Script ms-sql-hasdbaccess

Script types:
Categories: auth, discovery, safe
Download: https://svn.nmap.org/nmap/scripts/ms-sql-hasdbaccess.nse

Script Summary

Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.

SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria:

  • Host script: Will run if the mssql.instance-all, mssql.instance-name
or mssql.instance-port script arguments are used (see mssql.lua).
  • Port script: Will run against any services identified as SQL Servers, but only
if the mssql.instance-all, mssql.instance-name and mssql.instance-port script arguments are NOT used.

The script needs an account with the sysadmin server role to work.

When run, the script iterates over the credentials and attempts to run the command for each available set of credentials.

NOTE: The "owner" field in the results will be truncated at 20 characters. This is a limitation of the sp_MShasdbaccess stored procedure that the script uses.

NOTE: Communication with instances via named pipes depends on the smb library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instances itself. See the documentation and arguments for the smb library for more information.

NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the mssql.scanned-ports-only script argument.

Script Arguments

ms-sql-hasdbaccess.limit

limits the amount of databases per-user that are returned (default 5). If set to zero or less all databases the user has access to are returned.

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa <host>

Script Output

| ms-sql-hasdbaccess:
|   [192.168.100.25\MSSQLSERVER]
|       webshop_reader
|         dbname	owner
|         ====== =====
|         hr	sa
|         finance	sa
|         webshop	sa
|       lordvader
|         dbname	owner
|         ====== =====
|         testdb	CQURE-NET\Administr
|_        webshop	sa

Requires


Author:

  • Patrik Karlsson

License: Same as Nmap--See https://nmap.org/book/man-legal.html