
ms-sql-brute in 7.92 does not find existing login/password (in 7.91 found successfully) #2388

Open
rag-altx opened this issue Oct 29, 2021 · 6 comments

Comments

@rag-altx

I am scanning from Windows 10 20H2, Npcap 1.50. Remote SQL Server info:

Microsoft SQL Server 2016 (RTM-GDR) (KB3210111) - 13.0.1728.2 (X64)
Dec 13 2016 04:40:28
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows Server 2012 R2 Standard 6.3 (Build 9600: ) (Hypervisor)

The logins file contains only one correct login, and the passwords file contains only one correct password. In Nmap 7.91 the login/password was found successfully (sa/p@ssword12-), but in 7.92 it is not found.

nmap -p 1433 -T4 -d3 -v -Pn --script ms-sql-brute --script-args "mssql.instance-port=1433,userdb=C:\Users\rag\Downloads\usernames.lst,passdb=C:\Users\rag\Downloads\passwords.lst" 192.168.10.104 --disable-arp-ping -sT

7.91_interactive.txt
7.92_interactive.txt

@rag-altx rag-altx added the Nmap label Oct 29, 2021
@dmiller-nmap

Thanks for reporting this. The fix for #2056 made the password stored in Unicode, but the Auth.TDS7CryptPassword function was assuming ASCII and doing a transcode by XORing each byte with a 16-bit integer. The fix is in and will be synced shortly. Usernames and passwords can be provided in UTF-8.
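
An added example (not Nmap's own code) that shows the encoding mismatch described above. The spec-conformant TDS7 login password obfuscation from MS-TDS (nibble swap, then XOR with 0xA5, applied to the UTF-16LE bytes) is placed beside a reconstruction, based only on the description in this comment, of an ASCII-only routine that XORs each input byte with a 16-bit mask and emits two bytes per character. The two agree on ASCII input, but once the caller already supplies UTF-16LE, the ASCII-only routine widens the password a second time. The 0x5A5A mask in the reconstruction is an assumption.

```python
# Added example: TDS7 password obfuscation and the ASCII-vs-Unicode pitfall.
# Not Nmap's code; the MS-TDS rule is per byte: swap nibbles, then XOR 0xA5.

def tds7_obfuscate_bytes(data: bytes) -> bytes:
    """Apply the MS-TDS obfuscation to every byte of an already-encoded buffer."""
    out = bytearray()
    for b in data:
        swapped = ((b >> 4) & 0x0F) | ((b << 4) & 0xF0)
        out.append(swapped ^ 0xA5)
    return bytes(out)


def tds7_crypt_password(password: str) -> bytes:
    """Spec-conformant: encode as UTF-16LE first, then obfuscate each byte."""
    return tds7_obfuscate_bytes(password.encode("utf-16-le"))


def tds7_deobfuscate(data: bytes) -> str:
    """Server-side inverse: undo the XOR, swap nibbles back, decode UTF-16LE."""
    out = bytearray()
    for b in data:
        x = b ^ 0xA5
        out.append(((x >> 4) & 0x0F) | ((x << 4) & 0xF0))
    return out.decode("utf-16-le")


def tds7_crypt_password_ascii_only(raw: bytes) -> bytes:
    """Reconstruction (assumption) of the pre-fix behaviour: one input byte per
    character, XOR with a 16-bit mask, nibble-swap both halves, emit 2 bytes.
    The 0x00 high byte of each UTF-16LE code unit is produced here as a side
    effect, so this is only correct when `raw` is plain ASCII, not UTF-16LE."""
    out = bytearray()
    for b in raw:
        c = b ^ 0x5A5A                      # 0x5A nibble-swapped is 0xA5
        m1 = (c >> 4) & 0x0F0F
        m2 = (c << 4) & 0xF0F0
        out += (m1 | m2).to_bytes(2, "little")
    return bytes(out)


def compare(password: str) -> tuple[bool, int, int]:
    """Return (ascii_path_matches_spec, spec_len, len_when_fed_utf16le_input)."""
    spec = tds7_crypt_password(password)
    legacy_ascii = tds7_crypt_password_ascii_only(password.encode("ascii"))
    legacy_utf16 = tds7_crypt_password_ascii_only(password.encode("utf-16-le"))
    return spec == legacy_ascii, len(spec), len(legacy_utf16)


if __name__ == "__main__":
    # Password taken from the report above; the doubled length is the bug.
    print(compare("p@ssword12-"))           # (True, 22, 44)
```

The third value is twice the second: a client that already holds the UTF-16LE password and then runs it through the ASCII-only routine sends a buffer the server cannot match against the stored credential, which is exactly a silent "not found" from a brute-force script.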

mzet- pushed a commit to mzet-/Nmap-for-Pen-Testers that referenced this issue Dec 20, 2021
@cldrn cldrn reopened this Jan 12, 2022
@cldrn

cldrn commented Jan 12, 2022

I am re-opening this as I just spotted an instance (Microsoft SQL Server 2005 9.00.3042; SP2) where login is failing when the password "P@ssw0rd" is used.

@1trapbox

I also ran into a problem.

恭喜發財 ~ Time 2s 
❯ nmap -Pn -p 1433 --script ms-sql-brute --script-args userdb=username.lst,passdb=passwprd.lst Target IP -d
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-13 21:17 CST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: userdb=username.lst,passdb=passwprd.lst
NSE: Arguments parsed: userdb=username.lst,passdb=passwprd.lst
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 21:17
Completed NSE at 21:17, 0.00s elapsed
mass_rdns: Using DNS server 192.168.96.2
Initiating Parallel DNS resolution of 1 host. at 21:17
mass_rdns: 0.17s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 21:17, 0.17s elapsed
DNS resolution of 1 IPs took 0.17s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:17
Scanning Target IP [1 port]
Discovered open port 1433/tcp on Target IP
Completed Connect Scan at 21:17, 0.06s elapsed (1 total ports)
Overall sending rates: 15.93 packets / s.
NSE: Script scanning Target IP.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 21:17
NSE: [ms-sql-brute Target IP] brandedVersion: 2005, #lookup: 5
NSE: [ms-sql-brute Target IP] brandedVersion: 2019, #lookup: 29
NSE: Starting ms-sql-brute against Target IP:1433.
NSE: ms-sql-brute against Target IP:1433 threw an error!
attempt to index a nil value
stack traceback:
        [C]: in for iterator 'for iterator'
        /usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
        (...tail calls...)

Completed NSE at 21:17, 5.43s elapsed
Nmap scan report for Target IP
Host is up, received user-set (0.063s latency).
Scanned at 2022-12-13 21:17:03 CST for 5s

PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
Final times for host: srtt: 62643 rttvar: 62643  to: 313215

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 21:17
Completed NSE at 21:17, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 5.79 seconds

恭喜發財 ~ Time 5s 
❯ nmap -Pn -p 1433 --script ms-sql-brute --script-args userdb=username.lst,passdb=passwprd.lst Target IP -d
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-13 21:39 CST
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: userdb=username.lst,passdb=passwprd.lst
NSE: Arguments parsed: userdb=username.lst,passdb=passwprd.lst
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 21:39
Completed NSE at 21:39, 0.00s elapsed
mass_rdns: Using DNS server 192.168.96.2
Initiating Parallel DNS resolution of 1 host. at 21:39
mass_rdns: 0.25s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 21:39, 0.25s elapsed
DNS resolution of 1 IPs took 0.25s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:39
Scanning Target IP [1 port]
Discovered open port 1433/tcp on Target IP
Completed Connect Scan at 21:39, 0.06s elapsed (1 total ports)
Overall sending rates: 15.39 packets / s.
NSE: Script scanning Target IP.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 21:39
NSE: [ms-sql-brute Target IP] brandedVersion: 2005, #lookup: 5
NSE: [ms-sql-brute Target IP] brandedVersion: 2019, #lookup: 29
NSE: Starting ms-sql-brute against Target IP:1433.
NSE: ms-sql-brute against Target IP:1433 threw an error!
attempt to index a nil value
stack traceback:
        [C]: in for iterator 'for iterator'
        /usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
        (...tail calls...)

Completed NSE at 21:39, 5.42s elapsed
Nmap scan report for Target IP
Host is up, received user-set (0.065s latency).
Scanned at 2022-12-13 21:39:12 CST for 6s

PORT     STATE SERVICE  REASON
1433/tcp open  ms-sql-s syn-ack
Final times for host: srtt: 64854 rttvar: 64854  to: 324270

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 21:39
Completed NSE at 21:39, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 5.85 seconds

How can I solve this problem?

@o0mrs

o0mrs commented Dec 23, 2022

same here

@iasdeoupxe

iasdeoupxe commented Jul 9, 2023

While this issue is older, it looks like #2622 could be a duplicate, and a patch within it is available which could fix this as well.
