Nmap Development mailing list archives
Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 1 Apr 2010 20:49:57 +0200
On 1 apr 2010, at 20.20, David Fifield wrote:
I set the password of sa to empty and created an nmap database to test with. This is what I'm seeing now. All scripts produce output except for mssql-xp-cmdshell (which hits an error) and mssql-linked-servers, probably because I would have to do something to set up linked servers.
I've fixed the error for mssql-xp-cmdshell; it should work now. If you want to test the linked servers script, there's more info on how to create a db link over here: http://msdn.microsoft.com/en-us/library/aa259589%28v=SQL.80%29.aspx
$ ./nmap -Pn -n --datadir . -p 1433 --script=mssql-\* 192.168.0.190 --script-args unpwdb.passlimit=1 -d

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-01 10:42 MDT
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 9 scripts for scanning.
Initiating Connect Scan at 10:42
Scanning 192.168.0.190 [1 port]
Discovered open port 1433/tcp on 192.168.0.190
Completed Connect Scan at 10:42, 0.01s elapsed (1 total ports)
Overall sending rates: 159.41 packets / s.
NSE: Script scanning 192.168.0.190.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (2) running:
NSE: Starting mssql-empty-password against 192.168.0.190:1433.
NSE: Starting mssql-brute against 192.168.0.190:1433.
NSE: Trying root/ ...
NSE: Finished mssql-empty-password against 192.168.0.190:1433.
NSE: Trying admin/ ...
NSE: Trying administrator/ ...
NSE: Trying webadmin/ ...
NSE: Trying sysadmin/ ...
NSE: Trying netadmin/ ...
NSE: Trying guest/ ...
NSE: Trying user/ ...
NSE: Trying web/ ...
NSE: Trying test/ ...
NSE: Finished mssql-brute against 192.168.0.190:1433.
Completed NSE at 10:42, 0.10s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (7) running:
NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Starting mssql-tables against 192.168.0.190:1433.
NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
NSE: Starting mssql-query against 192.168.0.190:1433.
NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
NSE: Starting mssql-databases against 192.168.0.190:1433.
NSE: mssql-xp-cmdshell against 192.168.0.190:1433 threw an error!
./scripts/mssql-xp-cmdshell.nse:117: variable 'database' is not declared
stack traceback:
	[C]: in function 'error'
	./nselib/strict.lua:68: in function <./nselib/strict.lua:59>
	./scripts/mssql-xp-cmdshell.nse:117: in function <./scripts/mssql-xp-cmdshell.nse:80>
	(tail call): ?
NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
NSE: Finished mssql-query against 192.168.0.190:1433.
NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
NSE: Finished mssql-databases against 192.168.0.190:1433.
NSE: Finished mssql-tables against 192.168.0.190:1433.
NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
Completed NSE at 10:42, 0.31s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00079s latency).
Scanned at 2010-04-01 10:42:01 MDT for 0s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
| mssql-empty-password:
|_  sa:<empty> => Login Success
| mssql-query:
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|   Mar 29 2009 10:27:29
|   Copyright (c) 1988-2008 Microsoft Corporation
|_  Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)
| mssql-sp-configure:
|   name                         minimum     maximum     config_value  run_value
|   ====                         =======     =======     ============  =========
|   allow updates                0           1           0             0
|   clr enabled                  0           1           0             0
|   cross db ownership chaining  0           1           0             0
|   default language             0           9999        0             0
|   filestream access level      0           2           0             0
|   max text repl size (B)       4294967295  2147483647  65536         65536
|   nested triggers              0           1           1             1
|   remote access                0           1           1             1
|   remote admin connections     0           1           0             0
|   remote login timeout (s)     0           2147483647  20            20
|   remote proc trans            0           1           0             0
|   remote query timeout (s)     0           2147483647  600           600
|   server trigger recursion     0           1           1             1
|   show advanced options        0           1           0             0
|   user instances enabled       0           1           1             1
|_  user options                 0           32767       0             0
| mssql-databases:
|   name
|   ====
|   master
|   tempdb
|   model
|   msdb
|_  nmap
| mssql-tables:
|   nmap (Showing 2 first tables)
|   table  column  type  length
|   =====  ======  ====  ======
|   test   fee     int   4
|   test   fie     int   4
|   test   foe     int   4
|   test   foo     int   4
|
|_INFO: Showing 5 first databases
| mssql-hasdbaccess:
|   sa (Showing 5 first results)
|   dbname  owner
|   ======  =====
|_  nmap    MAC-MINI\david

Final times for host: srtt: 786 rttvar: 5000 to: 100000
Read from .: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds

I think it would be good if mssql-query printed out the query string. When the default is used, it should also print a message showing how to use a different query.
I've added this to mssql-query and followed the same principle for mssql-xp-cmdshell.
| mssql-query: (Use --script-args=mssql-query.query='<QUERY>' to change query.)
|   SELECT @@version version
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|   Mar 29 2009 10:27:29
|   Copyright (c) 1988-2008 Microsoft Corporation
|_  Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)

I'm going to follow up with thoughts on combining some of the scripts.
Great! Looking forward to it.
David Fifield
//Patrik
Attachment: mssql-xp-cmdshell.nse
Attachment: mssql-query.nse
-- Patrik Karlsson http://www.cqure.net http://www.twitter.com/nevdull77
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
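The two points in the exchange above, the strict-mode error from the traceback and the query echo with a usage hint, as an added example. This is not code from the thread, from Nmap, or from the attached scripts: it reimplements in simplified form the undeclared-global check that nselib/strict.lua applies to NSE scripts, then shows why reading an undeclared `database` global from inside a function fails exactly as in the traceback and how a `local` declaration fixes it, and builds the "(Use --script-args=... to change query.)" header that the new mssql-query output shows. The argument names (`mssql-xp-cmdshell.db`), the `make_args` stand-in for `nmap.registry.args`, and the `query_header` helper are assumptions for illustration.

```lua
-- Added example, not code from this thread or from Nmap. Simplified
-- reimplementation of nselib/strict.lua's check: globals defined at
-- main-chunk level count as declared; any other global read or write
-- from inside a function is an error.
local function enable_strict()
  local mt = getmetatable(_G) or {}
  local declared = {}

  -- Who touched the global: level 3 is the code that accessed it
  -- (level 1 is what(), level 2 is the metamethod).
  local function what()
    local d = debug.getinfo(3, "S")
    return d and d.what or "C"
  end

  mt.__newindex = function(t, name, value)
    if not declared[name] then
      local w = what()
      if w ~= "main" and w ~= "C" then
        error("assign to undeclared variable '" .. name .. "'", 2)
      end
      declared[name] = true
    end
    rawset(t, name, value)
  end

  -- Only fires for keys absent from _G, so existing globals such as
  -- print or pcall are never affected.
  mt.__index = function(t, name)
    if not declared[name] and what() ~= "C" then
      error("variable '" .. name .. "' is not declared", 2)
    end
    return rawget(t, name)
  end

  setmetatable(_G, mt)
end

-- Constructed stand-in for nmap.registry.args, which NSE fills from
-- --script-args. Keys are assumed names, not the real scripts' arguments.
local function make_args(overrides)
  local args = {}
  for k, v in pairs(overrides or {}) do args[k] = v end
  return args
end

-- The shape of the bug in the traceback: the function reads a global
-- named `database` that nothing in the script ever declared.
local function buggy_pick_database(args)
  return database or args["mssql-xp-cmdshell.db"] or "master"
end

-- The fix: declare it local, so strict mode never sees a global access.
local function fixed_pick_database(args)
  local database = args["mssql-xp-cmdshell.db"] or "master"
  return database
end

-- Output header for a query script: echo the query that ran and, when the
-- built-in default is used, say how to change it (hypothetical helper;
-- the argument name and default mirror the mssql-query output above).
local DEFAULT_QUERY = "SELECT @@version version"
local function query_header(script_name, args)
  local query = args[script_name .. ".query"]
  local lines = {}
  if not query then
    query = DEFAULT_QUERY
    lines[#lines + 1] = string.format(
      "(Use --script-args=%s.query='<QUERY>' to change query.)", script_name)
  end
  lines[#lines + 1] = query
  return query, lines
end

enable_strict()

-- Under strict mode the buggy version errors instead of returning "master".
local ok, err = pcall(buggy_pick_database, make_args())
print("buggy:", ok, err)

print("fixed:", fixed_pick_database(make_args()))
print("fixed (arg set):",
  fixed_pick_database(make_args({ ["mssql-xp-cmdshell.db"] = "nmap" })))

local _, header = query_header("mssql-query", make_args())
print(table.concat(header, "\n"))

local _, header2 = query_header("mssql-query",
  make_args({ ["mssql-query.query"] = "SELECT name FROM sys.databases" }))
print(table.concat(header2, "\n"))
```

Run it with a stand-alone Lua interpreter; it does not need Nmap. The point of the strict check, and the reason NSE loads scripts under it, is that a typo or a missing `local` otherwise silently creates or reads a global shared by every script running in the same Lua state, so the error at load or first call is the cheaper failure.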