Nmap Development mailing list archives
[NSE] Microsoft SQL Server (MSSQL) library and scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 22 Mar 2010 13:46:07 +0100
Hi again,

I should have probably described the scripts in the zipfile and attached some sample output last time I posted:
http://seclists.org/nmap-dev/2010/q1/1000

The zipfile contains the mssql.lua library and the following scripts:

mssql-brute - does password guessing against Microsoft SQL Server
mssql-databases - list all databases for the server/instance
mssql-empty-password - detects servers with empty passwords for the sa account
mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found accounts)
mssql-linked-servers - lists linked servers available on the server/instance
mssql-query - allows the user to run arbitrary queries against the server
mssql-sp-configure - lists a bunch of configuration options
mssql-tables - iterates over all databases and lists tables, columns and their data types
mssql-xp-cmdshell - allows privileged users to execute OS commands

Here's some sample output:

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| mssql-empty-password:
|_  sa:<empty> => Login Correct
| mssql-brute:
|_  webshop_reader:secret => Login Success
| mssql-query:
|
| Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86)
| Feb 26 2008 18:15:01
| Copyright (c) 1988-2005 Microsoft Corporation
|_ Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
| mssql-linked-servers:
| srvname  srvproduct  providername
|_ SQLDB2  SQL Server  SQLOLEDB
| mssql-sp-configure:
| name  minimum  maximum  config_value  run_value
| Ad Hoc Distributed Queries  0  1  0  0
| affinity I/O mask  2147483648  2147483647  0  0
| affinity mask  2147483648  2147483647  0  0
| Agent XPs  0  1  0  0
| allow updates  0  1  0  0
| awe enabled  0  1  0  0
| blocked process threshold  0  86400  0  0
| c2 audit mode  0  1  0  0
| clr enabled  0  1  0  0
| cost threshold for parallelism  0  32767  5  5
| cross db ownership chaining  0  1  0  0
| cursor threshold  4294967295  2147483647  4294967295  4294967295
| Database Mail XPs  0  1  0  0
| default full-text language  0  2147483647  1033  1033
| default language  0  9999  0  0
| default trace enabled  0  1  1  1
| disallow results from triggers  0  1  0  0
| fill factor (%)  0  100  0  0
| ft crawl bandwidth (max)  0  32767  100  100
| ft crawl bandwidth (min)  0  32767  0  0
| ft notify bandwidth (max)  0  32767  100  100
| ft notify bandwidth (min)  0  32767  0  0
| index create memory (KB)  704  2147483647  0  0
| in-doubt xact resolution  0  2  0  0
| lightweight pooling  0  1  0  0
| locks  5000  2147483647  0  0
| max degree of parallelism  0  64  0  0
| max full-text crawl range  0  256  4  4
| max server memory (MB)  16  2147483647  2147483647  2147483647
| max text repl size (B)  0  2147483647  65536  65536
| max worker threads  128  32767  0  0
| media retention  0  365  0  0
| min memory per query (KB)  512  2147483647  1024  1024
| min server memory (MB)  0  2147483647  0  8
| nested triggers  0  1  1  1
| network packet size (B)  512  32767  4096  4096
| Ole Automation Procedures  0  1  0  0
| open objects  0  2147483647  0  0
| PH timeout (s)  1  3600  60  60
| precompute rank  0  1  0  0
| priority boost  0  1  0  0
| query governor cost limit  0  2147483647  0  0
| query wait (s)  4294967295  2147483647  4294967295  4294967295
| recovery interval (min)  0  32767  0  0
| remote access  0  1  1  1
| remote admin connections  0  1  0  0
| remote login timeout (s)  0  2147483647  20  20
| remote proc trans  0  1  0  0
| remote query timeout (s)  0  2147483647  600  600
| Replication XPs  0  1  0  0
| scan for startup procs  0  1  0  0
| server trigger recursion  0  1  1  1
| set working set size  0  1  0  0
| show advanced options  0  1  1  1
| SMO and DMO XPs  0  1  1  1
| SQL Mail XPs  0  1  0  0
| transform noise words  0  1  0  0
| two digit year cutoff  1753  9999  2049  2049
| user connections  0  32767  0  0
| user instance timeout  5  65535  60  60
| user instances enabled  0  1  1  1
| user options  0  32767  0  0
| Web Assistant Procedures  0  1  0  0
|_ xp_cmdshell  0  1  1  1
| mssql-databases:
| name
| master
| tempdb
| model
| msdb
| webshop
|_ testdb
| mssql-xp-cmdshell:
| Command: ipconfig /all; User: sa
| output
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : SQLDB01
| Primary Dns Suffix . . . . . . . : cqure.net
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No
| DNS Suffix Search List. . . . . . : cqure.net
|
| Ethernet adapter Local Area Connection 3:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2
| Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE
| DHCP Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.56.3
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . :
| DHCP Server . . . . . . . . . . . : 192.168.56.2
| Lease Obtained. . . . . . . . . . : den 21 mars 2010 21:15:43
| Lease Expires . . . . . . . . . . : den 21 mars 2010 22:15:43
|_
| mssql-tables:
| testdb
| webshop (Showing 2 first tables)
| table  column  type  length
| products  description  text  16
| payments  user_id  int  4
| payments  purchase_id  int  4
| products  id  int  4
| products  quantity  int  4
| products  price  float  8
| payments  cardholder  varchar  50
| payments  cardtype  varchar  50
| payments  cardno  varchar  50
| payments  expiry  varchar  50
| payments  cvv  varchar  4
| products  manu  varchar  50
| products  model  varchar  50
| products  productname  varchar  100
| products  imagefile  varchar  255
| products  keywords  varchar  100
|
|_INFO: Showing 5 first databases
| mssql-hasdbaccess:
| sa (Showing 5 first results)
| dbname  owner
| testdb  CQURE-NETAdministr
| webshop  sa
| webshop_reader (Showing 5 first results)
| dbname  owner
|_ webshop  sa

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/