Home page logo

nmap-dev logo Nmap Development mailing list archives

[NSE] Improved version of ms-sql-info
From: Chris Woodbury <chris3e3 () gmail com>
Date: Mon, 24 Jan 2011 20:19:37 -0600

I have taken the ms-sql-info script and made what I hope are
considered to be some improvements. Chief among them, the version
detection is now more reliable, more accurate, and uses a method that
would let the script's categorization be changed from "intrusive" to
"safe" (a big plus for a default script).

The revised script uses the same Discover function from the mssql
library, but, instead of attempting to log in with a blank password
for the "sa" account to check the version, it sends a TDS pre-login
packet and parses the server's version number from the response (the
same method used by SQLPing and by Nmap's own service versioning
probes). This has the advantage of working every time, as long as the
TCP port for the SQL Server instance is accessible (and, if it
weren't, the logging-in method wouldn't work either), and it also
doesn't run the risk of failed login attempts (which are dangerous now
that SQL Server has account lockout policies). Plus, the lost side
functionality is now available in the ms-sql-empty-password script.

Now that we have a more reliable way of getting accurate version
information, I also expanded the display of the version information,
so that the script determines the version, the service pack level and
whether additional patches have been installed.

Additionally, as an aid to people who may not want an NSE script to
make connections to ports they did not originally scan, I added a
"browseronly" argument, which will have the script only connect to the
SQL Server Browser service (done by mssql.Helper.Discover). This
limits the accuracy of the version information, but allows tighter
control over what the script is doing.

Also, I took the liberty of removing the "require('target')," since it
wasn't being used and may mislead users into thinking that the script
will add identified instances (which would be great functionality).

Last but not least, I updated the existing NSEDoc information and
expanded the description.

As I mentioned previously, I'm fairly new to Lua and NSE scripting, so
I would love to hear any feedback.


Attachment: ms-sql-info.nse

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]