Script ms-sql-empty-password
Script types:
Categories:
auth, intrusive
Download: https://svn.nmap.org/nmap/scripts/ms-sql-empty-password.nse
Script Summary
Attempts to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.
SQL Server credentials required: No (will not benefit from
mssql.username
& mssql.password
).
Run criteria:
- Host script: Will run if the
mssql.instance-all
,mssql.instance-name
mssql.instance-port
script arguments are used (see mssql.lua).
- Port script: Will run against any services identified as SQL Servers, but only
mssql.instance-all
, mssql.instance-name
and mssql.instance-port
script arguments are NOT used.
WARNING: SQL Server 2005 and later versions include support for account lockout policies (which are enforced on a per-user basis).
NOTE: Communication with instances via named pipes depends on the smb
library. To communicate with (and possibly to discover) instances via named pipes,
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
found to be open. Additionally, named pipe connections may require Windows
authentication to connect to the Windows host (via SMB) in addition to the
authentication required to connect to the SQL Server instances itself. See the
documentation and arguments for the smb
library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
with ports that were not included in the port list for the Nmap scan. This can
be disabled using the mssql.scanned-ports-only
script argument.
See also:
Script Arguments
- mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 445 --script ms-sql-empty-password --script-args mssql.instance-all <host> nmap -p 1433 --script ms-sql-empty-password <host>
Script Output
| ms-sql-empty-password: | [192.168.100.128\PROD] |_ sa:<empty> => Login Success
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html