System administrators and penetration testers often need to check for weak passwords as part of the organization's security policy. Nmap can help us to perform dictionary attacks against MS SQL servers.
This recipe shows how to perform brute force password auditing of MS SQL servers by using Nmap.
To perform brute force password auditing against an MS SQL server, run the following Nmap command:
$ nmap -p1433 --script ms-sql-brute <target>
If any valid accounts are found, they will be included in the script output section:
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-brute:
|   [192.168.1.102:1433]
|     Credentials found:
|_      sa:<empty>
MS SQL servers usually run on TCP port 1433. The arguments -p1433 --script ms-sql-brute initiate the NSE script ms-sql-brute if an MS SQL server is found running on port 1433.
The script ms-sql-brute was written by Patrik Karlsson. It performs brute force password auditing against MS SQL databases. The script depends on the mssql library; you can learn more about it at http://nmap.org/nsedoc/lib/mssql.html.
The database server might be running on a non-standard port. You can set the port manually by specifying the -p argument, or let Nmap's service detection find it:
$ nmap -sV --script ms-sql-brute <target>
$ nmap -p1234 --script ms-sql-brute <target>
Remember that if an SMB port is open, we can run this script over SMB named pipes instead of the TCP port by setting the argument mssql.instance-all or mssql.instance-name:
$ nmap -p445 --script ms-sql-brute --script-args mssql.instance-all <target>
The output is as follows:
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| ms-sql-brute:
|   [192.168.1.102\MSSQLSERVER]
|     Credentials found:
|_      sa:<empty> => Login Success
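When ms-sql-brute is run across many hosts, the credentials it reports have to be pulled out of the normal Nmap output for the audit report. The parser below is an added example written for this recipe; it is not code from the book or from the Nmap project. It handles both output shapes shown above: the port-script form that labels the instance as host:port, and the SMB named-pipe form that labels it as host\instance and appends "=> Login Success". The sample output embedded in the block is constructed from the two listings in the recipe plus one extra made-up account, and the parser assumes passwords contain no whitespace, which is how Nmap prints them.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the two ms-sql-brute listings from the recipe, plus one
# invented account ("auditor") so the parser has more than one hit to return.
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-brute:
|   [192.168.1.102:1433]
|     Credentials found:
|_      sa:<empty>

PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| ms-sql-brute:
|   [192.168.1.102\\MSSQLSERVER]
|     Credentials found:
|       sa:<empty> => Login Success
|_      auditor:Summer2012 => Login Success
"""


class Finding(NamedTuple):
    instance: str   # "host:port" (TCP scan) or "host\\instance" (named pipes)
    user: str
    password: str   # "" when the script printed <empty>


# NSE output lines start with "| " (more lines follow) or "|_ " (last line).
_SCRIPT_HEADER_RE = re.compile(r"^\|_?\s(?P<name>\S+):\s*$")          # "| ms-sql-brute:"
_INSTANCE_RE = re.compile(r"^\|_?\s+\[(?P<instance>[^\]]+)\]\s*$")    # "|   [host:port]"
_CRED_RE = re.compile(
    r"^\|_?\s+(?P<user>[^:\s]+):(?P<password>\S+)(?:\s+=>\s+Login Success)?\s*$"
)


def parse_ms_sql_brute(text: str) -> List[Finding]:
    """Extract (instance, user, password) triples from Nmap normal output."""
    findings: List[Finding] = []
    in_script = False
    instance: Optional[str] = None
    for line in text.splitlines():
        if not line.startswith("|"):
            # Any non-NSE line (port table, blank line, "Host script results:")
            # ends the current script block.
            in_script, instance = False, None
            continue
        header = _SCRIPT_HEADER_RE.match(line)
        if header:
            # Another script's block may follow in the same host section;
            # only ms-sql-brute lines are interpreted as credentials.
            in_script = header.group("name") == "ms-sql-brute"
            instance = None
            continue
        if not in_script:
            continue
        m = _INSTANCE_RE.match(line)
        if m:
            instance = m.group("instance")
            continue
        if "Credentials found" in line:
            continue
        m = _CRED_RE.match(line)
        if m and instance:
            pw = m.group("password")
            findings.append(Finding(instance, m.group("user"), "" if pw == "<empty>" else pw))
    return findings


def blank_password_accounts(findings: List[Finding]) -> List[Finding]:
    """The findings an auditor usually escalates first: logins with no password at all."""
    return [f for f in findings if f.password == ""]


if __name__ == "__main__":
    for f in parse_ms_sql_brute(SAMPLE_OUTPUT):
        print(f"{f.instance}\t{f.user}\t{f.password or '<empty>'}")
```

Feed it the -oN file of a scan and the result is a flat list that can be joined against an inventory to find which instances still have the sa login enabled with no password.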
The script ms-sql-brute depends on the NSE libraries unpwdb and brute. These libraries have several script arguments that can be used to tune your brute force password auditing.
userdb and passdb: use your own username and password lists instead of the default ones.
$ nmap -p1433 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
brute.firstOnly: stop after the first valid credential is found.
$ nmap -p1433 --script ms-sql-brute --script-args brute.firstOnly <target>
unpwdb.timelimit: limit how long the username/password iterators run. To run indefinitely, set it to 0.
$ nmap -p1433 --script ms-sql-brute --script-args unpwdb.timelimit=0 <target>
$ nmap -p1433 --script ms-sql-brute --script-args unpwdb.timelimit=60m <target>
The brute library supports different modes that alter the username/password combinations used in the attack. The available modes are:
user: for each user listed in userdb, every password in passdb will be tried.
$ nmap --script ms-sql-brute --script-args brute.mode=user <target>
pass: for each password listed in passdb, every user in userdb will be tried.
$ nmap --script ms-sql-brute --script-args brute.mode=pass <target>
creds: this requires the additional argument brute.credfile, a file of username/password pairs to try as-is.
$ nmap --script ms-sql-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
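From the server side the two main modes leave different traces: the user mode produces a burst of failed logins against one account from one client, while the pass mode produces a few failures spread across many accounts from one client (a password spray). SQL Server records every failed login in its ERRORLOG as error 18456 followed by a "Login failed for user" line that names the account and the client address. The detector below is an added example for this recipe, not code from the book or from Nmap: it parses those lines, keeps a 60-second sliding window per client, and labels the client "brute-force" or "spray" using thresholds that are assumptions to be tuned for the environment. The log excerpt in the block is constructed; only the "Login failed" line is parsed, and the accompanying "Error: 18456" lines are shown once to illustrate that they are ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Constructed ERRORLOG excerpt: client .50 hammers one account (brute.mode=user
# pattern), client .77 tries one guess against several accounts (brute.mode=pass
# pattern), and 10.0.0.5 is a single mistyped password.
SAMPLE_ERRORLOG = """\
2012-09-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2012-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-09-01 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-09-01 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-09-01 10:00:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-09-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-09-01 10:00:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
2012-09-01 10:05:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.77]
2012-09-01 10:05:00.50 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.77]
2012-09-01 10:05:01.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.1.77]
2012-09-01 10:05:01.50 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.77]
2012-09-01 11:30:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2012-09-01 11:30:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""


class FailedLogin(NamedTuple):
    ts: datetime
    user: str
    client: str


# ERRORLOG layout: "<timestamp> <source> <message>"; the client address is
# appended as "[CLIENT: <ip>]" on the "Login failed" message.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text: str) -> List[FailedLogin]:
    """Return the failed-login events in timestamp order; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append(FailedLogin(ts, m.group("user"), m.group("client")))
    return sorted(events)


def detect_password_attacks(events: List[FailedLogin],
                            window: timedelta = timedelta(seconds=60),
                            max_failures: int = 5,
                            max_users: int = 3) -> Dict[str, dict]:
    """Per client: peak failures and peak distinct users inside any `window`,
    and a verdict of 'spray', 'brute-force' or None. Thresholds are assumptions."""
    by_client: Dict[str, List[FailedLogin]] = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)
    report: Dict[str, dict] = {}
    for client, evs in by_client.items():
        peak_failures, peak_users, start = 0, 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            peak_failures = max(peak_failures, len(chunk))
            peak_users = max(peak_users, len({e.user for e in chunk}))
        verdict: Optional[str] = None
        if peak_users >= max_users:
            verdict = "spray"            # one guess across many accounts
        elif peak_failures >= max_failures:
            verdict = "brute-force"      # many guesses against few accounts
        report[client] = {"failures": peak_failures,
                          "distinct_users": peak_users,
                          "verdict": verdict}
    return report


if __name__ == "__main__":
    for client, r in detect_password_attacks(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {r}")
```

Because the spray check runs first, a client that both sprays and hammers is reported as a spray, which is the finding that matters more for lockout policy. The same counters can be fed from the Windows Application log, where SQL Server raises the identical 18456 events.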