The Nmap Scripting Engine has transform Nmap from a regular port scanner to a penetration testing machine.With the variety of the scripts that exists so far we can even perform a full penetration test to an SQL database without the need of any other tool.In this tutorial we will have a look in these scripts,what kind of information these extract from the database and how we can exploit the SQL server and execute system commands through Nmap.
Most SQL databases run on port 1433 so in order to discover information regarding the database we need to execute the following script:
So we already have the database version and the instance name.The next step is to check whether there is a weak password for authentication with the database.In order to achieve that we need to run the following nmap script which it will perform a brute force attack.
As we can see in this case we didn’t discover any credentials.If we want we can use this script with our own username and password lists in order to discover a valid database account with this command:
nmap -p1433 –script ms-sql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt
However we can always try another script which can check for the existence of null passwords on Microsoft SQL Servers.
Now we know that the sa account has not a password.We can use this information in order to connect with the database directly or to continue to execute further Nmap scripts that require valid credentials.If we want to know in which databases the sa account has access to or any other account that we have discovered we can run the ms-sql-hasdbaccess script with the following arguments:
We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables.
In 2000 version of SQL Server xp_cmdshell is enabled by default so we can even execute operating system commands through Nmap scripts as it can be seen in the image below:
Last but not least we can run a script to extract the database password hashes for cracking with tools like john the ripper.
In this case we didn’t have any hashes because there was only one account on the database the sa which has null password.