
ms-sql-brute in 7.92 does not find existing login/password (in 7.91 found successfully) #2388

Open
rag-altx opened this issue Oct 29, 2021 · 2 comments

Comments

@rag-altx

@rag-altx rag-altx commented Oct 29, 2021

I am scanning from Windows 10 20h2, npcap 1.50. Remote SQL server info:

Microsoft SQL Server 2016 (RTM-GDR) (KB3210111) - 13.0.1728.2 (X64)
Dec 13 2016 04:40:28
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows Server 2012 R2 Standard 6.3 (Build 9600: ) (Hypervisor)

The logins file contains only one correct login, and the passwords file contains only one correct password. In nmap 7.91 the login/password is found successfully (sa/p@ssword12-), but in 7.92 it is not found.

nmap -p 1433 -T4 -d3 -v -Pn --script ms-sql-brute --script-args "mssql.instance-port=1433,userdb=C:\Users\rag\Downloads\usernames.lst,passdb=C:\Users\rag\Downloads\passwords.lst" 192.168.10.104 --disable-arp-ping -sT

7.91_interactive.txt
7.92_interactive.txt

@rag-altx rag-altx added the Nmap label Oct 29, 2021
@dmiller-nmap

@dmiller-nmap dmiller-nmap commented Dec 14, 2021

Thanks for reporting this. The fix for #2056 made the password stored in Unicode, but the Auth.TDS7CryptPassword function was assuming ASCII and doing a transcode by XORing each byte with a 16-bit integer. The fix is in and will be synced shortly. Usernames and passwords can be provided in UTF-8.

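As an added illustration (not nmap's own mssql.lua), the Python below implements the standard TDS7 LOGIN7 password obfuscation over UTF-16LE bytes next to a reconstruction, from the comment's description and the MS-TDS specification, of the ASCII-only path that folded the transcode into a per-byte XOR against a 16-bit mask; the mask value 0x5A5A and all function names are assumptions. Feeding the already-Unicode password into the old path doubles its length and leaves the server with NUL bytes interleaved in the password, which is why a correct credential stops matching.

```python
# Added example for nmap issue #2388; this is a reconstruction, not mssql.lua.
# TDS7 obfuscation per MS-TDS: UTF-16LE encode, then per byte swap the nibbles
# and XOR with 0xA5. The "legacy" variant below models the pre-fix behaviour
# described in the comment: it assumed ASCII input and XORed each byte with a
# 16-bit mask (assumed here to be 0x5A5A, whose high byte becomes the UTF-16LE
# zero byte after the nibble swap), emitting two bytes per input byte.

def swap_nibbles(b: int) -> int:
    return ((b << 4) & 0xF0) | ((b >> 4) & 0x0F)

def tds7_obfuscate(password: str) -> bytes:
    """Correct form: transcode first, then obfuscate every UTF-16LE byte."""
    return bytes(swap_nibbles(b) ^ 0xA5 for b in password.encode("utf-16-le"))

def tds7_obfuscate_legacy(raw: bytes) -> bytes:
    """Reconstructed ASCII-only path: transcode and obfuscate in one step.
    Correct for ASCII input; wrong when `raw` is already UTF-16LE."""
    out = bytearray()
    for b in raw:
        c = b ^ 0x5A5A                                   # 16-bit XOR of a single byte
        m = ((c >> 4) & 0x0F0F) | ((c << 4) & 0xF0F0)    # nibble swap of both halves
        out += m.to_bytes(2, "little")                   # two wire bytes per input byte
    return bytes(out)

def tds7_recover(obf: bytes) -> str:
    """What the server computes from the wire bytes: undo XOR and swap, decode UTF-16LE."""
    return bytes(swap_nibbles(b ^ 0xA5) for b in obf).decode("utf-16-le")

def compare(password: str) -> dict:
    """Run the same password through both paths, as the post-#2056 code did
    (password already UTF-16LE when handed to the obfuscation routine)."""
    correct = tds7_obfuscate(password)
    buggy = tds7_obfuscate_legacy(password.encode("utf-16-le"))
    return {
        "correct_len": len(correct),
        "buggy_len": len(buggy),
        "server_sees_correct": tds7_recover(correct),
        "server_sees_buggy": tds7_recover(buggy),
    }

if __name__ == "__main__":
    print(compare("sa"))  # buggy path yields 's\x00a\x00' with double the length
```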
mzet- pushed a commit to mzet-/Nmap-for-Pen-Testers that referenced this issue Dec 20, 2021
@cldrn cldrn reopened this Jan 12, 2022
@cldrn
Member

@cldrn cldrn commented Jan 12, 2022

I am re-opening this as I just spotted an instance (Microsoft SQL Server 2005 9.00.3042; SP2) where login is failing when the password "P@ssw0rd" is used.
