Detecting a Microsoft SQL Server

Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft products, SQL Server has many security weaknesses. Let's start by identifying the SQL Servers running on the network.

Discover open MSSQL ports
MSSQL listens by default on port 1433. To discover SQL Servers you can use either nmap or Metasploit's auxiliary module.

The NMAP way
To discover open MSSQL ports we execute the following command:

nmap -sT -sV -Pn -p 1433 192.168.200.133

When administrators need more than one instance of SQL Server, they usually run the second instance on port 1434.

nmap -sT -sV -Pn -p 1433,1434 192.168.200.133


Parameters:
-sT: TCP connect scan
-sV: Determine service version information
-Pn: Skip host discovery (treat every host as online)
-p 1433,1434: Scan ports 1433 and 1434

Scanning the whole network:

nmap -sT -sV -Pn --open -p 1433,1434 192.168.200.0/24


Parameters:
--open: Show only open ports

The Metasploit way
Metasploit offers the auxiliary module mssql_ping, which discovers running MSSQL services. To use it, type:

use auxiliary/scanner/mssql/mssql_ping


Type:

show options

for a list of available options.

To discover all running MSSQL services on the network, set RHOSTS to 192.168.200.0/24 (assuming your target network is in this range), increase the THREADS value for faster scanning, and run the module.
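From the defender's side, a sweep of ports 1433/1434 across a /24 like the ones above stands out because one source touches many database ports on many hosts within seconds. The following is an added example, not code from the article: it parses a constructed connection-log format (timestamp, source, destination, destination port, protocol, action) and flags sources that reach MSSQL ports on several distinct hosts inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MSSQL_PORTS = {1433, 1434}

# Constructed sample log (not from the article). Format, one event per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>"
SAMPLE_LOG = """\
2012-10-25T10:00:01 192.168.200.50 192.168.200.1 1433 tcp deny
2012-10-25T10:00:01 192.168.200.50 192.168.200.2 1433 tcp deny
2012-10-25T10:00:02 192.168.200.50 192.168.200.3 1433 tcp deny
2012-10-25T10:00:02 192.168.200.50 192.168.200.4 1434 tcp deny
2012-10-25T10:00:02 192.168.200.50 192.168.200.5 1433 tcp deny
2012-10-25T10:00:03 192.168.200.50 192.168.200.133 1433 tcp allow
2012-10-25T10:00:03 192.168.200.10 192.168.200.133 1433 tcp allow
2012-10-25T10:00:05 192.168.200.10 192.168.200.133 1433 tcp allow
2012-10-25T10:30:00 192.168.200.50 192.168.200.7 1433 tcp deny
"""


def parse_line(line):
    ts, src, dst, dport, proto, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto, action


def detect_mssql_sweeps(log_text, min_targets=5, window=timedelta(minutes=5)):
    """Return {src_ip: set_of_dst_ips} for every source that touched an MSSQL
    port on at least `min_targets` distinct hosts within any `window`-long span.
    A real client talks to one or two database hosts; a /24 sweep of
    1433,1434 hits dozens within seconds, most of them denied or refused."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto, _action = parse_line(line)
        if dport in MSSQL_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # time order, so a sliding window can be applied
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop events that fell out of the window
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged.setdefault(src, set()).update(targets)
    return flagged
```

Tune `min_targets` and `window` to the site: a monitoring host that legitimately polls every database server should be allow-listed rather than lowering the threshold for everyone.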

Published in Hakin9 magazine on October 25, 2012
