Nmap Development mailing list archives
Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 22 Mar 2010 20:38:50 +0100
On 22 mar 2010, at 20.08, David Fifield wrote:
On Mon, Mar 22, 2010 at 01:46:07PM +0100, Patrik Karlsson wrote:I should have probably described the scripts in the zipfile and attached some sample output last time I posted: http://seclists.org/nmap-dev/2010/q1/1000 The zipfile contains the mssql.lua library and the following scripts: mssql-brute - does password guessing against Microsoft SQL Server mssql-databases - list all databases for the server/instance mssql-empty-password - detects servers with empty passwords for the sa account mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found accounts) mssql-linked-servers - lists linked servers available on the server/instance mssql-query - allows the user to run arbitrary queries against the server mssql-sp-configure - lists a bunch of configuration options mssql-tables - iterates over all databases and lists tables, columns and their data types mssql-xp-cmdshell - allows privileged users to execute OS commandsWow! I don't have an MS-SQL server on hand to test against. I want to invite those of you reading to assist with the code review. If you want to get involved in NSE, reading and commenting on other people's code is a great way to get familiar. If you're thinking of applying to NSE for the Summer of Code, this is a good way to show your ability. Your primary responsibility as a reviewer is to ask questions about things you don't understand. Don't be embarrassed at not understanding something. Sometimes just asking a question can suggest to the author a better implementation. Knowing Patrik, most of the complexity will be in the library mssql.lua, so that should be the focus of review.
I think your right. Most of the complexity is in mssql.lua and it makes use of Lua OO. For a good laugh have a look at the function TDS7CryptPass ...
Here is hwo to do it: Download http://seclists.org/nmap-dev/2010/q1/att-1000/mssql_zip.bin. Then, cd ~/nmap unzip mssql_zip.bin Test the scripts that interest you and write back with the output you get. ./nmap --datadir . -Pn -d -p 1433 --script mssql-databases <target> Patrik, here are some initial questions from a quick look over mssql.lua. You write in mssql.lua: -- o The library does not support SSL. The foremost reason being the akward -- choice of implementation where the SSL handshake is performed within -- the TDS data block. By default, servers support connections over non -- SSL connections though. Is this anything like the way STARTTLS works in SMTP? If so, there's an example of using that to make an SSL connection in ssl-cert.nse. The reconnect_ssl function lets you upgrade a socket with SSL.
I'm not certain, but I don't thinks so. According to the documentation that comes with the jTDS Java JDBC driver they SSL implementation seems kinda funky. http://jtds.cvs.sourceforge.net/viewvc/jtds/jtds/README.SSL?view=markup As long as the server does not enforce SSL it won't be a problem that the library is missing it. I'll probably implement it some rainy day anyway.
Does MS-SQL work over UDP? We have a commented-out payload for it on 1434/udp. All the scripts' portrules look for 1433/tcp.
The Microsoft SQL Server browser service runs on 1434/udp. It's a service that keeps track of SQL server instances. A server instance can be exposed to the network over named pipes or IP sockets. If running over IP each instance will be allocated it's own port. The first instance usually sits on 1433/tcp and other instances are either dynamically allocated or set to static ports. The browser service is queried by the script ms-sql-info written by Thomas Buchanan. So, for now, the script will only run against the instance on 1433/tcp OR any port identified as mssql. This is probably incorrect btw. as it should be ms-sql-s. The browser service responds to UDP broadcast or unicast, so this might be another script to implement as a once-per-scan.
You might handle the mssql.username and mssql.database script arguments in a centralized way in mssql.lua, instead of in every script.
Good point! Currently some of the output is prepended by column headers/names. Currently they appear as if they were part of the output, which might be confusing. In order to introduce additional confusion some scripts don't have column headers. Any thought on what to do here? Underline? "brackets []" or simply make sure all output has column headers?
David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Thanks for the feedback! //Patrik -- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Mar 21)
- <Possible follow-ups>
- [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Mar 22)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Mar 22)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Mar 22)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Fyodor (Mar 22)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Ron (Mar 22)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Mar 23)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Fyodor (Mar 28)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Ron (Mar 28)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Mar 22)
- [NSE] Feature suggestion (GSoC?) Martin Holst Swende (Mar 25)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Kris Katterjohn (Mar 28)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Fyodor (Mar 28)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Kris Katterjohn (Mar 28)