RSS

Pen Testing SQL Servers With Nmap

21 Apr

The Nmap Scripting Engine has transform Nmap from a regular port scanner to a penetration testing machine.With the variety of the scripts that exists so far we can even perform a full penetration test to an SQL database without the need of any other tool.In this tutorial we will have a look in these scripts,what kind of information these extract from the database and how we can exploit the SQL server and execute system commands through Nmap.

Most SQL databases run on port 1433 so in order to discover information regarding the database we need to execute the following script:

Obtain SQL Information - Nmap

Obtain SQL Information – Nmap

 

So we already have the database version and the instance name.The next step is to check whether there is a weak password for authentication with the database.In order to achieve that we need to run the following nmap script which it will perform a brute force attack.

Brute Force Weak MS-SQL Accounts - Nmap

Brute Force Weak MS-SQL Accounts – Nmap

 

As we can see in this case we didn’t discover any credentials.If we want we can use this script with our own username and password lists in order to discover a valid database account with this command:

nmap -p1433 –script ms-sql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt

However we can always try another script which can check for the existence of null passwords on Microsoft SQL Servers.

Check For Null passwords on SA accounts - Nmap

Check For Null passwords on SA accounts – Nmap

 

Now we know that the sa account has not a password.We can use this information in order to connect with the database directly or to continue to execute further Nmap scripts that require valid credentials.If we want to know in which databases the sa account has access to or any other account that we have discovered we can run the ms-sql-hasdbaccess script with the following arguments:

Discover which user has access to which db - Nmap

Discover which user has access to which db – Nmap

 

We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables.

List Tables - Nmap

List Tables – Nmap

 

In 2000 version of SQL Server xp_cmdshell is enabled by default so we can even execute operating system commands through Nmap scripts as it can be seen in the image below:

 

Run OS command via xp_cmdshell - Nmap

Run OS command via xp_cmdshell – Nmap

 

Run net users via xp_cmdshell - Nmap

Run net users via xp_cmdshell – Nmap

 

Last but not least we can run a script to extract the database password hashes for cracking with tools like john the ripper.

 

Dump MS-SQL hashes - Nmap

Dump MS-SQL hashes – Nmap

 

In this case we didn’t have any hashes because there was only one account on the database the sa which has null password.

About these ads
 
5 Comments

Posted by on April 21, 2013 in Exploitation Techniques

 

Tags: , , ,

5 responses to “Pen Testing SQL Servers With Nmap

  1. Super Man

    April 24, 2013 at 3:02 pm

    Very nice article

     
    • Raj Chandel

      April 29, 2013 at 2:34 pm

      Nice Article. Thaksx for sharing

       
  2. Emilio Martin Uribe

    July 8, 2013 at 12:09 am

    Very Nicee!! exelentt!

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 662 other followers

%d bloggers like this: