Tag Archives: mssql

I’ve ported mbenum to Nmap

Thanks to the great effort the folks over at nmap-dev have put into the SMB libraries, porting mbenum to Nmap wasn't as hard as I'd imagined. A first version was committed to Subversion a while ago, but I forgot to publish this blog post at the time. Feel free to try it out! If you haven't used mbenum before, it's a tool that lets you get a good picture of a network by querying a single system: the master browser.

Mbenum, or the Nmap script smb-mbenum, relies on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a NetBIOS name query for the __MSBROWSE__ name, which the master browser registers. The Nmap script broadcast-netbios-master-browser does exactly this for your broadcast domain: it sends the NetBIOS name query to the broadcast address and reports whoever answers.
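To make the lookup concrete, here is an added example (my own code, not the blog's and not Nmap's broadcast-netbios-master-browser, which is written in Lua) of the NetBIOS name query for __MSBROWSE__ in Python: first-level name encoding per RFC 1001/1002, the query packet, a parser for the positive name query response, and a broadcast probe. The server side (build_name_response) and the address 192.168.1.10 used with it are constructed here only so the parser can be exercised offline; the function names are my own.

```python
from __future__ import annotations
import socket
import struct

NBNS_PORT = 137
# The master browser registers the group name 0x01 0x02 "__MSBROWSE__" 0x02 with
# NetBIOS suffix 0x01. On the wire it is first-level encoded (RFC 1001 14.1).
MSBROWSE_NAME = b"\x01\x02__MSBROWSE__\x02"
MSBROWSE_SUFFIX = 0x01
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_netbios_name(name: bytes, suffix: int) -> bytes:
    """Pad the name to 15 bytes, append the suffix byte, then split every byte into
    two nibbles offset by 'A' (0x41); prefix the length and terminate with 0x00."""
    raw = name.ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def decode_netbios_name(encoded: bytes) -> tuple[bytes, int]:
    """Inverse of encode_netbios_name: returns (name without padding, suffix)."""
    length = encoded[0]
    body = encoded[1:1 + length]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].rstrip(b" "), raw[15]


def build_name_query(txid: int, name: bytes = MSBROWSE_NAME, suffix: int = MSBROWSE_SUFFIX) -> bytes:
    # Flags 0x0110: opcode QUERY with the B (broadcast) and RD bits set; one question.
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def build_name_response(txid: int, name: bytes, suffix: int, addrs: list[str]) -> bytes:
    """Constructed positive name query response (RFC 1002 4.2.13 layout), used here
    only to exercise parse_name_response without a network."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)  # QR, AA, RD; one answer
    rdata = b"".join(struct.pack(">H", 0) + socket.inet_aton(a) for a in addrs)  # NB_FLAGS + NB_ADDRESS
    rr = encode_netbios_name(name, suffix) + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata))
    return header + rr + rdata


def parse_name_response(data: bytes) -> list[tuple[bytes, int, str]]:
    """Return (name, suffix, ip) for each address in every NB answer record."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:      # non-zero RCODE: negative name query response
        return []
    pos = 12
    for _ in range(qd):     # skip any echoed question entries
        pos += 1 + data[pos] + 1 + 4
    results = []
    for _ in range(an):
        length = data[pos]
        name, suffix = decode_netbios_name(data[pos:pos + 1 + length + 1])
        pos += 1 + length + 1
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype != QTYPE_NB:
            continue
        for off in range(0, rdlen, 6):
            results.append((name, suffix, socket.inet_ntoa(rdata[off + 2:off + 6])))
    return results


def find_master_browsers(broadcast: str = "255.255.255.255", timeout: float = 2.0) -> list[str]:
    """Broadcast the __MSBROWSE__ query and collect the address of every master
    browser that answers (the same idea as broadcast-netbios-master-browser)."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    found: list[str] = []
    try:
        sock.sendto(build_name_query(txid), (broadcast, NBNS_PORT))
        while True:
            data, _src = sock.recvfrom(1024)
            if len(data) < 12 or struct.unpack(">H", data[:2])[0] != txid:
                continue
            found.extend(ip for _n, _s, ip in parse_name_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for ip in find_master_browsers():
        print("master browser:", ip)
```

Once you have the master browser's address, that is the host to point smb-mbenum at. Several machines may answer if the broadcast domain carries more than one workgroup or domain, since each has its own master browser.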

Nmap mssql scripts feature boost

Chris Woodbury and I have been working on some exciting new features and enhancements to the ms-sql scripts and library in Nmap lately. We've been working in a separate branch, which will hopefully be merged to trunk really soon. Chris's work has been of high quality and very inspiring: it got me to pick up some of the things I had meant to implement but hadn't got round to, and it brought a number of great new ideas. For a good summary of the changes, consult the following nmap-dev mailing list thread.

Among the many new features and enhancements I’m really happy to see are:

  • Support for more precise version checking, using the TDS prelogin packet (the same technique as SQLPing)
  • Support for connections over named pipes, rather than only TCP sockets
  • Support for integrated Windows authentication (NTLMv1) in addition to the existing SQL authentication
  • Support for connecting to named instances in addition to specific TCP ports
  • Support for running each of the ms-sql scripts against all instances detected by the discovery mechanisms
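The first item deserves an illustration. Before any login, a TDS client sends a PRELOGIN packet and the server answers with its own PRELOGIN response, whose VERSION option carries the exact major, minor, build and sub-build numbers; that is what SQLPing reads and what the new version check uses. The following is an added example in Python (my own code, not the page's and not Nmap's mssql.lua) that builds the client PRELOGIN, parses the server's VERSION option, and maps it to a product name. The server response used in the usage section is constructed here for offline testing; probe_version and the other function names are my own.

```python
import socket
import struct

TDS_PRELOGIN = 0x12   # packet type of the client PRELOGIN
TDS_RESPONSE = 0x04   # packet type of the server's PRELOGIN response
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_MARS = 0, 1, 2, 3, 4
OPT_TERMINATOR = 0xFF
ENCRYPT_NOT_SUP = 0x02   # we only want the version; do not negotiate TLS

# Major.minor of the VERSION option -> product. Well-known values; extend as needed.
PRODUCTS = {
    (8, 0): "SQL Server 2000",
    (9, 0): "SQL Server 2005",
    (10, 0): "SQL Server 2008",
    (10, 50): "SQL Server 2008 R2",
    (11, 0): "SQL Server 2012",
}


def tds_packet(ptype: int, payload: bytes) -> bytes:
    """8-byte TDS header: type, status (0x01 = end of message), total length,
    SPID, packet id, window; then the payload."""
    return struct.pack(">BBHHBB", ptype, 0x01, 8 + len(payload), 0, 1, 0) + payload


def build_prelogin_options(options: list) -> bytes:
    """Serialize (token, data) pairs as a PRELOGIN option table (token, offset,
    length per entry, 0xFF terminator) followed by the option data."""
    offset = 5 * len(options) + 1
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    return table + bytes([OPT_TERMINATOR]) + data


def build_prelogin() -> bytes:
    """Client PRELOGIN. The version we claim does not influence the server's answer."""
    opts = [
        (OPT_VERSION, struct.pack(">BBHH", 9, 0, 0, 0)),
        (OPT_ENCRYPTION, bytes([ENCRYPT_NOT_SUP])),
        (OPT_INSTOPT, b"\x00"),
        (OPT_THREADID, struct.pack(">I", 0)),
        (OPT_MARS, b"\x00"),
    ]
    return tds_packet(TDS_PRELOGIN, build_prelogin_options(opts))


def parse_prelogin_options(payload: bytes) -> dict:
    """Walk the option table of a PRELOGIN payload and return {token: data}."""
    result, pos = {}, 0
    while payload[pos] != OPT_TERMINATOR:
        token, offset, length = struct.unpack(">BHH", payload[pos:pos + 5])
        result[token] = payload[offset:offset + length]
        pos += 5
    return result


def parse_prelogin_version(packet: bytes) -> tuple:
    """Return (major, minor, build, subbuild) from a server PRELOGIN response."""
    ptype, _status, length = struct.unpack(">BBH", packet[:4])
    if ptype != TDS_RESPONSE:
        raise ValueError("expected a TDS response packet, got type 0x%02x" % ptype)
    opts = parse_prelogin_options(packet[8:length])
    return struct.unpack(">BBHH", opts[OPT_VERSION])


def product_name(major: int, minor: int) -> str:
    return PRODUCTS.get((major, minor), "unknown SQL Server (%d.%d)" % (major, minor))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe_version(host: str, port: int = 1433, timeout: float = 5.0) -> tuple:
    """Send a PRELOGIN to host:port and return the server's version tuple."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_prelogin())
        head = _recv_exact(s, 8)
        total = struct.unpack(">H", head[2:4])[0]
        return parse_prelogin_version(head + _recv_exact(s, total - 8))


# Constructed server response (not a real capture): SQL Server 2008 R2, 10.50.1600.1.
SAMPLE_RESPONSE = tds_packet(TDS_RESPONSE, build_prelogin_options([
    (OPT_VERSION, struct.pack(">BBHH", 10, 50, 1600, 1)),
    (OPT_ENCRYPTION, bytes([ENCRYPT_NOT_SUP])),
    (OPT_INSTOPT, b"\x00"),
    (OPT_THREADID, b""),
    (OPT_MARS, b"\x00"),
]))

if __name__ == "__main__":
    major, minor, build, subbuild = parse_prelogin_version(SAMPLE_RESPONSE)
    print("%d.%d.%d.%d -> %s" % (major, minor, build, subbuild, product_name(major, minor)))
```

The point of going through PRELOGIN rather than banner grabbing is that the build number identifies the patch level, which is what you need to tell a patched instance from one that is missing a service pack. For named instances listening on a non-default port, the port comes from the discovery step (the SQL Server Browser service) and the same probe is then run against each one.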

If you would like to give the scripts a run, they're available from here and will hopefully be merged to trunk really soon.