Nmap Development mailing list archives
Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Tue, 30 Mar 2010 20:18:22 +0200
On 30 mar 2010, at 18.59, David Fifield wrote:
On Mon, Mar 22, 2010 at 01:46:07PM +0100, Patrik Karlsson wrote:

I should have probably described the scripts in the zipfile and attached some sample output last time I posted: http://seclists.org/nmap-dev/2010/q1/1000

The zipfile contains the mssql.lua library and the following scripts:

mssql-brute - does password guessing against Microsoft SQL Server
mssql-databases - list all databases for the server/instance
mssql-empty-password - detects servers with empty passwords for the sa account
mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found accounts)
mssql-linked-servers - lists linked servers available on the server/instance
mssql-query - allows the user to run arbitrary queries against the server
mssql-sp-configure - lists a bunch of configuration options
mssql-tables - iterates over all databases and lists tables, columns and their data types
mssql-xp-cmdshell - allows privileged users to execute OS commands

I found that there's a no-cost "express" version of SQL Server at http://www.microsoft.com/express/Database/. I installed that and enabled remote access. Here's the result of running the scripts:

$ ./nmap --datadir . -p 1433 192.168.0.190 -Pn -n --script=mssql-\* -d --script-args unpwdb.userlimit=1,unpwdb.passlimit=1
NSE: Script scanning 192.168.0.190.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:47
NSE: NSE Script Threads (2) running:
NSE: Starting mssql-empty-password against 192.168.0.190:1433.
NSE: Starting mssql-brute against 192.168.0.190:1433.
NSE: Trying root/ ...
NSE: Finished mssql-empty-password against 192.168.0.190:1433.
NSE: Finished mssql-brute against 192.168.0.190:1433.
Completed NSE at 10:47, 0.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:47
NSE: NSE Script Threads (7) running:
NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Starting mssql-tables against 192.168.0.190:1433.
NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
NSE: Starting mssql-query against 192.168.0.190:1433.
NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
NSE: Starting mssql-databases against 192.168.0.190:1433.
NSE: mssql-tables against 192.168.0.190:1433 threw an error!
./scripts/mssql-tables.nse:186: attempt to concatenate local 'output' (a nil value)
stack traceback:
        ./scripts/mssql-tables.nse:186: in function <./scripts/mssql-tables.nse:88>
        (tail call): ?
NSE: Finished mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
NSE: Finished mssql-databases against 192.168.0.190:1433.
NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
NSE: Finished mssql-query against 192.168.0.190:1433.
NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
Completed NSE at 10:47, 0.04s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00080s latency).
Scanned at 2010-03-30 10:47:16 MDT for 0s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

So there's no output. mssql-tables had an error. Do I need to create some databases first?
As the default databases will not be shown, creating a few sample/test databases is required to see some relevant output for some of the scripts. I haven't tried this myself but here's some information on how to install the AdventureWorks sample database: http://msftdbprodsamples.codeplex.com/wikipage?title=Installing%20Databases
Do I need to supply authentication for all of the scripts? If so, how do I create an account?
Yes, all of the scripts require that you are authenticated to the database to retrieve the information.
I was prompted for a password when I installed the server, but I don't know what the username would be.
It's most likely the password for the 'sa' system administrator database account. Microsoft SQL Server supports two modes of authentication (mixed or integrated). Mixed allows you to authenticate using either a database account or an OS account that has been granted DB access. Integrated mode only supports the OS account authentication. The current library does NOT support authentication against OS accounts. I'm attaching a patch for the error you're seeing:
Attachment: mssql-tables.diff
Hopefully this time the attachment will get all the way to the list too. Oh, and make sure you're running the last batch of scripts I sent: http://seclists.org/nmap-dev/2010/q1/1138 Let me know if you need any more information! //Patrik
David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
-- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77
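The traceback quoted above ("attempt to concatenate local 'output' (a nil value)" at mssql-tables.nse:186) is a common class of NSE scripting bug: an output accumulator that is only assigned inside a loop over query rows, so when the server returns no rows (here, because the default databases are not listed) the variable stays nil and the final string concatenation raises. The following is an added illustration of that failure mode and of a guarded version; it is not the mssql-tables.nse code nor the attached mssql-tables.diff, and the query function and row data are constructed stand-ins so it runs in plain Lua without nmap or the mssql library.

```lua
-- Added illustration (not the mssql-tables.nse code or the attached patch):
-- how an NSE-style action function can hit "attempt to concatenate local
-- 'output' (a nil value)" when a query returns no rows, and a guarded
-- version that handles the empty case explicitly. Runs in plain Lua 5.1+
-- with no nmap dependencies; the query function is a constructed stand-in.

-- Constructed stand-in for a database query: mimics the (status, rows)
-- convention, where rows is a list of { schema, table } pairs.
local function fake_query(rows)
  return function() return true, rows end
end

-- Fragile pattern: 'output' is only assigned inside the loop, so with
-- zero rows it stays nil and the final concatenation raises an error
-- at the return line, matching the shape of the quoted traceback.
local function list_tables_fragile(query)
  local status, rows = query()
  if not status then return nil end
  local output
  for _, row in ipairs(rows) do
    output = (output or "") .. row[1] .. "." .. row[2] .. "\n"
  end
  return "Tables:\n" .. output   -- raises when output is nil
end

-- Guarded pattern: initialise the accumulator as a table, append rows,
-- and return an explicit message when nothing came back. This also keeps
-- the script from aborting the whole NSE run for that host.
local function list_tables_guarded(query)
  local status, rows = query()
  if not status then return nil, "query failed" end
  local output = {}
  for _, row in ipairs(rows) do
    output[#output + 1] = string.format("%s.%s", row[1], row[2])
  end
  if #output == 0 then
    return "No user tables found (default databases are not listed)"
  end
  return "Tables:\n" .. table.concat(output, "\n")
end

-- Constructed sample data: two rows, and an empty result set.
local two_rows = { { "dbo", "Customers" }, { "dbo", "Orders" } }
local no_rows  = {}

print(list_tables_guarded(fake_query(two_rows)))
print(list_tables_guarded(fake_query(no_rows)))

-- The fragile version works on rows but raises on the empty result;
-- pcall captures the error instead of aborting the script.
print(list_tables_fragile(fake_query(two_rows)))
local ok, err = pcall(list_tables_fragile, fake_query(no_rows))
print(ok, err)
```

Accumulating into a table and calling table.concat at the end is the idiomatic Lua fix: it never leaves the accumulator nil, avoids quadratic string building on large result sets, and makes the empty-result branch a deliberate, visible decision rather than a crash.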