MSSQL Enumeration - Using Open Source/Freeware Tools

In this article, we will demonstrate on how to find available M$ SQL servers within a network range and enumerate or get information about them.

Using Metasploit

msf > use auxiliary/scanner/mssql/mssql_ping

msf auxiliary(mssql_ping) > set RHOSTS <IP Address/range>

msf auxiliary(mssql_ping) > set THREADS 10

msf auxiliary(mssql_ping) > run

Website: http://www.metasploit.com/modules/auxiliary/scanner/mssql/mssql_ping

Using Nessus Cmd

#nessuscmd -i 10674 <IP range> --max-hosts 25

Website: http://pauldotcom.com/2009/11/attacking-mssql-with-metasploi.html

Using Nmap

#nmap -p 1434 --script ms-sql-info --script-args mssql.instance-port=1434 <IP range>

Using SQLRecon

Result of the Scan

SQLRecon: http://www.4shared.com/get/VmkLFFCW/SQLRecon_Setup.html

Website: http://www.specialopssecurity.com/labs/sqlrecon/

Using SQL Ping v3

SQL Ping v3 and SQL Recon has the same interface. The difference is that SQL Ping v3 has additional option for Brute Forcing Passwords with the ability to input the User and Password list.

Result of the Scan

Website: http://www.sqlsecurity.com/downloads

I will find more tools that can be used to gather information for SQL servers and will list them down here in future. If there's anything out there you readers are aware of, do share!