Sidestepping Microsoft SQL Server Authentication

Sunday, October 21, 2012

Brandon Knight


While we, as penetration testers, love compromising systems during assessments we all know the most important portion of a penetration test is actually getting access to critical data and systems. So, post exploitation I generally head for the database servers. However, depending on the permissions model of the target database there may still be another hurdle to bypass.

I have come across environments where administrators, even Domain Admins, did not have authentication rights to a Microsoft SQL Server even when logged on locally. One method previously used to gain access to the database at that point would be to try to determine what groups or accounts did have access and add a new account or impersonate an authorized user. I’ve also spent time going searching across file shares and other server for the raw credentials to perform SQL Server Authentication. While these all work it eats up valuable time which is a resource already in short supply during a penetration test.

While trying to find a better way I discovered a method that cuts straight to the point and means not having to waste time with the other methods. The NT-AUTHORITY\SYSTEM account actually does have full access to the database server so we can leverage that. The following steps can be performed after getting a terminal services connection to the MS SQL Server.

1.       Download the standard psexec.exe binary on to the SQL Server

2.       Start a privileged command prompt by right-clicking the Command Prompt shortcut and selecting run as administrator

3.       Start psexec with the following option:

psexec -s -I "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

(The –s says to start as SYSTEM and the –I will start the application interactively)

(Note: For SQL Server 2005 the path may be 100 rather than 90.)


After following the steps above a window like the one above should appear in which you can select the database to connect to as SYSTEM. At this point you can begin pillaging to your heart’s content. This works for SQL Server 2008 R2 systems and before. Thank you to Argenis Fernandez for his article which provided an invaluable reference on how to perform this.

Cross posted from SecureState


Possibly Related Articles:
General Operating Systems Enterprise Security DB Vulns
Information Security
Microsoft Authentication SQL Servers
Post Rating I Like this!
Carmelo I remember the first time I learned about psexec and using a system as system. My jaw dropped and I immediately downloaded psexec for my toolkit.
Marc Quibell :|
psexec is just a remote way of starting a local command on the server, requiring those admin rights on the server. So, yes, assuming you have local admin rights to a server, you could probably get admin rights the the local server SQL instance...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked