Posted on

Pen Testing SQL Servers With Nmap

The Nmap Scripting Engine has transform Nmap from a regular port scanner to a penetration testing machine.With the variety of the scripts that exists so far we can even perform a full penetration test to an SQL database without the need of any other tool.In this tutorial we will have a look in these scripts,what kind of information these extract from the database and how we can exploit the SQL server and execute system commands through Nmap.

Most SQL databases run on port 1433 so in order to discover information regarding the database we need to execute the following script:

Obtain SQL Information - Nmap
Obtain SQL Information – Nmap

 

So we already have the database version and the instance name.The next step is to check whether there is a weak password for authentication with the database.In order to achieve that we need to run the following nmap script which it will perform a brute force attack.

Brute Force Weak MS-SQL Accounts - Nmap
Brute Force Weak MS-SQL Accounts – Nmap

 

As we can see in this case we didn’t discover any credentials.If we want we can use this script with our own username and password lists in order to discover a valid database account with this command:

nmap -p1433 –script ms-sql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt

However we can always try another script which can check for the existence of null passwords on Microsoft SQL Servers.

Check For Null passwords on SA accounts - Nmap
Check For Null passwords on SA accounts – Nmap

 

Now we know that the sa account has not a password.We can use this information in order to connect with the database directly or to continue to execute further Nmap scripts that require valid credentials.If we want to know in which databases the sa account has access to or any other account that we have discovered we can run the ms-sql-hasdbaccess script with the following arguments:

Discover which user has access to which db - Nmap
Discover which user has access to which db – Nmap

 

We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables.

List Tables - Nmap
List Tables – Nmap

 

In 2000 version of SQL Server xp_cmdshell is enabled by default so we can even execute operating system commands through Nmap scripts as it can be seen in the image below:

 

Run OS command via xp_cmdshell - Nmap
Run OS command via xp_cmdshell – Nmap

 

Run net users via xp_cmdshell - Nmap
Run net users via xp_cmdshell – Nmap

 

Last but not least we can run a script to extract the database password hashes for cracking with tools like john the ripper.

 

Dump MS-SQL hashes - Nmap
Dump MS-SQL hashes – Nmap

 

In this case we didn’t have any hashes because there was only one account on the database the sa which has null password.