Module 16

Question 1

What type of database management system is Microsoft SQL Server?

Answer 1

It is a proprietary relational database management system.

Question 2

What is one way to enumerate SQL server instances that use Kerberos authentication?

Answer 2

Query for the Service Principal Names (SPNs) associated with the SQL service.

Question 3

What information can be obtained by enumerating MSSQLSvc SPNs?

Answer 3

The hostname of the SQL servers and the service accounts used to run them.

Question 4

What is the ldapsearch filter used to find MS SQL Server SPNs?

Answer 4

(&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*))

Question 5

If a SQL server isn’t configured for Kerberos, what is an alternative enumeration method?

Answer 5

Scanning for open ports commonly used by MS SQL Server, such as TCP port 1433.

Question 6

What service, if running, allows for minimal information gathering about a SQL instance without any specific roles?

Answer 6

The SQLBrowser service, which typically runs on port 1434/UDP.

Question 7

What is the command in the provided material to query the SQLBrowser service?

Answer 7

beacon> sql-1434udp [ip_address]

Question 8

What is the minimum role a user needs on a SQL instance to perform further interaction beyond basic SQLBrowser enumeration?

Answer 8

The ‘public’ role.

Question 9

What is the SQL-BOF command to get detailed information about a SQL server instance, like its version, service account, and authentication mode?

Answer 9

beacon> sql-info [hostname]

Question 10

Which SQL-BOF command is used to query for the current user’s roles and permissions on a SQL instance?

Answer 10

beacon> sql-whoami [hostname]

Question 11

Name three privileged roles on a SQL instance that are of particular interest to an attacker.

Answer 11

serveradmin, securityadmin, and sysadmin.

Question 12

What permission does the ‘public’ role grant that is useful for data-hunting?

Answer 12

It grants permission to query the database instance.

Question 13

What is the SQL-BOF command to execute an arbitrary SQL query?

Answer 13

beacon> sql-query [hostname] “[SQL_QUERY]”

Question 14

What SQL query can be used to retrieve the name of the current SQL server?

Answer 14

SELECT @@SERVERNAME

Question 15

What does the sql-databases command do?

Answer 15

It lists the available databases on the SQL instance.

Question 16

Which command is used to list the tables within a specific database?

Answer 16

The sql-tables command.

Question 17

In MS SQL exploitation, what is the most common prerequisite role needed to enable code execution techniques?

Answer 17

The ‘sysadmin’ role.

Question 18

The _____ stored procedure is the most well-known method for executing shell commands via a SQL server.

Answer 18

xp_cmdshell

Question 19

What SQL query is used to check if xp_cmdshell is enabled?

Answer 19

SELECT name,value FROM sys.configurations WHERE name = ‘xp_cmdshell’

Question 20

In the configuration table, what value indicates that xp_cmdshell is disabled?

Answer 20

A value of 0.

Question 21

What SQL-BOF command enables the xp_cmdshell stored procedure?

Answer 21

beacon> sql-enablexp [hostname]

Question 22

Under what user context are commands executed via xp_cmdshell typically run?

Answer 22

The context of the principal running the sqlservr process, often SYSTEM or a service account.

Question 23

What is the SQL-BOF command for executing a system command using xp_cmdshell?

Answer 23

beacon> sql-xpcmd [hostname] “[command]”

Question 24

Which of the code execution techniques discussed (xp_cmdshell, OLE, CLR) is the only one that can return command output directly?

Answer 24

xp_cmdshell

Question 25

What is the SQL-BOF command to disable `xp_cmdshell` after use?

Answer 25

beacon> sql-disablexp [hostname]

Question 26

What does OLE stand for in the context of SQL Server?

Answer 26

Object Linking and Embedding.

Question 27

Which set of stored procedures allows a SQL server to interact with arbitrary COM objects?

Answer 27

OLE Automation stored procedures.

Question 28

Name two of the OLE Automation stored procedures.

Answer 28

sp_OACreate, sp_OADestroy, sp_OAGetProperty, sp_OAMethod, etc.

Question 29

The `sql-olecmd` BOF uses which COM object to run shell commands?

Answer 29

WScript.Shell

Question 30

What SQL query checks if OLE Automation Procedures are enabled?

Answer 30

SELECT name,value FROM sys.configurations WHERE name = 'Ole Automation Procedures'

Question 31

What is the SQL-BOF command to enable OLE Automation Procedures?

Answer 31

beacon> sql-enableole [hostname]

Question 32

What is a major limitation of using OLE Automation for code execution compared to `xp_cmdshell`?

Answer 32

It cannot return output from the executed command.

Question 33

What is the SQL-BOF command for executing a system command via OLE Automation?

Answer 33

beacon> sql-olecmd [hostname] "[command]"

Question 34

What is the SQL-BOF command to disable OLE Automation Procedures?

Answer 34

beacon> sql-disableole [hostname]

Question 35

What feature introduced in SQL Server 2005 integrated the .NET Framework, allowing stored procedures to be written in languages like C#?

Answer 35

SQL Common Language Runtime (CLR).

Question 36

For a C# method to be compatible with SQL CLR, it must be decorated with what attribute?

Answer 36

The SqlProcedureAttribute.

Question 37

What SQL query checks if SQL CLR is enabled?

Answer 37

SELECT value FROM sys.configurations WHERE name = 'clr enabled'

Question 38

What SQL-BOF command is used to enable SQL CLR?

Answer 38

beacon> sql-enableclr [hostname]

Question 39

What is the SQL-BOF command to load a custom .NET assembly and execute a procedure from it via SQL CLR?

Answer 39

beacon> sql-clr [hostname] [path_to_dll] [procedure_name]

Question 40

What should be done with SQL CLR after a successful attack?

Answer 40

It should be disabled using the `sql-disableclr` command.

Question 41

What feature in SQL Server allows an instance to connect with other data sources, including other SQL servers?

Answer 41

Linked Servers.

Question 42

What is the SQL-BOF command to enumerate the links a server has with other SQL instances?

Answer 42

beacon> sql-links [hostname]

Question 43

How can you execute a query on a linked server using the `sql-query` BOF?

Answer 43

By specifying the linked server's name in the final argument of the command.

Question 44

The security context you receive on a linked server depends on what?

Answer 44

It depends on how the link itself is configured (e.g., hardcoded credentials or inherited context).

Question 45

It is possible to have _____ privileges on a linked server even if you don't have that access on the initial server.

Answer 45

sysadmin

Question 46

What setting must be enabled on a server link to allow the calling of stored procedures (like `sp_configure`) on the linked server?

Answer 46

RPC Out.

Question 47

Which SQL-BOF command can be used to check the RPC status of a server's links?

Answer 47

beacon> sql-checkrpc [hostname]

Question 48

What is the command to enable `RPC Out` on a specific link?

Answer 48

beacon> sql-enablerpc [hostname] [linked_server_name]

Question 49

What kind of account is `NT Service\MSSQLSERVER`?

Answer 49

A local virtual account that can access network resources using the computer account's credentials.

Question 50

SQL service accounts often have interesting token privileges that can be abused for _____.

Answer 50

privilege escalation

Question 51

What specific token privilege, often held by service accounts, can be abused to impersonate a SYSTEM process and escalate privileges?

Answer 51

SeImpersonatePrivilege.

Question 52

What is the name of the tool mentioned in the source material for exploiting token privileges like SeImpersonatePrivilege?

Answer 52

SweetPotato.

Question 53

Describe the general process by which SweetPotato escalates privileges.

Answer 53

It creates a named pipe, coerces a SYSTEM process to connect, impersonates that process's token, and uses it to spawn a new process as SYSTEM.