Script ms-sql-dump-hashes

Script types:
Categories: auth, discovery, safe

Script Summary

Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so, the user needs to have the appropriate DB privileges.

Credentials passed as script arguments take precedence over credentials discovered by other scripts.

Script Arguments


Dump hashes to a file in this directory. File name is <ip>_<instance>_ms-sql_hashes.txt. Default: no file is saved.

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p 1433 <ip> --script ms-sql-dump-hashes

Script Output

1433/tcp open  ms-sql-s
| ms-sql-dump-hashes:
|   nmap_test:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
|   sa:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
|_  webshop_dbo:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
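
For auditing the result, the following added example (not part of the script or of Nmap) parses `login:0x...` lines like the output above and reports which stored hash layout each login uses, so that logins still carrying pre-2012 SHA-1 based hashes can be scheduled for a password reset. The function names are hypothetical, the sample lines are constructed from the placeholder values shown above, and it is an assumption that the saved hashes file uses the same `login:hash` lines.

```python
import re

# (header, hex digits after "0x") -> (server generation, digest, SHA-1 based?)
# Every layout is: 2-byte header + 4-byte salt + digest(s).
LAYOUTS = {
    ("0100", 92): ("SQL Server 2000", "SHA-1 x2 (as typed + uppercased)", True),
    ("0100", 52): ("SQL Server 2005-2008 R2", "SHA-1", True),
    ("0200", 140): ("SQL Server 2012+", "SHA-512", False),
}

# Optional Nmap output prefix ("|   " or "|_  "), then login:0x<hex>.
LINE = re.compile(r"^(?:\|_?\s+)?(?P<login>[^:]+):0x(?P<hex>[0-9A-Fa-f]+)\s*$")

def classify(lines):
    """Return one finding per 'login:0x...' line; all other lines are skipped."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue
        blob = m.group("hex").upper()
        fmt, digest, sha1 = LAYOUTS.get(
            (blob[:4], len(blob)), ("unknown", "unknown", None))
        findings.append({"login": m.group("login"), "salt": blob[4:12],
                         "format": fmt, "digest": digest, "sha1_based": sha1})
    return findings

def review_list(findings):
    """Logins whose hash is a SHA-1 layout or could not be identified."""
    return [f["login"] for f in findings if f["sha1_based"] is not False]

# Constructed sample: the page's placeholder hash plus one made-up 0x0200 entry.
_PLACEHOLDER = "0x0100" + "1234567890ABCDEF" + "01234567890ABCDEF" * 4 + "0123"
SAMPLE = [
    "1433/tcp open  ms-sql-s",
    "| ms-sql-dump-hashes:",
    "|   nmap_test:" + _PLACEHOLDER,
    "|   sa:" + _PLACEHOLDER,
    "|_  webshop_dbo:" + _PLACEHOLDER,
    "app_user:0x0200" + "AB" * 68,
]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding["login"], finding["format"], finding["digest"])
    print("review:", review_list(classify(SAMPLE)))
```
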



  • Patrik Karlsson

License: Same as Nmap--See