshop)
    [Remote]: osql -U brokerage_qa -S JEREMY-8GNO9J7F\SQLEXPRESS -P brokerage_qa
    [Localhost]: osql -U brokerage_qa -S localhost\SQLEXPRESS -P brokerage_qa
- SQL Injection
  - Remediation: least privilege, schema containment, application accounts
- Bruteforcing passwords
  - Metasploit mssql_login
  - username = password, silly passwords
  - Remediation: smart cards, Active Directory integration, password policy
  - Audit: SSMS -> Management -> Policy Management -> Policies
- Locating passwords
  - SQL Injection
  - VB scripts
  - Applications
  - Service accounts
  - Windows shares
  - Developer workstations
  - DTS and DTSX files (Data Transformation Services)
  - Remediation: stop treating the development environment like a development environment
- Capturing passwords
  - Metasploit auxiliary/server/capture/mssql
- Post Exploitation
  - Metasploit Microsoft SQL Server Configuration Enumerator: auxiliary/admin/mssql/mssql_enum
  - Metasploit XP Command Shell: auxiliary/admin/mssql/mssql_exec
  - Listing databases (use the browser service)
  - Listing tables/columns (SSMS)
  - Listing tables/columns (Information Schema) (Advanced Workshop)
  - Dump hashes
    - Metasploit auxiliary/scanner/mssql/mssql_hashdump
    - Query master..syslogins with LOGINPROPERTY(name, 'PasswordHash') (Advanced Workshop):
      SELECT name, LOGINPROPERTY(name, 'PasswordHash') hash FROM master.sys.syslogins
    - john mssql05 hash cracking: john --format=mssql05 /tmp/mssql-pwhash.txt
      Input format: <username>:<0Xhex_format_password_hash>
  - Linked servers
  - Logins (AD vs. Windows vs. SQL Server logins vs. Users)
    - Listing logins ([master].[sys].[server_principals]) (Advanced Workshop)
    - Listing credentials (SSMS)
    - Listing credentials ([master].[sys].[credentials]) (Advanced Workshop)
    - Listing backup device properties
  - Running commands
    - Metasploit auxiliary/admin/mssql/mssql_exec
    - Microsoft osql.exe (Advanced Workshop)
      [Remote]: osql -U brokerage_qa -S JEREMY-8GNO9J7F\SQLEXPRESS -P brokerage_qa
      [Localhost]: osql -U brokerage_qa -S localhost\SQLEXPRESS -P brokerage_qa
    - SSMS
- How do these tools work? (Advanced Workshop)
  - tcpdump
  - code reviews
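As an added example (not part of the workshop material), the T-SQL below turns the outline's remediation points into a defender-side audit: it lists every SQL Server authenticated login together with its password-policy and expiration enforcement, sysadmin membership, and whether the password is simply the login name (the "username = password" case). It assumes you run it in master as a login holding CONTROL SERVER, which PWDCOMPARE and the password_hash column require; the login name in the ALTER LOGIN statement is a placeholder.

```sql
-- Audit SQL-authenticated logins for the weaknesses the workshop calls out.
-- Assumes: run in master; caller has CONTROL SERVER (needed for PWDCOMPARE
-- and to see sys.sql_logins.password_hash).
SELECT
    l.name,
    l.is_disabled,
    l.is_policy_checked,                                  -- 0 = Windows password policy not enforced
    l.is_expiration_checked,                              -- 0 = password never expires
    IS_SRVROLEMEMBER('sysadmin', l.name)   AS is_sysadmin,
    CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
    PWDCOMPARE(l.name, l.password_hash)    AS password_is_username   -- 1 = password equals login name
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'                               -- skip internal certificate-based logins
ORDER BY is_sysadmin DESC, l.name;

-- Remediation for a flagged login (placeholder name): enforce the Windows
-- password policy and expiration; CHECK_EXPIRATION requires CHECK_POLICY = ON.
ALTER LOGIN [app_login_placeholder] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Any row with is_policy_checked = 0, password_is_username = 1, or is_sysadmin = 1 on an application account is a finding; pair this with the SSMS Policy Management audit listed above.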
Download from:
http://archive.org/download/SqlServerHackingByJeremyDruin/sql-server-hacking-jeremy-druin-webpwnized.avi
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek