Nmap Development mailing list archives
[NSE] Library: mssql.lua - Adding data types
From: Tom Sellers <nmap () fadedcode net>
Date: Sun, 19 Aug 2012 20:13:52 -0500
While at Defcon this year I had an interesting talk with one of the speakers, Skip Duckwall. He and a partner have done quite a bit of work with pass-the-hash attacks (http://passing-the-hash.blogspot.com/). One of the things he brought up was that while nmap could perform MS SQL queries, its ability to extract that data is pretty limited. I am working on a few changes that I think should address this. The first is discussed below.

I have made the following additions to the mssql.lua library:

Added or enhanced support for the following data types:

    SQLTEXT       = 0x23 - text
    GUIDTYPE      = 0x24 - uniqueidentifier
    NTEXTTYPE     = 0x63 - unicode text (ntext)
    BITNTYPE      = 0x68 - boolean
    DECIMALNTYPE  = 0x6A - decimal
    NUMERICNTYPE  = 0x6C - numeric
    FLTNTYPE      = 0x6D - float/real/double
    MONEYNTYPE    = 0x6E - money / smallmoney
    BIGBINARYTYPE = 0xAD - binary
    BIGCHARTYPE   = 0xAF - char
    SQLNCHAR      = 0xEF - unicode char (nchar)

Added detection and handling of null values when processing query responses from the server.

Added DoneProc response token support.

Reordered ColumnData and ColumnInfo parsers by data type code to make updates easier.

I have tested the changes against a MS SQL 2008 RTM server on a Windows 2008 R2 host. I have not committed the changes yet. I have instead attached a diff and a full copy of the library for anyone that is interested in testing it. I would appreciate any testing and feedback that anyone can provide.
The following nmap command line can be used in testing:

    sudo nmap -sCSV -p1433,1434 -d2 -vv --script ms-sql-query --packet-trace --script-args 'mssql.username=sa,mssql.password=mypassword,mssql.database=testdb,ms-sql-query.query="SELECT * FROM testdb..TestTable"' 10.1.1.1

The following queries also work:

    @@version
    select suser_sname()
    select name, password_hash FROM master.sys.sql_logins
    exec master..sp_addlogin testuser, UserPassword    <- support for this is new

I am concerned that some of the legacy field types such as SYBINTN (0x26), SYBINT2 (0x34) and SYBINT4 (0x38) may not be implemented correctly but I do not have any older versions of MS SQL to test with at the moment.

Barring any major issues with the code I will be adding changes to make it easy to save the results of the queries to a csv file.

Any feedback would be greatly appreciated.

Tom Sellers
Attachment: mssql.lua
Attachment: mssql.lua_more_types_2012.08.19.diff
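A worked example added here, not code from the mssql.lua library or the attached diff: a small Python re-implementation of how the nullable column values listed in the post are laid out inside a TDS ROW token, including the null detection the post describes. It assumes the TDS encoding rules for these types (a one-byte length prefix where length 0 means NULL for INTN, BITN, FLTN and GUID; a two-byte length prefix where 0xFFFF means NULL for BIGCHAR, NCHAR and BIGBINARY), takes the per-column type codes as a plain list standing in for a parsed COLMETADATA token, and runs against a constructed sample row rather than real server output. The bounds checks show the other half of the problem: a malformed or truncated response must fail cleanly instead of reading past the buffer.

```python
import struct
import uuid

# TDS data-type codes named in the post above
GUIDTYPE      = 0x24   # uniqueidentifier
INTNTYPE      = 0x26   # nullable int (1/2/4/8 bytes)
BITNTYPE      = 0x68   # nullable bit
FLTNTYPE      = 0x6D   # nullable float (4 or 8 bytes)
BIGBINARYTYPE = 0xAD   # binary(n)
BIGCHARTYPE   = 0xAF   # char(n)
SQLNCHAR      = 0xEF   # nchar(n), UTF-16LE on the wire

# Types whose value is prefixed by a 1-byte length; length 0 means NULL
BYTELEN_TYPES = {GUIDTYPE, INTNTYPE, BITNTYPE, FLTNTYPE}
# Types whose value is prefixed by a 2-byte length; 0xFFFF means NULL
USHORTLEN_TYPES = {BIGBINARYTYPE, BIGCHARTYPE, SQLNCHAR}
CHARBIN_NULL = 0xFFFF


def decode_value(type_code, raw):
    """Convert the payload bytes of one non-NULL column value to a Python object."""
    if type_code == INTNTYPE:
        return int.from_bytes(raw, "little", signed=True)
    if type_code == BITNTYPE:
        return raw[0] != 0
    if type_code == FLTNTYPE:
        fmt = "<f" if len(raw) == 4 else "<d"
        return struct.unpack(fmt, raw)[0]
    if type_code == GUIDTYPE:
        # SQL Server stores the first three GUID fields little-endian
        return str(uuid.UUID(bytes_le=raw))
    if type_code == BIGCHARTYPE:
        return raw.decode("latin-1")
    if type_code == SQLNCHAR:
        return raw.decode("utf-16-le")
    if type_code == BIGBINARYTYPE:
        return raw
    raise ValueError("unsupported type code 0x%02x" % type_code)


def parse_row(data, column_types, pos=0):
    """Parse one ROW token body (the bytes after the 0xD1 token byte).

    column_types: TDS type codes in column order (what COLMETADATA provides).
    Returns (values, new_pos); NULL columns come back as None.
    """
    values = []
    for tc in column_types:
        if tc in BYTELEN_TYPES:
            if pos + 1 > len(data):
                raise ValueError("truncated row: missing length byte")
            length = data[pos]
            pos += 1
            if length == 0:                      # BYTELEN 0 => NULL
                values.append(None)
                continue
        elif tc in USHORTLEN_TYPES:
            if pos + 2 > len(data):
                raise ValueError("truncated row: missing length word")
            length = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if length == CHARBIN_NULL:           # 0xFFFF => NULL; 0 is an empty value
                values.append(None)
                continue
        else:
            raise ValueError("unsupported type code 0x%02x" % tc)
        if pos + length > len(data):
            raise ValueError("truncated row: value runs past end of buffer")
        values.append(decode_value(tc, data[pos:pos + length]))
        pos += length
    return values, pos


# Constructed sample: one row with columns
#   int NULL-able, char(2), uniqueidentifier, float, bit, nchar(0), char(n) NULL
SAMPLE_TYPES = [INTNTYPE, BIGCHARTYPE, GUIDTYPE, FLTNTYPE, BITNTYPE, SQLNCHAR, BIGCHARTYPE]
SAMPLE_ROW = (
    b"\x04" + (1).to_bytes(4, "little")        # INTN, 4-byte value 1
    + b"\x02\x00" + b"sa"                       # BIGCHAR "sa"
    + b"\x00"                                   # GUID NULL
    + b"\x08" + struct.pack("<d", 1.5)          # FLTN, 8-byte 1.5
    + b"\x00"                                   # BITN NULL
    + b"\x00\x00"                               # NCHAR empty string (not NULL)
    + b"\xff\xff"                               # BIGCHAR NULL
)


def parse_sample_row():
    """Parse the constructed row; returns [1, 'sa', None, 1.5, None, '', None]."""
    values, end = parse_row(SAMPLE_ROW, SAMPLE_TYPES)
    assert end == len(SAMPLE_ROW)
    return values


if __name__ == "__main__":
    print(parse_sample_row())
```

The two NULL encodings are deliberately kept separate: for the one-byte-length types a zero length is NULL, but for the char and binary types a zero length is a legitimate empty value and only 0xFFFF signals NULL, which is exactly the distinction a reader of `password_hash` or `name` columns has to get right.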