Metasploit, MSSQL

Detecting a Microsoft SQL Server

Microsoft SQL Server (MSSQL) is a relational database management system (RDBMS) used to store, retrieve and manage information. As with many Microsoft products, SQL Server has many security weaknesses. Let’s start by identifying the SQL Servers running on the network.

Discover open MSSQL ports
MSSQL listens on port 1433 by default. To discover SQL Server instances you can use either nmap or Metasploit’s auxiliary module.

The NMAP way
To discover open MSSQL ports we execute the following command:

nmap -sT -sV -Pn -p 1433

Usually, when administrators need more than one instance of SQL Server, they run the second instance on port 1434.

nmap -sT -sV -Pn -p 1433,1434


-sT: TCP connect scan
-sV: determine service version information
-Pn: skip host discovery (treat all hosts as online)
-p 1433,1434: scan ports 1433 and 1434

Scanning the whole network:

nmap -sT -sV -Pn --open -p 1433,1434


--open: show only open ports

The Metasploit way
Metasploit offers the auxiliary module mssql_ping, which discovers running MSSQL services by querying the SQL Server Browser service. To use it, type:

use auxiliary/scanner/mssql/mssql_ping
show options

for a list of available options.

To discover all running MSSQL services on the network, set the RHOSTS value equal to, assuming that your target network is in this range, increase the THREADS value for faster scanning, and run the module.
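As an added example (not from the article or from Metasploit), the following Python script does what mssql_ping does underneath: it sends a one-byte SSRP request to UDP/1434 and parses the SVR_RESP instance list that the SQL Server Browser service returns. It is useful for inventory on your own network, because the response names the TCP port of each named instance, which the -p 1433,1434 nmap scan above would miss. The sample response, host name, instance names and versions are constructed.

```python
import socket
from typing import Dict, List

# SSRP (SQL Server Resolution Protocol), the protocol behind mssql_ping:
# the client sends one byte to UDP/1434 and SQL Browser answers with
# 0x05, a 2-byte little-endian length, and an ASCII key;value list.
CLNT_UCAST_EX = b"\x03"   # "list all instances on this host"
SVR_RESP = 0x05

# Constructed sample answer (made-up host, instances and versions), used
# below so the parser can be exercised without a live SQL Server.
_BODY = (b"ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;10.50.1600.1;tcp;1433;;"
         b"ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;11.0.2100.60;tcp;49170;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(_BODY).to_bytes(2, "little") + _BODY

def parse_svr_resp(data: bytes) -> List[Dict[str, str]]:
    """Turn an SVR_RESP message into one dict per announced instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):          # ";;" separates instances
        fields = chunk.split(";")           # key;value;key;value;...
        if len(fields) < 2:
            continue                        # trailing empty chunk
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def ping_host(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Query host:1434/udp the way mssql_ping does; [] means no answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, 1434))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return []   # SQL Browser stopped, UDP/1434 filtered, or host down
    return parse_svr_resp(data)

def tcp_ports(instances: List[Dict[str, str]]) -> List[int]:
    """TCP listeners to add to the nmap -p list; named instances rarely use 1433."""
    return sorted({int(i["tcp"]) for i in instances if i.get("tcp", "").isdigit()})

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:               # hosts to inventory, given on the command line
        for inst in ping_host(host):
            print(host, inst.get("InstanceName"), "tcp", inst.get("tcp"), inst.get("Version"))
```

A host that answers here but is absent from the nmap results is usually a named instance on a dynamic port; conversely, UDP/1434 answering from the Internet-facing side is itself a finding worth fixing.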

Published in Hakin9 magazine on October 25, 2012