PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-12 10:49:02 +00:00
Code Issues Projects Releases Wiki Activity

New script: ms-sql-ntlm-info

Browse Source
This commit is contained in:
dmiller
2016-01-08 19:34:04 +00:00
parent 1accb103d1
commit cdb5e5b9d8
3 changed files with 125 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG
View File

@@ -1,5 +1,8 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added ms-sql-ntlm-info for extracting OS version and sometimes hostname
from MS SQL Server instances via the NTLM challenge message. [Justin Cacak]
o [NSE] Added nntp-ntlm-info for extracting hostname and sometimes OS version o [NSE] Added nntp-ntlm-info for extracting hostname and sometimes OS version
from NTLM-auth-enabled NNTP services. [Justin Cacak] from NTLM-auth-enabled NNTP services. [Justin Cacak]

121
scripts/ms-sql-ntlm-info.nse Normal file
View File

@@ -0,0 +1,121 @@
local bin = require "bin"
local mssql = require "mssql"
local shortport = require "shortport"
local stdnse = require "stdnse"
local smbauth = require "smbauth"
local string = require "string"
description = [[
This script enumerates information from remote Microsoft SQL services with NTLM
authentication enabled.
Sending a MS-TDS NTLM authentication request with an invalid domain and null
credentials will cause the remote service to respond with a NTLMSSP message
disclosing information to include NetBIOS, DNS, and OS build version.
]]
---
-- @usage
-- nmap -p 1433 --script ms-sql-ntlm-info <target>
--
-- @output
-- 1433/tcp open ms-sql-s
-- | ms-sql-ntlm-info:
-- | Target_Name: ACTIVESQL
-- | NetBIOS_Domain_Name: ACTIVESQL
-- | NetBIOS_Computer_Name: DB-TEST2
-- | DNS_Domain_Name: somedomain.com
-- | DNS_Computer_Name: db-test2.somedomain.com
-- | DNS_Tree_Name: somedomain.com
-- |_ Product_Version: 6.1.7601
--
--@xmloutput
-- <elem key="Target_Name">ACTIVESQL</elem>
-- <elem key="NetBIOS_Domain_Name">ACTIVESQL</elem>
-- <elem key="NetBIOS_Computer_Name">DB-TEST2</elem>
-- <elem key="DNS_Domain_Name">somedomain.com</elem>
-- <elem key="DNS_Computer_Name">db-test2.somedomain.com</elem>
-- <elem key="DNS_Tree_Name">somedomain.com</elem>
-- <elem key="Product_Version">6.1.7601</elem>
author = "Justin Cacak"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
portrule = shortport.port_or_service(1433, "ms-sql-s")
action = function(host, port)
local output = stdnse.output_table()
local tdsstream = mssql.TDSStream:new()
local status, result = tdsstream:Connect(host, port)
if not status then
return nil
end
local lp = mssql.LoginPacket:new()
lp:SetUsername("")
lp:SetPassword("")
lp:SetDatabase("")
lp:SetServer(stdnse.get_hostname(host))
-- Setting domain forces NTLM authentication
lp:SetDomain(".")
status, result = tdsstream:Send( lp:ToString() )
if not status then
tdsstream:Disconnect()
return nil
end
local status, response, errorDetail = tdsstream:Receive()
tdsstream:Disconnect()
local pos, ttype = bin.unpack("C", response)
if ttype ~= mssql.TokenType.NTLMSSP_CHALLENGE then
return nil
end
local pos, data = bin.unpack("<P", response, pos)
if not string.match(data, "^NTLMSSP") then
return nil
end
-- Leverage smbauth.get_host_info_from_security_blob() for decoding
local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
-- Target Name will always be returned under any implementation
output.Target_Name = ntlm_decoded.target_realm
-- Display information returned & ignore responses with null values
if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then
output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name
end
if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then
output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name
end
if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then
output.DNS_Domain_Name = ntlm_decoded.dns_domain_name
end
if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then
output.DNS_Computer_Name = ntlm_decoded.fqdn
end
if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then
output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
end
if ntlm_decoded.os_major_version then
output.Product_Version = string.format("%d.%d.%d",
ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)
end
return output
end

1
scripts/script.db
View File

@@ -320,6 +320,7 @@ Entry { filename = "ms-sql-dump-hashes.nse", categories = { "auth", "discovery",
Entry { filename = "ms-sql-empty-password.nse", categories = { "auth", "intrusive", } } Entry { filename = "ms-sql-empty-password.nse", categories = { "auth", "intrusive", } }
Entry { filename = "ms-sql-hasdbaccess.nse", categories = { "auth", "discovery", "safe", } } Entry { filename = "ms-sql-hasdbaccess.nse", categories = { "auth", "discovery", "safe", } }
Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ms-sql-ntlm-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ms-sql-query.nse", categories = { "discovery", "safe", } } Entry { filename = "ms-sql-query.nse", categories = { "discovery", "safe", } }
Entry { filename = "ms-sql-tables.nse", categories = { "discovery", "safe", } } Entry { filename = "ms-sql-tables.nse", categories = { "discovery", "safe", } }
Entry { filename = "ms-sql-xp-cmdshell.nse", categories = { "intrusive", } } Entry { filename = "ms-sql-xp-cmdshell.nse", categories = { "intrusive", } }