Jump to content
Nytro

Pen Testing SQL Servers With Nmap

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Pen Testing SQL Servers With Nmap

The Nmap Scripting Engine has transform Nmap from a regular port scanner to a penetration testing machine.With the variety of the scripts that exists so far we can even perform a full penetration test to an SQL database without the need of any other tool.In this tutorial we will have a look in these scripts,what kind of information these extract from the database and how we can exploit the SQL server and execute system commands through Nmap.

Most SQL databases run on port 1433 so in order to discover information regarding the database we need to execute the following script:

screenshot.png?w=645

Obtain SQL Information – Nmap

So we already have the database version and the instance name.The next step is to check whether there is a weak password for authentication with the database.In order to achieve that we need to run the following nmap script which it will perform a brute force attack.

screenshot1.png?w=645

Brute Force Weak MS-SQL Accounts – Nmap

As we can see in this case we didn’t discover any credentials.If we want we can use this script with our own username and password lists in order to discover a valid database account with this command:

nmap -p1433 –script ms-sql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt

However we can always try another script which can check for the existence of null passwords on Microsoft SQL Servers.

screenshot-1.png?w=645

Check For Null passwords on SA accounts – Nmap

Now we know that the sa account has not a password.We can use this information in order to connect with the database directly or to continue to execute further Nmap scripts that require valid credentials.If we want to know in which databases the sa account has access to or any other account that we have discovered we can run the ms-sql-hasdbaccess script with the following arguments:

screenshot2.png?w=645Discover which user has access to which db – Nmap

We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables.

screenshot-11.png?w=645

List Tables – Nmap

In 2000 version of SQL Server xp_cmdshell is enabled by default so we can even execute operating system commands through Nmap scripts as it can be seen in the image below:

screenshot-2.png?w=645

Run OS command via xp_cmdshell – Nmap

screenshot-3.png?w=645

Run net users via xp_cmdshell – Nmap

Last but not least we can run a script to extract the database password hashes for cracking with tools like john the ripper.

screenshot-4.png?w=645

Dump MS-SQL hashes – Nmap

In this case we didn’t have any hashes because there was only one account on the database the sa which has null password.

Sursa: Pen Testing SQL Servers With Nmap | Penetration Testing Lab

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...