File ms-sql-dump-hashes
Script types:
hostrule, portrule
Categories:
auth, discovery, safe
Download: http://nmap.org/svn/scripts/ms-sql-dump-hashes.nse
User Summary
Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so, the user needs to have the appropriate DB privileges.
Credentials passed as script arguments take precedence over credentials discovered by other scripts.
Script Arguments
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 1433 <ip> --script ms-sql-dump-hashes
Script Output
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-dump-hashes:
|   nmap_test:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
|   sa:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
|_  webshop_dbo:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
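For audit follow-up, the login:hash lines in the output above can be sorted by storage format so that logins still held as SHA-1 are reviewed first. This is an added example, not part of the Nmap script or its documentation; the function name, field names and sample data are assumptions, and the format table reflects general SQL Server hash layouts rather than anything stated on this page.

```python
import re

# Layouts keyed by (header, hex chars after the header). The body is a 4-byte
# salt followed by the digest(s). General SQL Server knowledge, not from the page.
LAYOUTS = {
    ("0100", 88): ("SQL Server 2000", "SHA-1 x2 (second digest is of the upper-cased password)"),
    ("0100", 48): ("SQL Server 2005-2008", "SHA-1"),
    ("0200", 136): ("SQL Server 2012+", "SHA-512"),
}
# One result line: "| login:0x..." or "|_ login:0x..."
ROW = re.compile(r"^\|_?\s*(?P<login>.+):0x(?P<hex>[0-9A-Fa-f]+)\s*$")


def classify_hashes(nmap_output):
    """Return one dict per dumped login; anything not SHA-512 is marked for review."""
    findings = []
    for line in nmap_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # port table, script header, instance names
        raw = m.group("hex")
        era, digest = LAYOUTS.get((raw[:4], len(raw) - 4), ("unknown", "unknown"))
        findings.append({
            "login": m.group("login"),
            "era": era,
            "digest": digest,
            "needs_review": era != "SQL Server 2012+",
        })
    return findings


# Constructed sample in the script's output shape; hash bodies are filler bytes.
SAMPLE = "\n".join([
    "PORT     STATE SERVICE",
    "1433/tcp open  ms-sql-s",
    "| ms-sql-dump-hashes: ",
    "|   sa:0x0100" + "AB" * 44,
    "|   nmap_test:0x0100" + "CD" * 24,
    "|_  webshop_dbo:0x0200" + "EF" * 68,
])

if __name__ == "__main__":
    for finding in classify_hashes(SAMPLE):
        print(finding)
```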
Requires
Author: Patrik Karlsson
License: Same as Nmap--See http://nmap.org/book/man-legal.html


