diff options
Diffstat (limited to 'scripts/ms-sql-config.nse')
-rw-r--r-- | scripts/ms-sql-config.nse | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/scripts/ms-sql-config.nse b/scripts/ms-sql-config.nse new file mode 100644 index 0000000..83db030 --- /dev/null +++ b/scripts/ms-sql-config.nse @@ -0,0 +1,132 @@ +local mssql = require "mssql" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" + +-- -*- mode: lua -*- +-- vim: set filetype=lua : + +description = [[ +Queries Microsoft SQL Server (ms-sql) instances for a list of databases, linked servers, +and configuration settings. + +SQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code> +and/or <code>mssql.username</code> & <code>mssql.password</code>) +Run criteria: +* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code> +or <code>mssql.instance-port</code> script arguments are used (see mssql.lua). +* Port script: Will run against any services identified as SQL Servers, but only +if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code> +and <code>mssql.instance-port</code> script arguments are NOT used. + +NOTE: Communication with instances via named pipes depends on the <code>smb</code> +library. To communicate with (and possibly to discover) instances via named pipes, +the host must have at least one SMB port (e.g. TCP 445) that was scanned and +found to be open. Additionally, named pipe connections may require Windows +authentication to connect to the Windows host (via SMB) in addition to the +authentication required to connect to the SQL Server instances itself. See the +documentation and arguments for the <code>smb</code> library for more information. + +NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate +with ports that were not included in the port list for the Nmap scan. This can +be disabled using the <code>mssql.scanned-ports-only</code> script argument. +]] + +--- +-- @usage +-- nmap -p 1433 --script ms-sql-config --script-args mssql.username=sa,mssql.password=sa <host> +-- +-- @args ms-sql-config.showall If set, shows all configuration options. +-- +-- @output +-- | ms-sql-config: +-- | [192.168.100.25\MSSQLSERVER] +-- | Databases +-- | name db_size owner +-- | ==== ======= ===== +-- | nmap 2.74 MB MAC-MINI\david +-- | Configuration +-- | name value inuse description +-- | ==== ===== ===== =========== +-- | SQL Mail XPs 0 0 Enable or disable SQL Mail XPs +-- | Database Mail XPs 0 0 Enable or disable Database Mail XPs +-- | SMO and DMO XPs 1 1 Enable or disable SMO and DMO XPs +-- | Ole Automation Procedures 0 0 Enable or disable Ole Automation Procedures +-- | xp_cmdshell 0 0 Enable or disable command shell +-- | Ad Hoc Distributed Queries 0 0 Enable or disable Ad Hoc Distributed Queries +-- | Replication XPs 0 0 Enable or disable Replication XPs +-- | Linked Servers +-- | srvname srvproduct providername +-- | ======= ========== ============ +-- |_ MAC-MINI SQL Server SQLOLEDB +-- + +-- Created 04/02/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> +-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host; +-- added compatibility with changes in mssql.lua (Chris Woodbury) + +author = "Patrik Karlsson" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"discovery", "safe"} + + +dependencies = {"broadcast-ms-sql-discover", "ms-sql-brute", "ms-sql-empty-password"} + +--- Processes a set of instances +local function process_instance( instance ) + + local status, errorMessage + local result, result_part = {}, {} + local conf_filter = stdnse.get_script_args( {'mssql-config.showall', 'ms-sql-config.showall'} ) and "" + or " WHERE configuration_id > 16384" + local db_filter = stdnse.get_script_args( {'mssql-config.showall', 'ms-sql-config.showall'} ) and "" + or " WHERE name NOT IN ('master','model','tempdb','msdb')" + local helper = mssql.Helper:new() + + local queries = { + [2]={ ["Configuration"] = [[ SELECT name, + cast(value as varchar) value, + cast(value_in_use as varchar) inuse, + description + FROM sys.configurations ]] .. conf_filter }, + [3]={ ["Linked Servers"] = [[ SELECT srvname, srvproduct, providername + FROM master..sysservers + WHERE srvid > 0 ]] }, + [1]={ ["Databases"] = [[ CREATE TABLE #nmap_dbs(name varchar(255), db_size varchar(255), owner varchar(255), + dbid int, created datetime, status varchar(512), compatibility_level int ) + INSERT INTO #nmap_dbs EXEC sp_helpdb + SELECT name, db_size, owner + FROM #nmap_dbs ]] .. db_filter .. [[ + DROP TABLE #nmap_dbs ]] } + } + + status, errorMessage = helper:ConnectEx( instance ) + if ( not(status) ) then result = "ERROR: " .. errorMessage end + + if status then + status, errorMessage = helper:LoginEx( instance ) + if ( not(status) ) then result = "ERROR: " .. errorMessage end + end + + for _, v in ipairs( queries ) do + if ( not status ) then break end + for header, query in pairs(v) do + status, result_part = helper:Query( query ) + + if ( not(status) ) then + result = "ERROR: " .. result_part + break + end + result_part = mssql.Util.FormatOutputTable( result_part, true ) + result_part.name = header + table.insert( result, result_part ) + end + end + + helper:Disconnect() + + -- TODO: structured output instead of format_output + return stdnse.format_output(true, result) +end + +action, portrule, hostrule = mssql.Helper.InitScript(process_instance) |