SQL Recon

SQL Recon is both an active and passive scanner that specifically targets and tries to identify all MS SQL Server/MSDE installations on the network. SQL Recon has a number of excellent features:

- Multi-threaded scanning engine
- 6 Active scanning techniques
- 2 Stealth scanning techniques
- IP Range scanning
- IP List scanning
- Export results as XML or text file
- Export IP list for use in future scans (i.e. Passive to Active)
- ICMP check to increase scan speed
- Debug mode to allow for greater scan visibility
- Allows alternate credentials
- Custom source port for UDP packets for firewall evasion
- Attempted login with SA account (blank password)

SQL Recon works on Windows 2000, XP and 2003 platforms. It is available from here and comes in two distinct versions, one with .NET incorporated and one without.

In the response above the tool has been used against a single IP address, and it enumerates that the host is running MS SQL Server 2005 Express Edition. It also reveals the hostname of the target machine and the fact that the SA account does not have its password set to blank.