Attempts to determine configuration and version information for Microsoft SQL Server instances.
SQL Server credentials required: No (will not benefit from
- Host script: Will always run.
- Port script: N/A
NOTE: Unlike previous versions, this script will NOT attempt to log in to SQL
Server instances. Blank passwords can be checked using the
ms-sql-empty-password script. E.g.:
nmap -sn --script ms-sql-empty-password --script-args mssql.instance-all <host>
The script uses two means of getting version information for SQL Server instances:
- Querying the SQL Server Browser service, which runs by default on UDP port
- Sending a probe to the instance, causing the instance to respond with
In the event that the script can connect to the SQL Server Browser service
(UDP 1434) but is unable to connect directly to the instance to obtain more
accurate version information (because ports are blocked or the
argument has been used), the script will rely only upon the version number
provided by the SQL Server Browser/Monitor, which has the following limitations:
- For SQL Server 2000 and SQL Server 7.0 instances, the RTM version number is
- For SQL Server 2005 and later, the version number will reflect the service
Where possible, the script will determine major version numbers, service pack levels and whether patches have been installed. However, in cases where particular determinations can not be made, the script will report only what can be confirmed.
NOTE: Communication with instances via named pipes depends on the
library. To communicate with (and possibly to discover) instances via named pipes,
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
found to be open. Additionally, named pipe connections may require Windows
authentication to connect to the Windows host (via SMB) in addition to the
authentication required to connect to the SQL Server instances itself. See the
documentation and arguments for the
smb library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
with ports that were not included in the port list for the Nmap scan. This can
be disabled using the
mssql.scanned-ports-only script argument.
mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.usernameSee the documentation for the mssql library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsignSee the documentation for the smb library.
unittest.runSee the documentation for the unittest library.
nmap -p 445 --script ms-sql-info <host> nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 <host>
| ms-sql-info: | Windows server name: WINXP | [192.168.100.128\PROD] | Instance name: PROD | Version: Microsoft SQL Server 2000 SP3 | Version number: 8.00.760 | Product: Microsoft SQL Server 2005 | Service pack level: SP3 | Post-SP patches applied: No | TCP port: 1278 | Named pipe: \\192.168.100.128\pipe\MSSQL$PROD\sql\query | Clustered: No | [192.168.100.128\SQLFIREWALLED] | Instance name: SQLFIREWALLED | Version: Microsoft SQL Server 2008 RTM | Product: Microsoft SQL Server 2008 | Service pack level: RTM | TCP port: 4343 | Clustered: No | [\\192.168.100.128\pipe\sql\query] | Version: Microsoft SQL Server 2005 SP3+ | Version number: 9.00.4053 | Product: Microsoft SQL Server 2005 | Service pack level: SP3 | Post-SP patches applied: Yes |_ Named pipe: \\192.168.100.128\pipe\sql\query
Author: Chris Woodbury, Thomas Buchanan
License: Same as Nmap--See http://nmap.org/book/man-legal.html