Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts

[Patrik Karlsson <patrik () cqure net>]

On 22 mar 2010, at 20.08, David Fifield wrote:

> On Mon, Mar 22, 2010 at 01:46:07PM +0100, Patrik Karlsson wrote:
> > I should have probably described the scripts in the zipfile and attached some sample output last time I posted:
> > http://seclists.org/nmap-dev/2010/q1/1000
> >
> > The zipfile contains the mssql.lua library and the following scripts:
> > mssql-brute - does password guessing against Microsoft SQL Server
> > mssql-databases - list all databases for the server/instance
> > mssql-empty-password - detects servers with empty passwords for the sa account
> > mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found 
> > accounts)
> > mssql-linked-servers - lists linked servers available on the server/instance
> > mssql-query - allows the user to run arbitrary queries against the server
> > mssql-sp-configure - lists a bunch of configuration options
> > mssql-tables - iterates over all databases and lists tables, columns and their data types
> > mssql-xp-cmdshell - allows privileged users to execute OS commands
>
> Wow! I don't have an MS-SQL server on hand to test against. I want to
> invite those of you reading to assist with the code review. If you want
> to get involved in NSE, reading and commenting on other people's code is
> a great way to get familiar. If you're thinking of applying to NSE for
> the Summer of Code, this is a good way to show your ability.
>
> Your primary responsibility as a reviewer is to ask questions about
> things you don't understand. Don't be embarrassed at not understanding
> something. Sometimes just asking a question can suggest to the author a
> better implementation. Knowing Patrik, most of the complexity will be in
> the library mssql.lua, so that should be the focus of review.

I think your right. Most of the complexity is in mssql.lua and it makes use of Lua OO.
For a good laugh have a look at the function TDS7CryptPass ...

> Here is hwo to do it: Download
> http://seclists.org/nmap-dev/2010/q1/att-1000/mssql_zip.bin. Then,
>       cd ~/nmap
>       unzip mssql_zip.bin
> Test the scripts that interest you and write back with the output you get.
>       ./nmap --datadir . -Pn -d -p 1433 --script mssql-databases <target>
>
> Patrik, here are some initial questions from a quick look over
> mssql.lua.
>
> You write in mssql.lua:
> -- o The library does not support SSL. The foremost reason being the akward
> --   choice of implementation where the SSL handshake is performed within
> --   the TDS data block. By default, servers support connections over non
> --   SSL connections though.
> Is this anything like the way STARTTLS works in SMTP? If so, there's an
> example of using that to make an SSL connection in ssl-cert.nse. The
> reconnect_ssl function lets you upgrade a socket with SSL.

I'm not certain, but I don't thinks so. According to the documentation that comes with the jTDS Java JDBC driver they 
SSL implementation seems kinda funky.
http://jtds.cvs.sourceforge.net/viewvc/jtds/jtds/README.SSL?view=markup
As long as the server does not enforce SSL it won't be a problem that the library is missing it.
I'll probably implement it some rainy day anyway.

> Does MS-SQL work over UDP? We have a commented-out payload for it on
> 1434/udp. All the scripts' portrules look for 1433/tcp.

The Microsoft SQL Server browser service runs on 1434/udp. It's a service that keeps track of SQL server instances.
A server instance can be exposed to the network over named pipes or IP sockets. If running over IP each instance will 
be allocated it's own port.
The first instance usually sits on 1433/tcp and other instances are either dynamically allocated or set to static ports.

The browser service is queried by the script ms-sql-info written by Thomas Buchanan.
So, for now, the script will only run against the instance on 1433/tcp OR any port identified as mssql. This is 
probably incorrect btw. as it should be ms-sql-s.

The browser service responds to UDP broadcast or unicast, so this might be another script to implement as a 
once-per-scan.

> You might handle the mssql.username and mssql.database script arguments
> in a centralized way in mssql.lua, instead of in every script.
Good point!

Currently some of the output is prepended by column headers/names.
Currently they appear as if they were part of the output, which might be confusing.
In order to introduce additional confusion some scripts don't have column headers.
Any thought on what to do here? Underline? "brackets []" or simply make sure all output has column headers?

> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


Thanks for the feedback!

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/