Before proceeding, please note that there are many tools and methods that have the ability to scan for weak or blank MS-SQL passwords. SQLPing comes to mind which is a great tool if you’re on a Windows host. Metasploit has the ability to scan for MS-SQL passwords as well but it isn’t ideal for targeted lists and it can take time trying to connect to hosts that don’t have SQL installed. I could probably write a few extra pages just about tools and methods so I’ll stop there and get started.

The goal here is to:

1. Perform a discovery of hosts running MS-SQL across a large network.

2. Check the discovered MS-SQL hosts for an SA account and weak or blank passwords.

3. Save all output to files for reference and evidence.

We will be using Ubuntu in our example. I will not be going into great detail about using nmap and/or medusa. If you are new to these tools I suggest you check the links in the references section below. The install commands need to be run as root so if you’re not logged in as root, add sudo to your commands or su to root first.

The only two requirements are medusa and nmap. If you don’t have them installed you can easily install them by issuing the following command within a terminal:

apt-get install nmap medusa

Also note that we have our list of targets in “companyname_int_live_targets_all.txt.”

Example:

192.168.1.0/24

192.168.100.0/24

192.168.150.0/24

To get started we issue the following nmap command from the terminal:

nmap -v -n -PN -T4 -sT -sU -p T:1433,U:1434 -oA ./companyname_int_sql_portscan -iL ./companyname_int_live_targets_all.txt

The above can be broken down as follows:

-v: verbosity – this will increase the output and status of the scan.

-n: Never do DNS resolution – The reason we turn this off is to increase the speed of the scan. It doesn’t save much time but when you’re going across really large networks it helps.

-PN: Treat all hosts as online – this skips pinging the hosts. Since some systems filter ICMP requests this will keep the scanner from flagging them as offline.

-T4: Set timing template – Setting this to 4 (5 being the most aggressive) speeds the scan up. Since we’re only scanning for two ports this shouldn’t cause any network issues.

-sT: TCP connect scan – Checks port 1433 with a full TCP connection rather than a raw SYN probe.

-sU: UDP Scan – This enables UDP port scanning, which is needed for -p U:1434.

-p T:1433,U:1434: This specifies the ports that we’re scanning for: the standard MS-SQL TCP port and the SQL Browser UDP port. On MS-SQL 2005 and later, dynamic port allocation can be used, which makes the TCP port random. Medusa handles this well, as we will mention later on.

-oA ./companyname_int_sql_portscan: Output in the three major formats at once (normal, XML, and Grepable format). – We will only be using Grepable for this engagement but it’s nice to have all three if needed for other information gathering down the line.

-iL ./companyname_int_live_targets_all.txt: Input from list of hosts/networks – This is optional. It’s nice if you have several segments to scan or a specific list of targets to test. Otherwise you can leave this off and just specify the IP range directly.

The above is fine tuned to go pretty quick so once it’s complete we’ll move on to pulling the IP addresses of hosts that have the default MS-SQL port open. The goal here is to have a file with hosts running MS-SQL only. This will limit the time it takes when we move on to the brute force and/or dictionary piece.

We do this by issuing the following command:

grep open ./companyname_int_sql_portscan.gnmap | awk '{print $2}' | tee ./companyname_int_live_mssql_targets.txt

The above can be broken down as follows:

grep open ./companyname_int_sql_portscan.gnmap: This reads the grepable nmap file directly (no cat needed) and searches for lines containing the word “open.” This will print out all hosts with the open ports we’re looking for (for more information on grep check the “References” listed below).

awk: This will print out field 2 which contains the IP address associated with the open port line (for more information on awk check the “References” listed below).

tee: This will write the MS-SQL hosts to ./companyname_int_live_mssql_targets.txt while still displaying them on the screen (for more information on tee check the “References” listed below).

If MS-SQL is running on any of the hosts you should see a list of IPs in the output similar to the following:

192.168.1.5

192.168.100.10

192.168.150.4

Now that we have the list of MS-SQL hosts we use medusa to check for the sa account and blank password. We do this by issuing the following command:

medusa -H ./companyname_int_live_mssql_targets.txt -u sa -e ns -M mssql |tee ./companyname_int_mssql_sa_scan.txt

Alternatively, you can scan for more default and common passwords by issuing the following command:

medusa -H ./companyname_int_live_mssql_targets.txt -u sa -P ./mssql_passwords.txt -M mssql |tee ./companyname_int_mssql_sa_scan.txt

The above can be broken down as follows:

-H ./companyname_int_live_mssql_targets.txt: File containing target hostnames or IP addresses.

-u sa: Username to test (sql admin).

-e ns: Additional password checks. In this case we use “ns” which means “No Password” and “Same as Username.”

-P ./mssql_passwords.txt: File containing passwords to test. ./mssql_passwords.txt will contain a list of common MSSQL passwords.

‘./mssql_passwords.txt’ content:

blank

password

sa

admin

administrator

tee: This will write the output from medusa to ./companyname_int_mssql_sa_scan.txt (for more information on tee check the “References” listed below). It will also be displayed on the screen.

Don’t be alarmed if you see a lot of messages about not being able to connect to port 1433 while medusa is running. This is normal since not all of the IP addresses returned are really running MS-SQL. Nmap reports a UDP port as “open|filtered” when it gets no reply, and our grep for “open” matches those lines too, so some hosts are flagged as only potentially open.
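The following is an added example, not code from the original post, that ties the grep/awk step above to this warning. It contrasts the post’s “grep open” selection with a stricter read of the .gnmap file that only keeps hosts whose TCP 1433 is “open” or whose UDP 1434 actually answered, so the inventory passed to the next step (and kept as evidence) contains fewer phantom hosts. The .gnmap content and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. nmap marks a UDP port as
# "open|filtered" when it simply gets no answer, and "grep open" matches
# those lines too, which is why medusa later reports hosts with nothing on
# 1433. The stricter selection below keeps only hosts where TCP 1433 is
# "open" or UDP 1434 genuinely answered ("open").
# The .gnmap content is constructed for this example; addresses are illustrative.

SAMPLE_GNMAP="${TMPDIR:-/tmp}/constructed_sql_portscan.gnmap"
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap scan initiated (constructed sample in grepable format)
Host: 192.168.1.5 ()	Status: Up
Host: 192.168.1.5 ()	Ports: 1433/open/tcp//ms-sql-s///, 1434/open|filtered/udp//ms-sql-m///	Ignored State: closed (0)
Host: 192.168.1.9 ()	Status: Up
Host: 192.168.1.9 ()	Ports: 1433/filtered/tcp//ms-sql-s///, 1434/open|filtered/udp//ms-sql-m///	Ignored State: closed (0)
Host: 192.168.100.10 ()	Status: Up
Host: 192.168.100.10 ()	Ports: 1433/closed/tcp//ms-sql-s///, 1434/open/udp//ms-sql-m///	Ignored State: closed (0)
Host: 192.168.150.4 ()	Status: Up
Host: 192.168.150.4 ()	Ports: 1433/closed/tcp//ms-sql-s///, 1434/closed/udp//ms-sql-m///	Ignored State: closed (0)
# Nmap done (constructed sample)
EOF

# The post's original selection, for comparison: any line containing "open",
# which also sweeps in the "open|filtered" UDP results.
loose_hosts() {
    grep open "$1" | awk '{print $2}'
}

# Stricter selection: $1 is a .gnmap path; prints one IP per line, in file
# order, without duplicates. index() is non-zero only when the exact state
# string is present, so "1434/open|filtered/udp" does not match "1434/open/udp".
mssql_hosts() {
    awk '/Ports:/ && (index($0, "1433/open/tcp") || index($0, "1434/open/udp")) && !seen[$2]++ { print $2 }' "$1"
}

echo "Original grep open selection:"
loose_hosts "$SAMPLE_GNMAP"
echo "Hosts with a confirmed MS-SQL listener:"
mssql_hosts "$SAMPLE_GNMAP"
```

With the constructed file, loose_hosts prints three addresses (including 192.168.1.9, which only has an unanswered UDP probe) while mssql_hosts prints two.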

Finally, getting back to how medusa handles using the UDP port, here is an excerpt from the mssql.mod:

“The MSSQL module will auto-detect the TCP ports used by the SQL server instances on the remote host. This is accomplished via a “SQL Ping” UDP request. If multiple instances are present on the host, only the first will be tested. Any additional instances will be reported and their respective TCP port will be noted. The auto-detection can be over-ridden by specifying a port via the Medusa “-n” option.”

That’s it. All of the output is displayed in the terminal and saved to files in the directory you’re running the command from for archiving, later reference, and evidence.

Oh yeah, can you put it all on autopilot? Of course… here’s a really long command to start it and come back later:

nmap -v -n -PN -T4 -sT -sU -p T:1433,U:1434 -oA ./companyname_int_sql_portscan -iL ./companyname_int_live_targets_all.txt && grep open ./companyname_int_sql_portscan.gnmap | awk '{print $2}' | tee ./companyname_int_live_mssql_targets.txt && medusa -H ./companyname_int_live_mssql_targets.txt -u sa -e ns -M mssql | tee ./companyname_int_mssql_sa_scan.txt

Final note: It seems long for just scanning default MS-SQL passwords but it’s fast, expandable, and especially great for large networks. Both tools have a lot more options than what was used above. To fully utilize these tools check out the “References” section below.

Robert Gilbert
Senior Consultant