![]() Below is a summary of the process used by the script. In addition, if UAC is enabled, the script must be ran as an administrator. ![]() The user executing the script must also have sysadmin access to all the database instances (for the DAC connection) and local admin privileges on the Windows server (to access the entropy bytes in registry). The script must be run locally on the MSSQL server (as DPAPI requires access to the local machine key). To automate the decryption of linked server credentials I wrote a PowerShell script called “Get-MSSQLLinkPasswords.psm1”. Decrypting Linked Server Passwords with PowerShell – Get-MSSQLLinkPasswords.psm1 So now, using the SMK, it is possible to extract all of the link credentials (when SQL Server account is used, not Windows authentication) in cleartext. The first answer referring Pro T-SQL Programmer’s guide at got me on the right track even though the byte format didn’t seem to match exactly like detailed on the page, it wasn’t too hard to find the right bytes to encrypt. In additional, the pwdhash value has to be parsed a bit to find the encrypted password. Decrypting Linked Server Passwordsīased on the length of the SMK (or the MSSQL version) we can determine the encryption algorithm: MSSQL 2012 uses AES, earlier versions use 3DES. The entropy is stored in the registry for each MSSQL instance as shown below:Īfter that (and removing some padding / metadata from the encrypted value) we can decrypt the SMK using DPAPI. Once again, local administrator privileges are needed to access the registry key. Below is an example of what that looks like:Īdditional entropy is added to strengthen the encryption but the entropy bytes can be found in the registry at HKLM:SOFTWAREMicrosoftMicrosoft SQL ServerSecurityEntropy. ![]() We’ll choose the former to extract the key as LocalMachine encryption uses the Machinekey for encryption and it can be decrypted without impersonating the service account. SMK is encrypted using Windows Data Protection API (DPAPI) and there are two versions of it in the database one encrypted as LocalMachine and the other in the context of CurrentUser (meaning the SQL Server service account here). It is generated automatically the first time it is needed to encrypt another key.” SMK is stored in _encryptions table and it can be identified by the key_id 102. According to “The Service Master Key is the root of the SQL Server encryption hierarchy. To move ahead, access to the Service Master Key (SMK) is required (more information about SMK at ). Time to introduce some MSSQL encryption basics. More details on this can be found on Scott’s blog at. If local administrators don’t have sysadmin privileges you’ll just have to impersonate the MSSQL server account or local SYSTEM account. Sysadmin privileges are needed to start a DAC connection, but as local administrator privileges are needed anyways, that shouldn’t be a problem. The table cannot be accessed using a normal SQL connection, but rather a Dedicated Administrative Connection (DAC) is needed (more information about DAC at ). Specifically, the encrypted password is stored in the “pwdhash” column (even though it’s not a hash). MSSQL stores link server information, including the encrypted password, in table. The remainder of this blog will focus on how that happens. So, if the credentials are encrypted and not hashed, there must be a way for the SQL server to decrypt them prior to use. A one-way hash cannot be used, because the SQL server has to be able to access the cleartext credentials to authenticate to other servers. If SQL server credentials are used, the user account and password are saved to the database encrypted and thus they are stored in a reversible format. When these links are created, they can be configured to use the current security context or static SQL server credentials. Microsoft SQL Server allows users to create links to external data sources, typically to other MSSQL servers. This blog should be interesting to database hackers and admins interested in learning more. From the defensive point of view, this is just another reminder that unnecessary database links, database links with excessive privileges, and the use of SQL server authentication rather than integrated authentication can result in unnecessary risk. From the offensive point of view, this is pretty far into post exploitation as sysadmin privileges are needed on the SQL server and local administrator privileges are needed on the Windows server. And if MSSQL can decrypt them, so can you using the PowerShell script released along with this blog. While MSSQL server hashes local SQL credentials in the database, linked server credentials are stored encrypted. Extracting cleartext credentials from critical systems is always fun.
0 Comments
Leave a Reply. |