Script broadcast-ms-sql-discover

Script types: prerule
Categories: broadcast, safe

Script Summary

Discovers Microsoft SQL servers in the same broadcast domain.

SQL Server credentials required: No (will not benefit from mssql.username & mssql.password).

The script attempts to discover SQL Server instances in the same broadcast domain. Any instances found are stored in the Nmap registry for use by any other ms-sql-* scripts that are run in the same scan.

In contrast to the ms-sql-discover script, the broadcast version will use a broadcast method rather than targeting individual hosts. However, the broadcast version will only use the SQL Server Browser service discovery method.
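The SQL Server Browser replies that this discovery method relies on can be decoded offline for asset inventory. The parser below is an added example, not code from the Nmap script. It assumes the SVR_RESP layout of Microsoft's SQL Server Resolution Protocol (MS-SQLR); the host name DBHOST and the version strings in the sample are constructed.

```python
import struct

SVR_RESP = 0x05  # message type of a SQL Server Browser reply (MS-SQLR)
# Major version -> product name, limited to the releases in the script output.
PRODUCTS = {8: "Microsoft SQL Server 2000", 9: "Microsoft SQL Server 2005",
            10: "Microsoft SQL Server 2008"}


def parse_browser_response(datagram: bytes) -> list[dict]:
    """Parse one SVR_RESP datagram into a list of per-instance dicts."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not a SQL Server Browser SVR_RESP message")
    (declared,) = struct.unpack_from("<H", datagram, 1)  # little-endian size
    body = datagram[3:]
    if declared != len(body):
        raise ValueError("length field does not match payload size")
    instances = []
    # Each instance is a ';'-separated key/value run terminated by ';;'.
    for chunk in body.decode("ascii", errors="replace").split(";;"):
        tokens = chunk.split(";")
        fields = dict(zip(tokens[0::2], tokens[1::2]))
        if "InstanceName" not in fields:
            continue  # trailing empty chunk or malformed entry
        major = fields.get("Version", "").split(".")[0]
        tcp = fields.get("tcp", "")
        instances.append({
            "server": fields.get("ServerName"),
            "name": fields["InstanceName"],
            "product": PRODUCTS.get(int(major), "unknown") if major.isdigit() else "unknown",
            "tcp_port": int(tcp) if tcp.isdigit() else None,  # None: pipe-only
            "named_pipe": fields.get("np"),
        })
    return instances


# Constructed sample reply: two instances on a hypothetical host DBHOST.
SAMPLE_BODY = (
    "ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\DBHOST\\pipe\\sql\\query;;"
    "ServerName;DBHOST;InstanceName;SQL2K5;IsClustered;No;"
    "Version;9.00.1399.06;np;\\\\DBHOST\\pipe\\MSSQL$SQL2K5\\sql\\query;;"
).encode("ascii")
SAMPLE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    for inst in parse_browser_response(SAMPLE):
        print(inst)
```

An instance with no `tcp` field, like SQL2K5 in the sample, is reachable only over its named pipe, which matches the entries in the script output that list no TCP port.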

Script Arguments

max-newtargets, newtargets

See the documentation for the target library.

mssql.domain, mssql.instance-all, mssql.instance-name, mssql.instance-port, mssql.password, mssql.protocol, mssql.scanned-ports-only, mssql.timeout, mssql.username

See the documentation for the mssql library.

randomseed, smbbasic, smbport, smbsign

See the documentation for the smb library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script broadcast-ms-sql-discover
nmap --script broadcast-ms-sql-discover,ms-sql-info --script-args=newtargets

Script Output

| broadcast-ms-sql-discover:
|       Name: MSSQLSERVER
|       Product: Microsoft SQL Server 2000
|       TCP port: 1433
|       Named pipe: \\\pipe\sql\query
|     [\SQL2K5]
|       Name: SQL2K5
|       Product: Microsoft SQL Server 2005
|       Named pipe: \\\pipe\MSSQL$SQL2K5\sql\query
|     [\PROD]
|       Name: PROD
|       Product: Microsoft SQL Server 2008
|_      Named pipe: \\\pipe\sql\query



Author: Patrik Karlsson

License: Same as Nmap--See