Nmap Development mailing list archives

Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts


From: David Fifield <david () bamsoftware com>
Date: Thu, 1 Apr 2010 12:20:05 -0600

On Sun, Mar 28, 2010 at 11:18:17AM +0200, Patrik Karlsson wrote:
> I've corrected a few mistakes in the MSSql scripts, such as the name
> of the service and some inconsistencies in output.
> The column names are now underlined with '=' for clarity. Don't know
> if that was the "best" character to use, but it's easy to change.
> 
> As some queries may take some time to process I've increased the
> socket timeout in the library to 30 seconds.
> There's a comment on this in the script which explains that this long
> timeout will only be made use of when the scripts are waiting for the
> MsSQL db to process their queries.
> The library parses the protocol and only attempts to read from the
> socket when more bytes *should* be there for it to read, which means
> that it's unlikely to trigger the timeout as a result of reading past
> the end of the buffer. I've added the argument mssql.timeout to the
> library so that you can specify your own timeout if necessary.
> So far running all scripts (excluding mssql-brute) against my test
> environment takes less than a second (on average 0.20).
> 
> I removed the possibility to supply a database as parameter to most
> scripts, because it was kind of pointless as it was only used as
> default database during authentication.
> As the credentials are handled somewhat differently between scripts
> I've made no attempt to centralize this code yet.
> 
> I'm thinking of adding some code in the future to the brute script
> that attempts to determine the privileges/roles of a guessed account.
> This information would be stored together with the password in the
> nmap registry so that other scripts could make use of it.
> A script could then call e.g. getAccountWithServerRole('sysdba') to
> get an account with DBA privileges.
> Once this is in place it will be easier to centralize the code for
> handling credentials for the scripts.

I set the password of sa to empty and created an nmap database to test
with. This is what I'm seeing now. All scripts produce output except for
mssql-xp-cmdshell (which hits an error) and mssql-linked-servers,
probably because I would have to do something to set up linked servers.

$ ./nmap -Pn -n --datadir . -p 1433 --script=mssql-\* 192.168.0.190 --script-args unpwdb.passlimit=1 -d

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-01 10:42 MDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 9 scripts for scanning.
Initiating Connect Scan at 10:42
Scanning 192.168.0.190 [1 port]
Discovered open port 1433/tcp on 192.168.0.190
Completed Connect Scan at 10:42, 0.01s elapsed (1 total ports)
Overall sending rates: 159.41 packets / s.
NSE: Script scanning 192.168.0.190.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (2) running:
NSE: Starting mssql-empty-password against 192.168.0.190:1433.
NSE: Starting mssql-brute against 192.168.0.190:1433.
NSE: Trying root/ ...
NSE: Finished mssql-empty-password against 192.168.0.190:1433.
NSE: Trying admin/ ...
NSE: Trying administrator/ ...
NSE: Trying webadmin/ ...
NSE: Trying sysadmin/ ...
NSE: Trying netadmin/ ...
NSE: Trying guest/ ...
NSE: Trying user/ ...
NSE: Trying web/ ...
NSE: Trying test/ ...
NSE: Finished mssql-brute against 192.168.0.190:1433.
Completed NSE at 10:42, 0.10s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (7) running:
NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Starting mssql-tables against 192.168.0.190:1433.
NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
NSE: Starting mssql-query against 192.168.0.190:1433.
NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
NSE: Starting mssql-databases against 192.168.0.190:1433.
NSE: mssql-xp-cmdshell against 192.168.0.190:1433 threw an error!
./scripts/mssql-xp-cmdshell.nse:117: variable 'database' is not declared
stack traceback:
        [C]: in function 'error'
        ./nselib/strict.lua:68: in function <./nselib/strict.lua:59>
        ./scripts/mssql-xp-cmdshell.nse:117: in function <./scripts/mssql-xp-cmdshell.nse:80>
        (tail call): ?

NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
NSE: Finished mssql-query against 192.168.0.190:1433.
NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
NSE: Finished mssql-databases against 192.168.0.190:1433.
NSE: Finished mssql-tables against 192.168.0.190:1433.
NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
Completed NSE at 10:42, 0.31s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00079s latency).
Scanned at 2010-04-01 10:42:01 MDT for 0s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
| mssql-empty-password:
|_  sa:<empty> => Login Success
| mssql-query:
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|       Mar 29 2009 10:27:29
|       Copyright (c) 1988-2008 Microsoft Corporation
|_      Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)
| mssql-sp-configure:
|   name        minimum maximum config_value    run_value
|   ====        ======= ======= ============    =========
|   allow updates       0       1       0       0
|   clr enabled 0       1       0       0
|   cross db ownership chaining 0       1       0       0
|   default language    0       9999    0       0
|   filestream access level     0       2       0       0
|   max text repl size (B)      4294967295      2147483647      65536   65536
|   nested triggers     0       1       1       1
|   remote access       0       1       1       1
|   remote admin connections    0       1       0       0
|   remote login timeout (s)    0       2147483647      20      20
|   remote proc trans   0       1       0       0
|   remote query timeout (s)    0       2147483647      600     600
|   server trigger recursion    0       1       1       1
|   show advanced options       0       1       0       0
|   user instances enabled      0       1       1       1
|_  user options        0       32767   0       0
| mssql-databases:
|   name
|   ====
|   master
|   tempdb
|   model
|   msdb
|_  nmap
| mssql-tables:
|   nmap (Showing 2 first tables)
|     table     column  type    length
|     =====     ======  ====    ======
|     test      fee     int     4
|     test      fie     int     4
|     test      foe     int     4
|     test      foo     int     4
|
|_INFO: Showing 5 first databases
| mssql-hasdbaccess:
|   sa (Showing 5 first results)
|     dbname    owner
|     ======    =====
|_    nmap      MAC-MINI\david
Final times for host: srtt: 786 rttvar: 5000  to: 100000

Read from .: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds

I think it would be good if mssql-query printed out the query string.
When the default is used, it should also print a message showing how to
use a different query.

| mssql-query: (Use --script-args=mssql-query.query='<QUERY>' to change query.)
| SELECT @@version version
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|       Mar 29 2009 10:27:29
|       Copyright (c) 1988-2008 Microsoft Corporation
|_      Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)

I'm going to follow up with thoughts on combining some of the scripts.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
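The framing behaviour Patrik describes in the quoted message (read from the socket only when the packet header says more bytes are owed, and stop at the end-of-message packet rather than waiting for the timeout), as an added Python example that is not the NSE mssql library's own code. The TDS header layout is taken from the MS-TDS specification; the two-packet response it parses is constructed inline.

```python
import struct

# TDS packet header (MS-TDS 2.2.3.1): Type, Status, Length (big-endian, includes the 8-byte header),
# SPID, PacketID, Window.  Length says how many bytes are still owed, so the reader only asks for those.
TDS_HEADER_LEN = 8
TDS_STATUS_EOM = 0x01  # End Of Message: last packet of a response
class NeedMoreData(Exception): pass  # args[0] = number of bytes still missing before parsing can go on

def parse_packet(buf):
    """Return (type, status, payload, bytes_consumed) for the first full packet in buf."""
    if len(buf) < TDS_HEADER_LEN:
        raise NeedMoreData(TDS_HEADER_LEN - len(buf))
    ptype, status, length = struct.unpack(">BBH", buf[:4])  # SPID/PacketID/Window not needed here
    if length < TDS_HEADER_LEN:
        raise ValueError("TDS Length field %d is smaller than the header" % length)
    if len(buf) < length:
        raise NeedMoreData(length - len(buf))
    return ptype, status, buf[TDS_HEADER_LEN:length], length

def read_message(recv):
    """Assemble one TDS message via recv(n), requesting only the bytes the header says are owed."""
    buf, payload = b"", b""
    while True:
        try:
            ptype, status, data, consumed = parse_packet(buf)
        except NeedMoreData as need:
            chunk = recv(need.args[0])
            if not chunk:
                raise EOFError("peer closed the connection mid-message")
            buf += chunk
            continue
        payload += data
        buf = buf[consumed:]
        if status & TDS_STATUS_EOM:  # stop at the last packet instead of reading until the timeout fires
            return ptype, payload

def make_packet(ptype, status, payload, pkt_id=1):  # builds a packet with a correct Length field
    return struct.pack(">BBHHBB", ptype, status, TDS_HEADER_LEN + len(payload), 0, pkt_id, 0) + payload
# Constructed sample: a tabular-result response (type 0x04) spread over two packets.
SAMPLE = make_packet(0x04, 0x00, b"first half, ") + make_packet(0x04, 0x01, b"second half", pkt_id=2)

def demo(wire=SAMPLE):  # returns (type, payload, list of sizes recv was asked for)
    pos, sizes = 0, []
    def recv(n):
        nonlocal pos
        sizes.append(n)
        chunk, pos = wire[pos:pos + n], pos + n
        return chunk
    ptype, payload = read_message(recv)
    return ptype, payload, sizes
```

The recorded sizes show the reader asking for exactly one header and then exactly the remainder of each packet, which is why a long socket timeout is only ever reached while the server is genuinely still working on the query.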

