Thursday, July 26, 2012

Update to the NMAP Pass the Hash script

I've had a lot of questions about this, so let's see if this helps. When I score a password or a hash, I use an nmap script to quickly determine if this gives me local admin rights to the workstations and servers:

nmap --script=smb-enum-shares.nse --script-args=smbuser=[ADMIN],smbpass=[PASSWORD],smbdomain=[DOMAIN],smbbasic=1,smbtype=v1 -p445 --open -vv -Pn [IP RANGE TO TEST] -oA [FILENAME].txt

smbuser=[ADMIN] = Shared administrator account name
smbpass=[PASSWORD] = The shared account password
Alternatively you can Pass-the-Hash using:
smbdomain=[DOMAIN] = WORKGROUP or the AD domain name

-oA [FILENAME] = The base filename for the results output
[IP RANGE TO TEST] = The IP ranges in CIDR notation.
Alternatively, you could make a list of all IPs and IP ranges and pass them to the scan using:
 "-iL [INPUT LIST TO SCAN].txt"

smbbasic=1 = Forces the authentication to use basic security, as opposed to "extended security". Against most modern systems, extended security should work, but there may be cases where you want to force basic. There's a chance that you'll get better results for enumerating users if you turn on basic authentication.

smbtype=[TYPE] = The type of SMB authentication to use. These are the possible options:
* v1: Sends LMv1 and NTLMv1.
* LMv1: Sends LMv1 only.
* NTLMv1: Sends NTLMv1 only (default).
* v2: Sends LMv2 and NTLMv2.
* LMv2: Sends LMv2 only.
* NTLMv2: Doesn't exist; the protocol doesn't support NTLMv2 alone.

If you have local administrator rights, the scan will show READ/WRITE access to the SMB shares:

Starting Nmap 5.51 ( ) at 2012-12-22 15:41 PDT
Nmap scan report for
Host is up (0.00069s latency).
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Comment: Remote Admin
|     Users: 0, Max: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   C$
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   D$
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: D:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   IPC$
|     Comment: Remote IPC
|     Users: 2, Max: <unlimited>
|     Path: 
|     Anonymous access: READ <not a file share>
|     Current user ('sysadmin') access: READ <not a file share>
|     Comment: 
|     Users: 1, Max: <unlimited>
|     Path: D:\SQLBACKUP
|     Anonymous access: <none>
|_    Current user ('admin') access: READ/WRITE
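As an added example that is not part of the original post, a small Python parser over the smb-enum-shares text output above: it lists, per host, the administrative shares (ADMIN$ and drive shares such as C$) on which the tested account has READ/WRITE, so an administrator can run it over the -oA .nmap file to measure how many machines a shared local admin credential reaches. The host addresses in the embedded sample are constructed.

```python
import re

# Administrative shares: ADMIN$ and drive shares such as C$ or D$.
# READ/WRITE here means the tested account is a local administrator on the host.
ADMIN_SHARE_RE = re.compile(r"^(ADMIN\$|[A-Z]\$)$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SHARE_RE = re.compile(r"^\|\s{3}(\S+)\s*$")                       # "|   ADMIN$"
ACCESS_RE = re.compile(r"^\|_?\s+Current user \('([^']+)'\) access: (.+?)\s*$")

def admin_access_by_host(nmap_text):
    """Map host -> [(share, account)] for administrative shares on which the
    account given to smb-enum-shares has READ/WRITE."""
    results = {}
    host = share = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, share = m.group(1), None      # new host: reset share context
            continue
        m = SHARE_RE.match(line)
        if m:
            share = m.group(1)                  # "|   C$" style share header
            continue
        m = ACCESS_RE.match(line)
        if m and host and share and ADMIN_SHARE_RE.match(share):
            account, access = m.groups()
            if access == "READ/WRITE":
                results.setdefault(host, []).append((share, account))
    return results

# Constructed sample in the .nmap text format shown above (addresses are made up).
SAMPLE = """\
Nmap scan report for 10.0.0.5
Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   C$
|     Current user ('admin') access: READ/WRITE
|   IPC$
|_    Current user ('admin') access: READ <not a file share>
Nmap scan report for 10.0.0.6
| smb-enum-shares: 
|   C$
|_    Current user ('admin') access: <none>
"""
```

Calling admin_access_by_host(SAMPLE) returns only 10.0.0.5, with ADMIN$ and C$ writable as 'admin'; IPC$ and shares reported as <none> are ignored.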

Thursday, July 5, 2012

Hacking Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Server 2005/2008/2012 provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. This feature requires pre-allocating dedicated resources during server startup, such as ~3.5 MB of additional memory. Because of this extra resource cost, the DAC feature is disabled in SQL Server Express; you can enable it by starting the SQL Server service with a trace flag. By default, the DAC is only available from a client on the server itself. To enable client applications on remote computers to use the DAC, use the remote admin connections option of sp_configure.

SQL Server listens for the DAC on TCP port 1434 if it is available, or on a TCP port dynamically assigned at Database Engine startup. The error log contains the port number the DAC is listening on. By default the DAC listener accepts connections only on the local port. To activate remote administration connections, see the remote admin connections Server Configuration Option below.

The following example enables the DAC from a remote computer.

sp_configure 'remote admin connections', 1;
GO
RECONFIGURE;
GO

In this example, an administrator notices that server 172.16.x.x is not responding and wants to diagnose the problem. To do this, the user activates the sqlcmd command prompt utility and connects to server 172.16.x.x using -A to indicate the DAC.

C:\Users\Win7>sqlcmd -A -S 172.16.x.x -U sa -P Bob$yourUncl3

A DAC with remote admin connections permitted may allow an attacker to bypass access controls and logon triggers, perform brute-force attacks, or run unauthorized queries.

Ensure DAC is configured per your Microsoft SQL Server Build and Hardening Documentation and Policies.

To determine the state of the DAC:

sp_configure 'remote admin connections'

0: Indicates only local connections are allowed by using the DAC.
1: Indicates remote connections are allowed by using the DAC.

Detecting DAC using NMap:

bash-3.2$ nmap 172.16.1-3.1-254 -p1434 -vv --open -Pn -n

Starting Nmap 5.51 ( ) at 2012-06-28 09:56 PDT
Initiating Connect Scan at 09:56
Scanning 762 hosts [1 port/host]
Discovered open port 1434/tcp on 172.16.x.1
Discovered open port 1434/tcp on 172.16.x.2

Failed logons will appear in the Windows Application Event Log:

Windows Event Log:

Event Type:    Failure Audit
Event Source:    MSSQLSERVER
Event Category:    (4)
Event ID:    18456
Date:        6/28/2012
Time:        10:08:18 AM
User:        N/A
Computer:    SQL01PRD
Login failed for user 'sa'. [CLIENT: 10.16.x.x]

Additional DAC-related messages to monitor for:

Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag %d. This is an informational message only. No user action is required.

Changing the remote access settings for the Dedicated Admin Connection failed with error 0x%lx, status code 0x%lx.

Dedicated admin connection support was established for listening remotely on port %d.

Could not connect because the maximum number of '%ld' dedicated administrator connections already exists. Before a new connection can be made, the existing dedicated administrator connection must be dropped, either by logging off or ending the process.%.*ls
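As an added example that is not part of the original post, a Python detector over Application-log entries shaped like the 18456 entry above: it flags a client that repeatedly fails logins for the same account within a short window, and records the "listening remotely" message that shows the DAC was exposed on the network. Timestamps, client addresses and the event ID used for the DAC message (the page does not give one) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_EVENT_ID = 18456
FAILED_RE = re.compile(r"Login failed for user '([^']+)'\. \[CLIENT: ([^\]]+)\]")
REMOTE_DAC_RE = re.compile(
    r"Dedicated admin connection support was established for listening remotely on port (\d+)")

def analyze_sql_events(events, threshold=5, window=timedelta(minutes=5)):
    """events: iterable of (timestamp, source, event_id, message).
    Returns (alerts, dac_ports): alerts lists (client, user) pairs that reached
    `threshold` failed logins inside `window`; dac_ports lists ports from the
    'listening remotely' message, i.e. the DAC was exposed on the network."""
    recent = defaultdict(list)
    alerts, dac_ports = [], []
    for ts, source, event_id, message in sorted(events, key=lambda e: e[0]):
        if source != "MSSQLSERVER":
            continue
        m = REMOTE_DAC_RE.search(message)
        if m:
            dac_ports.append(int(m.group(1)))
            continue
        if event_id != FAILED_LOGIN_EVENT_ID:
            continue
        m = FAILED_RE.search(message)
        if not m:
            continue
        user, client = m.groups()
        key = (client, user)
        # keep only attempts inside the sliding window ending at this event
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold and key not in alerts:
            alerts.append(key)
    return alerts, dac_ports

# Constructed events shaped like the Application-log entry above. The DAC message's
# event ID is not given on the page, so placeholder 0 is used and it is matched by text.
T0 = datetime(2012, 6, 28, 10, 8, 18)
SAMPLE_EVENTS = [
    (T0 - timedelta(minutes=30), "MSSQLSERVER", 0,
     "Dedicated admin connection support was established for listening remotely on port 1434."),
    (T0 + timedelta(minutes=2), "MSSQLSERVER", 18456,
     "Login failed for user 'reportuser'. [CLIENT: 10.16.0.9]"),
] + [
    (T0 + timedelta(seconds=10 * i), "MSSQLSERVER", 18456,
     "Login failed for user 'sa'. [CLIENT: 10.16.0.7]")
    for i in range(6)
]
```

analyze_sql_events(SAMPLE_EVENTS) reports ('10.16.0.7', 'sa') as a brute-force candidate and 1434 as a remotely exposed DAC port; the single 'reportuser' failure stays below the threshold.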

SQL Server Management Studio Tips

How do I indicate a different port number when connecting to the server using SQL Server Management Studio? Add a comma between the IP and the port, for example [IP],6283.

How do I Connect To A Database Using Windows Authentication With Different Credentials Using SQL Server Management Studio?

runas /netonly /user:domain\name "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"