Come join Noelle Murata and myself (Rob Beck) for a hands-on workshop at ToorCon 2014 in San Diego this October. It’s been a while in the making, but we’re looking forward to delivering 2 days of Microsoft SQL Server shenanigans, code samples, workshops, and general database nerdery in the MS-SQL environment. Registration is open and the workshop is scheduled for October 22nd and 23rd at the San Diego Westin Emerald Plaza!
The MS-SQL Post-exploitation In-depth workshop demonstrates the tactics an attacker can employ to maintain persistence in a Microsoft SQL Server database, while harnessing the available facilities to expand their influence in an environment. Plenty of resources exist today that show methods for compromising SQL and SQL-dependent applications to achieve access to the environment, very few provide methods for maintaining control of a SQL instances or performing attacks against the host and environment from within the SQL service.
This course will offer attendees an understanding of the various facilities that are available for executing system level commands, scripting, and compiling code… all from inside the SQL environment, once privileged access has been acquired. Students will walk away from this two-day course with a greater understanding of:
- MS-SQL specific functionality
- Stored procedures
- Extended stored procedures
- SQL assemblies
- SQL agent
- SQL internals
- Conducting attacks and assessments from inside the SQL environment
- Methods employed for stealth inside of SQL
Upon the completion of this workshop, attendees will:
- Be familiar with multiple facilities in the SQL Server environment for executing system commands.
- Understand ways to execute arbitrary code and scripts from within the database.
- Understand methods for operating with stealth in the SQL service.
- Know ways an attacker can rootkit or backdoor the SQL service for persistence.
- Be familiar with hooking internal SQL functions for data manipulation.
- Harvest credentials and password hashes of the SQL server.
- Have familiarity with the extended stored procedure API.
- Be able to create and deploy SQL assemblies.
- Have the ability to impersonate system and domain level users for performing escalation in the environment.
Attendee requirements for this workshop:
- Modern laptop with wired or wireless networking capabilities.
- Ability to use Microsoft remote desktop from their system.
- Basic understanding of the T-SQL language and syntax.
- Ability to follow along with coding/scripting concepts (coding experience a plus, but not required – languages include: C, C++, C#, vbscript, jscript, and powershell)
- Ability to navigate Visual Studio and OllyDBG (previous experience a plus, but not required.)
Attendees will be provided with:
- Hosted VMs for testing and workshop labs.
- Training materials – presentation materials and lab examples.
Who should attend this workshop?
- SQL administrators and security personnel.
- Professional pen-testers and corporate security team members.
- Incident response analysts for new methods of attack detection.
- Forensic team members unfamiliar with SQL related attack patterns.
- Anyone interested in furthering their understanding of SQL Server.