WIRED Security (20 October 2016) is a new one-day event, which...
NMAP and Metasploit for MS-SQL Auditing
by Jose Ruiz
NMAP is the best network scanner tool that you can find, period. Also, Metasploit is the #2 security tool today according to sectools.org so it’s a must for any security professional. Both tools can help you find flaws that are present in your systems before the bad guys do. In this article we will learn how to use NMAP and Metasploit to scan and exploit an MS-SQL Server, as a bonus we will see how easy it is to set up an automated log to record your findings, so your reporting duties are a lot easier.
Databases are a necessity in this time and age of technology. A database is a collection of information organized in a way that allows the user the use of queries to select any type of data quickly. This data includes usernames, passwords, emails, phone numbers, addresses, credit card info, purchase records, inventory, etc. Many of these databases are exposed to the public via a web app that allows the user to interact with it by using a form or a search box. If you set up a database the wrong way you can expose your company to all sorts of vulnerabilities, like XSS, or SQLi. Also, by leaving the defaults, almost anyone with a fair knowledge of tools can scan you and get info about the server, login information, tables, etc. Here we are assuming that you are testing your own servers so we will not be talking about anonymity or anything like that. This is an engagement where you are testing stuff from your place of work so the reporting should be a priority here. This article assumes that you are using Backtrack 5R3.
Figure 1. NMAP scripts to analyze MS-SQL Servers
NMAP is a security scanner written by Gordon Lyon and it’s mainly used to discover Host and services on a computer network, thus creating a “map” of the network. NMAP has lots of features that allow you to “see” networks such as host discovery, service and operating system detection, etc. One of the coolest features, and the one we will use today, is the NSE or NMAP Scripting Engine. These scripts can perform more advanced service detection, vulnerability analysis, and even brute forcing. For now we will focus on just scripts to analyze MS-SQL. To see a full list of the scripts that are related to MS-SQL go to your terminal and type this cd
/opt/metasploit/common/share/nmap/scripts (Figure 1). These are the scripts that we have available and they can be used with multiple arguments to augment their power as we will see later on. The first thing we’ll do is scan our network for MS-SQL servers (Figure 2).
Figure 2. NMAP found an example of MS-SQL running on our network
After we’ve found an example of MSSQL the next thing we should do is try to get more info from the machine so we run the ms-sql-info script (Figure 3).
Figure 3. NMAP finds that our server has not been patched
The next thing is to find if any account has an empty password (Figure 4).
Figure 4. As you can see the script gives us no results
We can conclude that the server does not have a user with empty passwords. At this point the next step will be to attempt a brute force attack on the server. Of course if password lockout policies are on effect you will end up getting everyone unable to login. Try to perform these tests on a non-working day so you can later unblock the accounts for the users. Also this test will help you monitor how good your IDS/IPS system is working as these types of attacks are extremely noisy (Figure 5).
Figure 5. NMAP brute force attack
It’s really nice to know that with NMAP you can add additional arguments in order to use the brute force script with your own user or password list. This way you don’t need to rely on the default lists. This shows you how powerful NMAP really is. So far we’ve discovered an MS-SQL instance running on a server that is not fully patched and whose login information is user
sa (default MS-SQL admin user) with
password1 as its password. If you know SQL all you have to do now is login to the server and do whatever you want. However, instead of doing that, we will continue testing our NMAP scripts. Let’s try to find some configuration information (Figure 6).
Figure 6. NMAP Configuration script results
The thing to notice here is the
xp_cmdshell. NMAP has a script to pass commands through this option but only if its open or activated. The results show that it’s closed so this won’t work with NMAP but then again, there’s Metasploit! Another script that will produce results is this (Figure 7).
Figure 7. NMAP provides us with the table info on our MS-SQL server
Let’s look at the last two scripts we will test (Figure 8). Here you can see that you are able to pull the database name and the username of the creator. This is a good way to see other usernames so you can get a better idea of how many people access this MS-SQL instance. The last script allows you to pull the hashes of the available users. Once you have this you don’t need to attack the server directly, you can move on to an offline attack with tools like John the Ripper and try to crack the hashes to get more credentials.
Figure 8. NMAP script to obtain database owner info and user hashes
We have covered essentially what your possibilities are with NMAP against any MS-SQL server. As you can see there is a lot of info that can be gathered, especially if you are able to find a valid credential to access the MS-SQL instance. If you refer back to Figure 3 you will notice that once this MS-SQL Server software was installed, it never received additional patching. This opens the door to a lot of possible vulnerabilities and it’s our cue to move on into Metasploit.
Metasploit is a framework that provides the infrastructure needed to automate multiple tasks needed in order to assess and/or exploit vulnerabilities found in a host. It provides multiple tools that allow you to scan almost any host and check for security holes that later can be exploited by using one or many of its catalogs of exploits. Still, beware, this is not a magical point and click tool. Just because you may find misconfigured things via their scanner modules doesn’t mean that there is an exploit guaranteed to work. Sometimes you need to modify the actual exploit code and sometimes they just won’t work.
Metasploit was developed by HD Moore to be able to have a flexible and maintainable framework for the creation and development of exploits that will save him time from having to validate and sanitize public exploit code. His first iteration had 11 exploits. Now you can find well over a thousand exploits as well as auxiliary modules and NOPS. Today, Metasploit is a necessary tool for penetration testing and exploitation.
To get Metasploit running you can follow the path stated on the next figure (Figure 9).
Wait for the console to load and when you get a cool banner followed by the msf> prompt you are ready to work.
Figure 10. Metasploit scanners for MS-SQL
Using metasploit to test MS-SQL
The first thing you should do when testing a host with Metasploit is to gather some information. Metasploit provides many scanners for these purposes. As we can see here, a quick search produces the following results (Figure 10). There’s another interesting folder called admin but it’s left for you to explore its options and try them. When we analyze the results we see stuff that allows us to get info very similar to what NMAP got us earlier. As an example, let’s see what the
mssql_ping scanner shows (Figure 11).
Figure 11. A login scanner module results
Check the commands in the previous figure to understand how to see available options, load required values and run the module. I included the password because we got it with NMAP but as you can see it’s not a required value. Once you run the module you get a result very similar to the NMAP ms-sql-info script.
This shows that NMAP is a really amazing tool that can get interesting info out of a host, not just open ports. Based on this we don’t need to use the other scanners because we already got that info. So the next step is to explore possible exploits (Figure 12). You can try them all but if you load the
mssql_payload and read it’s info you will find something really interesting (Figure 13).
Figure 12. Possible MS-SQL exploits
Figure 13. mssql_payload Exploit info
Remember earlier that we found the
xp_cmdshell service on our MS-SQL server with NMAP? It was off but this exploit will try to activate before passing the payload so it’s worth a try (Figure 14).
Figure 14. Setting the options for our exploit
Now what we need to do is set a payload. A payload is a piece of code that we want to execute right after our exploit runs successfully against our target. It allows us to do a task such as add a user, open a command prompt in windows, or a terminal in Linux so we can explore the machine, etc. There is a special payload called Meterpreter that is considered the mother of all payloads because it allows so much flexibility once executed. It also contains auxiliary modules that let you run tasks inside the machine like get hashes, screenshots, start a keylogger, create interactive shells, plant backdoors, upload and execute software into the target, etc. Good for us that we have the option to use Meterpreter here because not all exploits support it as a payload. (Figure 15).
Figure 15. Setting Meterpreter as our payload
We are using a bind type of payload, if there are firewall rules that block outside hosts connection attempts going into other machines than those established by the rules, this won’t work; so you may want to try using a reverse type of connection so the victim connects to you. If the firewall also filters connection attempts from internal PC’s to unknown hosts then you are out of luck. Now we are all setup so we verify our options once again and type exploit to start the exploitation attempt. (Figure 16).
Figure 16. Verifying our options and sending the exploit
Here you can see our exploit trying to start the
xp_cmshell service (Figure 17).
Figure 17. xp_cmshell service
Once the whole process is finished if it was successful then the payload will pass and we will see a Meterpreter shell opened (Figure 18).
Figure 18. The meterpreter shell
Now you can type help to explore all options. As an example we can type the command
shell and explore (Figure 19).
Figure 19. “shell” command
As you can see, once inside the command prompt you can explore anything you want and check that you are inside the right machine by checking its IP address. From here your task is to explore other
Meterpreter commands. At this point we are done with our task as we successfully scanned and exploited the MS-SQL service installed. Now let’s move on…
Bonus: Setting Up An Automated Reporting Script
When you do any type of engagement it is really important that you make sure you are logging every step of your process so later you can document it for your boss. The problem is that you don’t want to be writing down everything. Here’s where a little bash comes to the rescue. The following script will allow you to create a folder for your job and save your log inside with a name based on the date of the engagement. If you can’t finish it in one day or have to stop, no problem, the script allows you to create another log and save it in the same folder without overwriting previous logs. The nice thing is that once the log is created the script calls Metasploit, loads it, and tells it to save all input to the log you just created! Here’s the script (Please use it without changing the authors names). Copy the script and save it as
startMSFCONSOLE.sh then run
chmod 744 startMSFCONSOLE.sh to make it executable. To use it type
./startMSFCONSOLE.sh (Listing 1-3).
Listing 1. The script – option 1
# This script creates a timestamp and then sets it as a name for our metasploit activity log Then calls metasploit and invoke
# the log to start collecting info. It offers the option of creating a new project folder to save
your logs or to select an existing # project folder to continue saving information. Script was
created during a Metasploit workshop with Carlos Perez where he # suggested the Timestamp Output Spool as a better alternative to keep logs from projects…
# Pedro Ortiz / José Ruiz – May 2013
echo “ TIMESTAMP OUTPUT / SPOOL – REPORT LOG ATOMATION SCRIPT “
echo “Select Your Option”
echo “1 – New Project Report”
echo “2 – Continue Previous Project”
echo “3 – Exit Script”
read –p “>>> “ option
# OPTION 1 – Create a new folder for a new project engagement…
if [ $option = 1 ]; then
read –p “New Project Folder: “ folder
echo “Your log: “ $d
echo “Loading msfconsole… Please Wait…”
set TimestampOutput true > /root/$folder/autolog.rc
echo spool /root/$folder/$d.txt >> /root/$folder/autolog.rc
msfconsole –r autolog.rc
Listing 2. The script – option 2
# OPTION 2 – Create a new log inside an existing
folder to continue a previous engagement…
if [ $option = 2 ]; then
read –p “Existing Project Folder: “ folder
echo “Your log: “ $d
echo “Loading msfconsole… Please Wait…”
echo set TimestampOutput true > /root/$folder/autolog.rc
echo spool /root/$folder/$d.txt >> /root/$folder/autolog.rc
msfconsole –r autolog.rc
Listing 3. The script – option 3 i
# OPTION 3 – Exit
if [ $option = 3 ]; then
echo “Closing Script…”
# ERROR CORRECTION
if [ $option –gt 3 ]; then
echo “Invalid Selection… Returning to Main Menu… Please wait…”
Okay, so once you get you script operational, let’s see what it does: Fgure 20-22.
Figure 20. Calling the script to create your log
Figure 21. Creating a new project folder
Figure 22. Metasploit loaded – Notice the last lines where it tells you that your log information is being saved on the folder you just created. Once you get here you are ready to work
If we run an NMAP scan from within Metasploit, you can save it to your log. Let’s see (Figure 23).
Figure 23. Calling NMAP from within Metasploit
Now let’s check our newly created log to see if it’s doing what it is supposed to do (Figure 24, 25 and 26).
Figure 24. Our Hackin9 folder
Figure 25. Our log
As you can see here, every step of the process gets recorded for easy reference later when you are writing your report.
Figure 26. Part of our collected info
We have explored the possibilities that NMAP has to offer to scan and analyze MS-SQL servers.
The scripting engine is a powerful tool that can help you explore lots of different things. Go ahead and experiment with the additional possibilities. To do this, set up different services or apps like IIS, web sites, Oracle etc. and scan those using the scripts provided to work with them. Also we were able to see the possibilities that Metasploit has to offer and leave you with the task of comparing them to NMAP to see which works better and why. Finally, the bonus script will help you collect the info and save it for reporting so your homework now is to repeat this tutorial but creating the folder and log first. Also take notice of how NMAP behaves inside Metasploit. Enjoy!
About the Author
Jose Ruiz is an independent consultant specializing in the areas of physical and logical network security with tasks ranging from policy audit, vulnerability assessment, mitigation plan implementation, business continuity and others. He holds a Master’s Degree in Information Systems with a specialty on electronic fraud investigation. He works investigating various cases ranging from corporate misuse of resources, phishing and wireless intrusion. Jose is also an IT instructor and Microsoft Certified Trainer teaching courses for both Microsoft and CompTIA certifications and a college professor at undergraduate and graduate level teaching forensics, networking, wireless and ethical hacking courses at both EDP University and Interamerican University in Puerto Rico. Jose is also an active contributor to the ISECOM Hacker’s High School project. He holds a Master’s Degree in Information Systems with a specialty on electronic fraud investigation and multiple certifications including A+, Network+, Server+, Security+, MCSA 2000 / 2003 / 2008, MCITP, MCT, OSWP, CIW and others.