Brute forcing MS SQL passwords

System administrators and penetration testers often need to check for weak passwords as part of the organization's security policy. Nmap can help us to perform dictionary attacks against MS SQL servers.

This recipe shows how to perform brute force password auditing of MS SQL servers by using Nmap.

How to do it...

To perform brute force password auditing against an MS SQL server, run the following Nmap command:

$ nmap -p1433 --script ms-sql-brute <target>

If any valid accounts are found, they will be included in the script output section:

PORT     STATE SERVICE 
1433/tcp open  ms-sql-s 
| ms-sql-brute: 
|   [192.168.1.102:1433] 
|     Credentials found: 
|_      sa:<empty>

How it works...

MS SQL servers usually run on TCP port 1433. The arguments -p1433 --script ms-sql-brute initiate the NSE script ms-sql-brute if an MS SQL server is found running on port 1433.

The script ms-sql-brute was written by Patrik Karlsson. It performs brute force password auditing against MS SQL databases. This script depends on the library mssql. You can learn more about it at http://nmap.org/nsedoc/lib/mssql.html.

There's more...

The database server might be running on a non-standard port. You can set the port manually by specifying the -p argument or by using Nmap's service detection:

$ nmap -sV --script ms-sql-brute <target>
$ nmap -p1234 --script ms-sql-brute <target>

Remember that if an SMB port is open, we can run this script over SMB named pipes instead by setting the argument mssql.instance-all or mssql.instance-name:

$ nmap -p445 --script ms-sql-brute --script-args mssql.instance-all <target>

The output is as follows:

PORT    STATE SERVICE 
445/tcp open  microsoft-ds 

Host script results: 
| ms-sql-brute: 
|   [192.168.1.102\MSSQLSERVER] 
|     Credentials found: 
|_      sa:<empty> => Login Success 
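When the audit covers many hosts, the findings are easier to report if they are pulled out of the saved normal output (-oN) into structured records. The following parser is an added example, not part of the recipe or of Nmap itself; it handles the two output shapes shown above (the port-script form with a host:port header and the host-script form with a host\instance header) and maps the script's <empty> marker to an empty password. The sample text it runs on is constructed from those two listings.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the two ms-sql-brute listings from the recipe, as they
# would appear one after the other in a file saved with -oN.
SAMPLE_OUTPUT = """\
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-brute:
|   [192.168.1.102:1433]
|     Credentials found:
|_      sa:<empty>

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| ms-sql-brute:
|   [192.168.1.102\\MSSQLSERVER]
|     Credentials found:
|_      sa:<empty> => Login Success
"""


@dataclass(frozen=True)
class Finding:
    instance: str   # "host:port" or "host\\INSTANCE", exactly as the script prints it
    username: str
    password: str   # "" when the script printed <empty>
    status: str     # text after "=>" when present (e.g. "Login Success"), else ""


_INSTANCE_RE = re.compile(r"^\[(?P<inst>[^\]]+)\]$")


def parse_ms_sql_brute(text: str) -> List[Finding]:
    """Extract credentials reported by ms-sql-brute from Nmap normal output."""
    findings: List[Finding] = []
    in_script = False   # inside a "| ms-sql-brute:" block
    in_creds = False    # past the "Credentials found:" line of that block
    instance = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            # Any non-script line (PORT table, blank line, section header) ends the block.
            in_script = in_creds = False
            instance = None
            continue
        body = raw[1:]
        if body.startswith("_"):          # "|_" marks the last line of a script block
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if indent == 1:
            # One-space indent is the script name line; only follow ms-sql-brute.
            in_script = line.startswith("ms-sql-brute:")
            in_creds = False
            instance = None
            continue
        if not in_script:
            continue
        m = _INSTANCE_RE.match(line)
        if m:
            instance = m.group("inst")
            in_creds = False
            continue
        if line == "Credentials found:":
            in_creds = True
            continue
        if in_creds and instance and ":" in line:
            cred, _, status = line.partition("=>")
            user, _, password = cred.strip().partition(":")
            if password == "<empty>":
                password = ""
            findings.append(Finding(instance, user, password, status.strip()))
    return findings


def empty_password_accounts(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(instance, username) pairs that logged in with no password, for the audit report."""
    return sorted({(f.instance, f.username) for f in findings if f.password == ""})


if __name__ == "__main__":
    for f in parse_ms_sql_brute(SAMPLE_OUTPUT):
        shown = f.password or "<empty>"
        print(f"{f.instance}\t{f.username}\t{shown}\t{f.status}")
```

The parser keys on the one-space indent of the script name line, so other scripts run in the same scan (for example ms-sql-info) do not pollute the results, and a blank line or the next PORT table closes the block. Passwords are split on the first colon only, so a recovered password that itself contains a colon survives intact.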

The script ms-sql-brute depends on the NSE libraries unpwdb and brute. These libraries have several script arguments that can be used to tune your brute force password auditing.

  • To use different username and password lists, set the arguments userdb and passdb:
    $ nmap -p1433 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt <target>
    
  • To quit after finding one valid account, use the argument brute.firstOnly:
    $ nmap -p1433 --script ms-sql-brute --script-args brute.firstOnly <target>
    
  • To set a different timeout limit, use the argument unpwdb.timelimit. To run it indefinitely, set it to 0:
    $ nmap -p1433 --script ms-sql-brute --script-args unpwdb.timelimit=0 <target>
    $ nmap -p1433 --script ms-sql-brute --script-args unpwdb.timelimit=60m <target>
    

Brute modes

The brute library supports different modes that alter the username/password combinations used in the attack. The available modes are:

  • user: For each user listed in userdb, every password in passdb will be tried
    $ nmap --script ms-sql-brute --script-args brute.mode=user <target>
    
  • pass: For each password listed in passdb, every user in userdb will be tried
    $ nmap --script ms-sql-brute --script-args brute.mode=pass <target>
    
  • creds: This requires the additional argument brute.credfile
    $ nmap --script ms-sql-brute --script-args brute.mode=creds,brute.credfile=./creds.txt <target>
    

See also

  • The Retrieving MS SQL server information recipe
  • The Dumping the password hashes of an MS SQL server recipe
  • The Running commands through the command shell on MS SQL servers recipe
  • The Finding sysadmin accounts with empty passwords on MS SQL servers recipe