ms-sql-dac NSE Script

2012-07-10 09:50:51
Patrik Karlsson
nmap.org

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.973 High (Percentile 99.8%)

Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example when the server is hanging, out of memory or in some other bad state. In addition, the DAC port gives an administrator access to system objects that are not reachable over normal connections.

By default the DAC feature listens only on the loopback adapter, but it can be enabled for remote access by setting the 'remote admin connection' configuration value to 1. In some cases, when DAC has been enabled remotely and later disabled again, the SQL Browser service may still incorrectly report it as available. The script therefore attempts a TCP connection to the reported port in order to verify whether it is actually accessible.

Script Arguments

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

sudo nmap -sU -p 1434 --script ms-sql-dac <ip>

Script Output

| ms-sql-dac:
|   SQLSERVER:
|     port: 1533
|_    state: open
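The same discover-then-verify logic outside Nmap, as an added Python example that is not part of the script on this page: it builds the MC-SQLR CLNT_UCAST_DAC request sent to UDP 1434, parses the Browser's DAC reply, and then, like the script's checkPort(), confirms the reported TCP port with a connect so that a stale Browser answer is not reported as an exposed DAC. The byte layout follows MC-SQLR; the function names, the separate "filtered" state for a timed-out connect (the script itself only reports open or closed) and the sample reply bytes are assumptions constructed for this example.

```python
"""
Query the SQL Server Browser service for an instance's DAC port and verify
that the port really accepts TCP connections (added example, not the Nmap
script's own code).
"""
import socket
import struct

SQL_BROWSER_PORT = 1434
CLNT_UCAST_DAC = 0x0F     # MC-SQLR request type: "DAC port of this instance?"
SVR_RESP = 0x05           # MC-SQLR response type
PROTOCOL_VERSION = 0x01
DAC_RESP_LEN = 6          # type(1) + size(2) + version(1) + port(2)


def build_dac_request(instance_name: str) -> bytes:
    """CLNT_UCAST_DAC: type byte, version byte, NUL-terminated instance name."""
    name = instance_name.encode("ascii")
    if not name or b"\x00" in name:
        raise ValueError("instance name must be a non-empty ASCII string")
    return struct.pack("BB", CLNT_UCAST_DAC, PROTOCOL_VERSION) + name + b"\x00"


def parse_dac_response(data: bytes) -> int:
    """
    DAC response: SVR_RESP (1) | RESP_SIZE (2, LE, must be 6)
                  | PROTOCOL_VERSION (1) | TCP_DAC_PORT (2, LE).
    Raise ValueError on anything else so a truncated or foreign reply is
    never mistaken for a port number.
    """
    if len(data) != DAC_RESP_LEN:
        raise ValueError(f"unexpected DAC response length {len(data)}")
    msg_type, size, version, port = struct.unpack("<BHBH", data)
    if msg_type != SVR_RESP or size != DAC_RESP_LEN or version != PROTOCOL_VERSION:
        raise ValueError("not a well-formed DAC response")
    if port == 0:
        raise ValueError("instance reports no DAC port")
    return port


def discover_dac_port(host: str, instance: str, timeout: float = 5.0) -> int:
    """Ask the Browser service (UDP 1434) which TCP port the DAC listens on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dac_request(instance), (host, SQL_BROWSER_PORT))
        data, _ = s.recvfrom(1024)
    return parse_dac_response(data)


def tcp_port_state(host: str, port: int, timeout: float = 5.0) -> str:
    """
    Mirror of the script's checkPort(): the Browser may report a port that
    no longer listens (DAC enabled remotely, then disabled), so only a real
    TCP connect decides. "filtered" for a timeout is an addition here; the
    script collapses every failure to "closed".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "closed"


def check_instance(host: str, instance: str) -> dict:
    """Produce the same fields the script prints: port and verified state."""
    port = discover_dac_port(host, instance)
    return {"instance": instance, "port": port, "state": tcp_port_state(host, port)}


if __name__ == "__main__":
    import sys
    target, inst = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "MSSQLSERVER")
    print(check_instance(target, inst))
```

A reported port whose state is "open" means the instance accepts DAC connections from the network, which is the condition to review; the page's remedy is the 'remote admin connection' option, which can be returned to 0 via sp_configure. A port that the Browser reports but that turns out "closed" is the stale-advertisement case the script's verification step exists for.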

Requires

mssql, nmap, stdnse

local mssql = require "mssql"
local nmap = require "nmap"
local stdnse = require "stdnse"

description = [[
Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin
Connection) port of a given (or all) SQL Server instance. The DAC port
is used to connect to the database instance when normal connection
attempts fail, for example, when server is hanging, out of memory or
in other bad states. In addition, the DAC port provides an admin with
access to system objects otherwise not accessible over normal
connections.

The DAC feature is accessible on the loopback adapter per default, but
can be activated for remote access by setting the 'remote admin
connection' configuration value to 1. In some cases, when DAC has been
remotely enabled but later disabled, the sql browser service may
incorrectly report it as available. The script therefore attempts to
connect to the reported port in order to verify whether it's
accessible or not.
]]

---
-- @usage
-- sudo nmap -sU -p 1434 --script ms-sql-dac <ip>
--
-- @output
-- | ms-sql-dac:
-- |   SQLSERVER:
-- |     port: 1533
-- |_    state: open
--

author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

dependencies = {"broadcast-ms-sql-discover"}

local function checkPort(host, port)
  local scanport = nmap.get_port_state(host, {number=port, protocol="tcp"})
  if scanport then
    return scanport.state
  end
  local s = nmap.new_socket()
  s:set_timeout(5000)
  local status, err = s:connect(host, port, "tcp")
  s:close()
  return (status and "open" or "closed"), err
end

local function discoverDAC(instance)
  stdnse.debug2("Discovering DAC port on instance: %s", instance:GetName())
  local port = mssql.Helper.DiscoverDACPort(instance)
  if not port then
    return nil
  end

  local result = stdnse.output_table()
  result.port = port
  local state, err = checkPort(instance.host, port)
  result.state = state
  result.error = err
  return result
end

local lib_portrule, lib_hostrule
action, lib_portrule, lib_hostrule = mssql.Helper.InitScript(discoverDAC)

local function rule_if_browser_open(lib_rule)
  return function (host, ...)
    if not lib_rule(host, ...) then
      return false
    end
    local bport = nmap.get_port_state(host, {number=1434, protocol="udp"})
    -- If port is nil, we don't know the state
    return bport == nil or (
      -- we know the state, so it has to be a good one
      bport.state == "open" or bport.state == "open|filtered"
      )
  end
end

portrule = rule_if_browser_open(lib_portrule)
hostrule = rule_if_browser_open(lib_hostrule)
