Nmap Development mailing list archives

Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts


From: David Fifield <david () bamsoftware com>
Date: Mon, 22 Mar 2010 13:08:37 -0600

On Mon, Mar 22, 2010 at 01:46:07PM +0100, Patrik Karlsson wrote:
> I should have probably described the scripts in the zipfile and attached some sample output last time I posted:
> http://seclists.org/nmap-dev/2010/q1/1000
>
> The zipfile contains the mssql.lua library and the following scripts:
> mssql-brute - does password guessing against Microsoft SQL Server
> mssql-databases - list all databases for the server/instance
> mssql-empty-password - detects servers with empty passwords for the sa account
> mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found accounts)
> mssql-linked-servers - lists linked servers available on the server/instance
> mssql-query - allows the user to run arbitrary queries against the server
> mssql-sp-configure - lists a bunch of configuration options
> mssql-tables - iterates over all databases and lists tables, columns and their data types
> mssql-xp-cmdshell - allows privileged users to execute OS commands

Wow! I don't have an MS-SQL server on hand to test against. I want to
invite those of you reading to assist with the code review. If you want
to get involved in NSE, reading and commenting on other people's code is
a great way to get familiar. If you're thinking of applying to NSE for
the Summer of Code, this is a good way to show your ability.

Your primary responsibility as a reviewer is to ask questions about
things you don't understand. Don't be embarrassed at not understanding
something. Sometimes just asking a question can suggest to the author a
better implementation. Knowing Patrik, most of the complexity will be in
the library mssql.lua, so that should be the focus of review.

Here is how to do it: Download
http://seclists.org/nmap-dev/2010/q1/att-1000/mssql_zip.bin. Then,
        cd ~/nmap
        unzip mssql_zip.bin
Test the scripts that interest you and write back with the output you get.
        ./nmap --datadir . -Pn -d -p 1433 --script mssql-databases <target>

Patrik, here are some initial questions from a quick look over
mssql.lua.

You write in mssql.lua:
-- o The library does not support SSL. The foremost reason being the awkward
--   choice of implementation where the SSL handshake is performed within
--   the TDS data block. By default, servers support connections over non
--   SSL connections though.
Is this anything like the way STARTTLS works in SMTP? If so, there's an
example of using that to make an SSL connection in ssl-cert.nse. The
reconnect_ssl function lets you upgrade a socket with SSL.

Does MS-SQL work over UDP? We have a commented-out payload for it on
1434/udp. All the scripts' portrules look for 1433/tcp.

You might handle the mssql.username and mssql.database script arguments
in a centralized way in mssql.lua, instead of in every script.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
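On the STARTTLS question raised in the message above: TDS does negotiate encryption in-band, in the PRELOGIN exchange, but unlike STARTTLS the TLS handshake records that follow are themselves carried inside TDS PRELOGIN packets (type 0x12) rather than written raw to the socket, which is the "handshake within the TDS data block" the library comment refers to and why a plain socket upgrade such as reconnect_ssl does not fit directly. The example below is added here and is not part of the original message or of Nmap's mssql.lua; it builds and parses PRELOGIN packets (layout and option values per the MS-TDS specification) and decides whether a client that will not do TLS can proceed to LOGIN7. The server reply is constructed for the example, and function names, the client version and thread id are the author's own choices.

```python
import struct

# PRELOGIN constants from the MS-TDS specification (packet type, option tokens,
# ENCRYPTION option values).
TDS_PRELOGIN = 0x12
TDS_STATUS_EOM = 0x01  # status bit: end of message

OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = 0x00, 0x01, 0x02, 0x03, 0x04
OPT_TERMINATOR = 0xFF

ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
ENCRYPT_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}


def tds_packet(ptype, payload, spid=0, packet_id=1):
    """Prepend the 8-byte TDS header: type, status, big-endian length incl. header, SPID, id, window."""
    return struct.pack(">BBHHBB", ptype, TDS_STATUS_EOM, 8 + len(payload), spid, packet_id, 0) + payload


def build_prelogin(options):
    """Encode [(token, value_bytes), ...] as a PRELOGIN body: a table of 5-byte
    entries (token, big-endian offset from body start, length), 0xFF, then the data."""
    data_start = 5 * len(options) + 1
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, data_start + len(data), len(value))
        data += value
    return tds_packet(TDS_PRELOGIN, table + bytes([OPT_TERMINATOR]) + data)


def client_prelogin(encryption, instance=b"MSSQLSERVER", thread_id=0x1234):
    """Client PRELOGIN announcing the given ENCRYPTION preference (version/thread id are example values)."""
    return build_prelogin([
        (OPT_VERSION, struct.pack(">IH", 0x09000000, 0)),   # version 9.0.0, sub-build 0
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, instance + b"\x00"),                   # NUL-terminated instance name
        (OPT_THREADID, struct.pack("<I", thread_id)),
        (OPT_MARS, b"\x00"),
    ])


def parse_prelogin(packet):
    """Decode a PRELOGIN packet into {token: value_bytes}, rejecting bad lengths and offsets."""
    if len(packet) < 8:
        raise ValueError("short TDS packet")
    ptype, _status, length, _spid, _pid, _window = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_PRELOGIN:
        raise ValueError("not a PRELOGIN packet: type 0x%02x" % ptype)
    if length != len(packet):
        raise ValueError("TDS length %d != %d bytes received" % (length, len(packet)))
    body, opts, pos = packet[8:], {}, 0
    while True:
        if pos >= len(body):
            raise ValueError("option table has no terminator")
        token = body[pos]
        if token == OPT_TERMINATOR:
            return opts
        if pos + 5 > len(body):
            raise ValueError("truncated option entry")
        off, ln = struct.unpack(">HH", body[pos + 1:pos + 5])
        if off + ln > len(body):
            raise ValueError("option 0x%02x points outside the body" % token)
        opts[token] = body[off:off + ln]
        pos += 5


def server_encryption(packet):
    """ENCRYPTION value the server answered with (a single byte)."""
    enc = parse_prelogin(packet).get(OPT_ENCRYPTION)
    if enc is None or len(enc) != 1:
        raise ValueError("server PRELOGIN carries no ENCRYPTION option")
    return enc[0]


def can_continue_in_clear(client_enc, server_enc):
    """True only when both sides said ENCRYPT_NOT_SUP. With ENCRYPT_OFF or ENCRYPT_ON
    on either side TDS still runs a TLS handshake (inside PRELOGIN packets) before
    LOGIN7, and ENCRYPT_REQ means the server will drop an unencrypted login."""
    return client_enc == ENCRYPT_NOT_SUP and server_enc == ENCRYPT_NOT_SUP


def constructed_server_prelogin(encryption):
    """A server PRELOGIN reply constructed for this example (not captured traffic)."""
    return build_prelogin([
        (OPT_VERSION, struct.pack(">IH", 0x0A000640, 0)),   # 10.0.1600 as an example version
        (OPT_ENCRYPTION, bytes([encryption])),
        (OPT_INSTOPT, b"\x00"),                              # 0x00: requested instance matched
        (OPT_THREADID, b""),                                 # servers return an empty THREADID
        (OPT_MARS, b"\x00"),
    ])


if __name__ == "__main__":
    for server_enc in (ENCRYPT_NOT_SUP, ENCRYPT_OFF, ENCRYPT_REQ):
        got = server_encryption(constructed_server_prelogin(server_enc))
        print(ENCRYPT_NAMES[got], "-> clear-text LOGIN7 possible:",
              can_continue_in_clear(ENCRYPT_NOT_SUP, got))
```

A client that wants to stay in the clear has to send ENCRYPT_NOT_SUP, not ENCRYPT_OFF: with ENCRYPT_OFF the server still expects the LOGIN7 packet to go over TLS, and a server configured to force encryption answers ENCRYPT_REQ and closes the session. How the mssql.lua in the zipfile handles this is not shown on this page, so the parse result is the first thing a reviewer would want to see in the script output.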

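On the UDP question in the message above: the TDS query protocol itself runs over TCP, but 1434/udp is the SQL Server Browser service, which speaks the SQL Server Resolution Protocol (SSRP, MS-SQLR) and tells a client which TCP port each instance on the host listens on. That matters for portrules pinned to 1433/tcp, since only the default instance normally sits there and named instances take dynamic ports. The example below is added here and is not code from the original message or from Nmap; it builds the two unicast request types and parses a server reply into per-instance fields. The reply is constructed for the example (host name, instance names and ports are invented), and the little-endian size field follows what the SQL Browser sends.

```python
import struct

# Message types from the MS-SQLR specification, spoken by SQL Server Browser on 1434/udp.
CLNT_BCAST_EX = 0x02    # broadcast: enumerate every instance on the subnet
CLNT_UCAST_EX = 0x03    # unicast: enumerate every instance on one host
CLNT_UCAST_INST = 0x04  # unicast: ask about a single named instance
SVR_RESP = 0x05         # server reply


def clnt_ucast_ex():
    """One-byte request asking a host to list all of its instances."""
    return bytes([CLNT_UCAST_EX])


def clnt_ucast_inst(instance):
    """Request for one instance: type byte followed by the NUL-terminated ASCII name."""
    return bytes([CLNT_UCAST_INST]) + instance.encode("ascii") + b"\x00"


def parse_svr_resp(datagram):
    """Decode SVR_RESP (0x05, 2-byte little-endian RESP_SIZE, ASCII RESP_DATA) into a
    list of dicts, one per instance. Fields are 'key;value' pairs, instances end with ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    (size,) = struct.unpack("<H", datagram[1:3])
    body = datagram[3:]
    if size != len(body):
        raise ValueError("RESP_SIZE %d != %d bytes of RESP_DATA" % (size, len(body)))
    instances = []
    for chunk in body.decode("ascii").split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        if len(fields) % 2:
            raise ValueError("odd number of fields in %r" % chunk)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_ports(instances):
    """Map instance name -> TCP port, skipping instances without a TCP listener."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}


def constructed_svr_resp():
    """A two-instance SVR_RESP built for this example (not captured traffic)."""
    text = (
        "ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
        "Version;10.0.1600.22;tcp;1433;;"
        "ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
        "Version;10.50.1600.1;tcp;49154;"
        "np;\\\\SQLHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
    )
    body = text.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    # Over the wire this would be: send clnt_ucast_ex() to <host>:1434/udp, parse the reply.
    for name, port in tcp_ports(parse_svr_resp(constructed_svr_resp())).items():
        print("%s listens on %d/tcp" % (name, port))
```

The named instance in the constructed reply is on 49154/tcp, which a scan of 1433 alone never touches; a discovery step against 1434/udp is how a script finds the port it should then speak TDS to.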
