H3-2024-0056
Microsoft SQL Server NTLM Credential Coercion Vulnerability
| Category | SECURITY_CONTROLS |
| Base Score | 7.1 |
Description
By design, SQL Server permits authenticated users to invoke certain stored procedures (e.g. xp_dirtree, xp_fileexist) that accept UNC paths. Attackers can abuse this to leak the NTLMv2 hash of the Windows service account used to run SQL Server.
Impact
An attacker can invoke these procedures with a UNC path argument pointing back to an attacker-controlled server. The attacker can then capture and potentially crack the NTLMv2 hash of the Windows service account used to run SQL Server, or conduct an NTLM relay attack to access other hosts or services on the network.
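To check exposure on an instance, the following T-SQL (an added example, not part of the original advisory) lists which principals hold EXECUTE on the two procedures named above and which Windows account the service runs as. It assumes it is run in `master` by a login with VIEW SERVER STATE; the commented REVOKE statements are one possible hardening step and are an assumption, not a recommendation from this page.

```sql
USE master;

-- 1. Who can execute the UNC-accepting procedures named in the advisory?
--    A grant to [public] means every authenticated login can call them.
SELECT
    pr.name            AS grantee,
    pr.type_desc       AS grantee_type,
    o.name             AS procedure_name,
    pe.permission_name,
    pe.state_desc      AS grant_state
FROM sys.database_permissions AS pe
JOIN sys.all_objects          AS o
      ON o.object_id = pe.major_id
JOIN sys.database_principals  AS pr
      ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                         -- object-level permissions
  AND pe.permission_name = N'EXECUTE'
  AND o.name IN (N'xp_dirtree', N'xp_fileexist')
ORDER BY o.name, pr.name;

-- 2. Which Windows account would authenticate to a remote UNC path?
--    This is the account whose NTLMv2 hash is exposed.
SELECT servicename, service_account, status_desc
FROM sys.dm_server_services;

-- 3. Possible hardening (assumption: nothing in your environment relies on
--    non-sysadmin logins calling these procedures; test before applying).
--    Members of sysadmin bypass permission checks and are unaffected.
-- REVOKE EXECUTE ON xp_dirtree   FROM public;
-- REVOKE EXECUTE ON xp_fileexist FROM public;
```

If step 1 returns a row for `public` and step 2 shows a domain account, any authenticated login can make that account authenticate outbound.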