Vulnerability Details

Nmap NSE 6.01: ms-sql-info

Published: 2013-02-28 13:31:01

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Detection Type:
remote_analysis

Summary:
Attempts to determine configuration and version information for Microsoft SQL Server instances.

SQL Server credentials required: No (will not benefit from 'mssql.username' & 'mssql.password').

Run criteria:
  • Host script: Will always run.
  • Port script: N/A

NOTE: Unlike previous versions, this script will NOT attempt to log in to SQL Server instances. Blank passwords can be checked using the 'ms-sql-empty-password' script. E.g.: 'nmap -sn --script ms-sql-empty-password --script-args mssql.instance-all '

The script uses two means of getting version information for SQL Server instances:
  • Querying the SQL Server Browser service, which runs by default on UDP port 1434 on servers that have SQL Server 2000 or later installed. However, this service may be disabled without affecting the functionality of the instances. Additionally, it provides imprecise version information.
  • Sending a probe to the instance, causing the instance to respond with information including the exact version number. This is the same method that Nmap uses for service versioning. However, this script can also do the same for instances accessible via Windows named pipes, and can target all of the instances listed by the SQL Server Browser service.

In the event that the script can connect to the SQL Server Browser service (UDP 1434) but is unable to connect directly to the instance to obtain more accurate version information (because ports are blocked or the 'mssql.scanned-ports-only' argument has been used), the script will rely only upon the version number provided by the SQL Server Browser/Monitor, which has the following limitations:
  • For SQL Server 2000 and SQL Server 7.0 instances, the RTM version number is always given, regardless of any service packs or patches installed.
  • For SQL Server 2005 and later, the version number will reflect the service pack installed, but the script will not be able to tell whether patches have been installed.
SYNTAX:
  • mssql.instance-name: The name of the instance to connect to.
  • mssql.instance-all: Targets all SQL Server instances discovered through the Browser service.
  • mssql.password: The password for 'mssql.username'. If this argument is not given but 'mssql.username' is, a blank password is used.
  • mssql.username: The username to use to connect to SQL Server instances. This username is used by scripts taking actions that require authentication (e.g. 'ms-sql-query'). This username (and its associated password) takes precedence over any credentials discovered by the 'ms-sql-brute' and 'ms-sql-empty-password' scripts.
  • mssql.protocol: The protocol to use to connect to the instance. The protocol may be either 'NP', 'Named Pipes' or 'TCP'.
  • mssql.scanned-ports-only: If set, the script will only connect to ports that were included in the Nmap scan. This may result in instances not being discovered, particularly if UDP port 1434 is not included. Additionally, instances that are found to be running on ports that were not scanned (e.g. if 1434/udp is in the scan and the SQL Server Browser service on that port reports an instance listening on 43210/tcp, which was not scanned) will be reported but will not be stored for use by other ms-sql-* scripts.
  • mssql.instance-port: The port of the instance to connect to.
  • mssql.timeout: How long to wait for SQL responses. This is a number followed by 'ms' for milliseconds, 's' for seconds, 'm' for minutes, or 'h' for hours. Default: '30s'.
  • mssql.domain: The domain against which to perform integrated authentication. When set, the scripts assume integrated authentication should be performed, rather than the default SQL login.
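The Browser-service step of the summary above, and the 'mssql.scanned-ports-only' caveat in the argument list, can be illustrated with a parser for the Browser service's UDP reply. The following is an added example, not code from the Nmap script or from Mageni. It assumes the SSRP wire format documented by Microsoft (a one-byte 0x03 CLNT_UCAST_EX request; a reply starting with 0x05, a two-byte little-endian length, and semicolon-separated key/value pairs with each instance record terminated by ';;'). The host names, ports and version strings in the sample reply are constructed, and the product-family table is my own: it resolves only major/minor numbers, which is exactly why a Browser-only answer cannot tell you whether patches are installed.

```python
"""Parse SQL Server Browser (SSRP, UDP 1434) replies into an instance inventory.

Added example for auditing your own hosts; assumes the SSRP format described in
the lead-in. Nothing is sent on import: query_browser() runs only under __main__.
"""
import socket
import struct

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # request: enumerate every instance on the host
SVR_RESP = 0x05           # first byte of a Browser reply

# Hypothetical lookup table (major, minor) -> product family. Deliberately coarse:
# the Browser service never reports anything finer than RTM/service-pack level.
PRODUCT_FAMILIES = {
    (7, 0): "SQL Server 7.0", (8, 0): "SQL Server 2000", (9, 0): "SQL Server 2005",
    (10, 0): "SQL Server 2008", (10, 50): "SQL Server 2008 R2",
    (11, 0): "SQL Server 2012", (12, 0): "SQL Server 2014", (13, 0): "SQL Server 2016",
    (14, 0): "SQL Server 2017", (15, 0): "SQL Server 2019", (16, 0): "SQL Server 2022",
}


def parse_ssrp_response(datagram: bytes) -> list:
    """Return one dict of key/value fields per instance record in a SVR_RESP datagram."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    body = datagram[3:3 + size]
    if len(body) != size:  # a truncated reply must not be silently accepted
        raise ValueError("truncated SVR_RESP: header says %d bytes, got %d" % (size, len(body)))
    instances = []
    for record in body.decode("ascii", errors="replace").split(";;"):
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:           # tolerate a trailing key with no value
            fields.append("")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def classify_version(version: str) -> dict:
    """Map a Browser-reported version to a family and say how precise that answer is."""
    parts = version.split(".")
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return {"family": "unknown", "version": version, "precision": "unknown"}
    family = PRODUCT_FAMILIES.get((major, minor)) or PRODUCT_FAMILIES.get((major, 0), "unknown")
    # 7.0/2000 always answer with the RTM build; 2005+ reflect the service pack only.
    precision = "rtm-only" if major <= 8 else "service-pack"
    return {"family": family, "version": version, "precision": precision}


def inventory(datagram: bytes, scanned_tcp_ports=None) -> list:
    """Summarise each instance and flag ports outside the scanned set (the
    mssql.scanned-ports-only situation: reported, but not usable for a direct probe)."""
    result = []
    for inst in parse_ssrp_response(datagram):
        port = int(inst["tcp"]) if inst.get("tcp", "").isdigit() else None
        entry = {"instance": inst.get("InstanceName", "?"), "tcp_port": port,
                 "named_pipe": inst.get("np")}
        entry.update(classify_version(inst.get("Version", "")))
        entry["port_was_scanned"] = scanned_tcp_ports is None or port in scanned_tcp_ports
        result.append(entry)
    return result


def build_sample_response(records: list) -> bytes:
    """Encode constructed records the way the Browser service would (for offline tests)."""
    body = "".join(r + ";;" for r in records).encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


# Constructed sample: a default instance on 1433 and a named instance on a dynamic port.
SAMPLE_RECORDS = [
    "ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;Version;10.50.1600.1;tcp;1433",
    "ServerName;DBHOST01;InstanceName;SQLEXPRESS;IsClustered;No;Version;12.0.2000.8;"
    "tcp;49152;np;\\\\DBHOST01\\pipe\\MSSQL$SQLEXPRESS\\sql\\query",
]


def query_browser(host: str, timeout: float = 2.0) -> bytes:
    """Send CLNT_UCAST_EX to a host you administer and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return data


if __name__ == "__main__":
    for row in inventory(build_sample_response(SAMPLE_RECORDS), scanned_tcp_ports={1433}):
        print(row)
```

Run stand-alone, it prints the two constructed instances; the SQLEXPRESS entry comes back with `port_was_scanned` false, mirroring what the script means when it says such instances are reported but not stored for the other ms-sql-* scripts. To inventory a real host you administer, pass `query_browser("host")` to `inventory()` instead of the sample datagram.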

Solution Type:
Mitigation

Severity
Medium
CVSS Score
5.0
Published
2013-02-28
Modified
2018-10-26
Category
Nmap NSE

Free Vulnerability Scanning, Assessment and Management

Mageni's Platform is packed with all the features you need to scan, assess and manage vulnerabilities like this - it is free, open source, lightning fast, reliable and scalable.


Frequently Asked Questions

No, you can scan concurrently as many assets as you want. Please note that you must be aware of the hardware requirements of the platform to ensure good performance.

No, you can add as many assets as you want. It doesn't matter if you have millions of assets; we won't charge you for that.

No. The software is completely free. We have no intention to charge you to use the software, in fact - it completely goes against our beliefs and business model.

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005)

We generate revenue by providing support and other services for customers that require a subscription, so they get guaranteed support and enterprise services. Using Mageni's Platform is completely free, with no limits at all.

Yes. Mageni understands that there are professionals and businesses that need commercial support so Mageni provides an active support subscription with everything needed to run Mageni's Platform reliably and securely. More than software, it's access to security experts, knowledge resources, security updates, and support tools you can't get anywhere else. The subscription includes:

  • Ongoing delivery
    • Patches
    • Bug fixes
    • Updates
    • Upgrades
  • Technical support
    • 24/7 availability
    • Unlimited Incidents
    • Specialty-based routing
    • Multi-Channel
  • Commitments
    • Software certifications
    • Software assurance
    • SLA

No, we don't store the information of your vulnerabilities in our servers.

Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc. Source: "Implementing a Vulnerability Management Process". SANS Institute.
