mirror of
https://github.com/nmap/nmap.git
synced 2025-12-09 06:01:28 +00:00
1d26975ede
scripts are:
- ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
- ms-sql-config retrieves various configuration details from the server
- ms-sql-empty-password checks if the sa account has an empty password
- ms-sql-hasdbaccess lists database access per user
- ms-sql-query add support for running custom queries against the database
- ms-sql-tables lists databases, tables, columns and datatypes with optional
keyword filtering
- ms-sql-xp-cmdshell adds support for OS command execution to privileged
users
[Patrik]
93 lines
2.4 KiB
Lua
93 lines
2.4 KiB
Lua
description = [[
|
|
Performs password guessing against Microsoft SQL Server (mssql)
|
|
]]
|
|
|
|
author = "Patrik Karlsson"
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
categories = {"auth", "intrusive"}
|
|
|
|
require 'shortport'
|
|
require 'stdnse'
|
|
require 'mssql'
|
|
require 'unpwdb'
|
|
|
|
---
|
|
--
|
|
-- @output
|
|
-- PORT STATE SERVICE
|
|
-- 1433/tcp open ms-sql-s
|
|
-- | mssql-brute:
|
|
-- | webshop_reader:secret => Login Success
|
|
-- | testuser:secret1234 => Must change password at next logon
|
|
-- |_ lordvader:secret1234 => Login Success
|
|
--
|
|
--
|
|
|
|
-- Version 0.1
|
|
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
|
|
|
|
portrule = shortport.port_or_service(1433, "ms-sql-s")
|
|
|
|
action = function( host, port )
|
|
|
|
local result, response, status, aborted = {}, nil, nil, false
|
|
local valid_accounts = {}
|
|
local usernames, passwords
|
|
local username, password
|
|
local max_time = unpwdb.timelimit() ~= nil and unpwdb.timelimit() * 1000 or -1
|
|
local clock_start = nmap.clock_ms()
|
|
local helper = mssql.Helper:new()
|
|
|
|
status, usernames = unpwdb.usernames()
|
|
if ( not(status) ) then
|
|
return " \n\nFailed to load usernames.lst"
|
|
end
|
|
status, passwords = unpwdb.passwords()
|
|
if ( not(status) ) then
|
|
return " \n\nFailed to load usernames.lst"
|
|
end
|
|
|
|
for username in usernames do
|
|
for password in passwords do
|
|
|
|
if max_time>0 and nmap.clock_ms() - clock_start > max_time then
|
|
aborted=true
|
|
break
|
|
end
|
|
|
|
status, result = helper:Connect(host, port)
|
|
if( not(status) ) then
|
|
return " \n\n" .. result
|
|
end
|
|
|
|
stdnse.print_debug( "Trying %s/%s ...", username, password )
|
|
status, result = helper:Login( username, password, "tempdb", host.ip )
|
|
helper:Disconnect()
|
|
|
|
if status then
|
|
-- Add credentials for other mysql scripts to use
|
|
table.insert( valid_accounts, string.format("%s:%s => %s", username, password:len()>0 and password or "<empty>", result ) )
|
|
-- don't add accounts that need to change passwords to the registry
|
|
if ( result ~= "Login Success") then
|
|
break
|
|
end
|
|
if nmap.registry.mssqlusers == nil then
|
|
nmap.registry.mssqlusers = {}
|
|
end
|
|
nmap.registry.mssqlusers[username]=password
|
|
|
|
break
|
|
end
|
|
|
|
end
|
|
passwords("reset")
|
|
end
|
|
|
|
local output = stdnse.format_output(true, valid_accounts)
|
|
|
|
if max_time > 0 and aborted then
|
|
output = output .. string.format(" \n\nscript aborted execution after %d seconds", max_time/1000 )
|
|
end
|
|
|
|
return output
|
|
end |