Script ms-sql-dump-hashes
Script types:
Categories: auth, discovery, safe
Download: https://svn.nmap.org/nmap/scripts/ms-sql-dump-hashes.nse
Script Summary
Dumps the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. To do so, the user needs to have the appropriate DB privileges.
Credentials passed as script arguments take precedence over credentials discovered by other scripts.
Script Arguments
- ms-sql-dump-hashes.dir
Dump hashes to a file in this directory. File name is <ip>_<instance>_ms-sql_hashes.txt. Default: no file is saved.
- mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 1433 <ip> --script ms-sql-dump-hashes
Script Output
PORT     STATE SERVICE
1433/tcp open  ms-sql-s
| ms-sql-dump-hashes:
| nmap_test:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
| sa:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
|_ webshop_dbo:0x01001234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF0123
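For auditing the results, the following added example (not part of the Nmap script or its documentation) parses `login:0x...` lines as shown in the Script Output and reports which hash format each login is stored in. The header and length mapping is an assumption taken from the known SQL Server hash layouts rather than from this page; the function names are hypothetical and the sample lines are constructed.

```python
import re

# (header, total bytes) -> (version, algorithm, legacy?). Assumed layout, not
# from this page: 2-byte header + 4-byte salt + digest(s).
LAYOUTS = {
    ("0100", 46): ("SQL Server 2000", "SHA-1 x2 (incl. upper-cased copy)", True),
    ("0100", 26): ("SQL Server 2005-2008 R2", "SHA-1", True),
    ("0200", 70): ("SQL Server 2012+", "SHA-512", False),
}

def classify(line):
    """Return a finding for one 'login:0x<hex>' line, or None for other lines."""
    # Accept both the saved file format and Nmap's "| " / "|_ " output prefix.
    text = re.sub(r"^\s*\|_?\s*", "", line).strip()
    login, sep, hexstr = text.rpartition(":0x")
    if not sep or not login:
        return None
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexstr) or len(hexstr) % 2:
        return None
    key = (hexstr[:4], len(hexstr) // 2)
    version, algorithm, legacy = LAYOUTS.get(key, ("unknown", "unknown", None))
    return {"login": login, "version": version,
            "algorithm": algorithm, "legacy": legacy}

def audit(lines):
    """Classify every hash line; legacy and unknown formats sort first."""
    rows = [r for r in map(classify, lines) if r]
    return sorted(rows, key=lambda r: (r["legacy"] is False, r["login"]))

# Constructed sample output (placeholder salts and digests, not real hashes).
SAMPLE = [
    "PORT     STATE SERVICE",
    "1433/tcp open  ms-sql-s",
    "| ms-sql-dump-hashes:",
    "| app_old:0x0100" + "A1B2C3D4" + "11" * 40,
    "| sa:0x0100" + "0BADF00D" + "22" * 20,
    "|_ webshop_dbo:0x0200" + "CAFEBABE" + "33" * 64,
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        flag = "REVIEW" if row["legacy"] is not False else "ok"
        print(f'{flag:6} {row["login"]:12} {row["version"]} ({row["algorithm"]})')
```

Logins flagged for review are stored with a SHA-1 based or unrecognised format; resetting their passwords on a current instance stores them in the newer format.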
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html