Finding SQL Servers


Without any credentials, SQL Server instances can be discovered through the SQL Server Browser service, which answers queries on UDP 1434 with the name, version and TCP port of every instance on the host. Only instances whose Browser service is running and reachable answer; a default instance listening on TCP 1433 with the Browser service stopped or filtered has to be found with a port scan instead. sqlcmd sends the broadcast form of that query and lists what replies:

sqlcmd -L 

We can do the same with Metasploit, which sends the same UDP 1434 probe to a single host or a whole range:

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS Target_IP_or_CIDR_identifier
msf auxiliary(mssql_ping) > run

PowerUpSQL wraps the same UDP scan (Get-SQLInstanceScanUDP takes -ComputerName for the hosts to probe):

>> Import-Module .\PowerUpSQL.psd1
>> Get-SQLInstanceScanUDP
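The probe behind all three tools is small enough to write by hand. The following is an added example, not code from the original page or from PowerUpSQL: it sends the unicast form of the SQL Server Browser request (a single 0x03 byte, where sqlcmd -L uses the 0x02 broadcast form) to UDP 1434 and parses the SVR_RESP payload into one object per instance. The function names Invoke-SqlBrowserProbe and ConvertFrom-SsrpResponse are assumptions, and the sample response at the bottom is constructed for offline testing of the parser.

```powershell
# Added example (not from the original page or PowerUpSQL): probe the SQL Server
# Browser service on UDP 1434 and parse the response. Function names are assumptions.
function Invoke-SqlBrowserProbe {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$TimeoutMs = 2000
    )
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        # CLNT_UCAST_EX: one 0x03 byte asks the Browser for every instance on this host.
        # (0x02 is CLNT_BCAST_EX, the broadcast form that "sqlcmd -L" uses.)
        $null = $udp.Send([byte[]]@(0x03), 1, $ComputerName, 1434)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $raw = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        # Browser service not running, UDP 1434 filtered, or host down: stay silent,
        # exactly the case where a TCP 1433 port scan is the fallback.
        return
    } finally {
        $udp.Close()
    }
    # SVR_RESP: 0x05, then a 2-byte little-endian payload length, then ASCII text.
    if ($raw.Length -lt 3 -or $raw[0] -ne 0x05) { return }
    $len  = [Math]::Min([BitConverter]::ToUInt16($raw, 1), $raw.Length - 3)
    $text = [Text.Encoding]::ASCII.GetString($raw, 3, $len)
    ConvertFrom-SsrpResponse -Text $text -Source $remote.Address.ToString()
}

function ConvertFrom-SsrpResponse {
    param([string]$Text, [string]$Source)
    # Payload is "key;value;key;value;...;;" per instance, records terminated by ";;".
    foreach ($record in ($Text -split ';;')) {
        if (-not $record.Trim()) { continue }
        $fields = $record -split ';'
        $h = @{}
        for ($i = 0; $i + 1 -lt $fields.Count; $i += 2) { $h[$fields[$i]] = $fields[$i + 1] }
        [pscustomobject]@{
            Source       = $Source
            ServerName   = $h['ServerName']
            InstanceName = $h['InstanceName']
            Version      = $h['Version']
            IsClustered  = $h['IsClustered']
            TcpPort      = $h['tcp']   # missing when TCP is disabled for that instance
            NamedPipe    = $h['np']
        }
    }
}

# Constructed sample response (two instances on one host), used to exercise the
# parser without a network; this is not captured data.
$sample = 'ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;' +
          'ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;tcp;49812;np;\\SQL01\pipe\MSSQL$SQLEXPRESS\sql\query;;'
ConvertFrom-SsrpResponse -Text $sample -Source '10.0.0.5' | Format-Table -AutoSize

# Live use against a host or a /24 (short timeout so unanswered hosts do not stall the sweep):
# Invoke-SqlBrowserProbe -ComputerName 10.0.0.5
# 1..254 | ForEach-Object { Invoke-SqlBrowserProbe -ComputerName "10.0.0.$_" -TimeoutMs 500 }
```

The TcpPort field is the useful part: named instances normally sit on a dynamic port that only the Browser service (or the registry on the host itself) will tell you, so this one UDP exchange saves a full port scan per host.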

Other tools are

Local User

As a local user, SQL Server instances can be identified without sending a packet: every installed engine registers a Windows service (MSSQLSERVER for the default instance, MSSQL$<name> for a named one) and records its instance name and TCP port under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server, both readable by ordinary users. PowerUpSQL checks both:

>> Get-SQLInstanceLocal
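The same enumeration done by hand, as an added example that is not part of the original page or of PowerUpSQL. It walks the registry's instance name map to the per-instance TCP settings, then lists the engine services together with the account each runs as. The function names Get-LocalSqlInstance and ConvertTo-SqlInstanceName are assumptions; the registry paths and service naming are the ones SQL Server setup uses.

```powershell
# Added example (not from the original page or PowerUpSQL): enumerate SQL Server
# instances on the local host from the registry and the service list.
function ConvertTo-SqlInstanceName {
    param([string]$InstanceName)
    # The default instance is addressed by host name alone, named ones as HOST\NAME.
    if ($InstanceName -eq 'MSSQLSERVER') { return $env:COMPUTERNAME }
    return "$env:COMPUTERNAME\$InstanceName"
}

function Get-LocalSqlInstance {
    $results = @()

    # 1. Registry: "Instance Names\SQL" maps each instance name to its instance ID
    #    (e.g. SQLEXPRESS -> MSSQL15.SQLEXPRESS), which names the per-instance key
    #    holding the TCP settings. The WOW6432Node hive covers 32-bit installs on 64-bit hosts.
    $mapKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    )
    foreach ($key in $mapKeys) {
        if (-not (Test-Path $key)) { continue }
        $map = Get-ItemProperty -Path $key
        foreach ($p in $map.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider...
            $instanceName = $p.Name
            $instanceId   = $p.Value
            $tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
            $port = $null
            if (Test-Path $tcpKey) {
                $tcp = Get-ItemProperty -Path $tcpKey
                # TcpPort is the static port if one is configured; otherwise
                # TcpDynamicPorts holds the port the instance picked at last start.
                $port = if ($tcp.TcpPort) { $tcp.TcpPort } else { $tcp.TcpDynamicPorts }
            }
            $results += [pscustomobject]@{
                Instance   = ConvertTo-SqlInstanceName $instanceName
                InstanceId = $instanceId
                TcpPort    = $port
                State      = $null
                RunsAs     = $null
                Source     = 'Registry'
            }
        }
    }

    # 2. Services: confirms which instances are actually running and reveals the
    #    service account, which matters for the domain SPN step and for escalation.
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' }
    foreach ($svc in $services) {
        $name = if ($svc.Name -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { $svc.Name.Substring('MSSQL$'.Length) }
        $results += [pscustomobject]@{
            Instance   = ConvertTo-SqlInstanceName $name
            InstanceId = $null
            TcpPort    = $null
            State      = $svc.State
            RunsAs     = $svc.StartName
            Source     = 'Service'
        }
    }
    $results
}

Get-LocalSqlInstance | Sort-Object Instance | Format-Table -AutoSize
```

Two rows per instance (one from each source) is expected; join them on the Instance column if you want one line per engine. An instance present in the registry but with no service row is usually a SQL Server component such as SSRS or a leftover uninstall, not a reachable engine.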

Domain User

When SQL Server runs as a domain account, setup registers a Kerberos service principal name (SPN) of the form MSSQLSvc/<host FQDN>:<port or instance name> on that account, or an administrator registers one manually when the service account lacks the right to write its own SPN; when the engine runs as Local System or Network Service, the SPN is registered on the computer account instead. Kerberos authentication needs the SPN, so it is published in Active Directory, which means any domain user can list every registered instance with one LDAP query, without sending a packet to the servers themselves, and learn the service account each instance runs as. setspn does this:

>> setspn -T domain -Q MSSQLSvc/*

or use PowerUpSQL again:

>> Get-SQLInstanceDomain
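The LDAP query itself, as an added example that is not part of the original page or of PowerUpSQL: it searches the current domain for objects holding an MSSQLSvc SPN and splits each SPN into host, port or instance name, and the account it is registered on. The function names Get-DomainSqlSpn and ConvertFrom-MssqlSpn are assumptions; the SPN formats are the ones SQL Server registers.

```powershell
# Added example (not from the original page or PowerUpSQL): SPN scan for SQL Server
# via a single LDAP query. Function names are assumptions.
function ConvertFrom-MssqlSpn {
    param([string]$Spn, [string]$Account)
    # SPN forms SQL Server registers:
    #   MSSQLSvc/host.fqdn:1433          default instance, or a fixed port
    #   MSSQLSvc/host.fqdn:INSTANCENAME  named instance on a dynamic port
    #   MSSQLSvc/host.fqdn               default instance, port omitted
    $target = $Spn.Substring('MSSQLSvc/'.Length)
    $sqlHost, $suffix = $target -split ':', 2
    $port = $null; $instance = 'MSSQLSERVER'
    if ($suffix -match '^\d+$') { $port = [int]$suffix }
    elseif ($suffix)            { $instance = $suffix }
    [pscustomobject]@{
        ComputerName      = $sqlHost
        Instance          = $instance
        TcpPort           = $port
        ServiceAccount    = $Account
        # Computer, MSA and gMSA accounts end in '$'. A plain user account here is a
        # domain service account whose TGS ticket any domain user can request.
        IsComputerAccount = $Account.EndsWith('$')
        Spn               = $Spn
    }
}

function Get-DomainSqlSpn {
    param(
        # Distinguished name of the search base, e.g. 'DC=corp,DC=local'.
        # Empty means the default naming context of the current user's domain.
        [string]$SearchBase = ''
    )
    $root = if ($SearchBase) { [adsi]"LDAP://$SearchBase" } else { [adsi]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000   # enable paging; without it results are capped at 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'serviceprincipalname'))

    foreach ($entry in $searcher.FindAll()) {
        $account = [string]$entry.Properties['samaccountname'][0]
        foreach ($spn in $entry.Properties['serviceprincipalname']) {
            # An account can carry unrelated SPNs (HOST/, TERMSRV/, ...) alongside MSSQLSvc.
            if ($spn -notlike 'MSSQLSvc/*') { continue }
            ConvertFrom-MssqlSpn -Spn $spn -Account $account
        }
    }
}

Get-DomainSqlSpn | Sort-Object ComputerName, Instance | Format-Table -AutoSize
```

A default instance usually shows up twice (with and without :1433), and some hosts also carry a short-name SPN next to the FQDN one; group on ComputerName and Instance when counting targets. The result is a list of what is registered, not of what is up: a decommissioned server keeps its SPNs until someone deletes the account, so confirm each host with the UDP 1434 probe or a connection attempt before spending time on it.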

Tools are:
