Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts

[Patrik Karlsson <patrik () cqure net>]

On 30 mar 2010, at 18.59, David Fifield wrote:

> On Mon, Mar 22, 2010 at 01:46:07PM +0100, Patrik Karlsson wrote:
> > I should have probably described the scripts in the zipfile and attached some sample output last time I posted:
> > http://seclists.org/nmap-dev/2010/q1/1000
> >
> > The zipfile contains the mssql.lua library and the following scripts:
> > mssql-brute - does password guessing against Microsoft SQL Server
> > mssql-databases - list all databases for the server/instance
> > mssql-empty-password - detects servers with empty passwords for the sa account
> > mssql-hasdbaccess - list what databases a user has access to (depends on mssql-brute and iterates over all found 
> > accounts)
> > mssql-linked-servers - lists linked servers available on the server/instance
> > mssql-query - allows the user to run arbitrary queries against the server
> > mssql-sp-configure - lists a bunch of configuration options
> > mssql-tables - iterates over all databases and lists tables, columns and their data types
> > mssql-xp-cmdshell - allows privileged users to execute OS commands
>
> I found that there's a no-cost "express" version of SQL Server at
> http://www.microsoft.com/express/Database/. I installed that and enabled
> remote access. Here's the result of running the scripts:
>
> $ ./nmap --datadir . -p 1433 192.168.0.190 -Pn -n --script=mssql-\* -d --script-args 
> unpwdb.userlimit=1,unpwdb.passlimit=1
> NSE: Script scanning 192.168.0.190.
> NSE: Starting runlevel 1 (of 2) scan.
> Initiating NSE at 10:47
> NSE: NSE Script Threads (2) running:
> NSE: Starting mssql-empty-password against 192.168.0.190:1433.
> NSE: Starting mssql-brute against 192.168.0.190:1433.
> NSE: Trying root/ ...
> NSE: Finished mssql-empty-password against 192.168.0.190:1433.
> NSE: Finished mssql-brute against 192.168.0.190:1433.
> Completed NSE at 10:47, 0.05s elapsed
> NSE: Starting runlevel 2 (of 2) scan.
> Initiating NSE at 10:47
> NSE: NSE Script Threads (7) running:
> NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
> NSE: Starting mssql-tables against 192.168.0.190:1433.
> NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
> NSE: Starting mssql-query against 192.168.0.190:1433.
> NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
> NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
> NSE: Starting mssql-databases against 192.168.0.190:1433.
> NSE: mssql-tables against 192.168.0.190:1433 threw an error!
> ./scripts/mssql-tables.nse:186: attempt to concatenate local 'output' (a nil value)
> stack traceback:
>        ./scripts/mssql-tables.nse:186: in function <./scripts/mssql-tables.nse:88>
>        (tail call): ?
>
> NSE: Finished mssql-xp-cmdshell against 192.168.0.190:1433.
> NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
> NSE: Finished mssql-databases against 192.168.0.190:1433.
> NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
> NSE: Finished mssql-query against 192.168.0.190:1433.
> NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
> Completed NSE at 10:47, 0.04s elapsed
> NSE: Script Scanning completed.
> Nmap scan report for 192.168.0.190
> Host is up, received user-set (0.00080s latency).
> Scanned at 2010-03-30 10:47:16 MDT for 0s
> PORT     STATE SERVICE  REASON
> 1433/tcp open  ms-sql-s syn-ack
> Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
>
> So there's no output. mssql-tables had an error. Do I need to create
> some databases first?
As the default databases will not be shown, creating a few sample/test databases is required to see some relevant 
output for some of the scripts.
I haven't tried this myself but here's some information on how to install the AdventureWorks sample database:
http://msftdbprodsamples.codeplex.com/wikipage?title=Installing%20Databases

> Do I need to supply authentication for all of the
> scripts? If so, how do I create an account?
Yes, all of the scripts require that you are authenticated to the database to retrieve the information.

> I was prompted for a
> password when I installed the server, but I don't know what the username
> would be.
It's most likely the password for the 'sa' system administrator database account.
Microsoft SQL Server supports two modes of authentication (mixed or integrated).
Mixed allows you to authenticate using either a database account or an OS account that has been granted DB access.
Integrated mode only supports the OS account authentication. The current library does NOT support authentication 
against OS accounts.

I'm attaching a patch for the error your seeing:

Attachment: mssql-tables.diff
Description:

Hopefully this time the attachment will get all the way to the list too.
Oh, and make sure your running the last batch of scripts I sent:
http://seclists.org/nmap-dev/2010/q1/1138

Let me know if you need any more information!
//Patrik

> David Fifield
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/