Going from a normal domain user to a highly privileged MSSQL Service Account can sometimes be pretty easy with the following Metasploit module:
- auxiliary/admin/mssql/mssql_ntlm_stealer
I have been using this method of escalation when various other methods fail, but also MSSQL databases can often be where the clients personally identifiable information (PII) is held and shows the most impact to higher level employees or execs. The idea of this module is to take a compromised low level user account (compromised by brute-force, netbios spoofing, weak passwords or other) and re-use that information against MSSQL’s integrated domain authentication. If the database accepts domain authentication, the native db procedure ‘xp_dirtree’ is abused by inserting a targeted UNC path that then calls back to the attacker on TCP port 445 where Responder is listening. If successful, the MSSQL service account will authenticate and provide the NetNTLM hash which can subsequently be cracked with JTR or Hashcat.
I usually then attempt to connect to the database manually with the cracked credentials and if the account has administrator level permissions on the host you can seamlessly RDP on or PSEXEC and further penetrate the network and capture in-memory credentials, hashes, and more…….
This can also be used against externally facing MSSQL services if the system allows domain users to authenticate which is usually default in a domain environment. MSSQL should never be exposed externally, however, from experience I have seen this on the Internet. Shodan is full of examples:
https://www.shodan.io/search?query=MSSQL