Nmap Development mailing list archives
Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts
From: David Fifield <david () bamsoftware com>
Date: Thu, 1 Apr 2010 12:20:05 -0600
On Sun, Mar 28, 2010 at 11:18:17AM +0200, Patrik Karlsson wrote:
I've corrected a few mistakes in the MSSql scripts, such as the name of the service and some inconsistencies in output. The column names are now underlined with '=' for clarity. Don't know if that was the "best" character to use, but it's easy to change.

As some queries may take some time to process, I've increased the socket timeout in the library to 30 seconds. There's a comment on this in the script which explains that this long timeout will only be made use of when the scripts are waiting for the MsSQL db to process their queries. The library parses the protocol and only attempts to read from the socket when more bytes *should* be there for it to read, which means that it's unlikely to trigger the timeout as a result of reading past the end of the buffer. I've added the argument mssql.timeout to the library so that you can specify your own timeout if necessary. So far running all scripts (excluding mssql-brute) against my test environment takes less than a second (on average 0.20).

I removed the possibility to supply a database as a parameter to most scripts, because it was kind of pointless as it was only used as the default database during authentication.

As the credentials are handled somewhat differently between scripts, I've made no attempt to centralize this code yet. I'm thinking of adding some code in the future to the brute script that attempts to determine the privileges/roles of a guessed account. This information would be stored together with the password in the nmap registry so that other scripts could make use of it. A script could then call e.g. getAccountWithServerRole('sysdba') to get an account with DBA privileges. Once this is in place it will be easier to centralize the code for handling credentials for the scripts.
I set the password of sa to empty and created an nmap database to test with. This is what I'm seeing now. All scripts produce output except for mssql-xp-cmdshell (which hits an error) and mssql-linked-servers, probably because I would have to do something to set up linked servers.

$ ./nmap -Pn -n --datadir . -p 1433 --script=mssql-\* 192.168.0.190 --script-args unpwdb.passlimit=1 -d

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-01 10:42 MDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 9 scripts for scanning.
Initiating Connect Scan at 10:42
Scanning 192.168.0.190 [1 port]
Discovered open port 1433/tcp on 192.168.0.190
Completed Connect Scan at 10:42, 0.01s elapsed (1 total ports)
Overall sending rates: 159.41 packets / s.
NSE: Script scanning 192.168.0.190.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (2) running:
NSE: Starting mssql-empty-password against 192.168.0.190:1433.
NSE: Starting mssql-brute against 192.168.0.190:1433.
NSE: Trying root/ ...
NSE: Finished mssql-empty-password against 192.168.0.190:1433.
NSE: Trying admin/ ...
NSE: Trying administrator/ ...
NSE: Trying webadmin/ ...
NSE: Trying sysadmin/ ...
NSE: Trying netadmin/ ...
NSE: Trying guest/ ...
NSE: Trying user/ ...
NSE: Trying web/ ...
NSE: Trying test/ ...
NSE: Finished mssql-brute against 192.168.0.190:1433.
Completed NSE at 10:42, 0.10s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (7) running:
NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Starting mssql-tables against 192.168.0.190:1433.
NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
NSE: Starting mssql-query against 192.168.0.190:1433.
NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
NSE: Starting mssql-databases against 192.168.0.190:1433.
NSE: mssql-xp-cmdshell against 192.168.0.190:1433 threw an error!
./scripts/mssql-xp-cmdshell.nse:117: variable 'database' is not declared
stack traceback:
        [C]: in function 'error'
        ./nselib/strict.lua:68: in function <./nselib/strict.lua:59>
        ./scripts/mssql-xp-cmdshell.nse:117: in function <./scripts/mssql-xp-cmdshell.nse:80>
        (tail call): ?
NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
NSE: Finished mssql-query against 192.168.0.190:1433.
NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
NSE: Finished mssql-databases against 192.168.0.190:1433.
NSE: Finished mssql-tables against 192.168.0.190:1433.
NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
Completed NSE at 10:42, 0.31s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00079s latency).
Scanned at 2010-04-01 10:42:01 MDT for 0s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
| mssql-empty-password:
|_  sa:<empty> => Login Success
| mssql-query:
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|   Mar 29 2009 10:27:29
|   Copyright (c) 1988-2008 Microsoft Corporation
|_  Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)
| mssql-sp-configure:
|   name                         minimum     maximum     config_value  run_value
|   ====                         =======     =======     ============  =========
|   allow updates                0           1           0             0
|   clr enabled                  0           1           0             0
|   cross db ownership chaining  0           1           0             0
|   default language             0           9999        0             0
|   filestream access level      0           2           0             0
|   max text repl size (B)       4294967295  2147483647  65536         65536
|   nested triggers              0           1           1             1
|   remote access                0           1           1             1
|   remote admin connections     0           1           0             0
|   remote login timeout (s)     0           2147483647  20            20
|   remote proc trans            0           1           0             0
|   remote query timeout (s)     0           2147483647  600           600
|   server trigger recursion     0           1           1             1
|   show advanced options        0           1           0             0
|   user instances enabled       0           1           1             1
|_  user options                 0           32767       0             0
| mssql-databases:
|   name
|   ====
|   master
|   tempdb
|   model
|   msdb
|_  nmap
| mssql-tables:
|   nmap (Showing 2 first tables)
|   table  column  type  length
|   =====  ======  ====  ======
|   test   fee     int   4
|   test   fie     int   4
|   test   foe     int   4
|   test   foo     int   4
|
|_INFO: Showing 5 first databases
| mssql-hasdbaccess:
|   sa (Showing 5 first results)
|   dbname  owner
|   ======  =====
|_  nmap    MAC-MINI\david

Final times for host: srtt: 786 rttvar: 5000 to: 100000
Read from .: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds

I think it would be good if mssql-query printed out the query string. When the default is used, it should also print a message showing how to use a different query.

| mssql-query: (Use --script-args=mssql-query.query='<QUERY>' to change query.)
|   SELECT @@version version
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|   Mar 29 2009 10:27:29
|   Copyright (c) 1988-2008 Microsoft Corporation
|_  Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)

I'm going to follow up with thoughts on combining some of the scripts.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
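Patrik's point above, that the library parses the protocol and reads from the socket only when the header says more bytes should be there, as an added Python example that is not the NSE mssql library's Lua code: it frames TDS packets by their 8-byte header (type, status, big-endian length that includes the header, spid, packet id, window) and fails fast on a truncated stream instead of sitting in a read until the timeout fires. The wire bytes are constructed inline.

```python
import io
import struct
TDS_HEADER_LEN = 8  # MS-TDS packet header: type, status, length, spid, packet id, window

class TruncatedPacket(Exception):
    """The stream ended before delivering the bytes the header promised."""

def parse_tds_header(header: bytes) -> dict:
    """Decode the 8-byte TDS header; length is big-endian and counts the header too."""
    ptype, status, length, spid, packet_id, window = struct.unpack(">BBHHBB", header)
    if length < TDS_HEADER_LEN:
        raise ValueError("TDS length field is smaller than the header itself")
    return dict(type=ptype, status=status, length=length, spid=spid, packet_id=packet_id, window=window)

def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes or fail; never ask the transport for bytes it never announced."""
    data = stream.read(n)
    if len(data) != n:
        raise TruncatedPacket(f"wanted {n} bytes, got {len(data)}")
    return data

def read_tds_message(stream) -> tuple:
    """Read one TDS message packet by packet, each sized by its header, until the EOM bit (0x01)."""
    ptype, payload = None, bytearray()
    while True:
        hdr = parse_tds_header(read_exact(stream, TDS_HEADER_LEN))
        ptype = hdr["type"] if ptype is None else ptype
        payload += read_exact(stream, hdr["length"] - TDS_HEADER_LEN)
        if hdr["status"] & 0x01:
            return ptype, bytes(payload)

def build_tds_packet(ptype: int, payload: bytes, eom: bool = True, packet_id: int = 1) -> bytes:
    """Constructed helper that frames a payload the way a server would (spid and window 0)."""
    status = 0x01 if eom else 0x00
    return struct.pack(">BBHHBB", ptype, status, TDS_HEADER_LEN + len(payload), 0, packet_id, 0) + payload

def demo() -> tuple:
    """Constructed sample: a tabular-result (type 0x04) message split over two packets."""
    wire = (build_tds_packet(0x04, b"part-one|", eom=False)
            + build_tds_packet(0x04, b"part-two", eom=True, packet_id=2))
    return read_tds_message(io.BytesIO(wire))

def truncated_stream_is_detected() -> bool:
    """Drop the final payload byte: the reader raises instead of waiting on a timeout."""
    try:
        read_tds_message(io.BytesIO(build_tds_packet(0x04, b"abc")[:-1]))
    except TruncatedPacket:
        return True
    return False
```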