# Finding SQL Servers

## Unauthenticated

As an unauthenticated user with a foothold on the network, `sqlcmd -L` broadcasts a SQL Server Resolution Protocol (SSRP) probe on UDP 1434 and lists every instance whose SQL Server Browser service answers. It only reaches the local subnet and only sees instances with the Browser service running, so hosts that block UDP 1434 or run without the Browser are missed; treat an empty result as inconclusive rather than as "no SQL here".

```
sqlcmd -L
```

The Metasploit `mssql_ping` scanner sends the same UDP 1434 probe, but to an explicit host or range, so it also works across subnets where a broadcast does not reach:

```
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS Target_IP_or_CIDR_identifier
msf auxiliary(mssql_ping) > run
```

PowerUpSQL's `Get-SQLInstanceScanUDP` does the same from PowerShell and takes the target host or list of hosts via `-ComputerName`:

```
>> Import-Module .\PowerUpSQL.psd1
>> Get-SQLInstanceScanUDP -ComputerName Target_IP -Verbose
```

Other tools that do the same UDP 1434 lookup, or a port sweep for the cases it misses (Browser service disabled, UDP filtered, named instances on dynamic TCP ports):

* [OSQL](https://docs.microsoft.com/en-us/sql/tools/osql-utility?view=sql-server-2017) (UDP 1434 lookup, like sqlcmd).
* [SQLPing3](http://www.sqlsecurity.com/downloads) (UDP 1434 lookup with a TCP 1433 check).
* Nmap (UDP 1434 probe plus a TCP sweep; identify the service on any open port rather than trusting UDP alone).
* Nessus (full port sweep with service detection).
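
What the three tools above have in common, shown as an added example written for this page (not code from sqlcmd, Metasploit or PowerUpSQL): send the one-byte SSRP probe to UDP 1434 and parse the reply string the Browser service returns. The sample reply is constructed, not a capture; `discover` is the live version and only runs when you call it.

```python
"""Minimal SQL Server Resolution Protocol (SSRP, MS-SQLR) client.

Added example; not code from the page or from sqlcmd, Metasploit or
PowerUpSQL. The sample packet below is constructed, not a real capture.
"""
import socket
import struct

SSRP_PORT = 1434
CLNT_BCAST_EX = b"\x02"  # broadcast probe: every Browser on the subnet answers
CLNT_UCAST_EX = b"\x03"  # unicast probe: one host answers
SVR_RESP = 0x05          # first byte of every Browser reply


def parse_svr_resp(packet: bytes) -> list:
    """Parse one SVR_RESP datagram into a list of dicts, one per instance.

    Layout: 0x05, uint16 little-endian length, then an ASCII string of
    "key;value;key;value..." groups, one group per instance, each group
    terminated by ";;". Raises ValueError on anything that is not a
    well-formed reply so a spoofed or truncated datagram cannot be
    mistaken for a real instance list.
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", packet, 1)
    body = packet[3:3 + size]
    if len(body) != size:
        raise ValueError(f"truncated SVR_RESP: declared {size} bytes, got {len(body)}")
    instances = []
    for group in body.decode("ascii", errors="replace").split(";;"):
        if not group:
            continue
        fields = group.split(";")
        inst = dict(zip(fields[0::2], fields[1::2]))
        # A real instance record always carries these two keys.
        if "ServerName" in inst and "InstanceName" in inst:
            instances.append(inst)
    return instances


def safe_parse(packet: bytes):
    """Like parse_svr_resp, but returns None for malformed input instead of raising."""
    try:
        return parse_svr_resp(packet)
    except ValueError:
        return None


def discover(target: str, timeout: float = 2.0, broadcast: bool = False) -> list:
    """Send one probe to target (host, or subnet broadcast address when
    broadcast=True) and collect every reply until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    if broadcast:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.sendto(CLNT_BCAST_EX if broadcast else CLNT_UCAST_EX, (target, SSRP_PORT))
    found = []
    try:
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            for inst in safe_parse(data) or []:   # junk datagrams are skipped
                inst["Address"] = addr
                found.append(inst)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed reply (not a capture): one host advertising two instances.
SAMPLE_BODY = (
    b"ServerName;SQL01;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;"
    b"tcp;1433;np;\\\\SQL01\\pipe\\sql\\query;;"
    b"ServerName;SQL01;InstanceName;SQLEXPRESS;IsClustered;No;Version;14.0.1000.169;"
    b"tcp;51433;;"
)
SAMPLE_PACKET = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_PACKET):
        print(f"{inst['ServerName']}\\{inst['InstanceName']} "
              f"tcp={inst.get('tcp', '?')} version={inst['Version']}")
    # Live use: discover("10.0.0.255", broadcast=True) or discover("10.0.0.5")
```

The `tcp` value is what you feed into the next step: named instances sit on a dynamic port (51433 above), not 1433, and a reply that omits `tcp` means the instance is only reachable over named pipes. Anything on the segment can answer a broadcast, so the reply is reconnaissance data, not proof that a SQL Server exists until TCP confirms it.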

## Local User

As a local user, SQL Server instances can be identified without sending any network traffic by checking the installed services (`MSSQLSERVER` for the default instance, `MSSQL$<name>` for named instances) and the instance list under `HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL`. PowerUpSQL wraps both checks:

```
>> Get-SQLInstanceLocal
```

## Domain User

When a SQL Server service starts it tries to register an `MSSQLSvc/<fqdn>:<port or instance>` SPN on the account it runs as, so that clients can authenticate to it with Kerberos. Registration succeeds on its own when the service runs as the machine account or a managed service account; for a plain domain user account an administrator has to grant it `Write servicePrincipalName` or register the SPN by hand, so instances whose registration failed will not show up here. Any domain user can read SPNs from the directory, which makes this the quietest discovery method: nothing is sent to the SQL hosts themselves. Query them with setspn (`domain` is a placeholder for the domain name; `-Q` runs the query):

```
>> setspn -T domain -Q MSSQLSvc/*
```

or use PowerUpSQL again, which runs the same SPN query over LDAP and parses the results into host, port and instance name:

```
>> Get-SQLInstanceDomain
```

Other tools for SPN queries:

* [setspn.exe](https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx).
* [adfind.exe](http://www.joeware.net/freetools/tools/adfind/index.htm).
* [Get-Spn.psm1](https://github.com/nullbind/Powershellery/blob/master/Stable-ish/Get-SPN/Get-SPN.psm1).
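
The parsing that `Get-SQLInstanceDomain` does behind the scenes, as an added example written for this page (not code from PowerUpSQL or setspn): turn the text `setspn -T domain -Q MSSQLSvc/*` prints into host / port / instance / owning-account rows. `SAMPLE_OUTPUT` is constructed in the shape setspn prints, not real directory data, and the DNs in it are invented.

```python
"""Turn MSSQLSvc SPNs into a list of SQL Server instances.

Added example; not code from the page, setspn or PowerUpSQL. SAMPLE_OUTPUT
is constructed to match the layout of `setspn -Q` output (one unindented
DN line per account, indented SPN lines beneath it); it is not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The three shapes a SQL Server SPN takes:
#   MSSQLSvc/<fqdn>          default instance, port not stated (usually 1433)
#   MSSQLSvc/<fqdn>:<port>   any instance, identified by its TCP port
#   MSSQLSvc/<fqdn>:<name>   named instance, identified by instance name
SPN_RE = re.compile(r"^MSSQLSvc/(?P<host>[^:/\s]+)(?::(?P<suffix>\S+))?$", re.IGNORECASE)


@dataclass(frozen=True)
class SqlInstance:
    host: str
    port: Optional[int]       # None when the SPN gives an instance name, not a port
    instance: Optional[str]   # None when the SPN gives only a port
    account: str              # DN of the AD object holding the SPN


def parse_spn(spn: str, account: str) -> Optional[SqlInstance]:
    """Return a SqlInstance for an MSSQLSvc SPN, or None for any other SPN."""
    m = SPN_RE.match(spn.strip())
    if not m:
        return None
    host = m.group("host").lower()
    suffix = m.group("suffix")
    if suffix is None:
        return SqlInstance(host, None, "MSSQLSERVER", account)
    if suffix.isdigit():
        return SqlInstance(host, int(suffix), None, account)
    return SqlInstance(host, None, suffix.upper(), account)


def parse_setspn_output(text: str) -> List[SqlInstance]:
    """Walk setspn -Q output: an unindented 'CN=...' line names the account,
    the indented lines under it are that account's SPNs. Header and trailer
    lines ("Checking domain ...", "Existing SPN found!") are ignored."""
    found: List[SqlInstance] = []
    account = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.upper().startswith("CN="):
            account = line
            continue
        if account is None:
            continue
        inst = parse_spn(line, account)
        if inst is not None and inst not in found:
            found.append(inst)
    return found


def target_hosts(rows: List[SqlInstance]) -> List[str]:
    """Unique hostnames, ready to hand to a port scan or a UDP 1434 probe."""
    return sorted({r.host for r in rows})


# Constructed sample in the shape setspn prints; the DNs are invented.
SAMPLE_OUTPUT = """Checking domain DC=corp,DC=local
CN=SQL01,OU=Servers,DC=corp,DC=local
\tMSSQLSvc/sql01.corp.local:1433
\tMSSQLSvc/sql01.corp.local
CN=svc_sql,OU=Service Accounts,DC=corp,DC=local
\tMSSQLSvc/sql02.corp.local:SQLEXPRESS
\tMSSQLSvc/sql02.corp.local:51433
\tHTTP/reports.corp.local

Existing SPN found!
"""

if __name__ == "__main__":
    for row in parse_setspn_output(SAMPLE_OUTPUT):
        print(f"{row.host} port={row.port} instance={row.instance} account={row.account}")
    print("hosts:", target_hosts(SAMPLE_OUTPUT and parse_setspn_output(SAMPLE_OUTPUT)))
```

Two things the rows make visible that a flat SPN list hides. A named instance usually registers twice, once by name and once by port (sql02 above), and the parser cannot pair them from the SPN alone, so keep both rows and let the UDP 1434 probe or a TCP connect resolve which port the name lives on. The `account` column tells you whether the service runs as a machine account (`CN=SQL01`) or a user account (`CN=svc_sql`); only the latter is a useful target for attacks on the service account's credentials, so it is worth recording during discovery.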
