Categories: discovery, safe
Queries Microsoft SQL Server (ms-sql) for a list of tables per database.
SQL Server credentials required: Yes (use
- Host script: Will run if the
mssql.instance-portscript arguments are used (see mssql.lua).
- Port script: Will run against any services identified as SQL Servers, but only
mssql.instance-portscript arguments are NOT used.
The sysdatabase table should be accessible by more or less everyone.
Once we have a list of databases we iterate over it and attempt to extract table names. In order for this to succeed we need to have either sysadmin privileges or an account with access to the db. So, each database we successfully enumerate tables from we mark as finished, then iterate over known user accounts until either we have exhausted the users or found all tables in all the databases.
System databases are excluded.
NOTE: Communication with instances via named pipes depends on the
library. To communicate with (and possibly to discover) instances via named pipes,
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
found to be open. Additionally, named pipe connections may require Windows
authentication to connect to the Windows host (via SMB) in addition to the
authentication required to connect to the SQL Server instances itself. See the
documentation and arguments for the
smb library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
with ports that were not included in the port list for the Nmap scan. This can
be disabled using the
mssql.scanned-ports-only script argument.
If set shows only tables or columns matching the keywords
Limits the amount of databases that are processed and returned (default 5). If set to zero or less all databases are processed.
Limits the amount of tables returned (default 5). If set to zero or less all tables are returned.
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.usernameSee the documentation for the mssql library.
randomseed, smbbasic, smbport, smbsignSee the documentation for the smb library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa <host>
| ms-sql-tables: | [192.168.100.25\MSSQLSERVER] | webshop | table column type length | payments user_id int 4 | payments purchase_id int 4 | payments cardholder varchar 50 | payments cardtype varchar 50 | payments cardno varchar 50 | payments expiry varchar 50 | payments cvv varchar 4 | products id int 4 | products manu varchar 50 | products model varchar 50 | products productname varchar 100 | products price float 8 | products imagefile varchar 255 | products quantity int 4 | products keywords varchar 100 | products description text 16 | users id int 4 | users username varchar 50 | users password varchar 50 |_ users fullname varchar 100
License: Same as Nmap--See https://nmap.org/book/man-legal.html