How to Detect NMAP Scan Using Snort

Today we are going to discuss how to detect an NMAP scan using Snort, but before moving ahead kindly read our previous articles on Snort installation (manually or using the apt repository) and its rule configuration to enable it as an IDS for your network.

Basically, in this article we test Snort against various NMAP scans, which will help network security analysts set up Snort rules so that they become aware of any kind of NMAP scanning.

Requirement

Attacker: Kali Linux (NMAP Scan)

Target: Ubuntu (Snort as IDS)

Optional: Wireshark (we have added it to this tutorial so that we can clearly confirm all incoming and outgoing packets on the network)

Let’s Begin!!

Identify NMAP Ping Scan

As we know, an attacker will start by identifying host status, sending ICMP packets with a ping scan. Therefore be smart and add a rule in Snort that will detect an NMAP ping scan when someone tries to scan your network to identify its live hosts.

Execute the command given below in Ubuntu’s terminal to open the Snort local rule file in a text editor.

Now add the line given below, which will capture incoming ICMP traffic arriving at 192.168.1.105 (the Ubuntu IP).

Turn on the IDS mode of Snort by executing the command given below in the terminal:

Now, from the attacking machine, execute the command given below to identify the status of the target machine, i.e. whether the host is up or down.

If you execute the above command without the parameter “--disable-arp-ping” it will work as a default ping sweep, which sends ARP packets instead of ICMP on the target’s network, and Snort may not be able to capture the NMAP ping scan in that scenario; therefore we used the “--disable-arp-ping” parameter in the above command.

As I explained above, we include Wireshark in this tutorial so that you can clearly see the packets sent from the attacker’s network to the target’s network. Hence, in the image given below, you can notice the ICMP request packets along with the ICMP reply packets; both are part of the network traffic.

Come back to your target machine, where Snort is capturing all incoming traffic. Here you will observe that it is generating an alert for an NMAP ping sweep scan. Hence, you can block the attacker’s IP to protect your network from further scanning.

Identify NMAP TCP Scan

Now, in order to connect with the target network, an attacker may go for network enumeration using either the TCP or the UDP protocol. Let’s assume the attacker chooses TCP scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

The above rule is only applicable to port 22, so if you want to detect scans of any other port, replace 22 with that port, or else use “any” to analyse all ports. Enable the NIDS mode of Snort as done above.

Now, again using the attacker machine, execute the command given below for a TCP scan on port 22.

From the image given below, you can observe that Wireshark has captured TCP packets from 192.168.1.104 to 192.168.1.105.

Here you can confirm that Snort is working: when the attacker scans port 22 using an nmap TCP scan, it shows the attacker’s IP from which traffic is arriving on port 22. Hence you can block this IP to protect your network from further scanning.

Identify NMAP XMAS Scan

As we know, TCP communication follows a three-way handshake to establish a TCP connection with the target machine, but sometimes, instead of using the SYN, SYN/ACK and ACK flags, an attacker chooses an XMAS scan, probing the target with packets carrying the FIN, PSH and URG flags.

Let’s assume the attacker chooses XMAS scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

Again, the above rule is only applicable to port 22 and will listen for incoming packets carrying the FIN, PSH and URG flags. So if you want to detect scans of any other port, replace 22 with that port, or else use “any” to analyse all ports. Enable the NIDS mode of Snort as done above.

Now, again using the attacker machine, execute the command given below for an XMAS scan on port 22.

From the image given below you can observe that Wireshark is showing 2 packets sent from the attacker machine to the target machine with the FIN, PSH and URG flags.

Come back to your target machine, where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for an NMAP XMAS scan. Hence you can block the attacker’s IP to protect your network from further scanning.

Identify NMAP FIN Scan

Instead of using the SYN, SYN/ACK and ACK flags to establish a TCP connection with the target machine, an attacker may choose a FIN scan, probing the target with packets carrying only the FIN flag.

Let’s assume the attacker chooses FIN scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

Again, the above rule is only applicable to port 22 and will listen for incoming packets carrying the FIN flag. So if you want to detect scans of any other port, replace 22 with that port, or else use “any” to analyse all ports. Enable the NIDS mode of Snort as done above.

Now, again using the attacker machine, execute the command given below for a FIN scan on port 22.

From the image given below you can observe that Wireshark is showing 2 packets sent from the attacker machine to the target machine with the FIN flag.

Come back to your target machine, where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for an NMAP FIN scan. Hence you can block the attacker’s IP to protect your network from further scanning.

Identify NMAP NULL Scan

Instead of using the SYN, SYN/ACK and ACK flags to establish a TCP connection with the target machine, an attacker may choose a NULL scan, probing the target with packets carrying no flags at all.

Let’s assume the attacker chooses NULL scanning for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

Again, the above rule is only applicable to port 22 and will listen for incoming packets carrying no flags. So if you want to detect scans of any other port, replace 22 with that port, or else use “any” to analyse all ports. Enable the NIDS mode of Snort as done above.

Now, again using the attacker machine, execute the command given below for a NULL scan on port 22.

From the image given below you can observe that Wireshark is showing 2 packets sent from the attacker machine to the target machine with no flags set.

Come back to your target machine, where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for an NMAP NULL scan. Hence you can block the attacker’s IP to protect your network from further scanning.

Identify NMAP UDP Scan

In order to identify open UDP ports and running services, an attacker may choose an NMAP UDP scan against the target machine for network enumeration; in that situation we can apply the following rule in the Snort local rule file.

Again, the above rule applies to every UDP port and will listen for incoming traffic arriving on any UDP port, so if you want to capture traffic for one particular UDP port, replace “any” with that specific port number as done above. Enable the NIDS mode of Snort as done above.

Now, again using the attacker machine, execute the command given below for a UDP scan on port 22.

From the image given below you can observe that Wireshark is showing 2 packets sent from the attacker machine to the target machine over a UDP port.

Come back to your target machine, where Snort is capturing all incoming traffic; here you will observe that it is generating an alert for an NMAP UDP scan. Hence you can block the attacker’s IP to protect your network from further scanning.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets Lover.
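As an added example, not code from this article, the following Python sensor decodes constructed IPv4/ICMP/TCP/UDP packets and applies the six detections this article builds as Snort rules (an ICMP echo with no payload, a SYN to port 22, the FIN/PSH/URG flag set, FIN only, no flags, and any UDP packet). The sensor and attacker IPs 192.168.1.105 and 192.168.1.104 are the article’s; reporting the TCP scan only on the opening SYN is my narrowing of the article’s bare tcp rule, and the sample packets are constructed, not captured.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits as they sit in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SENSOR_IP = "192.168.1.105"    # Ubuntu host running Snort in the article
WATCHED_PORT = 22              # port the article's TCP/XMAS/FIN/NULL rules are written for

# Constructed packet builders (checksums left at zero; the parser never verifies them)
def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_tcp(sport: int, dport: int, flags: int, options: bytes = b"") -> bytes:
    data_offset = (20 + len(options)) // 4      # TCP header length in 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4,
                       flags, 1024, 0, 0) + options

def build_icmp_echo(data: bytes = b"") -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 0, 0) + data   # type 8 = echo request

def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    total_len: int                # IP total length, Wireshark's "Total Length" column
    dport: Optional[int] = None
    flags: Optional[int] = None
    dsize: int = 0                # bytes after the transport header (Snort's dsize)

def parse(raw: bytes) -> Packet:
    """Decode an IPv4 packet carrying ICMP, TCP or UDP into the fields the rules inspect."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    body = raw[ihl:total_len]
    if proto == 1:                              # ICMP: 8-byte header, the rest is data
        return Packet(src, dst, proto, ttl, total_len, dsize=len(body) - 8)
    if proto == 6:                              # TCP: data offset in byte 12, flags in byte 13
        dport = struct.unpack("!H", body[2:4])[0]
        hlen = (body[12] >> 4) * 4
        return Packet(src, dst, proto, ttl, total_len, dport, body[13], len(body) - hlen)
    if proto == 17:                             # UDP: fixed 8-byte header
        dport = struct.unpack("!H", body[2:4])[0]
        return Packet(src, dst, proto, ttl, total_len, dport, None, len(body) - 8)
    return Packet(src, dst, proto, ttl, total_len)

def classify(pkt: Packet) -> Optional[str]:
    """Apply the article's six detections in order; None means no alert."""
    if pkt.dst != SENSOR_IP:
        return None
    if pkt.proto == 1 and pkt.dsize == 0:      # Nmap's echo request carries no payload (dsize:0)
        return "NMAP Ping Sweep scan"
    if pkt.proto == 6:
        if pkt.flags == FIN | PSH | URG:        # Snort flags:FPU
            return "NMAP XMAS scan"
        if pkt.flags == FIN:                    # Snort flags:F
            return "NMAP FIN scan"
        if pkt.flags == 0:                      # Snort flags:0
            return "NMAP NULL scan"
        # Assumption: alert on the opening SYN to the watched port only, not on every packet
        if pkt.flags == SYN and pkt.dport == WATCHED_PORT:
            return "NMAP TCP scan"
        return None
    if pkt.proto == 17:                         # any UDP packet to the sensor
        return "NMAP UDP scan"
    return None

def run_sensor(packets: List[bytes]) -> List[Tuple[str, str]]:
    """Return (source IP, alert message) for every packet that matched a rule."""
    alerts = []
    for raw in packets:
        pkt = parse(raw)
        msg = classify(pkt)
        if msg:
            alerts.append((pkt.src, msg))
    return alerts

# Constructed traffic standing in for the attacker at 192.168.1.104 in the article;
# the SYN carries the 4-byte MSS option an nmap raw SYN sends, so its IP total length is 44
ATTACKER = "192.168.1.104"
SAMPLE = [
    build_ipv4(1, ATTACKER, SENSOR_IP, build_icmp_echo()),                                # ping
    build_ipv4(6, ATTACKER, SENSOR_IP, build_tcp(40000, 22, SYN, b"\x02\x04\x05\xb4")),   # TCP
    build_ipv4(6, ATTACKER, SENSOR_IP, build_tcp(40001, 22, FIN | PSH | URG)),            # XMAS
    build_ipv4(6, ATTACKER, SENSOR_IP, build_tcp(40002, 22, FIN)),                        # FIN
    build_ipv4(6, ATTACKER, SENSOR_IP, build_tcp(40003, 22, 0)),                          # NULL
    build_ipv4(17, ATTACKER, SENSOR_IP, build_udp(40004, 53)),                            # UDP
    build_ipv4(6, ATTACKER, SENSOR_IP, build_tcp(40005, 22, ACK)),                        # no alert
]
```

Calling run_sensor(SAMPLE) yields one alert per scan probe and nothing for the plain ACK, and parse() exposes the total length and TTL that Wireshark shows for each packet.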

Understanding Guide to Nmap Firewall Scan (Part 2)

In our previous article we demonstrated “Nmap firewall scan (part 1)” by making use of iptables rules and then trying to bypass the firewall filter to perform NMAP advanced scanning; today we are going to discuss the second part.

Requirement

Attacker: Kali Linux

Target: Ubuntu  

Spoof MAC Address Scan

Allow TCP Packet from Specific Mac Address

If the network admin wants to allow TCP connections only from a specific MAC address and not from any other system, he could use the following iptables rule to apply a firewall filter on his network.

Now, when the attacker performs basic network scanning on the target’s network, he will not be able to enumerate the ports and running services of the victim’s system.

In order to bypass the filter applied above, the attacker may run the netdiscover command or an nmap host scan in the Kali Linux terminal to identify the active hosts in the network. As a result he will get a table containing the MAC address and IP address of each active host on the local network.

Now either use each MAC address one by one in the nmap command, or save all the MAC addresses in a text file and give its path to the nmap command; but to do this the attacker first needs to enable “promiscuous mode” on his network interface. To do so, type the commands given below: the first for promiscuous mode and the second for the nmap scan.

Hence, if you are lucky enough to spoof the correct MAC address, you can easily bypass the firewall filter and establish a TCP connection with the victim’s network for port enumeration.

Nice!!! If you look at the image given below, you will observe the open ports of the target’s network.

Spoof IP Address

Allow TCP Packet from Specific IP

If the network admin wants to allow TCP connections only from a specific IP and not from any other system, he could use the following iptables rule to apply a firewall filter on his network.

Now, when the attacker again performs basic network scanning on the target’s network, he will not be able to enumerate the ports and running services of the victim’s system.

In order to bypass the filter applied above, the attacker may again run the netdiscover command or an nmap host scan in the Kali Linux terminal to identify the active hosts in the network. As a result he will get a table containing the MAC address and IP address of each active host on the local network.

Now either use each IP address one by one in the nmap command, or save all the IP addresses in a text file and give its path to the nmap command, and then execute the following command:

Hence, if you are lucky enough to spoof the correct IP address, you can easily bypass the firewall filter and establish a TCP connection with the victim’s network for port enumeration.

Great!! If you look at the image given below, you will observe the open ports of the target’s network.

Data-String Scan

Allow TCP Packet from Specific String

If the network admin wants to allow TCP connections only from a system whose packets contain a specific string, and not from other systems whose packets do not contain that special string, he could use the following iptables rule to apply a firewall filter on his network.

In the above rule you can see we used “Khulja sim sim” as the special string for establishing a TCP connection. Hence only those TCP connections whose packets contain “Khulja sim sim” can be established.

Now, when the attacker again performs basic network scanning on the target’s network, he will not be able to enumerate the ports and running services of the victim’s system, because the traffic generated from his network does not contain the special string in its packets; thus the firewall of the target system will discard all TCP packets from the attacker’s network.

If the attacker somehow sniffs the special string “khulja sim sim” used to connect with the target’s network, he could use the --data-string argument in the nmap command to bypass the firewall.

Hence, if you are lucky enough to sniff the correct data string, you can easily bypass the firewall filter and establish a TCP connection with the victim’s network for port enumeration.

Wonderful!! If you look at the image given below, you will observe the open ports of the target’s network.

Hex String Scan

Allow TCP Packet from Specific Hex String

If the network admin wants to allow TCP connections only from a system whose packets contain the hexadecimal value of a particular string, and not from other systems whose packets do not contain the hexadecimal value of that special string, he could use the following iptables rule to apply a firewall filter on his network.

In the above rule you can see we used the hex value of “RAJ” as the special string for establishing a TCP connection. Hence only those TCP connections whose packets contain the hex value of “RAJ” can be established.

Now, when the attacker again performs basic network scanning on the target’s network, he will not be able to enumerate the ports and running services of the victim’s system, because the traffic generated from his network does not contain the hex value of the special string in its packets; thus the firewall of the target system will discard all TCP packets from the attacker’s network.

If the attacker somehow sniffs the special string “RAJ” used to connect with the target’s network, he could use its hex value with the --data argument in the nmap command to bypass the firewall.

Hence, if you are lucky enough to sniff the correct hex value of the particular data string, you can easily bypass the firewall filter and establish a TCP connection with the victim’s network for port enumeration.

Hence, if you look at the image given below, you will observe the open ports of the target’s network.

IP-Options Scan

Reject TCP Packets Containing a tcp-option

By default nmap sends a 24-byte TCP header, of which 4 bytes are TCP options; the network admin can reject packets carrying a 4-byte tcp-option to discard the TCP connection and prevent his network from being scanned. Type the following iptables rule to reject the 4-byte tcp-option on his network:

Now, when the attacker performs a TCP scan [-sT] on the target’s network, he will not be able to enumerate the ports and running services of the victim’s system, since the tcp-option is 4 bytes and hence the firewall discards the TCP packets from the attacker’s network.

The IP protocol offers numerous options that can be placed in packet headers. In contrast to the ubiquitous TCP options, IP options are seldom seen, for security reasons. The most powerful way to specify IP options is simply to pass hexadecimal data as the argument to --ip-options.

Precede every hex byte value with \x. You may repeat certain characters by following them with an asterisk and then the number of times you wish them to repeat. For example, \x01\x07\x04\x00*4 is the same as \x01\x07\x04\x00\x00\x00\x00; the repeated \x00 values are also called NULL bytes.

Now type the following command with the --ip-options argument as shown below:

Note that if you specify a number of bytes that is not a multiple of four, an incorrect IP header length will be set in the IP packet. The reason for this is that the IP header length field can only express multiples of four. In those cases, the length is computed by dividing the header length by 4 and rounding down.

Good! If you look at the image given below, you will observe the open ports of the target’s network.
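As an added example, not the article’s own code, here is a small Python parser for the --ip-options hex notation described above: it expands the \xNN and *count syntax into option bytes, walks the resulting option list (NOP, record route, end-of-list), and works out the IHL value the note above describes, flagging the case where the option bytes are not a multiple of four (which is exactly what happens with the article’s own 7-byte example).

```python
import re
from typing import Dict, List, Tuple

# IP option type bytes as they appear on the wire (copy/class bits included), per RFC 791
IP_OPTION_NAMES = {0x00: "EOL", 0x01: "NOP", 0x07: "RR", 0x44: "TS", 0x83: "LSRR", 0x89: "SSRR"}

# One token of the --ip-options hex syntax: \xNN, optionally followed by *count
_TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})(?:\*(\d+))?")

def expand_hex_string(spec: str) -> bytes:
    """Expand the \\xNN[*count] notation into the raw option bytes that would be sent."""
    out, pos = bytearray(), 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {spec[pos:m.start()]!r}")
        count = int(m.group(2)) if m.group(2) else 1
        out += bytes([int(m.group(1), 16)]) * count
        pos = m.end()
    if pos != len(spec):
        raise ValueError(f"unexpected text at offset {pos}: {spec[pos:]!r}")
    return bytes(out)

def header_length(options: bytes) -> Dict[str, object]:
    """IHL written for a 20-byte header plus these options, versus the bytes really present."""
    actual = 20 + len(options)
    ihl = actual // 4       # the field counts 32-bit words, so a non-multiple of 4 rounds down
    return {"actual_bytes": actual, "ihl": ihl, "declared_bytes": ihl * 4,
            "truncated": ihl * 4 != actual}

def decode_options(options: bytes) -> List[Tuple[str, bytes]]:
    """Walk the option list: EOL and NOP are single bytes, everything else is type, length, data."""
    result, i = [], 0
    while i < len(options):
        t = options[i]
        name = IP_OPTION_NAMES.get(t, f"type-{t:#04x}")
        if t == 0x00:
            result.append((name, b""))
            break                               # EOL: whatever follows is padding
        if t == 0x01:
            result.append((name, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {name} at offset {i} has no length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"option {name} at offset {i} has bad length {length}")
        result.append((name, options[i + 2:i + length]))
        i += length
    return result

# The spec quoted in the article: a NOP, a minimal record-route option, then padding
ARTICLE_SPEC = r"\x01\x07\x04\x00*4"
```

For ARTICLE_SPEC the expansion is 7 bytes, so header_length() reports an IHL of 6 (24 declared bytes for 27 actually present), which is the rounding-down effect the note above warns about.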

https://nmap.org/book/nping-man-ip-options.html

Understanding Guide to Nmap Firewall Scan (Part 1)

Several times you might have used NMAP to perform network scanning to enumerate the active port services of a target machine, but in some scenarios it is not possible to perform scanning with the basic scan methods, especially in the case of a firewall filter.

Today we are going to demonstrate an “Nmap firewall scan” by making use of iptables rules and trying to bypass the firewall filter to perform NMAP advanced scanning.

Let’s Begin!!

Attacker’s IP: 192.168.0.107 [kali linux]

Target’s IP: 192.168.0.101 [Ubuntu]

Analyse TCP Scan

Open the terminal in your Kali Linux and execute the following command to perform a TCP [-sT] scan for open port enumeration.

From the image given below you can observe that we scanned port 22 and, as a result, it shows port 22 is open for the SSH service.

When you use Wireshark to capture the packets sent during a TCP scan while the network is being scanned, you need to notice a few things such as the “flags, total length and time to live [TTL]” [in layer 3].

The following table gives the flags, data length and TTL for the different scanning methods:

Scan name       Flags                                   Data length   TTL
-sT (TCP)       SYN →, ← SYN/ACK, ACK →, RST/ACK →      60            64
-sS (Stealth)   SYN →, ← SYN/ACK, RST →                 44            <64 (less than 64)
-sF (Finish)    FIN →                                   40            <64 (less than 64)
-sN (Null)      NULL →                                  40            <64 (less than 64)
-sX (Xmas)      FIN, PSH, URG →                         40            <64 (less than 64)

The following Wireshark image shows the network traffic generated while the nmap TCP scan is running; here the 1st stream indicates the SYN packet, which contains the following information:

Total Length: 60 [data length excluding the 14 bytes of Ethernet]

Time to live: 64 [it is the maximum TTL of a Linux system in TCP communication]

Reject SYN Flag with IPTables

As we know there is a constant fight between security researchers and attackers; to increase network security, the admin applies a firewall filter which prevents 3-way handshake communication in the network and stops the attacker from performing a TCP scan by rejecting SYN packets.

Execute the command given below in Ubuntu to block SYN packets:

iptables works as the firewall in the Linux operating system, and the above iptables rule will reject SYN packets to prevent a TCP scan.

Now that SYN packets are rejected by the firewall in the target network, the attacker will be unable to enumerate open ports of the target’s network even if services are active.

Now when we [the attacker] execute the TCP scan again, it finds port 22 closed, as shown in the given image.

Bypass SYN Filter

When the attacker fails to enumerate open ports using a TCP scan, there are some advanced scanning methods used to bypass such a firewall filter, as given below:

FIN Scan

A FIN packet is used to terminate the TCP connection between the source and destination ports, typically after the data transfer is complete. In place of the SYN packet, Nmap starts a FIN scan by sending a FIN packet.

A FIN scan only works on Linux machines and does not work on the latest versions of Windows.

From the given image you can observe the result that port 22 is open.

When you capture the network traffic for the FIN packet, you can bear out that the “data length” is 40 and the “TTL” is less than 64 every time; moreover, no SYN packet is used to establish TCP communication with the target machine.

NULL Scan

A Null scan is a series of TCP packets which hold a sequence number of “zeros” (0000000), and since no flags are set, the destination will not know how to reply to the request. It will discard the packet and no reply will be sent, which indicates that the port is open.

Null scans only work on Linux machines and do not work on the latest versions of Windows.

From the given image you can observe the result that port 22 is open.

Similarly, when you capture the network traffic for the NULL packet, you can bear out that the “data length” is 40 and the “TTL” is less than 64 every time; here too no SYN packet is used to establish TCP communication with the target machine.

XMAS Scan

These scans are designed to manipulate the PSH, URG and FIN flags of the TCP header: setting the FIN, PSH and URG flags lights the packet up like a Christmas tree. When the source sends a FIN, PSH and URG packet to a specific port and the port is open, the destination will discard the packet and will not send any reply to the source.

Xmas scans only work on Linux machines and do not work on the latest versions of Windows.

From the given image you can observe the result that port 22 is open.

Similarly, when you capture the network traffic for the Xmas scan you will see the combination of the FIN, PSH and URG flags; here too you can bear out that the “data length” is 40 and the “TTL” is less than 64 every time.

Conclusion: a TCP connection is established by a 3-way handshake, and if the firewall discards the 3-way handshake to prevent TCP communication, then FIN, NULL and XMAS scans are used for the TCP connection.

Reject FIN Packet Using IPTABLES Rule

Again the admin adds a new firewall filter to prevent network enumeration by FIN scan, which will reject FIN packets in the network.

Execute the command given below in Ubuntu to block FIN packets:

Now when the attacker tries to perform an advanced scan using the FIN scan, he will not be able to enumerate open port information, which you can confirm from the image given below.

At present only the Null and Xmas scans will help to perform port enumeration, unless the admin has also blocked the traffic of these scans. From the image given below you can confirm that port 22 is closed when the FIN scan is performed, while it is open when the Null and Xmas scans are performed.

To prevent your network from NULL and Xmas scans too, apply the iptables rules given below for Null and Xmas respectively:

Reject Data-length with IPTables

As I discussed above, TCP communication is based upon 3 factors, i.e. “Flag”, which I demonstrated above, “TTL”, which I will demonstrate later, and “Data length”, which I am going to demonstrate now.

So now, when the admin wants to secure his network from TCP scans again, instead of applying a firewall filter on TCP flags he can also apply a firewall rule that checks the “data length” for a specific size and then stops the incoming network traffic for the TCP connection. Execute the command given below to apply a firewall rule on “data length”; by default 60 is the data length used for a TCP scan, which you can confirm from the table given above.

Now that a data length of 60 bytes is blocked by the firewall in the target network, the attacker will be unable to enumerate open ports of the target even if the service is active.

Now when we [the attacker] execute the TCP scan again, it finds port 22 closed, as shown in the given image.

Bypass Data-Length Restriction with Stealth Scan

When the attacker fails to enumerate open ports using the TCP [-sT] scan, there are some scanning methods used to bypass such a firewall filter, as given below:

From the image given below you can observe that port 22 is open when the stealth scan [-sS] is executed; this is because the data length sent by the stealth scan is 44 by default for the TCP connection.

A stealth scan is much like a TCP scan and is also known as “half open” scanning because it sends a SYN packet, receives a SYN/ACK packet in response from a listening port and records the result without sending an ACK packet to the listening port. Therefore if the “SYN packet” is blocked by the firewall this scan fails; this scan is only applicable in case a data length of 60 or a TTL of 64 is blocked by the firewall.

Fragment Scan

The -f option causes the requested scan to use tiny fragmented IP packets. The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems and other annoyances to detect what you are doing. So a 20-byte TCP header would be split into three packets, two with eight bytes of the TCP header and one with the final four.

When you capture the network traffic, you can bear out that the “data length” is 28, excluding the 14 bytes of Ethernet, and the “TTL” is less than 64 every time.

Similarly, you can use the Fin, Null and Xmas scans, whose data length is 40, to enumerate the open ports of the target network.

If the admin applies a firewall filter to reject data lengths 40, 44 and 60 by executing the following iptables rules, it will not allow the attacker to perform any of the above scans, either basic or advanced.

From the image given below you can observe that the Fin, Null, Xmas and stealth scans are now unable to enumerate the open ports of the target network. All show the port as closed even though the service is active.

Data Length Scan

When an attacker is unable to enumerate open ports with the scans above, he should go with the nmap “data-length scan”, which will bypass the above firewall filter too.

By default an nmap scan has a fixed data length, as explained above; this scan lets you append random data of a length of your choice.

Using the following command the attacker tries to enumerate open ports by defining a data length of 12.

Awesome!! From the image given below you can observe that port 22 is open.

So when you use Wireshark to capture the network traffic generated while this scan is executed, you will get a “Total length” for TCP of 44.

The size of the SSH packet is 70 bytes; now subtract the 14 bytes of Ethernet, leaving 56 bytes; now subtract the 12 bytes of data length you defined, and in the end a total length of 44 bytes is left.

Here, 70 bytes - 14 bytes [Ethernet] = 56 bytes

Now, 56 bytes - 12 bytes [data-length] = 44 bytes

Reject Length size 1 to 100

If the admin is aware of the nmap data-length scan, he should block a complete range of data lengths to prevent network scanning by the attacker, by executing the following iptables rule.

Now the firewall will analyse the traffic arriving on its network, reject packets whose data length is from 1 byte to 100 bytes, and refuse to establish TCP connections with the attacker.

Now if the attacker sends a data length between 1 byte and 100 bytes, the port scan fails to enumerate the open state, which you can confirm from the image given below: when data lengths of 12 bytes and 10 bytes are sent in the two scans, port 22 is closed. As soon as the attacker sends a data length of 101 bytes, which is more than 100 bytes, port 22 shows as open.

TTL Scan

Reject TTL size with IPTables

After applying firewall filters on “TCP flags” and “data length” to secure the network from enumeration, now add a firewall filter for “Time To Live”, i.e. TTL.

If you look at the table given at the beginning of the article, you will observe that only the TCP scan [-sT] has a TTL value equal to 64, while the remaining scans have a TTL value less than 64 every time; hence if the admin applies a firewall filter to reject a TTL value of 64, it will prevent the network from TCP scanning.

The command given below will add a new firewall rule to check for a TTL value of 64 and reject the packet.

Now if the attacker uses the “TCP [-sT] scan” to enumerate port information, it will always show “port is closed”, whereas if another scan is performed the attacker will get accurate information about the port state. From the image given below you can observe that when the “basic scan is executed” to enumerate port details it gives “port 22 is open”.

This happens because the TTL value for the “basic scan” is less than 64 and the firewall of the target machine rejects only a TTL value equal to 64. When we captured the network traffic generated while this scan was executed, we found that a TTL value of 56 is used in the basic scan.

Now the admin adds one more step of security to prevent his network from every type of scanning, by rejecting TTL values of 64 and less than 64.

Now the firewall will analyse the traffic arriving on his network and block any packet containing a TTL of 64 or less.

Bravo!! The above firewall rule is more powerful than the previous rules because it completely blocks the NMAP “basic scan” as well as the “advanced scans”; if you look at the image given below you will observe that the TCP [-sT], Fin [-sF], data-length and stealth [-sS] scans have all failed and show the port as closed.

Still, there is a second way to enumerate the port for an accurate result: by setting a TTL value greater than 64. The following command will perform a port scan with a defined TTL value, i.e. 65, which will bypass the firewall filter as 65 is greater than 64.

So only if the attacker is lucky enough to guess the rejected TTL value or the firewall rule and applies the correct TTL will the port enumeration succeed, as shown in the given image where port 22 is open.

Source Port Scan

Source Port Filter with IPTables

One more step to secure the network from scanning is to apply a firewall rule that allows traffic from a specific source port only and rejects traffic from the remaining ports.

Now again the NMAP basic and advanced scans will fail to enumerate the open port state, and only if the attacker makes a correct guess about the firewall filter can he execute an NMAP source port scan to enumerate port details.

The option -g is used to define the source port which will carry the network packets to the destination port.

The above command will send traffic from port 80 to perform the scan; hence the firewall will allow the traffic from source port 80 and, as a result, show the state of the open ports.

Decoy Scan

Set Firewall Log to capture Attacker IP

The admin can set a firewall rule to create a log entry for each IP from which traffic is coming; it will only create system logs that capture the IP of the attacker performing the scan.

Now if the attacker performs any type of network scan on the targeted system, the firewall will generate a log which captures his IP.

Escape from the Firewall Log

Always use some kind of precaution to protect yourself while performing network scanning, because in Windows a “honey pot” and in Linux “iptables” firewalls will log the attacker’s IP. In such a situation, you are suggested to use a decoy scan for port enumeration.

Decoy Scan

The -D option makes it look like decoys are scanning the target network. It does not hide your own IP, but it makes your IP one of a torrent of others supposedly scanning the victim at the same time. This not only makes the scan look scarier, but reduces the chance of you being traced from your scan (it is difficult to tell which system is the “real” source).

In the above command, we used a Google IP as the decoy, which will be reflected as the attacker’s IP in the firewall log.

When the admin reads the system log he will take the highlighted IP as the attacker’s IP and may apply a filter on this IP to block incoming traffic from it.

MSSQL Penetration Testing using Nmap

Hello friends! Today we are going to perform Microsoft SQL penetration testing using NMAP scripts in order to retrieve basic information such as database names, usernames, table names, etc. from inside a SQL Server running on the Windows operating system. In our previous article, we set up Microsoft SQL Server on Windows 10.

Requirement

Attacker: Kali Linux (NMAP)

Target: Windows 10 (MS SQL Server)

Let’s start!!

Scan port 1433

Open the terminal in Kali Linux and scan the target IP for port 1433 using the nmap command.

From the image given below you can observe that port 1433 is open for the MS-SQL service.

Enumerating version information

The command given below will attempt to determine configuration and version information for Microsoft SQL Server instances.

In the image below you can observe the installed version and details of the MS-SQL server.

Brute Force Attack

The command given below will attempt to determine usernames and passwords through a brute force attack against MS-SQL by means of a username and password dictionary.

In the image below you can observe that we successfully retrieved credentials for two users:

  • Username: ignite and password:12345
  • Username: sa and password:admin123

Execute MS-SQL Query

Once you have retrieved the login credentials, use them in the NMAP script to execute an MS-SQL query. The command given below will try to execute the query “sp_databases” against Microsoft SQL Server.

The specified query “sp_databases” is one of the catalog stored procedures and dumps a list of database names from an instance of SQL Server.

Hence, as a result, it has dumped two database names, “ignite” and “master”, where master is the default database of the MS-SQL server.

Check Microsoft SQL server configuration

The following command will attempt to describe the Microsoft SQL Server configuration settings by passing the login credentials as arguments to the nmap script.

Hence you can check the configuration settings in the image given below.

Obtain a list of tables

The following command will attempt to fetch a list of tables from inside Microsoft SQL Server by passing the login credentials as arguments to the nmap script.

Hence you can check the list of tables in the image given below.

Enumerate NetBIOS information

The NMAP script given below will enumerate information from remote Microsoft SQL services with NTLM authentication enabled.

Sending an MS-TDS NTLM authentication request with an invalid domain and null credentials will cause the remote service to respond with an NTLMSSP message disclosing information including the NetBIOS name, DNS name and OS build version.

Hence, from the image given below, you can read the NetBIOS information of the remote Microsoft SQL server.

Dump password hashes

The following command will dump the password hashes from an MS-SQL server in a format suitable for cracking by tools such as John the Ripper. In order to do so, the user needs to have the appropriate DB privileges.

From the given image you can observe that it has dumped the hash of the password of user sa, which we enumerated above.

Identify the database owner

The following command will execute a query against Microsoft SQL Server instances for a list of databases a user has access to. In order to do so, the user needs to have the appropriate DB privileges; therefore we pass the username and password as arguments to the NMAP script.

In the image below you can observe that it shows user sa is the owner of the database “ignite”.

MS-SQL Allows the xp_cmdshell Option

xp_cmdshell is a function of Microsoft SQL Server that allows system administrators to execute an operating system command. By default, the xp_cmdshell option is disabled.

From the image given below you can see that we enabled the xp_cmdshell function by executing the following statements inside the master database (xp_cmdshell is an advanced option, so 'show advanced options' has to be turned on before it can be set):

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;

Now save the above configuration setting with the following statement:

RECONFIGURE;

Exploit XP_cmdshell Function

Now the following NMAP script will attempt to run a command using the command shell of Microsoft SQL Server if it finds xp_cmdshell enabled on the targeted server.

From the given image you can confirm that we executed the OS command net user, retrieving the user accounts.

Blank Password Leads to Unauthorized Access

If the admin of Microsoft SQL Server leaves the login password blank, the attacker can log in directly to the database server; in the image given below you can see we are exploring the properties of the user account “sa”.

Here we kept a “blank space” as the password for user “sa”. As we know, by default sa is the admin of the MS-SQL server, and now its password is a blank space; therefore the chances of the attacker gaining unauthorized access to the server increase.

Make unauthorized access into SQL server

The following NMAP script will try to authenticate to Microsoft SQL Servers using an empty password for the sysadmin (sa) account.

From the image given below you can see that we successfully logged in with user sa and an empty password.

Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher.