mirror of
https://github.com/nmap/nmap.git
synced 2025-12-06 20:51:30 +00:00
c3d54f1fac
MS SQL NSE scripts run on database instances, which can be TCP or named pipes. With this change, all TCP instances on scanned ports will have script output attached under the port as a portrule script. Named pipe instances and TCP instances on unscanned ports will be displayed in the hostrule script output at the end of the host's output. Utility function mssql.Helper.InitScript makes it easy to write scripts that just work on a per-instance basis, without bothering where to put the output. Discovery will be done once per host, regardless of how many scripts are run, and can be guaranteed to be done before the script's action takes place.
164 lines
6.4 KiB
Lua
164 lines
6.4 KiB
Lua
local mssql = require "mssql"
|
|
local nmap = require "nmap"
|
|
local stdnse = require "stdnse"
|
|
local string = require "string"
|
|
local table = require "table"
|
|
|
|
-- -*- mode: lua -*-
|
|
-- vim: set filetype=lua :
|
|
|
|
description = [[
|
|
Attempts to authenticate to Microsoft SQL Servers using an empty password for
|
|
the sysadmin (sa) account.
|
|
|
|
SQL Server credentials required: No (will not benefit from
|
|
<code>mssql.username</code> & <code>mssql.password</code>).
|
|
Run criteria:
|
|
* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>
|
|
or <code>mssql.instance-port</code> script arguments are used (see mssql.lua).
|
|
* Port script: Will run against any services identified as SQL Servers, but only
|
|
if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>
|
|
and <code>mssql.instance-port</code> script arguments are NOT used.
|
|
|
|
WARNING: SQL Server 2005 and later versions include support for account lockout
|
|
policies (which are enforced on a per-user basis).
|
|
|
|
NOTE: Communication with instances via named pipes depends on the <code>smb</code>
|
|
library. To communicate with (and possibly to discover) instances via named pipes,
|
|
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
|
|
found to be open. Additionally, named pipe connections may require Windows
|
|
authentication to connect to the Windows host (via SMB) in addition to the
|
|
authentication required to connect to the SQL Server instances itself. See the
|
|
documentation and arguments for the <code>smb</code> library for more information.
|
|
|
|
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
|
|
with ports that were not included in the port list for the Nmap scan. This can
|
|
be disabled using the <code>mssql.scanned-ports-only</code> script argument.
|
|
]]
|
|
|
|
---
|
|
-- @see ms-sql-brute.nse
|
|
--
|
|
-- @usage
|
|
-- nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all <host>
|
|
-- nmap -p 1433 --script ms-sql-empty-password <host>
|
|
--
|
|
-- @output
|
|
-- | ms-sql-empty-password:
|
|
-- | [192.168.100.128\PROD]
|
|
-- |_ sa:<empty> => Login Success
|
|
--
|
|
|
|
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
|
|
-- Revised 02/01/2011 - v0.2 (Chris Woodbury)
|
|
-- - Added ability to run against all instances on a host;
|
|
-- - Added storage of credentials on a per-instance basis
|
|
-- - Added compatibility with changes in mssql.lua
|
|
|
|
author = "Patrik Karlsson"
|
|
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
|
categories = {"auth","intrusive"}
|
|
|
|
dependencies = {"broadcast-ms-sql-discover"}
|
|
|
|
local function test_credentials( instance, helper, username, password )
|
|
local database = "tempdb"
|
|
|
|
local status, result = helper:ConnectEx( instance )
|
|
local loginErrorCode
|
|
if( status ) then
|
|
stdnse.debug2("Attempting login to %s", instance:GetName() )
|
|
status, result, loginErrorCode = helper:Login( username, password, database, instance.host.ip )
|
|
end
|
|
helper:Disconnect()
|
|
|
|
local passwordIsGood, canLogin
|
|
if status then
|
|
passwordIsGood = true
|
|
canLogin = true
|
|
elseif ( loginErrorCode ) then
|
|
if ( loginErrorCode == mssql.LoginErrorType.PasswordExpired ) then passwordIsGood = true end
|
|
if ( loginErrorCode == mssql.LoginErrorType.PasswordMustChange ) then passwordIsGood = true end
|
|
if ( loginErrorCode == mssql.LoginErrorType.AccountLockedOut ) then
|
|
stdnse.debug1("Account %s locked out on %s", username, instance:GetName() )
|
|
table.insert( instance.ms_sql_empty, "'sa' account is locked out." )
|
|
end
|
|
if ( mssql.LoginErrorMessage[ loginErrorCode ] == nil ) then
|
|
stdnse.debug2("Attemping login to %s: Unknown login error number: %s", instance:GetName(), loginErrorCode )
|
|
table.insert( instance.ms_sql_empty, string.format( "Unknown login error number: %s", loginErrorCode ) )
|
|
end
|
|
else
|
|
table.insert( instance.ms_sql_empty, string.format("Network error. Error: %s", result ) )
|
|
end
|
|
|
|
if ( passwordIsGood ) then
|
|
local loginResultMessage = "Login Success"
|
|
if loginErrorCode then
|
|
loginResultMessage = mssql.LoginErrorMessage[ loginErrorCode ] or "unknown error"
|
|
end
|
|
table.insert( instance.ms_sql_empty, string.format( "%s:%s => %s", username, password:len()>0 and password or "<empty>", loginResultMessage ) )
|
|
|
|
-- Add credentials for other ms-sql scripts to use but don't
|
|
-- add accounts that need to change passwords
|
|
if ( canLogin ) then
|
|
instance.credentials[ username ] = password
|
|
-- Legacy storage method (does not distinguish between instances)
|
|
nmap.registry.mssqlusers = nmap.registry.mssqlusers or {}
|
|
nmap.registry.mssqlusers[username]=password
|
|
end
|
|
end
|
|
end
|
|
|
|
--- Processes a single instance, attempting to detect an empty password for "sa"
|
|
local function process_instance( instance )
|
|
|
|
-- One of this script's features is that it will report an instance's
|
|
-- in both the port-script results and the host-script results. In order to
|
|
-- avoid redundant login attempts on an instance, we will just make the
|
|
-- attempt once and then re-use the results. We'll use a mutex to make sure
|
|
-- that multiple script instances (e.g. a host-script and a port-script)
|
|
-- working on the same SQL Server instance can only enter this block one at
|
|
-- a time.
|
|
local mutex = nmap.mutex( instance )
|
|
mutex( "lock" )
|
|
|
|
local status, result
|
|
|
|
-- If this instance has already been tested (e.g. if we got to it by both the
|
|
-- hostrule and the portrule), don't test it again. This will reduce the risk
|
|
-- of locking out accounts.
|
|
if ( instance.tested_empty ~= true ) then
|
|
instance.tested_empty = true
|
|
|
|
instance.credentials = instance.credentials or {}
|
|
instance.ms_sql_empty = instance.ms_sql_empty or {}
|
|
|
|
if not instance:HasNetworkProtocols() then
|
|
stdnse.debug1("%s has no network protocols enabled.", instance:GetName() )
|
|
table.insert( instance.ms_sql_empty, "No network protocols enabled." )
|
|
end
|
|
|
|
local helper = mssql.Helper:new()
|
|
test_credentials( instance, helper, "sa", "" )
|
|
end
|
|
|
|
-- The password testing has been finished. Unlock the mutex.
|
|
mutex( "done" )
|
|
|
|
local instanceOutput
|
|
if ( instance.ms_sql_empty ) then
|
|
instanceOutput = {}
|
|
for _, message in ipairs( instance.ms_sql_empty ) do
|
|
table.insert( instanceOutput, message )
|
|
end
|
|
if ( nmap.verbosity() > 1 and #instance.ms_sql_empty == 0 ) then
|
|
table.insert( instanceOutput, "'sa' account password is not blank." )
|
|
end
|
|
end
|
|
|
|
return instanceOutput
|
|
|
|
end
|
|
|
|
action, portrule, hostrule = mssql.Helper.InitScript(process_instance)
|