Justin CacakNMAP:MS-SQL-NTLM-INFO.NSEms-sql-ntlm-info NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled.
Sending a MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with a NTLMSSP message disclosing information to include NetBIOS, DNS, and OS build version.
Script Arguments
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 1433 --script ms-sql-ntlm-info <target>
Script Output
1433/tcp open ms-sql-s
| ms-sql-ntlm-info:
| Target_Name: ACTIVESQL
| NetBIOS_Domain_Name: ACTIVESQL
| NetBIOS_Computer_Name: DB-TEST2
| DNS_Domain_Name: somedomain.com
| DNS_Computer_Name: db-test2.somedomain.com
| DNS_Tree_Name: somedomain.com
|_ Product_Version: 6.1.7601
Requires
local os = require "os"
local datetime = require "datetime"
local mssql = require "mssql"
local stdnse = require "stdnse"
local smbauth = require "smbauth"
local string = require "string"
description = [[
This script enumerates information from remote Microsoft SQL services with NTLM
authentication enabled.
Sending a MS-TDS NTLM authentication request with an invalid domain and null
credentials will cause the remote service to respond with a NTLMSSP message
disclosing information to include NetBIOS, DNS, and OS build version.
]]
---
-- @usage
-- nmap -p 1433 --script ms-sql-ntlm-info <target>
--
-- @output
-- 1433/tcp open ms-sql-s
-- | ms-sql-ntlm-info:
-- | Target_Name: ACTIVESQL
-- | NetBIOS_Domain_Name: ACTIVESQL
-- | NetBIOS_Computer_Name: DB-TEST2
-- | DNS_Domain_Name: somedomain.com
-- | DNS_Computer_Name: db-test2.somedomain.com
-- | DNS_Tree_Name: somedomain.com
-- |_ Product_Version: 6.1.7601
--
--@xmloutput
-- <elem key="Target_Name">ACTIVESQL</elem>
-- <elem key="NetBIOS_Domain_Name">ACTIVESQL</elem>
-- <elem key="NetBIOS_Computer_Name">DB-TEST2</elem>
-- <elem key="DNS_Domain_Name">somedomain.com</elem>
-- <elem key="DNS_Computer_Name">db-test2.somedomain.com</elem>
-- <elem key="DNS_Tree_Name">somedomain.com</elem>
-- <elem key="Product_Version">6.1.7601</elem>
author = "Justin Cacak"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"default", "discovery", "safe"}
dependencies = {"broadcast-ms-sql-discover"}
local do_action = function(host, port)
local output = stdnse.output_table()
local tdsstream = mssql.TDSStream:new()
local status, result = tdsstream:Connect(host, port)
if not status then
return nil
end
local lp = mssql.LoginPacket:new()
lp:SetUsername("")
lp:SetPassword("")
lp:SetDatabase("")
lp:SetServer(stdnse.get_hostname(host))
-- Setting domain forces NTLM authentication
lp:SetDomain(".")
status, result = tdsstream:Send( lp:ToString() )
if not status then
tdsstream:Disconnect()
return nil
end
local status, response, errorDetail = tdsstream:Receive()
local recvtime = os.time()
tdsstream:Disconnect()
local ttype, pos = string.unpack("B", response)
if ttype ~= mssql.TokenType.NTLMSSP_CHALLENGE then
return nil
end
local data, pos = string.unpack("<s2", response, pos)
if not string.match(data, "^NTLMSSP") then
return nil
end
-- Leverage smbauth.get_host_info_from_security_blob() for decoding
local ntlm_decoded = smbauth.get_host_info_from_security_blob(data)
if ntlm_decoded.timestamp then
-- 64-bit number of 100ns clicks since 1/1/1601
local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600
datetime.record_skew(host, unixstamp, recvtime)
end
-- Target Name will always be returned under any implementation
output.Target_Name = ntlm_decoded.target_realm
-- Display information returned & ignore responses with null values
if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then
output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name
end
if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then
output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name
end
if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then
output.DNS_Domain_Name = ntlm_decoded.dns_domain_name
end
if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then
output.DNS_Computer_Name = ntlm_decoded.fqdn
end
if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then
output.DNS_Tree_Name = ntlm_decoded.dns_forest_name
end
if ntlm_decoded.os_major_version then
output.Product_Version = string.format("%d.%d.%d",
ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build)
end
return output
end
local function process_instance(instance)
return do_action(instance.host, instance.port)
end
action, portrule = mssql.Helper.InitScript(process_instance)
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%