o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new

scripts are:
  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
  - ms-sql-config retrieves various configuration details from the server		
  - ms-sql-empty-password checks if the sa account has an empty password
  - ms-sql-hasdbaccess lists database access per user
  - ms-sql-query add support for running custom queries against the database
  - ms-sql-tables lists databases, tables, columns and datatypes with optional
    keyword filtering
  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
    users
  [Patrik]

scripts/ms-sql-brute.nse

@@ -0,0 +1,93 @@
+description = [[
+Performs password guessing against Microsoft SQL Server (mssql)
+]]
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"auth", "intrusive"}
+
+require 'shortport'
+require 'stdnse'
+require 'mssql'
+require 'unpwdb'
+
+---
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 1433/tcp open  ms-sql-s
+-- | mssql-brute:  
+-- |   webshop_reader:secret => Login Success
+-- |   testuser:secret1234 => Must change password at next logon
+-- |_  lordvader:secret1234 => Login Success
+--
+--
+
+-- Version 0.1
+-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+
+portrule = shortport.port_or_service(1433, "ms-sql-s")
+
+action = function( host, port )
+
+	local result, response, status, aborted = {}, nil, nil, false	
+	local valid_accounts = {}	
+	local usernames, passwords
+	local username, password
+	local max_time = unpwdb.timelimit() ~= nil and unpwdb.timelimit() * 1000 or -1
+	local clock_start = nmap.clock_ms()
+	local helper = mssql.Helper:new()
+	
+ 	status, usernames = unpwdb.usernames()
+	if ( not(status) ) then
+		return "  \n\nFailed to load usernames.lst"
+	end
+	status, passwords = unpwdb.passwords()
+	if ( not(status) ) then
+		return "  \n\nFailed to load usernames.lst"
+	end
+		
+	for username in usernames do
+		for password in passwords do
+				
+			if max_time>0 and nmap.clock_ms() - clock_start >  max_time then
+				aborted=true
+				break
+			end
+	
+			status, result = helper:Connect(host, port)
+			if( not(status) ) then
+				return "  \n\n" .. result
+			end
+			
+			stdnse.print_debug( "Trying %s/%s ...", username, password )
+			status, result = helper:Login( username, password, "tempdb", host.ip )			
+			helper:Disconnect()
+			
+			if status then				
+				-- Add credentials for other mysql scripts to use
+				table.insert( valid_accounts, string.format("%s:%s => %s", username, password:len()>0 and password or "<empty>", result ) )
+				-- don't add accounts that need to change passwords to the registry
+				if ( result ~= "Login Success") then
+					break
+				end
+				if nmap.registry.mssqlusers == nil then
+					nmap.registry.mssqlusers = {}
+				end	
+				nmap.registry.mssqlusers[username]=password
+				
+				break
+			end
+			
+		end
+		passwords("reset")
+	end
+
+	local output = stdnse.format_output(true, valid_accounts)	
+
+	if max_time > 0 and aborted then
+		output = output .. string.format(" \n\nscript aborted execution after %d seconds", max_time/1000 )
+	end
+	
+	return output
+end