After all the posts about attacking different parts of IT infrastructure, it seems impossible that we have never used nmap as a tool before. Nmap is one of the most reliable and well-known tools of the trade for attackers. More than that, it is used by security pros and IT admins for a huge number of tasks. In their own words, the makers of nmap say it is a “utility for network discovery and security auditing.” I think that sells it short by a long shot. We don’t have even a fraction of the time needed to cover everything nmap can do here – but you can literally read the book about it if you really want to know. We will focus on how we used it to scan our little lab network and find MS SQL in order to zero in for the attack. We could have used it for many other parts of this as well, but we want to give some other tools a chance too.
MS SQL will listen on a number of ports on the network to serve SQL requests. This may include a “Browser” service that hands out connection information to anyone who requests it, and a standard port (1433 by default) to answer transaction requests. Nmap will scan a given network for ports like this across a huge array of well-known services and (true to its name) map out what it finds. There are literally thousands of options you can feed into nmap, and the choices you make will affect how the scan runs in important ways. The scan we used to run our discovery was this:
A quick breakdown of this command is:
The results of this scan give me this:
This isn’t the complete output of the scan, just the results section. Nmap reads out every attempt it makes that has any sensible reason for output. After all that noise, it summarizes the signal it finds, as you see here. Because the scan wasn’t restricted to MS SQL, you see the results for the NetBIOS service as well. But the important bit for us is that it tells us MS SQL is here, that it’s on the default port, and it gives us the version and patch info about it as well. The MS SQL I have running on this host uses pretty much default options in every respect, so this is close to what you may expect to see on your systems if you were to run the same scan.
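The post encourages you to run the same discovery against your own systems. Turning that into an inventory check is mostly a matter of reading nmap's output in a structured form: nmap can write its results as XML (the -oX option), and the two service names it uses for the ports described above are ms-sql-s (the listener, 1433/tcp by default) and ms-sql-m (the Browser service, 1434/udp). The script below is an added example, not code from the post or from the nmap project; it parses a constructed XML excerpt (hosts, versions and ports are made up) and reports which hosts expose MS SQL and whether the Browser service is answering, which is the first thing a defender would want to know.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap's XML output for a two-host lab scan.
# Addresses, hostnames and version strings are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.56.10" addrtype="ipv4"/>
    <hostnames><hostname name="sql01.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s" product="Microsoft SQL Server 2017" version="14.00.1000.00" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="1434">
        <state state="open" reason="udp-response"/>
        <service name="ms-sql-m" product="Microsoft SQL Server Browser" method="probed" conf="10"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.56.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="closed" reason="reset"/>
        <service name="ms-sql-s" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# nmap's service names for the SQL Server listener and the Browser service.
MSSQL_SERVICE_NAMES = {"ms-sql-s", "ms-sql-m"}


def find_mssql_instances(xml_text):
    """Return one dict per OPEN MS SQL-related port found in an nmap XML document."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        hostname_el = host.find("hostnames/hostname")
        hostname = hostname_el.get("name") if hostname_el is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports tell us nothing about a live instance
            svc = port.find("service")
            if svc is None or svc.get("name") not in MSSQL_SERVICE_NAMES:
                continue
            found.append({
                "host": addr_el.get("addr"),
                "hostname": hostname,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name"),
                "product": svc.get("product"),
                "version": svc.get("version"),
                # conf=10 means nmap probed the service; lower values are table guesses
                "probed": svc.get("method") == "probed",
            })
    return found


def exposure_report(instances):
    """Map each host to the human-readable observations a defender would want to act on."""
    report = {}
    for inst in instances:
        notes = report.setdefault(inst["host"], [])
        if inst["service"] == "ms-sql-m":
            notes.append("SQL Server Browser answers on udp/%d: instance names and ports are "
                         "handed to anyone who asks" % inst["port"])
        elif inst["service"] == "ms-sql-s":
            where = "default port 1433" if inst["port"] == 1433 else "tcp/%d" % inst["port"]
            ver = inst["version"] or "version not fingerprinted"
            notes.append("SQL Server listening on %s (%s)" % (where, ver))
    return report


if __name__ == "__main__":
    for host, notes in exposure_report(find_mssql_instances(SAMPLE_NMAP_XML)).items():
        print(host)
        for n in notes:
            print("  -", n)
```

The version string nmap recovers is exactly what an attacker sees, so comparing it against your patch baseline is the obvious follow-up; the Browser-service note is there because, as the post says, that service answers anyone who asks, and most environments can block or disable it.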
Taking Advantage of Soft Targets
Another widely used tool for the initial stages of a compromise is medusa. Medusa is a multi-homed, brute-force password cracker. Essentially, you feed it places to try lists of passwords, and it does so quickly and efficiently. It has modules for testing passwords on a large number of platforms, and MS SQL is one of them. The command we ran against our systems looks like this:
As with nmap, it can be run against many systems at once, even though we only point it at my one system here. A quick breakdown of this command:
Here are the results when we run medusa against my MSSQL server:
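What a medusa run looks like from the server's side is a burst of failed logins for the same account from the same client, recorded in the SQL Server error log as error 18456 ("Login failed for user ..."), followed by a success if the list contained the password. The detector below is an added example, not code from the post or from any STEALTHbits product; it parses a constructed error-log excerpt (timestamps and addresses are made up) and raises one alert per client/user pair when a configurable number of failures land inside a time window, upgrading the alert if a success follows the burst. It assumes login auditing is set to record both failed and successful logins, which is a server-level setting rather than the default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server error-log excerpt: one ordinary failure from an application
# account, then a burst of failed 'sa' logins from a single client and a final success.
SAMPLE_ERRORLOG = """\
2022-03-14 10:14:58.10 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:14:58.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.30]
2022-03-14 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.99]
2022-03-14 10:15:01.27 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:15:01.27 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.99]
2022-03-14 10:15:01.31 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.99]
2022-03-14 10:15:01.35 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:15:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.99]
2022-03-14 10:15:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.99]
2022-03-14 10:15:01.44 Logon       Error: 18456, Severity: 14, State: 8.
2022-03-14 10:15:01.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.56.99]
2022-03-14 10:15:02.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.56.99]
"""

# Only the "Login failed/succeeded" lines carry the user and client; the preceding
# "Error: 18456, Severity: 14, State: N." lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_events(log_text):
    """Return (timestamp, outcome, user, client) tuples for every login line in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("outcome"), m.group("user"), m.group("client")))
    return events


def detect_password_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per (client, user) when `threshold` failures fall inside `window`.
    Later failures are counted onto the alert; a later success marks it as likely compromised."""
    recent = defaultdict(deque)   # (client, user) -> timestamps of failures inside the window
    alerts = {}
    for ts, outcome, user, client in sorted(events):
        key = (client, user)
        if outcome == "failed":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # slide the window forward
            if len(q) >= threshold:
                if key not in alerts:
                    alerts[key] = {"client": client, "user": user, "first_seen": q[0],
                                   "failures": len(q), "succeeded_after": False}
                else:
                    alerts[key]["failures"] += 1
        elif outcome == "succeeded" and key in alerts:
            alerts[key]["succeeded_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_password_guessing(parse_events(SAMPLE_ERRORLOG)):
        status = "SUCCESS AFTER BURST" if a["succeeded_after"] else "ongoing"
        print("%s guessing '%s': %d failures since %s (%s)"
              % (a["client"], a["user"], a["failures"], a["first_seen"], status))
```

The single 'appuser' failure never reaches the threshold and produces nothing, which is the point of keying on client and user together: a tool like medusa stands out by volume from one source, while scattered typos do not. The "success after burst" flag is the one to page on.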
What To Do Next For MS SQL Attacks – And Preventing Them
On my little lab network, we’ve found an MS SQL server running, we know a bit about its version and patching status, and we even know the sa password. In our next step for the blog, we’ll dive into the PowerUpSQL PowerShell toolkit to exploit the SQL Server even more. It’s worth mentioning that we could have accomplished everything we did here with a similar toolkit called metasploit. Metasploit, similar to PowerUpSQL, would automate some of the choices we made here, as well as give us one unified toolkit to do what we did separately with nmap and medusa (also worth noting is that nmap could have done most of what medusa did as well). All that is to say that there are lots of ways to achieve the kind of progress we made today, which should give you more of a push to see all this stuff mitigated in your own world.
The other question is how we could have stopped some or all of this from happening. At this level of the attack, we’re dealing with the meat-and-potatoes advice security pros will always give. Let’s run through that meal:
Post #1: Attacking Microsoft SQL Server Databases
Learn about how STEALTHbits addresses SQL auditing and monitoring with StealthAUDIT for SQL here.
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest’s IAM solutions, directing all business development and product strategy efforts. Previous to that, Mr. Sander was a consultant at Platinum Technology focusing on the security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.
© 2022 Stealthbits Technologies, Inc.