Nmap Development mailing list archives

Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts


From: David Fifield <david () bamsoftware com>
Date: Tue, 30 Mar 2010 10:59:08 -0600

On Mon, Mar 22, 2010 at 01:46:07PM +0100, Patrik Karlsson wrote:
I should have probably described the scripts in the zipfile and attached some sample output last time I posted:
http://seclists.org/nmap-dev/2010/q1/1000

The zipfile contains the mssql.lua library and the following scripts:
mssql-brute - does password guessing against Microsoft SQL Server
mssql-databases - list all databases for the server/instance
mssql-empty-password - detects servers with empty passwords for the sa account
mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found accounts)
mssql-linked-servers - lists linked servers available on the server/instance
mssql-query - allows the user to run arbitrary queries against the server
mssql-sp-configure - lists a bunch of configuration options
mssql-tables - iterates over all databases and lists tables, columns and their data types
mssql-xp-cmdshell - allows privileged users to execute OS commands

I found that there's a no-cost "express" version of SQL Server at
http://www.microsoft.com/express/Database/. I installed that and enabled
remote access. Here's the result of running the scripts:

$ ./nmap --datadir . -p 1433 192.168.0.190 -Pn -n --script=mssql-\* -d --script-args unpwdb.userlimit=1,unpwdb.passlimit=1
NSE: Script scanning 192.168.0.190.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:47
NSE: NSE Script Threads (2) running:
NSE: Starting mssql-empty-password against 192.168.0.190:1433.
NSE: Starting mssql-brute against 192.168.0.190:1433.
NSE: Trying root/ ...
NSE: Finished mssql-empty-password against 192.168.0.190:1433.
NSE: Finished mssql-brute against 192.168.0.190:1433.
Completed NSE at 10:47, 0.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:47
NSE: NSE Script Threads (7) running:
NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Starting mssql-tables against 192.168.0.190:1433.
NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
NSE: Starting mssql-query against 192.168.0.190:1433.
NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
NSE: Starting mssql-databases against 192.168.0.190:1433.
NSE: mssql-tables against 192.168.0.190:1433 threw an error!
./scripts/mssql-tables.nse:186: attempt to concatenate local 'output' (a nil value)
stack traceback:
        ./scripts/mssql-tables.nse:186: in function <./scripts/mssql-tables.nse:88>
        (tail call): ?

NSE: Finished mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
NSE: Finished mssql-databases against 192.168.0.190:1433.
NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
NSE: Finished mssql-query against 192.168.0.190:1433.
NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
Completed NSE at 10:47, 0.04s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00080s latency).
Scanned at 2010-03-30 10:47:16 MDT for 0s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

So there's no output. mssql-tables had an error. Do I need to create
some databases first? Do I need to supply authentication for all of the
scripts? If so, how do I create an account? I was prompted for a
password when I installed the server, but I don't know what the username
would be.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
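An added example, constructed here and not taken from the mssql scripts or the mssql.lua library, showing how the "attempt to concatenate local 'output' (a nil value)" error in the log arises when script output is accumulated in a variable that is never assigned because the query returned no rows (no databases, or no credentials so the query never ran), beside a formatter that handles the empty and failed-query cases; the row fields and the `err` parameter are assumptions.

```lua
-- Constructed illustration; the row shape {db, table, column, type} and the
-- err argument are assumed, not the real mssql.lua API.

-- Pattern that reproduces the failure in the scan log: 'output' is only assigned
-- inside the loop, so with zero rows it is still nil when concatenated.
local function format_tables_buggy(rows)
  local output
  for _, r in ipairs(rows) do
    output = (output or "") .. string.format("%s.%s (%s %s)\n", r.db, r.table, r.column, r.type)
  end
  -- raises "attempt to concatenate local 'output' (a nil value)" when rows is empty
  return "Tables:\n" .. output
end

-- Hardened version: report a failed query explicitly, return nil (no script
-- output, per NSE convention) when there is nothing to list, and never
-- concatenate a value that may be nil.
local function format_tables(rows, err)
  if err then
    return "Query failed: " .. tostring(err)
  end
  if not rows or #rows == 0 then
    return nil
  end
  local lines = { "Tables:" }
  for _, r in ipairs(rows) do
    lines[#lines + 1] = string.format("  %s.%s (%s %s)", r.db, r.table, r.column, r.type)
  end
  return table.concat(lines, "\n")
end

-- Constructed inputs covering the three cases.
assert(format_tables({}) == nil)
assert(format_tables(nil, "login failed") == "Query failed: login failed")
local sample = { { db = "master", table = "spt_values", column = "name", type = "nvarchar" } }
assert(format_tables(sample) == "Tables:\n  master.spt_values (name nvarchar)")
assert(not pcall(format_tables_buggy, {}))
```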
