1local os = require "os" 2local datetime = require "datetime" 3local mssql = require "mssql" 4local shortport = require "shortport" 5local stdnse = require "stdnse" 6local smbauth = require "smbauth" 7local string = require "string" 8 9 10description = [[ 11This script enumerates information from remote Microsoft SQL services with NTLM 12authentication enabled. 13 14Sending a MS-TDS NTLM authentication request with an invalid domain and null 15credentials will cause the remote service to respond with a NTLMSSP message 16disclosing information to include NetBIOS, DNS, and OS build version. 17]] 18 19 20--- 21-- @usage 22-- nmap -p 1433 --script ms-sql-ntlm-info <target> 23-- 24-- @output 25-- 1433/tcp open ms-sql-s 26-- | ms-sql-ntlm-info: 27-- | Target_Name: ACTIVESQL 28-- | NetBIOS_Domain_Name: ACTIVESQL 29-- | NetBIOS_Computer_Name: DB-TEST2 30-- | DNS_Domain_Name: somedomain.com 31-- | DNS_Computer_Name: db-test2.somedomain.com 32-- | DNS_Tree_Name: somedomain.com 33-- |_ Product_Version: 6.1.7601 34-- 35--@xmloutput 36-- <elem key="Target_Name">ACTIVESQL</elem> 37-- <elem key="NetBIOS_Domain_Name">ACTIVESQL</elem> 38-- <elem key="NetBIOS_Computer_Name">DB-TEST2</elem> 39-- <elem key="DNS_Domain_Name">somedomain.com</elem> 40-- <elem key="DNS_Computer_Name">db-test2.somedomain.com</elem> 41-- <elem key="DNS_Tree_Name">somedomain.com</elem> 42-- <elem key="Product_Version">6.1.7601</elem> 43 44 45author = "Justin Cacak" 46license = "Same as Nmap--See https://nmap.org/book/man-legal.html" 47categories = {"default", "discovery", "safe"} 48 49portrule = shortport.port_or_service(1433, "ms-sql-s") 50 51action = function(host, port) 52 53 local output = stdnse.output_table() 54 55 local tdsstream = mssql.TDSStream:new() 56 local status, result = tdsstream:Connect(host, port) 57 if not status then 58 return nil 59 end 60 61 local lp = mssql.LoginPacket:new() 62 lp:SetUsername("") 63 lp:SetPassword("") 64 lp:SetDatabase("") 65 lp:SetServer(stdnse.get_hostname(host)) 66 -- Setting domain forces NTLM authentication 67 lp:SetDomain(".") 68 69 status, result = tdsstream:Send( lp:ToString() ) 70 if not status then 71 tdsstream:Disconnect() 72 return nil 73 end 74 75 local status, response, errorDetail = tdsstream:Receive() 76 local recvtime = os.time() 77 tdsstream:Disconnect() 78 79 local ttype, pos = string.unpack("B", response) 80 if ttype ~= mssql.TokenType.NTLMSSP_CHALLENGE then 81 return nil 82 end 83 84 local data, pos = string.unpack("<s2", response, pos) 85 if not string.match(data, "^NTLMSSP") then 86 return nil 87 end 88 89 -- Leverage smbauth.get_host_info_from_security_blob() for decoding 90 local ntlm_decoded = smbauth.get_host_info_from_security_blob(data) 91 92 if ntlm_decoded.timestamp then 93 -- 64-bit number of 100ns clicks since 1/1/1601 94 local unixstamp = ntlm_decoded.timestamp // 10000000 - 11644473600 95 datetime.record_skew(host, unixstamp, recvtime) 96 end 97 98 -- Target Name will always be returned under any implementation 99 output.Target_Name = ntlm_decoded.target_realm 100 101 -- Display information returned & ignore responses with null values 102 if ntlm_decoded.netbios_domain_name and #ntlm_decoded.netbios_domain_name > 0 then 103 output.NetBIOS_Domain_Name = ntlm_decoded.netbios_domain_name 104 end 105 106 if ntlm_decoded.netbios_computer_name and #ntlm_decoded.netbios_computer_name > 0 then 107 output.NetBIOS_Computer_Name = ntlm_decoded.netbios_computer_name 108 end 109 110 if ntlm_decoded.dns_domain_name and #ntlm_decoded.dns_domain_name > 0 then 111 output.DNS_Domain_Name = ntlm_decoded.dns_domain_name 112 end 113 114 if ntlm_decoded.fqdn and #ntlm_decoded.fqdn > 0 then 115 output.DNS_Computer_Name = ntlm_decoded.fqdn 116 end 117 118 if ntlm_decoded.dns_forest_name and #ntlm_decoded.dns_forest_name > 0 then 119 output.DNS_Tree_Name = ntlm_decoded.dns_forest_name 120 end 121 122 if ntlm_decoded.os_major_version then 123 output.Product_Version = string.format("%d.%d.%d", 124 ntlm_decoded.os_major_version, ntlm_decoded.os_minor_version, ntlm_decoded.os_build) 125 end 126 127 return output 128 129end 130