Nmap Development mailing list archives

[NSE] Library: mssql.lua - Adding data types


From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 19 Aug 2012 20:13:52 -0500

While at Defcon this year I had an interesting talk with one of the speakers, Skip Duckwall. He
and a partner have done quite a bit of work with pass-the-hash attacks (http://passing-the-hash.blogspot.com/).

One of the things he brought up was that while nmap could perform MS SQL queries, its ability to
extract that data is pretty limited.  I am working on a few changes that I think should address this.
The first is discussed below.


I have made the following additions to the mssql.lua library:

        Added or enhanced support for the following data types:
                SQLTEXT       = 0x23 - text
                GUIDTYPE      = 0x24 - uniqueidentifier
                NTEXTTYPE     = 0x63 - unicode text (ntext)
                BITNTYPE      = 0x68 - boolean
                DECIMALNTYPE  = 0x6A - decimal
                NUMERICNTYPE  = 0x6C - numeric
                FLTNTYPE      = 0x6D - float/real/double
                MONEYNTYPE    = 0x6E - money / smallmoney
                BIGBINARYTYPE = 0xAD - binary
                BIGCHARTYPE   = 0xAF - char
                SQLNCHAR      = 0xEF - unicode char (nchar)

        Added detection and handling of null values when processing query responses from the server.

        Added DoneProc response token support

        Reordered ColumnData and ColumnInfo parsers by data type code to make updates easier.

I have tested the changes against a MS SQL 2008 RTM server on a Windows 2008 R2 host.

I have not committed the changes yet.  I have instead attached a diff and a full copy of the
library for anyone that is interested in testing it.  I would appreciate any testing and
feedback that anyone can provide.

The following nmap command line can be used in testing:

sudo nmap -sCSV -p1433,1434 -d2 -vv --script ms-sql-query --packet-trace --script-args 
'mssql.username=sa,mssql.password=mypassword,mssql.database=testdb,ms-sql-query.query="SELECT * FROM
testdb..TestTable"' 10.1.1.1

The following queries also work:
        @@version
        select suser_sname()
        select name, password_hash FROM master.sys.sql_logins
        exec master..sp_addlogin testuser, UserPassword        <- support for this is new


I am concerned that some of the legacy field types such as SYBINTN (0x26), SYBINT2 (0x34)
and SYBINT4 (0x38) may not be implemented correctly but I do not have any older versions of
MS SQL to test with at the moment.

Barring any major issues with the code I will be adding changes to make it easy to save the
results of the queries to a csv file.

Any feedback would be greatly appreciated.

Tom Sellers

Attachment: mssql.lua
Description:

Attachment: mssql.lua_more_types_2012.08.19.diff
Description:
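To make the null-handling and type-decoding rules behind the list above concrete, here is a stand-alone decoder for the ROW-token encodings of those TDS data types. This is an added illustration written in Python, not code from mssql.lua or the Nmap project; the byte layouts follow the TDS specification as the author of this example understands it, the column metadata (type code, scale) is passed in by hand rather than parsed from a COLMETADATA token, and the sample row is constructed, not captured from a server.

```python
"""Decode TDS ROW-token column values for the nullable types in the post.

Added example, not part of mssql.lua. Layouts per the TDS spec:
  "N" types (BITN, INTN, FLTN, MONEYN, GUID, DECIMALN, NUMERICN):
      1 length byte, 0 = NULL, then that many data bytes
  BIGCHAR / BIGBINARY / NCHAR: 2-byte length, 0xFFFF = NULL
  TEXT / NTEXT: 1-byte textptr length (0 = NULL), textptr, 8-byte
      timestamp, 4-byte data length, data
"""
import struct
import uuid
from decimal import Decimal

# TDS type codes, as listed in the post (INTN is one of the legacy types)
SQLTEXT, GUIDTYPE, NTEXTTYPE, BITNTYPE = 0x23, 0x24, 0x63, 0x68
DECIMALNTYPE, NUMERICNTYPE, FLTNTYPE, MONEYNTYPE = 0x6A, 0x6C, 0x6D, 0x6E
BIGBINARYTYPE, BIGCHARTYPE, SQLNCHAR, INTNTYPE = 0xAD, 0xAF, 0xEF, 0x26

N_TYPES = (BITNTYPE, INTNTYPE, FLTNTYPE, MONEYNTYPE, GUIDTYPE,
           DECIMALNTYPE, NUMERICNTYPE)


def decode_column(buf, pos, typ, scale=0):
    """Decode one column starting at buf[pos]; returns (value, new_pos).
    A SQL NULL is returned as None."""
    if typ in N_TYPES:
        n = buf[pos]; pos += 1
        if n == 0:                       # zero length byte = NULL
            return None, pos
        raw = buf[pos:pos + n]; pos += n
        if typ == BITNTYPE:
            return raw[0] != 0, pos
        if typ == INTNTYPE:              # 1/2/4/8-byte signed, little-endian
            return int.from_bytes(raw, "little", signed=True), pos
        if typ == FLTNTYPE:              # 4 bytes = real, 8 bytes = float
            return struct.unpack("<f" if n == 4 else "<d", raw)[0], pos
        if typ == MONEYNTYPE:            # fixed-point, 4 decimal places
            if n == 4:                   # smallmoney: one int32
                units = struct.unpack("<i", raw)[0]
            else:                        # money: high dword first, then low
                hi, lo = struct.unpack("<iI", raw)
                units = (hi << 32) | lo
            return Decimal(units).scaleb(-4), pos
        if typ == GUIDTYPE:              # first three fields little-endian
            return uuid.UUID(bytes_le=raw), pos
        # DECIMALN/NUMERICN: sign byte (1 = positive) then LE magnitude
        mag = int.from_bytes(raw[1:], "little")
        return Decimal(mag if raw[0] else -mag).scaleb(-scale), pos
    if typ in (BIGCHARTYPE, BIGBINARYTYPE, SQLNCHAR):
        (n,) = struct.unpack_from("<H", buf, pos); pos += 2
        if n == 0xFFFF:                  # CHARBIN_NULL marker
            return None, pos
        raw = buf[pos:pos + n]; pos += n
        if typ == BIGBINARYTYPE:
            return raw, pos
        return raw.decode("utf-16-le" if typ == SQLNCHAR else "latin-1"), pos
    if typ in (SQLTEXT, NTEXTTYPE):
        plen = buf[pos]; pos += 1
        if plen == 0:                    # no text pointer = NULL
            return None, pos
        pos += plen + 8                  # skip textptr and timestamp
        (n,) = struct.unpack_from("<I", buf, pos); pos += 4
        raw = buf[pos:pos + n]; pos += n
        return raw.decode("utf-16-le" if typ == NTEXTTYPE else "latin-1"), pos
    raise ValueError("unsupported TDS type 0x%02X" % typ)


def decode_row(buf, columns):
    """columns: list of (type_code, scale) as COLMETADATA would give them."""
    values, pos = [], 0
    for typ, scale in columns:
        v, pos = decode_column(buf, pos, typ, scale)
        values.append(v)
    if pos != len(buf):
        raise ValueError("trailing bytes in ROW token")
    return values


# Constructed sample row (hypothetical, not a real capture), columns:
# bit NULL, int 42, float 1.5, money 12.3400, numeric(5,2) -12.34,
# uniqueidentifier, nchar NULL, binary DE AD, text 'hi', text NULL
SAMPLE_COLUMNS = [(BITNTYPE, 0), (INTNTYPE, 0), (FLTNTYPE, 0),
                  (MONEYNTYPE, 0), (NUMERICNTYPE, 2), (GUIDTYPE, 0),
                  (SQLNCHAR, 0), (BIGBINARYTYPE, 0), (SQLTEXT, 0), (SQLTEXT, 0)]
SAMPLE_GUID = "01234567-89ab-cdef-0123-456789abcdef"
SAMPLE_ROW = (
    b"\x00"                                           # bit NULL
    + b"\x04" + struct.pack("<i", 42)                 # int 42
    + b"\x08" + struct.pack("<d", 1.5)                # float 1.5
    + b"\x08" + struct.pack("<iI", 0, 123400)         # money 12.3400
    + b"\x05\x00" + (1234).to_bytes(4, "little")      # numeric -12.34
    + b"\x10" + uuid.UUID(SAMPLE_GUID).bytes_le       # uniqueidentifier
    + b"\xff\xff"                                     # nchar NULL
    + b"\x02\x00\xde\xad"                             # binary(2)
    + b"\x10" + b"\x00" * 16 + b"\x00" * 8 + struct.pack("<I", 2) + b"hi"
    + b"\x00"                                         # text NULL
)

if __name__ == "__main__":
    for v in decode_row(SAMPLE_ROW, SAMPLE_COLUMNS):
        print("NULL" if v is None else v)
```

The key defensive detail is that each type family signals NULL differently (a zero length byte, a 0xFFFF length, or an empty text pointer), so a parser that treats all of them as "length-prefixed string" will either misalign on the following columns or silently print empty values; `decode_row` also refuses a row with trailing bytes, which is the usual symptom of such a misalignment.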

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
