Wefgod 2014/03/14 12:00

0x00 Background


From: www.netspi.com/blog/entryi…

It is recommended to understand what a linked server is before reading further. For example, refer to Microsoft's learning materials:

Technet.microsoft.com/zh-cn/libra…

There are a lot of proper nouns in the article, and the way foreigners write is still very different from Chinese… so many parts of the translation are not very good; please forgive me.

Getting plaintext passwords from important systems is always fun. MSSQL Server encrypts the passwords it stores locally, including the credentials of linked servers. However, MSSQL Server also has its own means of decrypting those credentials. You can decrypt them directly using the PowerShell script published with this article. From an attacker's point of view, decrypting the linked server credentials requires MSSQL Sysadmin permissions and local administrator permissions on the server. From a defensive perspective, the main purpose of this article is to remind administrators that unnecessary database links, high-privilege database links, and links that authenticate with SQL Server logins create more unnecessary risk than integrated authentication does. This blog post is recommended for hackers who are interested in databases and for administrators who want to learn more.

0x01 Linked Server


Microsoft SQL Server allows users to manage different types of databases from MSSQL. Generally, a linked server is used to manage different versions of the MSSQL service from the local server. When a link is established, it can be configured to use the caller's security context or static SQL Server credentials. If SQL Server credentials are used, the associated user name and password are encrypted and stored in a table, and the encryption is reversible. One-way, irreversible hashes cannot be used for linked servers because SQL Server must send the plaintext password to access the other database. Therefore, since the password is protected with symmetric encryption rather than a one-way hash, SQL Server naturally has a method to decrypt the stored credentials. This article mainly introduces the encryption and decryption process and the implementation of a tool.
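Administrators wanting to find the links the article warns about (static SQL Server logins rather than the caller's security context) can inventory them over a normal connection. The query below is an added example written for this page, not code from the article or from the NetSPI script; it reads only the catalog views sys.servers, sys.linked_logins and sys.server_principals, which expose whether a static login is stored but never the password itself.

```sql
-- Added example: list linked servers and flag those that store a static
-- SQL Server login (the reversibly encrypted case described in the article).
-- Requires only a normal connection; the encrypted pwdhash is NOT readable here.
SELECT
    s.name                          AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,           -- 1 = remote procedure calls allowed over the link
    s.is_data_access_enabled,       -- 1 = distributed queries allowed over the link
    -- local_principal_id = 0 is the default mapping that applies to every login
    ISNULL(sp.name, '<all logins>') AS local_login,
    ll.uses_self_credential,        -- 1 = impersonate the caller (integrated auth)
    ll.remote_name,                 -- non-NULL = a static remote SQL login is stored
    CASE
        WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
            THEN 'static SQL credential stored (reversibly encrypted in syslnklgns)'
        WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NULL
            THEN 'no credential (connect without a security context)'
        ELSE 'security context of the caller'
    END                             AS risk_note,
    ll.modify_date
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1               -- server_id 0 is the local server; skip it
ORDER BY
    CASE WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
         THEN 0 ELSE 1 END,         -- static credentials first
    s.name;
```

Rows whose risk_note reports a stored static credential are the ones worth reviewing: check whether the remote login needs the privileges it has, and whether the link could use integrated authentication instead.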

0x02 Password Storage mode of the Linked Server


MSSQL stores the linked server information (including the encrypted passwords) in the master.sys.syslnklgns table. The encrypted password we are focusing on is stored in the field "pwdhash" (named a hash, but it is not a real hash). Here is an example:

The master.sys.syslnklgns table is inaccessible over a normal database connection and must be accessed through a dedicated administrator connection (DAC) (see technet.microsoft.com/en-us/libra… for more information on the DAC). To open a dedicated administrator connection you must have MSSQL Sysadmin permission and local administrator permission on the server.
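Because reading syslnklgns goes through the DAC, sessions on that endpoint are a useful thing for a defender to watch. The following added example (mine, not part of the article or the NetSPI script) lists current sessions attached to the DAC endpoint and shows whether the DAC is reachable over the network; it assumes the caller has VIEW SERVER STATE, which is needed to read the DMVs.

```sql
-- Added example: who is attached through the Dedicated Admin Connection right now?
-- The DAC has its own endpoint in sys.endpoints, so join sessions on endpoint_id.
-- Needs VIEW SERVER STATE (sysadmin has it implicitly).
SELECT
    es.session_id,
    es.login_name,
    es.host_name,
    es.program_name,
    es.login_time,
    ec.client_net_address           -- '<local machine>' for shared-memory/local sessions
FROM sys.dm_exec_sessions AS es
JOIN sys.endpoints AS ep
    ON ep.endpoint_id = es.endpoint_id
LEFT JOIN sys.dm_exec_connections AS ec
    ON ec.session_id = es.session_id
WHERE ep.name = N'Dedicated Admin Connection';

-- Is the DAC listening for remote clients? Default value_in_use = 0 (local only),
-- which matches the article's note that the script must be run on the server itself.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'remote admin connections';
```

The first result set is normally empty; an unexpected DAC session, or a non-zero value for remote admin connections that nobody remembers enabling, is worth following up.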

If the local administrator does not have Sysadmin permissions, you only need to switch to the local system account to obtain MSSQL permissions. Please refer to www.netspi.com/blog/entryi… for more information.

0x03 MSSQL encryption


The following describes the basic principles of MSSQL encryption. First we can take a look at the Service Master Key (SMK) (see technet.microsoft.com/en-us/libra…). According to Microsoft, "The service master key is the root of the SQL Server encryption hierarchy."

The service master key is automatically generated the first time it is needed to encrypt other keys. The SMK is stored in the master.sys.key_encryptions table. The SMK is encrypted using DPAPI, and two versions are stored: the first encrypted in the LocalMachine context and the other in the CurrentUser context (meaning the account under which the SQL Server service runs). Here we choose the LocalMachine version, so that decryption does not depend on the SQL Server service account. Here's an example:

To increase the strength of the encryption, entropy is added to the algorithm. The entropy bytes used can be found in the registry at HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\[instancename]\Security\Entropy. Again, reading this key requires administrator privileges on the local system. Here's an example of the entropy:

With that in hand (and after removing padding bytes, etc.) we can decrypt the SMK using DPAPI.

0x04 Password for Decrypting the Linked Server


From the length of the SMK (or the version of MSSQL) we can see that two different encryption algorithms are used: MSSQL 2012 uses AES, while earlier versions use 3DES. In addition, pwdhash must be parsed a little to locate the encrypted password inside it. The way the version is determined follows a post by an advanced T-SQL programmer, see stackoverflow.com/questions/2…

Even if the format of the data is not exactly as shown in this article, it is not difficult to find the correct encrypted data. At this point, we have a way to decrypt all linked server credentials into plaintext using the SMK (when SQL Server accounts are used instead of Windows authentication).

0x05 Decrypt the password of the linked server using a Script


The following is a link to the source code of the PowerShell auto-decryption script get-mSSQLLink.psm1:

Github.com/NetSPI/Powe…

The script must be run locally on the MSSQL server (DPAPI must have access to the local machine key), and the user running the script must have sysadmin permission on every database instance (under the DAC). This account must also have local administrator permissions (for reading the entropy from the registry). Also, if UAC is enabled, the script must be run as an administrator. The following is a summary of the key steps the script performs:

1. Obtain all MSSQL instances on the server.
2. Enable DAC access for each instance.
3. Read the SMK from all rows with key_id 102 in master.sys.key_encryptions.
4. Use the thumbprint field to determine the version.
5. Read HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\[instancename]\Security\Entropy.
6. Decrypt the SMK using the above information.
7. Determine whether AES or 3DES is used according to the MSSQL version and the length of the SMK.
8. (missing in the source)
9. If the program runs successfully, the related password information is displayed; the following is an example:

0x06 Translator self test


There were a lot of problems in testing this: either the DAC could not log in, or the PowerShell script kept having problems.

Two environments are currently being tested:

1. win2003 + mssql2005
2. win2008 + mssql2008

Except for the script, everything else works. Most of the script syntax is similar to .NET, as it basically calls the .NET library. Due to time constraints, I will not keep hacking at it; maybe an expert can turn it into a "one-click" tool.

First, the test screenshots from 2003:

1. pwdhash

2. Read the encrypted SMK

3. View the registry key

However, when running the script (note: 2.0 or above), an error was reported:

I have verified that both parameters are non-null and should be correct.

It's a similar story on 2008. Due to time constraints I did not dig deeper; interested experts can take it further.

In addition, this is a way to "find database connection information". Although a little strange, it is expected to be feasible; if I can arrange time in the future, and no expert has modified the above script… I'll do it again.

This is my first time doing a translation; if the translation is not good, please forgive me.