How To Use Nmap To Hack A Computer
Pen test and hack Microsoft SQL Server (mssql)

All the information I'm about to go over is nothing new; I'm just trying to organize all my notes on pen testing mssql. Hopefully my notes will help others.

All the commands and instructions are Linux based, so keep that in mind. The first thing you'll need to do is discover IP addresses that have mssql running. You'll accomplish this by running some type of scan. The scanner of choice is always nmap, but there are some things you'll need to consider when scanning for mssql. The default port for mssql is 1. So for starters it's definitely a good idea to scan an IP range looking for port 1.

Step 1: scan for port 1. This will only scan for port 1. The IP range will vary. My output is below.

Starting Nmap 5. 5. BETA1 http nmap. EST.
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE.
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE
1.
MAC Address 0. C 2. 9 4. C 3. E VMware
Nmap done 1. IP addresses 2 hosts up scanned in 0.
In this case the 1. So great success, we've found a box running mssql. Hold your horses, because this is simply the beginning. If your scanning is focused then this type of scan is fine, meaning I'm not scanning thousands of hosts, I'm only focused on a handful of hosts. If I'm only concerned about scanning a handful of hosts then my next step would be to determine two things: the version of the database, and whether there are any other additional listening ports for this database.

To determine the version of the database we can once again turn to nmap.

-A 1. 92. 1. 68. 1.

The -A option will try to determine as much information as it can about the service on port 1. The -A option will also try to determine the underlying OS. Below is the output from this scan.

Starting Nmap 5. 5. BETA1 http nmap. EST.
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE VERSION.
Microsoft SQL Server 2. RTM.
MAC Address 0. C 2. 9 4. C 3. E VMware.
Warning OSScan results may be unreliable because we could not find at least 1 open and 1 closed port.
Device type general purpose.
Running Microsoft Windows 2.
OS details Microsoft Windows Server 2. SP1 or SP2.
Network Distance 1 hop.
Host script results
ms-sql-info
Windows server name WIN2.
MSSQLSERVER Instance name MSSQLSERVER
Version Microsoft SQL Server 2. RTM
Version number 9.
Product Microsoft SQL Server 2.
Service pack level RTM
Post SP patches applied No
TCP port 1.
Named pipe 1. 92.
Clustered No.

So you'll notice in the output nmap is reporting the version of mssql to be SQL Server 2. Knowing the version is very important because different versions of SQL Server provide different security features and also have different vulnerabilities.
There are other ways of determining the version of SQL Server without authenticating, but to me nmap is the best solution. Next let's talk about looking for other ports that mssql may be listening on. For multiple reasons, like load balancing, mssql can listen on multiple ports. When pen testing mssql we want to know what those ports are so we can bang against them. Depending on the configuration you can authenticate to every listening mssql port. One thing to keep in mind is that you can authenticate to mssql using your normal Windows network (Active Directory) credentials, or you can authenticate using an account that was set up on the mssql server itself. This is known as Windows authentication or SQL authentication. When setting up the SQL server and its ports the database administrator has to configure how this authentication takes place. The easier target is SQL credentials, as those are typically configured with a weaker password policy. Now that I've discussed some of the issues, let's get cracking.

To determine additional ports that a database may be running on we'll once again turn to nmap. This time I told mssql to also listen on port 1. So now go ahead and run the same nmap command as before.

-A -p 1. 43. 3 1.

Starting Nmap 5. BETA1 http nmap. EST
Nmap scan report for 1.
Host is up 0. 0.
PORT STATE SERVICE VERSION
1. Microsoft SQL Server 2. RTM
MAC Address 0. C 2. 9 4. C 3. E VMware
Warning OSScan results may be unreliable because we could not find at least 1 open and 1 closed port.
Device type general purpose.
Running Microsoft Windows 2.
OS details Microsoft Windows Server 2. SP1 or SP2.
Network Distance 1 hop.
Service Info OS Windows.
Host script results
ms-sql-info
Windows server name WIN2.
MSSQLSERVER Instance name MSSQLSERVER
Version Microsoft SQL Server 2. RTM
Version number 9.
Product Microsoft SQL Server 2.
Service pack level RTM
Post SP patches applied No
TCP port 1.
Named pipe 1. 92.
Clustered No
1. Version Microsoft SQL Server 2. RTM
Version number 9.
Product Microsoft SQL Server 2.
Service pack level RTM
Post SP patches applied No
TCP port 1.

So we see that nmap reports back ports 1. You may be wondering how nmap knew that port 1. MSSQL runs a service called the Browser service, which runs on port 1. UDP instead of TCP. If this Browser service wasn't running, nmap wouldn't be able to pull this information. Basically nmap queries port 1. It does this using the ms-sql-info nmap script. There are a couple of other tools, here and here, that do the same thing, but I stick with nmap since it's already baked in. So the Browser service and additional ports are very important to keep in mind when pen testing mssql.

Now we have more information about our target, which hopefully means we'll find a weak spot that we can exploit. Once you know the version it's always recommended to search CVE (Common Vulnerabilities and Exposures), and it may also not be a bad idea to search inside the Metasploit tool as well. There aren't a whole lot of remote code execution vulnerabilities for anything SQL Server 2. So if they aren't running an old unpatched version of mssql, then that means you'll need credentials to authenticate to the SQL server. This means we'll need to try and brute force the credentials. The main tool I like to use to perform brute force attacks is medusa; another good alternative is hydra. I have had different degrees of luck with both tools, so it may be useful to run both, although my default is medusa. I will only cover how to use medusa. Below are the typical command line options that you feed into medusa.

-U dictionary. txt -P dictionary. -O medusa. Output. -M mssql.

The -h is the host, -U is the username list, -P is the password list, -O is the output file, and -M is the module you want to run against, in this case mssql. Below is the output of this command.

Medusa v. 2. 0 http www. C Jo. Mo Kun Foofus Networks.
ACCOUNT CHECK mssql Host 1.
User admin 1 of 3, 0 complete Password admin 1 of 3 complete
ACCOUNT CHECK mssql Host 1. User admin 1 of 3, 0 complete Password password 2 of 3 complete
ACCOUNT CHECK mssql Host 1. User admin 1 of 3, 0 complete Password sa 3 of 3 complete
ACCOUNT CHECK mssql Host 1. User password 2 of 3, 1 complete Password admin 1 of 3 complete
ACCOUNT CHECK mssql Host 1. User password 2 of 3, 1 complete Password password 2 of 3 complete
ACCOUNT CHECK mssql Host 1. User password 2 of 3, 1 complete Password sa 3 of 3 complete
ACCOUNT CHECK mssql Host 1. User sa 3 of 3, 2 complete Password admin 1 of 3 complete
ACCOUNT CHECK mssql Host 1.
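The flip side of the medusa run above is what it looks like on the SQL Server: every guess lands in the ERRORLOG as an error 18456 "Login failed for user" entry with the client address. The following Python example is added here and is not code from the original post, nor a feature of medusa or nmap. It parses ERRORLOG-style logon lines, flags any client that accumulates a burst of failures inside a short window, and separately flags a login that succeeds from that same client right after such a burst, which is the case a defender most wants to see. The log lines, the threshold, the window and the IP addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG logon entries.
# Addresses are from documentation ranges; nothing here is a real host.
SAMPLE_LOG = """\
2024-01-15 10:02:01.23 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.31 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.40 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.52 Logon       Login failed for user 'password'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.60 Logon       Login failed for user 'password'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.71 Logon       Login failed for user 'password'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:01.92 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-01-15 10:02:02.05 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2024-01-15 10:45:13.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches both "Login failed for user ..." and "Login succeeded for user ..." lines
# and pulls out the timestamp, outcome, login name and client address.
LOGON = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'\..*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Tuning values chosen for the example; a real deployment picks its own.
THRESHOLD = 5                 # failed logins from one client ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def parse_line(line):
    """Return (timestamp, outcome, user, client) for a logon line, else None."""
    m = LOGON.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("outcome"), m.group("user"), m.group("client")


def analyze(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for brute-force bursts and for a success that follows one."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])
    recent_failures = defaultdict(list)  # client -> [(timestamp, user), ...] within the window
    alerts = []
    for ts, outcome, user, client in events:
        # Drop failures that have aged out of the window for this client.
        recent = [(t, u) for t, u in recent_failures[client] if ts - t <= window]
        recent_failures[client] = recent
        if outcome == "failed":
            recent.append((ts, user))
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append({
                    "type": "brute_force",
                    "client": client,
                    "failures": len(recent),
                    "users": sorted({u for _, u in recent}),
                })
        elif len(recent) >= threshold:
            # A success from a client that was just hammering logins is the high-priority case.
            alerts.append({
                "type": "success_after_failures",
                "client": client,
                "user": user,
                "failures": len(recent),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Two design points: the burst alert fires once per window rather than on every guess, so a dictionary of a few thousand passwords produces one ticket, not thousands, and the "success after failures" alert carries the user that finally got in, which is the account to reset first. Successful logins only appear in the ERRORLOG when the instance's login auditing is set to record both failed and successful logins, so that setting is a prerequisite for the second rule.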