Nmap Development mailing list archives
Microsoft SQL Server fingerprints for SQL 2000 and 2005
From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 08 Jan 2008 18:54:02 -0600
Based on the feedback from Doug and Fyodor I have generated a probe/match set for Microsoft SQL Server 2000 and 2005. MS SQL Server's response to the probe includes the major and minor software revision in hex. Toward the end of the probe response the software version is encoded like this (I hope this diagram actually formats correctly):

    \x09\x00\x0b\xe2
      ^   ^   ^^  ^^
      |   |   Build number in hex - 0be2 = 3042
      |   |
      |   Spacer? (It's in every version)
      Major Revision = 9.

Software revision is 9.00.3042

This is where the hex to decimal conversion would be handy as nmap could identify the base version, 2000 or 2005, and then toss the specific build into an info string. This information is accurate even when the data returned from the UDP probe to port 1434 is not. For some reason Microsoft quit updating the version string that SQL 2000 returned via UDP response.

Per Doug's advice I have created specific fingerprints for each version that I can test. I have also created generic fingerprints for SQL 2000 and SQL 2005 as well as a fallback fingerprint for Microsoft SQL. I could not find a working probe for MS SQL Server 7.

I expect that someone can shorten the match lines. Unfortunately, my PCRE-fu is not that strong. If it would be more efficient, the major version match lines can be added and I will look into creating a Lua script that will query the port, extract the version and generate detailed information.
##########################################################
Probe TCP mssql q|\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x01\x55\x00\x00\x00\x4d\x53\x53\x51\x4c\x53\x65\x72\x76\x65\x72\x00\x48\x0f\x00\x00|
ports 1433

#Specific minor version lines
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x05\x77| p/Microsoft SQL Server 2005 (9.00.1399)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x07\xff| p/Microsoft SQL Server 2005 SP1 (9.00.2047)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x0b\xee| p/Microsoft SQL Server 2005 SP2+ (9.00.3054)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x0b\xe2| p/Microsoft SQL Server 2005 SP2 (9.00.3042)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08\x00\x07\xf7| p/Microsoft SQL Server 2000 SP4 (8.00.2039)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08\x00\x03\x32| p/Microsoft SQL Server 2000 SP3+ (8.00.818)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08\x00\x02\xfe| p/Microsoft SQL Server 2000 SP3+ (8.00.766)/ o/Windows/

#Major version match lines - in the event that minor versions do not match
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09| p/Microsoft SQL Server 2005/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08| p/Microsoft SQL Server 2000/ o/Windows/

#Generic MSSQL 2000 and above match line
match mssql m|^\x04\x01\x00\x25\x00\x00\x01| p/Microsoft SQL Server/ o/Windows/
##########################################################

Thanks much!

Tom Sellers

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
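The hex-to-decimal step the post asks nmap for, worked through as an added example (this is not part of Tom's post and not nmap or NSE code). It walks the option table of the TDS PRELOGIN response the probe above elicits, reads the VERSION option from the offset the table gives rather than from a fixed byte position, turns major/minor/build into the "9.00.3042" form, and regenerates an exact match line in the post's style from a captured response. Assumptions not stated on the page: the PRELOGIN response layout (8-byte TDS header, then 5-byte option entries of token, offset, length terminated by 0xff, then option data; VERSION is token 0x00 with major, minor, big-endian build and subbuild), and the bytes after the first four version bytes in the two sample packets, which the post's fingerprints do not show and are filled in here so the length field adds up.

```python
"""Decode the server version from a TDS PRELOGIN response and emit an
nmap-service-probes match line from it.  Added example; the packet
layout below is an assumption, not something the post states."""
import struct

TDS_HEADER_LEN = 8
TDS_TABULAR_RESULT = 0x04   # packet type of the PRELOGIN response (first byte of every match)
VERSION_TOKEN = 0x00        # PRELOGIN option carrying major, minor, build, subbuild
OPTION_TERMINATOR = 0xFF    # ends the option table; the post's matches key on it
OPTION_ENTRY_LEN = 5        # token(1) + offset(2, BE) + length(2, BE)

# Major version -> product, as in the post's major-version fallback lines.
MAJOR_TO_PRODUCT = {8: "Microsoft SQL Server 2000", 9: "Microsoft SQL Server 2005"}

# Constructed sample responses.  Header, option table, terminator and the
# first four VERSION bytes are copied from the post's 9.00.3042 and
# 8.00.2039 match lines; the subbuild (00 00), ENCRYPTION (00) and INSTOPT
# (00) bytes after them are assumed so the declared length 0x25 = 37 holds.
_PREFIX = bytes.fromhex(
    "0401002500000100"                      # TDS header, length 0x25
    "0000150006" "01001b0001" "02001c0001"  # VERSION, ENCRYPTION, INSTOPT entries
    "03001d0000" "ff"                       # THREADID entry, terminator
)
SAMPLE_2005_SP2 = _PREFIX + bytes.fromhex("09000be20000" "00" "00")
SAMPLE_2000_SP4 = _PREFIX + bytes.fromhex("080007f70000" "00" "00")


def find_version_option(payload):
    """Walk the option table; return (offset, length) of VERSION or None."""
    pos = 0
    while pos < len(payload) and payload[pos] != OPTION_TERMINATOR:
        if pos + OPTION_ENTRY_LEN > len(payload):
            return None                      # table runs off the end
        token = payload[pos]
        offset, length = struct.unpack(">HH", payload[pos + 1:pos + OPTION_ENTRY_LEN])
        if token == VERSION_TOKEN:
            if length < 4 or offset + length > len(payload):
                return None                  # version data not actually present
            return offset, length
        pos += OPTION_ENTRY_LEN
    return None


def parse_prelogin_version(packet):
    """Return (major, minor, build) or None for a short or mis-sized packet.

    Fails closed instead of reading whatever bytes sit at the fixed
    positions the match lines hard-code."""
    if len(packet) < TDS_HEADER_LEN or packet[0] != TDS_TABULAR_RESULT:
        return None
    (declared_len,) = struct.unpack(">H", packet[2:4])
    if declared_len != len(packet):
        return None
    payload = packet[TDS_HEADER_LEN:]
    found = find_version_option(payload)
    if found is None:
        return None
    offset, _ = found
    major, minor = payload[offset], payload[offset + 1]
    (build,) = struct.unpack(">H", payload[offset + 2:offset + 4])
    return major, minor, build


def describe_version(packet):
    """Product name plus exact build, e.g. 'Microsoft SQL Server 2005 (9.00.3042)'."""
    parsed = parse_prelogin_version(packet)
    if parsed is None:
        return None
    major, minor, build = parsed
    product = MAJOR_TO_PRODUCT.get(major, "Microsoft SQL Server")
    return f"{product} ({major}.{minor:02d}.{build})"


def nmap_match_line(packet, product):
    """Exact match line in the post's style: every byte up to and including
    the first four VERSION bytes (major, minor, build) escaped as \\xNN."""
    if parse_prelogin_version(packet) is None:
        return None
    offset, _ = find_version_option(packet[TDS_HEADER_LEN:])
    prefix = packet[:TDS_HEADER_LEN + offset + 4]
    escaped = "".join(f"\\x{b:02x}" for b in prefix)
    return f"match mssql m|^{escaped}| p/{product}/ o/Windows/"


if __name__ == "__main__":
    for sample in (SAMPLE_2005_SP2, SAMPLE_2000_SP4):
        print(describe_version(sample))
        print(nmap_match_line(sample, describe_version(sample)))
```

Run against the 9.00.3042 sample, nmap_match_line reproduces the post's "SP2 (9.00.3042)" line byte for byte once the same product string is passed in, which is a cheap way to check a captured response before adding a fingerprint. The length check matters for the fallback lines: the generic `^\x04\x01\x00\x25\x00\x00\x01` match only works because every response seen here is 0x25 bytes, and a server that returns a longer PRELOGIN reply would miss all three tiers.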
Current thread:
- Microsoft SQL Server fingerprints for SQL 2000 and 2005 Tom Sellers (Jan 08)
- RE: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Thomas Buchanan (Jan 08)
- Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Tom Sellers (Jan 09)
- Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Fyodor (Jan 10)
- Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005 doug (Jan 13)
- Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Fyodor (Jan 13)
- RE: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Thomas Buchanan (Feb 07)
- Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Fyodor (Feb 07)
- RE: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Thomas Buchanan (Feb 08)
- Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Fyodor (Feb 08)
- RE: Microsoft SQL Server fingerprints for SQL 2000 and 2005 Thomas Buchanan (Jan 08)