Nmap Development mailing list archives

[NSE] Microsoft SQL Server (MSSQL) library and scripts


From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 22 Mar 2010 13:46:07 +0100

Hi again,

I should have probably described the scripts in the zipfile and attached some sample output last time I posted:
http://seclists.org/nmap-dev/2010/q1/1000

The zipfile contains the mssql.lua library and the following scripts:
mssql-brute - does password guessing against Microsoft SQL Server
mssql-databases - list all databases for the server/instance
mssql-empty-password - detects servers with empty passwords for the sa account
mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found accounts)
mssql-linked-servers - lists linked servers available on the server/instance
mssql-query - allows the user to run arbitrary queries against the server
mssql-sp-configure - lists a bunch of configuration options
mssql-tables - iterates over all databases and lists tables, columns and their data types
mssql-xp-cmdshell - allows privileged users to execute OS commands

Here's some sample output:
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| mssql-empty-password:  
|_  sa:<empty> => Login Correct
| mssql-brute:  
|_  webshop_reader:secret => Login Success
| mssql-query:  
|   
|   Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86) 
|       Feb 26 2008 18:15:01 
|       Copyright (c) 1988-2005 Microsoft Corporation
|_      Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
| mssql-linked-servers:  
|   srvname     srvproduct      providername
|_  SQLDB2      SQL Server      SQLOLEDB
| mssql-sp-configure:  
|   name        minimum maximum config_value    run_value
|   Ad Hoc Distributed Queries  0       1       0       0
|   affinity I/O mask   2147483648      2147483647      0       0
|   affinity mask       2147483648      2147483647      0       0
|   Agent XPs   0       1       0       0
|   allow updates       0       1       0       0
|   awe enabled 0       1       0       0
|   blocked process threshold   0       86400   0       0
|   c2 audit mode       0       1       0       0
|   clr enabled 0       1       0       0
|   cost threshold for parallelism      0       32767   5       5
|   cross db ownership chaining 0       1       0       0
|   cursor threshold    4294967295      2147483647      4294967295      4294967295
|   Database Mail XPs   0       1       0       0
|   default full-text language  0       2147483647      1033    1033
|   default language    0       9999    0       0
|   default trace enabled       0       1       1       1
|   disallow results from triggers      0       1       0       0
|   fill factor (%)     0       100     0       0
|   ft crawl bandwidth (max)    0       32767   100     100
|   ft crawl bandwidth (min)    0       32767   0       0
|   ft notify bandwidth (max)   0       32767   100     100
|   ft notify bandwidth (min)   0       32767   0       0
|   index create memory (KB)    704     2147483647      0       0
|   in-doubt xact resolution    0       2       0       0
|   lightweight pooling 0       1       0       0
|   locks       5000    2147483647      0       0
|   max degree of parallelism   0       64      0       0
|   max full-text crawl range   0       256     4       4
|   max server memory (MB)      16      2147483647      2147483647      2147483647
|   max text repl size (B)      0       2147483647      65536   65536
|   max worker threads  128     32767   0       0
|   media retention     0       365     0       0
|   min memory per query (KB)   512     2147483647      1024    1024
|   min server memory (MB)      0       2147483647      0       8
|   nested triggers     0       1       1       1
|   network packet size (B)     512     32767   4096    4096
|   Ole Automation Procedures   0       1       0       0
|   open objects        0       2147483647      0       0
|   PH timeout (s)      1       3600    60      60
|   precompute rank     0       1       0       0
|   priority boost      0       1       0       0
|   query governor cost limit   0       2147483647      0       0
|   query wait (s)      4294967295      2147483647      4294967295      4294967295
|   recovery interval (min)     0       32767   0       0
|   remote access       0       1       1       1
|   remote admin connections    0       1       0       0
|   remote login timeout (s)    0       2147483647      20      20
|   remote proc trans   0       1       0       0
|   remote query timeout (s)    0       2147483647      600     600
|   Replication XPs     0       1       0       0
|   scan for startup procs      0       1       0       0
|   server trigger recursion    0       1       1       1
|   set working set size        0       1       0       0
|   show advanced options       0       1       1       1
|   SMO and DMO XPs     0       1       1       1
|   SQL Mail XPs        0       1       0       0
|   transform noise words       0       1       0       0
|   two digit year cutoff       1753    9999    2049    2049
|   user connections    0       32767   0       0
|   user instance timeout       5       65535   60      60
|   user instances enabled      0       1       1       1
|   user options        0       32767   0       0
|   Web Assistant Procedures    0       1       0       0
|_  xp_cmdshell 0       1       1       1
| mssql-databases:  
|   name
|   master
|   tempdb
|   model
|   msdb
|   webshop
|_  testdb
| mssql-xp-cmdshell:  
|   Command: ipconfig /all; User: sa
|   output
|   
|   Windows IP Configuration
|   
|      Host Name . . . . . . . . . . . . : SQLDB01
|      Primary Dns Suffix  . . . . . . . : cqure.net
|      Node Type . . . . . . . . . . . . : Unknown
|      IP Routing Enabled. . . . . . . . : No
|      WINS Proxy Enabled. . . . . . . . : No
|      DNS Suffix Search List. . . . . . : cqure.net
|   
|   Ethernet adapter Local Area Connection 3:
|   
|      Connection-specific DNS Suffix  . : 
|      Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2
|      Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE
|      DHCP Enabled. . . . . . . . . . . : Yes
|      Autoconfiguration Enabled . . . . : Yes
|      IP Address. . . . . . . . . . . . : 192.168.56.3
|      Subnet Mask . . . . . . . . . . . : 255.255.255.0
|      Default Gateway . . . . . . . . . : 
|      DHCP Server . . . . . . . . . . . : 192.168.56.2
|      Lease Obtained. . . . . . . . . . : den 21 mars 2010 21:15:43
|      Lease Expires . . . . . . . . . . : den 21 mars 2010 22:15:43
|_  
| mssql-tables:  
|   testdb
|   webshop (Showing 2 first tables)
|     table     column  type    length
|     products  description     text    16
|     payments  user_id int     4
|     payments  purchase_id     int     4
|     products  id      int     4
|     products  quantity        int     4
|     products  price   float   8
|     payments  cardholder      varchar 50
|     payments  cardtype        varchar 50
|     payments  cardno  varchar 50
|     payments  expiry  varchar 50
|     payments  cvv     varchar 4
|     products  manu    varchar 50
|     products  model   varchar 50
|     products  productname     varchar 100
|     products  imagefile       varchar 255
|     products  keywords        varchar 100
|   
|_INFO: Showing 5 first databases
| mssql-hasdbaccess:  
|   sa (Showing 5 first results)
|     dbname    owner
|     testdb    CQURE-NETAdministr
|     webshop   sa
|   webshop_reader (Showing 5 first results)
|     dbname    owner
|_    webshop   sa

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
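As an added example, not code from Patrik's post or from the Nmap project: a small Python triage script that parses the mssql-* NSE output above and flags what a defender would fix first, an sa account with an empty password and sp_configure options such as xp_cmdshell whose run_value is 1. The sample input is a constructed subset of the post's output, and the RISKY_OPTIONS list is my own selection of option names taken from that output.

```python
import re
# Constructed sample: a subset of the mssql-* NSE output shown in the post.
SAMPLE_OUTPUT = """\
| mssql-empty-password:
|_  sa:<empty> => Login Correct
| mssql-sp-configure:
|   name        minimum maximum config_value    run_value
|   Ad Hoc Distributed Queries  0       1       0       0
|   Ole Automation Procedures   0       1       0       0
|   remote admin connections    0       1       0       0
|   show advanced options       0       1       1       1
|_  xp_cmdshell 0       1       1       1
"""
# sp_configure options worth flagging when run_value is 1 (my own selection,
# drawn from the option names in the post's output).
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled",
                 "Ad Hoc Distributed Queries", "remote admin connections"}

def parse_sections(text):
    """Group NSE output lines by script name: {'mssql-sp-configure': [rows]}."""
    sections, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()  # drop nmap's '|' / '|_' gutter
        header = re.match(r"^(mssql-[\w-]+):\s*$", body)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and body:
            sections[current].append(body)
    return sections

def risky_options_enabled(rows):
    """Names from RISKY_OPTIONS whose run_value column (the last one) is 1."""
    enabled = []
    for row in rows:  # columns: name, minimum, maximum, config_value, run_value
        m = re.match(r"^(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", row)
        if m and m.group(1) in RISKY_OPTIONS and int(m.group(5)) == 1:
            enabled.append(m.group(1))
    return enabled

def empty_password_accounts(rows):
    """Accounts that mssql-empty-password reported as 'Login Correct'."""
    return [r.split(":", 1)[0] for r in rows if "<empty>" in r and "Login Correct" in r]

def triage(text):
    """Summarise the findings a defender should act on first."""
    s = parse_sections(text)
    return {"empty_password_accounts": empty_password_accounts(s.get("mssql-empty-password", [])),
            "risky_options_enabled": risky_options_enabled(s.get("mssql-sp-configure", []))}
```

The same parser works on the full output in the post; the header row of mssql-sp-configure is skipped because its last column is not numeric.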
