Nmap Development mailing list archives

[NSE] ms-sql-info broadcast split


From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 20 Nov 2010 19:56:24 +0100

Hi all,

I've been working on splitting the broadcast functionality from the ms-sql-info script for a while.
I decided to make the broadcast script somewhat different than the unicast script, hence the different name.
The foremost reason is that I would like the broadcast script to be non intrusive and just discover hosts and instances.
Unfortunately I came to this conclusion after doing considerable work on the ms-sql-info script to make it more suitable for re-using the code in both scripts.
During the process I also managed to fix a few bugs that I've run into during the last few weeks, so maybe it's not all bad.

The script supports the newtargets option and can be used like this to scan all SQL servers on the network using all of the ms-sql scripts:
sudo ./nmap -PN -sT -p U:1434,T:1433 --script broadcast-mssql-discover,ms-sql-* -d3 --script-args newtargets

Anyway, in order to split out the broadcast functionality we could either use this re-worked new ms-sql-info script or we would simply revert to a version before the broadcast code was added.
Any thoughts or feedback on this is most welcome!

Here are the major changes to the new ms-sql-info script:
* a new Discover method was added to the mssql library

* a new DecodeBrowserInfoVersion method was added to the mssql library 

* the mssql library is now used in order to attempt to extract the "real version" from the database
   this solves a few problems I was having when the script failed to retrieve the real version.

* when an instance is found the script now attempts to resolve the server name reported by the browser service
   it then attempts to connect to the port at the new IP in order to retrieve the real version
   this solves a problem I was having when the browser service reported instances on different IPs than the browser service itself
   if the resolve fails for some reason, the script falls back to the same IP as the browser service

* there's a slight change to the script output and the way it's built up, see below:

This is the output from the script when it can't authenticate and retrieve the real version:

| ms-sql-info: 
|   Instance: SQLEXPRESS
|     Microsoft SQL Server 2005 Express Edition
|       Server version: 9.00.3042.00 (SP2) - UNVERIFIED
|       Clustered: No
|       Server name: SQLSRV001
|       Tcp port: 1444
|   Instance: MSSQLSERVER
|     Microsoft SQL Server 2000
|       Server version: 8.00.194 - UNVERIFIED
|       Named pipe: \\SQLSRV001\pipe\sql\query
|       Clustered: No
|       Server name: SQLSRV001
|_      Tcp port: 1433

This is the output from the script when it succeeds in authenticating and verifying the version:

| ms-sql-info: 
|   Instance: SQLEXPRESS
|     Microsoft SQL Server 2008 Express Edition
|       Server version: 10.0.1600.22 (RTM)
|       Clustered: No
|       Server name: WIN2K3-EPI-1
|       Tcp port: 1052
|       Server edition: Express Edition with Advanced Services on Windows NT 5.2 <X86> (Build 3790: Service Pack 2)
|_      WARNING: Database was accessible as SA with empty password!


I've already committed the new mssql library (r21149) as it contains an important bugfix that lowers the timeout for the connect function.
If nobody objects I'll commit the new ms-sql-info and broadcast-ms-sql-discover within the next few days.

Attachment: broadcast-ms-sql-discover.nse
Attachment: ms-sql-info.nse



//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
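The following is an added example, not code from Patrik's scripts or from the nmap mssql library. It shows in plain Python the three pieces the message describes: decoding a SQL Server Browser (SSRP, UDP/1434) response into instances, deriving a product name from the unauthenticated version string (the "UNVERIFIED" value in the output above), and resolving the reported server name with a fallback to the browser's own IP. The response bytes and the DNS table are constructed for the example, and `fake_resolve` is a hypothetical stand-in for a real lookup so it runs offline.

```python
"""Decode SQL Server Browser (SSRP) discovery responses - added example only."""
import struct

# Major.minor -> product family. Covers the mappings visible in the sample
# output (8.00 -> 2000, 9.00 -> 2005, 10.0 -> 2008) plus later well-known ones.
PRODUCT_BY_VERSION = {
    (8, 0): "Microsoft SQL Server 2000",
    (9, 0): "Microsoft SQL Server 2005",
    (10, 0): "Microsoft SQL Server 2008",
    (10, 50): "Microsoft SQL Server 2008 R2",
    (11, 0): "Microsoft SQL Server 2012",
    (12, 0): "Microsoft SQL Server 2014",
    (13, 0): "Microsoft SQL Server 2016",
    (14, 0): "Microsoft SQL Server 2017",
    (15, 0): "Microsoft SQL Server 2019",
    (16, 0): "Microsoft SQL Server 2022",
}


def decode_browser_version(version):
    """Map a browser-reported version such as '9.00.3042.00' to a product name.

    The browser service hands this out without authentication, so callers
    should label it UNVERIFIED until confirmed over a real TDS connection.
    """
    parts = version.split(".")
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return "Unknown version"
    return PRODUCT_BY_VERSION.get((major, minor), f"Unknown version ({version})")


def parse_ssrp_response(packet):
    """Parse SVR_RESP: byte 0x05, 2-byte little-endian length, ';'-delimited text."""
    if len(packet) < 3 or packet[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (size,) = struct.unpack_from("<H", packet, 1)
    data = packet[3:3 + size].decode("ascii", errors="replace")
    instances = []
    # Each instance is a run of key;value pairs terminated by ';;'.
    for record in data.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue
        info = {fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)}
        if "InstanceName" in info:
            instances.append(info)
    return instances


def connect_target(info, browser_ip, resolve):
    """Address to use for fetching the real version over TDS.

    Resolve the ServerName reported by the browser (the instance may live on a
    different IP than the browser that announced it); fall back to the
    browser's own IP when resolution fails.
    """
    ip = resolve(info.get("ServerName", "")) or browser_ip
    port = int(info["tcp"]) if "tcp" in info else None
    return ip, port


def summarize(packet, browser_ip, resolve):
    """One dict per discovered instance, in the spirit of the script's output."""
    results = []
    for info in parse_ssrp_response(packet):
        results.append({
            "instance": info["InstanceName"],
            "product": decode_browser_version(info.get("Version", "")),
            "version": info.get("Version", "") + " - UNVERIFIED",
            "clustered": info.get("IsClustered", "?"),
            "server_name": info.get("ServerName", ""),
            "named_pipe": info.get("np"),
            "target": connect_target(info, browser_ip, resolve),
        })
    return results


# Constructed sample response (not a capture) mirroring the two instances in
# the first output sample of the message above.
SAMPLE_PAYLOAD = (
    b"ServerName;SQLSRV001;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.3042.00;tcp;1444;;"
    b"ServerName;SQLSRV001;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;np;\\\\SQLSRV001\\pipe\\sql\\query;tcp;1433;;"
)
SAMPLE_PACKET = b"\x05" + struct.pack("<H", len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD

# Hypothetical resolver standing in for DNS so the example runs offline.
FAKE_DNS = {"SQLSRV001": "192.0.2.10"}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for entry in summarize(SAMPLE_PACKET, "192.0.2.5", fake_resolve):
        print(entry)
```

Passing a resolver that returns `None` exercises the fallback path: every instance is then targeted at the browser's IP, which is exactly the behaviour the message describes for a failed resolve.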





_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
