diff --git a/CHANGELOG b/CHANGELOG index ac13c568e..92ca0bfc4 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added ms-sql-dump-hashes, a script that dumps the MS SQL hashes in a + format suitable for offline cracking. [Patrik] + o [NSE] Added bitcoinrpc-info by Toni Ruottu. o Added a TCP Kerberos service probe. [Patrik] diff --git a/scripts/ms-sql-dump-hashes.nse b/scripts/ms-sql-dump-hashes.nse new file mode 100644 index 000000000..e7a1c571d --- /dev/null +++ b/scripts/ms-sql-dump-hashes.nse @@ -0,0 +1,132 @@ +description = [[ +Dumps the password hashes from MS-SQL server in a format suitable for +John-the-ripper. In order to do so the user needs to have the appropriate +privileges. + +Credentials passed as script arguments take precedence over credentials +discovered by other scripts. +]] + +--- +-- @usage +-- nmap -p 1433 --script ms-sql-dump-hashes +-- +-- @output +-- PORT STATE SERVICE +-- 1433/tcp open ms-sql-s +-- | ms-sql-dump-hashes: +-- | nmap_test:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123 +-- | sa:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123 +-- |_ webshop_dbo:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123 + +-- +-- +-- Version 0.1 +-- Created 08/03/2011 - v0.1 - created by Patrik Karlsson +-- + +author = "Patrik Karlsson" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"discovery", "safe"} + +require 'shortport' +require 'stdnse' +require 'mssql' + +dependencies = {"ms-sql-brute", "ms-sql-empty-password", "ms-sql-discover"} + +hostrule = mssql.Helper.GetHostrule_Standard() +portrule = mssql.Helper.GetPortrule_Standard() + +local function process_instance(instance) + + local helper = mssql.Helper:new() + local status, errorMessage = helper:ConnectEx( instance ) + if ( not(status) ) then + return false, { + ['name'] = string.format( "[%s]", instance:GetName() ), + "ERROR: " .. errorMessage + } + end + + status, errorMessage = helper:LoginEx( instance ) + if ( not(status) ) then + return false, { + ['name'] = string.format( "[%s]", instance:GetName() ), + "ERROR: " .. errorMessage + } + end + + local result + local query = [[ + IF ( OBJECT_ID('master..sysxlogins' ) ) <> 0 + SELECT name, password FROM master..sysxlogins WHERE password IS NOT NULL + ELSE IF ( OBJECT_ID('master.sys.sql_logins') ) <> 0 + SELECT name, password_hash FROM master.sys.sql_logins + ]] + status, result = helper:Query( query ) + + local output = {} + + if ( status ) then + for _, row in ipairs( result.rows ) do + table.insert(output, ("%s:%s"):format(row[1] or "",row[2] or "") ) + end + end + + helper:Disconnect() + local instanceOutput = {} + instanceOutput["name"] = string.format( "[%s]", instance:GetName() ) + table.insert( instanceOutput, output ) + + return true, instanceOutput + +end + +-- Saves the hashes to file +-- @param filename string name of the file +-- @param response table containing the resultset +-- @return status true on success, false on failure +-- @return err string containing the error if status is false +local function saveToFile(filename, response) + local f = io.open( filename, "w") + if ( not(f) ) then + return false, ("Failed to open file (%s)"):format(filename) + end + for _, row in ipairs(response) do + if ( not(f:write(row .."\n" ) ) ) then + return false, ("Failed to write file (%s)"):format(filename) + end + end + f:close() + return true +end + +action = function( host, port ) + local dir = stdnse.get_script_args("ms-sql-dump-hashes.dir") + local scriptOutput = {} + local status, instanceList = mssql.Helper.GetTargetInstances( host, port ) + + if ( not status ) then + return stdnse.format_output( false, instanceList ) + else + for _, instance in pairs( instanceList ) do + local status, instanceOutput = process_instance( instance ) + if ( status ) then + local filename + if ( dir ) then + local instance = instance:GetName():match("%\\+(.+)$") or instance:GetName() + filename = ("%s/%s_%s_ms-sql_hashes.txt"):format(dir, host.ip, instance) + saveToFile(filename, instanceOutput[1]) + end + end + table.insert( scriptOutput, instanceOutput ) + end + end + + if ( #scriptOutput == 0 ) then return end + + local output = ( #scriptOutput > 1 and scriptOutput or scriptOutput[1] ) + + return stdnse.format_output( true, output ) +end \ No newline at end of file diff --git a/scripts/script.db b/scripts/script.db index 012f00af3..8776df71f 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -134,6 +134,7 @@ Entry { filename = "mongodb-databases.nse", categories = { "default", "discovery Entry { filename = "mongodb-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "ms-sql-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "ms-sql-config.nse", categories = { "discovery", "safe", } } +Entry { filename = "ms-sql-dump-hashes.nse", categories = { "discovery", "safe", } } Entry { filename = "ms-sql-empty-password.nse", categories = { "auth", "intrusive", } } Entry { filename = "ms-sql-hasdbaccess.nse", categories = { "auth", "discovery", "safe", } } Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } }