Quick SQL Server pentest with NMAP

SQL server info & empty password with username=sa check & ms-sql-dac test:

sudo nmap -d  -p 1433 –script ms-sql-info,ms-sql-empty-password 
sudo nmap -sU -p 1434 –script ms-sql-dac

Brute force usernames and passwords OR to check login success or not:

sudo nmap -p 1433 –script ms-sql-brute –script-args userdb=”/home/user/customuser.txt”,passdb=”/home/user/passsql.txt”

Server info + brute:

sudo nmap -p 1433 –script ms-sql-info,ms-sql-brute –script-args ms-sql-brute.ignore-lockout,userdb=”/home/user/customuser.txt”,passdb=”/home/user/passsql.txt”

See the configuration file and databases, to dump password users&hashes, to list databases and its ouwners list:

sudo nmap -p 1433 <ip> –script ms-sql-dump-hashes
sudo nmap -p 1433 –script ms-sql-dump-hashes,ms-sql-hasdbaccess,ms-sql-config –script-args mssql.username=UNAME,mssql.password=UPWD
sudo nmap -p 1433 –script ms-sql-dump-hashes,ms-sql-hasdbaccess,ms-sql-config –script-args mssql.username=UNAME,mssql.password=UPWD,ms-sql-config.showall

Execute custom QUERIES:

sudo nmap -p 1433 –script ms-sql-query –script-args mssql.username=UNAME,mssql.password=UPWD,ms-sql-query.query=”SELECT @@version version”
sudo nmap -p 1433 –script ms-sql-query –script-args mssql.username=UNAME,mssql.password=UPWD,mssql.database=tempdb,ms-sql-query.query=”SELECT * FROM master..syslogins”

Listing  the tables:

sudo nmap -p 1433 –script ms-sql-tables –script-args  ms-sql-tables.maxdb=0,ms-sql-tables.maxtables=0,mssql.username=UNAME,mssql.password=UPWD

Finding SQL server in broadcast network:

nmap –script broadcast-ms-sql-discover,ms-sql-info –script-args=newtargets
nmap –script broadcast-ms-sql-discover

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s