Nmap Development mailing list archives

Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts

From: Patrik Karlsson <patrik () cqure net>
Date: Thu, 1 Apr 2010 20:49:57 +0200


On 1 apr 2010, at 20.20, David Fifield wrote:


I set the password of sa to empty and created an nmap database to test
with. This is what I'm seeing now. All scripts produce output except for
mssql-xp-cmdshell (which hits an error) and mssql-linked-servers,
probably because I would have to do something to set up linked servers.


I've fixed the error for mssql-xp-cmdshell it should work now.
If you want to test the linked servers script there's more info on how to create a db link over here:
http://msdn.microsoft.com/en-us/library/aa259589%28v=SQL.80%29.aspx


$ ./nmap -Pn -n --datadir . -p 1433 --script=mssql-\* 192.168.0.190 --script-args unpwdb.passlimit=1 -d

Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-04-01 10:42 MDT
--------------- Timing report ---------------
 hostgroups: min 1, max 100000
 rtt-timeouts: init 1000, min 100, max 10000
 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
 parallelism: min 0, max 0
 max-retries: 10, host-timeout: 0
 min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 9 scripts for scanning.
Initiating Connect Scan at 10:42
Scanning 192.168.0.190 [1 port]
Discovered open port 1433/tcp on 192.168.0.190
Completed Connect Scan at 10:42, 0.01s elapsed (1 total ports)
Overall sending rates: 159.41 packets / s.
NSE: Script scanning 192.168.0.190.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (2) running:
NSE: Starting mssql-empty-password against 192.168.0.190:1433.
NSE: Starting mssql-brute against 192.168.0.190:1433.
NSE: Trying root/ ...
NSE: Finished mssql-empty-password against 192.168.0.190:1433.
NSE: Trying admin/ ...
NSE: Trying administrator/ ...
NSE: Trying webadmin/ ...
NSE: Trying sysadmin/ ...
NSE: Trying netadmin/ ...
NSE: Trying guest/ ...
NSE: Trying user/ ...
NSE: Trying web/ ...
NSE: Trying test/ ...
NSE: Finished mssql-brute against 192.168.0.190:1433.
Completed NSE at 10:42, 0.10s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 10:42
NSE: NSE Script Threads (7) running:
NSE: Starting mssql-xp-cmdshell against 192.168.0.190:1433.
NSE: Starting mssql-tables against 192.168.0.190:1433.
NSE: Starting mssql-sp-configure against 192.168.0.190:1433.
NSE: Starting mssql-query against 192.168.0.190:1433.
NSE: Starting mssql-linked-servers against 192.168.0.190:1433.
NSE: Starting mssql-hasdbaccess against 192.168.0.190:1433.
NSE: Starting mssql-databases against 192.168.0.190:1433.
NSE: mssql-xp-cmdshell against 192.168.0.190:1433 threw an error!
./scripts/mssql-xp-cmdshell.nse:117: variable 'database' is not declared
stack traceback:
       [C]: in function 'error'
       ./nselib/strict.lua:68: in function <./nselib/strict.lua:59>
       ./scripts/mssql-xp-cmdshell.nse:117: in function <./scripts/mssql-xp-cmdshell.nse:80>
       (tail call): ?

NSE: Finished mssql-linked-servers against 192.168.0.190:1433.
NSE: Finished mssql-query against 192.168.0.190:1433.
NSE: Finished mssql-sp-configure against 192.168.0.190:1433.
NSE: Finished mssql-databases against 192.168.0.190:1433.
NSE: Finished mssql-tables against 192.168.0.190:1433.
NSE: Finished mssql-hasdbaccess against 192.168.0.190:1433.
Completed NSE at 10:42, 0.31s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.0.190
Host is up, received user-set (0.00079s latency).
Scanned at 2010-04-01 10:42:01 MDT for 0s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
| mssql-empty-password:
|_  sa:<empty> => Login Success
| mssql-query:
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|       Mar 29 2009 10:27:29
|       Copyright (c) 1988-2008 Microsoft Corporation
|_      Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)
| mssql-sp-configure:
|   name        minimum maximum config_value    run_value
|   ====        ======= ======= ============    =========
|   allow updates       0       1       0       0
|   clr enabled 0       1       0       0
|   cross db ownership chaining 0       1       0       0
|   default language    0       9999    0       0
|   filestream access level     0       2       0       0
|   max text repl size (B)      4294967295      2147483647      65536   65536
|   nested triggers     0       1       1       1
|   remote access       0       1       1       1
|   remote admin connections    0       1       0       0
|   remote login timeout (s)    0       2147483647      20      20
|   remote proc trans   0       1       0       0
|   remote query timeout (s)    0       2147483647      600     600
|   server trigger recursion    0       1       1       1
|   show advanced options       0       1       0       0
|   user instances enabled      0       1       1       1
|_  user options        0       32767   0       0
| mssql-databases:
|   name
|   ====
|   master
|   tempdb
|   model
|   msdb
|_  nmap
| mssql-tables:
|   nmap (Showing 2 first tables)
|     table     column  type    length
|     =====     ======  ====    ======
|     test      fee     int     4
|     test      fie     int     4
|     test      foe     int     4
|     test      foo     int     4
|
|_INFO: Showing 5 first databases
| mssql-hasdbaccess:
|   sa (Showing 5 first results)
|     dbname    owner
|     ======    =====
|_    nmap      MAC-MINI\david
Final times for host: srtt: 786 rttvar: 5000  to: 100000

Read from .: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds

I think it would be good if mssql-query printed out the query string.
When the default is used, it should also print a message showing how to
use a different query.

I've added this to mssql-query and followed the same principle for mssql-xp-cmdshell.


| mssql-query: (Use --script-args=mssql-query.query='<QUERY>' to change query.)
| SELECT @@version version
|   version
|   =======
|   Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (Intel X86)
|       Mar 29 2009 10:27:29
|       Copyright (c) 1988-2008 Microsoft Corporation
|_      Express Edition on Windows NT 5.1 <X86> (Build 2600: Service Pack 3)

I'm going to follow up with thoughts on combining some of the scripts.

Great! Looking forward to it.


David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



//Patrik

Attachment: mssql-xp-cmdshell.nse
Description:

Attachment: mssql-query.nse
Description:


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Apr 01)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Apr 01)
  - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Apr 01)
    - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Apr 01)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Apr 01)
  - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Apr 02)
    - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Apr 02)
    - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Apr 02)
    - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Apr 03)
    - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Patrik Karlsson (Apr 04)
    - Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts Fyodor (Apr 04)
- Re: [NSE] Microsoft SQL Server (MSSQL) library and scripts David Fifield (Apr 01)