Executing SMB Relay Attacks via SQL Server using Metasploit

In this blog, I’ll provide a brief overview of SMB Relay attacks and show how they can be initiated through a Microsoft SQL Server.  I will also provide some practical examples that show how to use new Metasploit modules to gain unauthorized access to SQL Servers during a penetration test.    Below is a summary of what will be covered in this blog:

  • A Brief History of SMB Relay
  • Using SQL Server to Iniate SMB Authentication Attacks
  • Using Metasploit Modules to Capture and Crack Hashes
  • Using Metasploit Modules to Relay Authentication

A Brief History of SMB Relay

In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow smb attacks to be succesful were identified as a threat in the late 90’s.  However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks.   Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system. I guess the good news is that SMB relay attacks can be prevented by enabling and requiring smb message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems. 2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years.  During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack. Anyway, let’s get back on track…

Using SQL Server to Initiate SMB Authentication Attacks

So how can we initiate SMB authentication through a SQL Server?  As it turns out, SQL Server can interact with the file system in a number of different ways.  For example, it supports functions for reading from files, providing directory listings, and checking if files exist.  The xp_dirtree and xp_fileexist stored procedures are especially handy, because by default they can be executed by any login with the PUBLIC role in SQL Server 2000 to 2012.

How does this help us?  Both the xp_dirtree and xp_fileexist stored procedures can support more then just local drives.  They also support remote UNC paths (\serverfile).  Also, everytime the SQL Server attempts to access a remote file server via a UNC path it automatically attempts to authenticate to it with the SQL Server service account.

The normal authentication process that would occur when a SQL Server accesses a remote file share via a UNC path looks something like the diagram below:

In most enterprise environments the SQL Server service is configured with a domain account.  What that means is an attacker could execute one of the prelisted stored procedures via SQL injection (or a valid SQL login) and relay the authentication to another database server to obtain a shell.  Alternatively, an attacker could simply capture and crack the hashes offline.  However, it should be noted that the SQL Server service can be configured with a number of different accounts.  Below is a table showing the basic account configuration options and potential attacks.

Service Account  Network Communication SMB Capture SMB Relay
NetworkService Computer Account Yes No
Local Administrator Local Administrator Yes Yes
Domain User Domain User Yes Yes
Domain Admin Domain Admin Yes Yes

 

Using Metasploit Modules to Capture and Crack Hashes

So now that you understand how the basics work, let’s walk through how to initate SMB authentication through SQL server with the intent of gathering and cracking credentials for later use.  In the diagram below, I’ve tried to illustrate what it would look like if an attacker initiated a connection from the SQL server to their evil server and captured hashes using a static nonce.

The attack scenario above can be automated using  the “auxiliary/server/capture/smb” and “auxiliary/admin/mssql/mssql_ntlm_stealer” Metasploit modules.  Below is a step by step example of how to capture and crack the credentials using those modules.

Systems for the scenario:

  • SQL  Server 1: 192.168.1.100
  • Attacker System: 192.168.1.102

  

  1. Crack the second half with john the ripper to obtain the case insensitive full LM password. Use the netntlm.pl script from the jumbo pack. They can be downloaded from http://www.openwall.com/john/.

  2. Run the same command again to obtain the case sensitve password.

If you’re interested in automating the process a little, Karl Fosaaen has created a PowerShell script to do it for you: https://github.com/NetSPI/PS_MultiCrack

Using Metasploit Modules to Relay SMB Authentication

Ok, now for the classic relay example.  Below is basic diagram showing how an attacker would be able to leverage a shared SQL Server service acccount being used by two SQL servers.  All that’s required is a SQL injection or a SQL login that has the PUBLIC role. 

 

Now that we have covered the visual, let’s walkthrough the practical attack  using the mssql_ntlm_stealer module.  This can be used during penetration tests to obtain a meterpreter session on SQL Servers that are using a shared service account. Systems for the scenario:
  • SQL  Server 1: 192.168.1.100
  • SQL  Server 2: 192.168.1.101
  • Attacker System: 192.168.1.102

 

  1. Configure and execute the “mssql_ntlm_stealer” Metasploit module against SQL Server 1:

I know my text examples can be a little lame, so I’ve put together a video example to how this attack can be done via SQL injection.  Hopefully it can provide some additional insight into the attack process.


Wrap Up

I would like to make it clear that none of these are original ideas. Techniques for initiating SMB relay attacks through SQL injection on database platforms like SQL Server have been around a long time. My hope is that the Metasploit modules can be used during penetration tests to help generate more awareness.  To those out there trying to do a little good with a little bad – have fun and hack responsibly!

Comments

  • Hello Scott, why do you use rcraki to crack only half of the hash? I think it’s easier to use rcacki to crack whole hash or is there any advantatage in the procedure that you shown (crack first half of hash by rcracki and second half by that perl script)?

Leave a Reply

Your email address will not be published. Required fields are marked *

Scott Sutherland

Read our White Papers for more information

Lean more about our Whitepapers