Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft products, SQL Server has many security weaknesses. Let’s start by identifying running SQL servers on the network.
Discover open MSSQL ports
MSSQL listens by default on port 1433. To discover SQL Server instances you can use either nmap or Metasploit’s auxiliary module.
The NMAP way
To discover open MSSQL ports we execute the following command:
nmap -sT -sV -Pn -p 1433 192.168.200.133
Usually, when administrators need more than one instance of SQL Server, they run the second instance on port 1434.
nmap -sT -sV -Pn -p 1433,1434 192.168.200.133
-sT: TCP connect scan
-sV: Determine Service version information
-Pn: Ignore Host discovery
-p 1433,1434: Scan port 1433 and 1434
Scanning the whole network:
nmap -sT -sV -Pn --open -p 1433,1434 192.168.200.0/24
--open: Show only open ports
The Metasploit way
Metasploit offers the auxiliary module mssql_ping, which discovers running MSSQL services. To use it, type:
use auxiliary/scanner/mssql/mssql_ping
show options
for a list of available options.
To discover all running MSSQL services on the network, set RHOSTS to 192.168.200.0/24 (assuming your target network is in this range), increase the THREADS value for faster scanning and run the module.
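mssql_ping learns about instances by querying the SQL Server Browser service on UDP 1434 (the SSRP protocol), whose reply lists every instance together with the TCP port it actually listens on. The parser below is an added example, not code from the original article or from Metasploit; the hostname, version and ports in the sample reply are constructed. It shows why a port scan limited to 1433 misses named instances on non-default ports, and what an exposed Browser service gives away about a host.

```python
import socket

SSRP_PORT = 1434           # SQL Server Browser listens here on UDP
CLNT_UCAST_EX = b"\x03"    # "list every instance" request to a single host
SVR_RESP = 0x05            # first byte of every Browser reply
DEFAULT_TCP_PORT = 1433


def parse_svr_resp(packet: bytes) -> list[dict]:
    """Split one SVR_RESP packet into a dict per advertised instance.

    Layout (MC-SQLR): 0x05, 2-byte little-endian payload length, then ASCII
    key;value pairs; each instance block is terminated by ';;'.
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    length = int.from_bytes(packet[1:3], "little")
    body = packet[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for block in body.split(";;"):
        fields = block.split(";")
        if len(fields) < 2:
            continue                     # trailing empty block after the last ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_ports_by_instance(instances: list[dict]) -> dict:
    """Map instance name -> TCP port, skipping instances with no TCP endpoint."""
    return {i["InstanceName"]: int(i["tcp"]) for i in instances if "tcp" in i}


def non_default_ports(instances: list[dict]) -> dict:
    """Instances that a scan of 1433 alone would never see."""
    return {n: p for n, p in tcp_ports_by_instance(instances).items()
            if p != DEFAULT_TCP_PORT}


def ssrp_ping(host: str, timeout: float = 2.0) -> list[dict]:
    """Live query of one host's Browser service (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_svr_resp(data)


# Constructed reply: a default instance on 1433 and a named instance on a dynamic port.
SAMPLE_BODY = (
    "ServerName;SQLHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;15.0.2000.5;tcp;1433;;"
    "ServerName;SQLHOST01;InstanceName;SQLEXPRESS;IsClustered;No;"
    r"Version;15.0.2000.5;tcp;49172;np;\\SQLHOST01\pipe\MSSQL$SQLEXPRESS\sql\query;;"
).encode("ascii")
SAMPLE_PACKET = bytes([SVR_RESP]) + len(SAMPLE_BODY).to_bytes(2, "little") + SAMPLE_BODY
```

Running `non_default_ports(parse_svr_resp(SAMPLE_PACKET))` on the constructed reply reports the SQLEXPRESS instance on 49172, the kind of endpoint the nmap commands above would not list.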