Script ms-sql-tables

Script types:
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/ms-sql-tables.nse

Script Summary

Queries Microsoft SQL Server (ms-sql) for a list of tables per database.

SQL Server credentials required: Yes (use ms-sql-brute, ms-sql-empty-password and/or mssql.username & mssql.password) Run criteria:

• Host script: Will run if the mssql.instance-all, mssql.instance-name

or mssql.instance-port script arguments are used (see mssql.lua).

• Port script: Will run against any services identified as SQL Servers, but only

if the mssql.instance-all, mssql.instance-name and mssql.instance-port script arguments are NOT used.

The sysdatabase table should be accessible by more or less everyone.

Once we have a list of databases we iterate over it and attempt to extract table names. In order for this to succeed we need to have either sysadmin privileges or an account with access to the db. So, each database we successfully enumerate tables from we mark as finished, then iterate over known user accounts until either we have exhausted the users or found all tables in all the databases.

System databases are excluded.

NOTE: Communication with instances via named pipes depends on the smb library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instances itself. See the documentation and arguments for the smb library for more information.

NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the mssql.scanned-ports-only script argument.

Script Arguments

ms-sql-tables.keywords

If set shows only tables or columns matching the keywords

ms-sql-tables.maxdb

Limits the amount of databases that are processed and returned (default 5). If set to zero or less all databases are processed.

ms-sql-tables.maxtables

Limits the amount of tables returned (default 5). If set to zero or less all tables are returned.

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa <host>

Script Output

| ms-sql-tables:
|   [192.168.100.25\MSSQLSERVER]
|   webshop
|     table	column	type	length
|     payments	user_id	int	4
|     payments	purchase_id	int	4
|     payments	cardholder	varchar	50
|     payments	cardtype	varchar	50
|     payments	cardno	varchar	50
|     payments	expiry	varchar	50
|     payments	cvv	varchar	4
|     products	id	int	4
|     products	manu	varchar	50
|     products	model	varchar	50
|     products	productname	varchar	100
|     products	price	float	8
|     products	imagefile	varchar	255
|     products	quantity	int	4
|     products	keywords	varchar	100
|     products	description	text	16
|     users	id	int	4
|     users	username	varchar	50
|     users	password	varchar	50
|_    users	fullname	varchar	100

Requires

• mssql
• stdnse
• string
• table
• tableaux

---

Author:

• Patrik Karlsson

License: Same as Nmap--See https://nmap.org/book/man-legal.html