ms-sql-brute
脚本使用类型:
hostrule, portrule
脚本所属分类:
brute, intrusive
脚本下载地址: http://nmap.org/svn/scripts/ms-sql-brute.nse
Performs password guessing against Microsoft SQL Server (ms-sql). Works best in
conjunction with the broadcast-ms-sql-discover
script.
SQL Server credentials required: No (will not benefit from mssql.username
& mssql.password
).
Run criteria:
mssql.instance-all
, mssql.instance-name
or mssql.instance-port
script arguments are used (see mssql.lua).
mssql.instance-all
, mssql.instance-name
and mssql.instance-port
script arguments are NOT used.
WARNING: SQL Server 2005 and later versions include support for account lockout
policies (which are enforced on a per-user basis). If an account is locked out,
the script will stop running for that instance, unless the
ms-sql-brute.ignore-lockout
argument is used.
NOTE: Communication with instances via named pipes depends on the smb
library. To communicate with (and possibly to discover) instances via named pipes,
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
found to be open. Additionally, named pipe connections may require Windows
authentication to connect to the Windows host (via SMB) in addition to the
authentication required to connect to the SQL Server instances itself. See the
documentation and arguments for the smb
library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
with ports that were not included in the port list for the Nmap scan. This can
be disabled using the mssql.scanned-ports-only
script argument.
WARNING! Including this argument will cause the script to continue attempting to brute-forcing passwords for users even after a user has been locked out. This may result in many SQL Server logins being locked out!
Enable targeting Windows accounts as part of the brute force attack. This should be used in conjunction with the mssql library's mssql.domain argument.
执行格式
nmap -p 445 --script ms-sql-brute --script-args mssql.instance-all,userdb=customuser.txt,passdb=custompass.txt <host> nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt <host>
| ms-sql-brute: | [192.168.100.128\TEST] | No credentials found | Warnings: | sa: AccountLockedOut | [192.168.100.128\PROD] | Credentials found: | webshop_reader:secret => Login Success | testuser:secret1234 => PasswordMustChange |_ lordvader:secret1234 => Login Success
Author: Patrik Karlsson
License: VER007 整理 http://www.ver007.com