NetSPI / PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server

Cheat Sheet - Add UNC Injection Help for WEBDAV #54

Open nullbind opened 4 years ago

nullbind commented 4 years ago

Requester: kevin @GuhnooPlusLinux

Question: @nullbind Is there anything special you have to do for webdav auth in MSSQL? Tested all formats listed in the PowerUpSQL UNC path cheatsheet but no dice.

Invoke-Mimikatz commented 4 years ago

@nullbind Bump... I'll buy you lunch or a beer if you can figure out how to reliably force webdav auth from MSSQL server.

mubix commented 4 years ago

There are a few ways to do this, but unfortunately it requires a few things to be in place. First, "Desktop Experience" must be installed, so that the WebClient service is present. Then it has to be enabled/running. You can trigger the WebClient service to start programmatically as a non-privileged user, but there isn't a way to install the "Desktop Experience" feature that way. Another option is that MSSQL is installed on a client operating system like Win7 or Win10, in which case you still have to deal with starting the WebClient service, which as far as I can tell, you can't do from functions inside of MSSQL. Maybe @nullbind can figure that piece out.

Once you are over that hurdle, you still have to deal with having an attack tool that supports WebDAV's process for authentication, which isn't straight HTTP. It does an OPTIONS request, then a PROPFIND (which expects an XML response), then it starts down the NTLM authentication route, but if Auth is required or a correctly formatted response isn't given, then the auth won't be performed. I don't believe that Inveigh (which is what PowerUpSQL uses if I remember correctly) supports WebDAV-based authentication. I could be wrong here, but if it doesn't, then that's up to @Kevin-Robertson to fix, not @nullbind.

Finally, once you have that perfect storm in place, you can get PowerUpSQL to perform an xp_dirtree on a WebDAV path, but it's a long road to get here. Just wanted to make sure you knew what you were asking for :)
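The preconditions described in this comment (WebClient service present, running or startable) are also exactly what a defender checks for on a SQL Server host. The following audit script is an added example, not PowerUpSQL code or anything from this thread; the function name `Get-WebClientExposure` and the `-Remediate` switch are my own naming. It reports whether the WebDAV client is installed, whether it is running or merely startable, and whether a SQL Server service is co-located, and can optionally disable the service so the WebDAV leg of a UNC-path coercion is closed:

```powershell
# Added audit example (hypothetical name, not part of PowerUpSQL): report the
# state of the WebDAV redirector (WebClient service) on this host.
function Get-WebClientExposure {
    [CmdletBinding()]
    param(
        # When set, stop the service and mark it Disabled (assumed name, not a PowerUpSQL switch).
        [switch]$Remediate
    )

    # Win32_Service exposes both the current State and the StartMode in one query.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue

    # Any MSSQL* service means the host also carries the xp_dirtree side of the story.
    $sqlPresent = [bool](Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue)

    if (-not $svc) {
        # No WebClient service: Desktop Experience / the WebDAV redirector is not installed.
        return [pscustomobject]@{
            ComputerName      = $env:COMPUTERNAME
            SqlServicePresent = $sqlPresent
            WebClientInstalled = $false
            State             = 'NotInstalled'
            StartMode         = 'NotInstalled'
            Exposed           = $false
        }
    }

    # A Manual start mode is enough to count as exposed: as noted above, an
    # unprivileged user can trigger the service to start on demand.
    $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -in @('Auto', 'Manual'))

    if ($Remediate -and $exposed) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        # Re-read so the report reflects the post-remediation state.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
        $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -in @('Auto', 'Manual'))
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SqlServicePresent  = $sqlPresent
        WebClientInstalled = $true
        State              = $svc.State
        StartMode          = $svc.StartMode
        Exposed            = $exposed
    }
}

# Usage: audit only (add -Remediate to disable the service where it is exposed).
Get-WebClientExposure | Format-List
```

Run it from an elevated prompt if you use `-Remediate`; the audit path works as a normal user. Rolling this over a fleet of SQL Server hosts is a quick way to find the "perfect storm" machines before anyone else does.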

Kevin-Robertson commented 4 years ago

I can confirm that I don't have the standard WebDAV auth in Inveigh. To further complicate things though, the Microsoft-WebDAV-MiniRedir does seem to trigger auth through straight HTTP :) So for example, Inveigh should capture auth for an incoming webdav connection that is redirected from a port 445 UNC on a redirect capable system.

I could add the standard webdav auth if there is a need.
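From the detection side, the behaviour described in this thread leaves a recognisable trace on whatever web server the redirector talks to: requests carrying the `Microsoft-WebDAV-MiniRedir` User-Agent, typically an OPTIONS followed by PROPFIND, and a 401 challenge before any credentials flow. The script below is an added example, not Inveigh or PowerUpSQL code; the function name `Find-WebDavRedirectorAuth` and the IIS-style log lines are constructed for illustration. It parses W3C-style log lines and reports, per client, whether the WebDAV client negotiated with this server and whether that client is one of the hosts you care about (for instance your SQL Servers, which should normally never be WebDAV clients):

```powershell
# Constructed sample log lines (not from a real server), in a trimmed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status
$SampleLog = @'
2023-01-01 10:00:01 10.0.0.5 OPTIONS / Microsoft-WebDAV-MiniRedir/10.0.19041 401
2023-01-01 10:00:01 10.0.0.5 PROPFIND /share Microsoft-WebDAV-MiniRedir/10.0.19041 401
2023-01-01 10:00:02 10.0.0.5 PROPFIND /share Microsoft-WebDAV-MiniRedir/10.0.19041 207
2023-01-01 10:00:05 10.0.0.7 GET /index.html Mozilla/5.0 200
2023-01-01 10:00:09 10.0.0.9 OPTIONS / Microsoft-WebDAV-MiniRedir/10.0.17763 401
'@

# Added detection example (hypothetical name): summarise WebDAV redirector
# activity per client IP from W3C-style log lines.
function Find-WebDavRedirectorAuth {
    param(
        [string[]]$LogLines,
        # Client IPs that should never act as WebDAV clients, e.g. SQL Server hosts.
        [string[]]$WatchedHosts = @()
    )

    $parsed = foreach ($line in $LogLines) {
        # Skip W3C directive lines (#Fields, #Date, ...) and blanks.
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 7) { continue }
        [pscustomobject]@{
            Time      = "$($f[0]) $($f[1])"
            ClientIp  = $f[2]
            Method    = $f[3]
            Uri       = $f[4]
            UserAgent = $f[5]
            Status    = [int]$f[6]
        }
    }

    $parsed |
        Where-Object { $_.UserAgent -like 'Microsoft-WebDAV-MiniRedir*' } |
        Group-Object -Property ClientIp |
        ForEach-Object {
            $methods = @($_.Group | ForEach-Object Method | Select-Object -Unique)
            [pscustomobject]@{
                ClientIp              = $_.Name
                Requests              = $_.Count
                Methods               = ($methods -join ',')
                # The OPTIONS + PROPFIND pair is the redirector's discovery sequence.
                SawOptionsAndPropfind = ('OPTIONS' -in $methods) -and ('PROPFIND' -in $methods)
                # A 401 means the server asked the client to authenticate.
                Challenged            = @($_.Group | Where-Object { $_.Status -eq 401 }).Count -gt 0
                WatchedHost           = ($_.Name -in $WatchedHosts)
            }
        }
}

# Usage with the constructed sample; 10.0.0.5 is flagged as a watched host that
# completed OPTIONS + PROPFIND and was challenged, 10.0.0.9 only sent OPTIONS.
Find-WebDavRedirectorAuth -LogLines ($SampleLog -split "`r?`n") -WatchedHosts '10.0.0.5' |
    Format-Table -AutoSize
```

Point it at real IIS or proxy logs (or at a SIEM export in the same shape) and alert on rows where `WatchedHost` is true: a SQL Server host whose WebDAV redirector is negotiating with an arbitrary web server is a strong indicator that something fed it a UNC path.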