Script ms-sql-ntlm-info
Script types:
Categories:
default, discovery, safe
Download: https://svn.nmap.org/nmap/scripts/ms-sql-ntlm-info.nse
Script Summary
This script enumerates information from remote Microsoft SQL services with NTLM authentication enabled.
Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials causes the remote service to respond with an NTLMSSP CHALLENGE message that discloses the NetBIOS names, DNS names, and OS build version of the host.
Script Arguments
- mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username
See the documentation for the mssql library.
- randomseed, smbbasic, smbport, smbsign
See the documentation for the smb library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p 1433 --script ms-sql-ntlm-info <target>
Script Output
1433/tcp open ms-sql-s
| ms-sql-ntlm-info:
|   Target_Name: ACTIVESQL
|   NetBIOS_Domain_Name: ACTIVESQL
|   NetBIOS_Computer_Name: DB-TEST2
|   DNS_Domain_Name: somedomain.com
|   DNS_Computer_Name: db-test2.somedomain.com
|   DNS_Tree_Name: somedomain.com
|_  Product_Version: 6.1.7601
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html