Nmap Development mailing list archives

RE: Microsoft SQL Server fingerprints for SQL 2000 and 2005


From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Thu, 7 Feb 2008 18:21:49 -0600

-----Original Message-----
From: nmap-dev-bounces () insecure org 
[mailto:nmap-dev-bounces () insecure org] On Behalf Of doug () hcsw org
Sent: Sunday, January 13, 2008 5:07 PM
To: nmap-dev () insecure org
Subject: Re: Microsoft SQL Server fingerprints for SQL 2000 and 2005

Hi Tom!

On Tue, Jan 08, 2008 at 06:54:02PM -0600 or thereabouts, Tom 
Sellers wrote:
Based on the feedback from Doug and Fyodor I have generated a
probe/match set for Microsoft SQL Server 2000 and 2005.

Thanks a lot for this probe. It looks good and I just checked it
into SVN with the following minor changes:

* Moved version numbers into the v// field
* Commented out the "catch all" match line so that we will hopefully
 see fingerprints for new MSSQL versions as they come out and then
 can report their versions more specifically
* Added a rarity value of 8 because I don't think this service
 is common enough to be scanned against all ports (hopefully
 this isn't my unix bias showing through)

This should complement Thomas's MSSQLm.nse script nicely.

Thanks for helping!

Doug


Thanks again to Tom, et al. for getting these probes and matches built.
They've been very helpful, as this seems to be the most accurate way to
determine actual patch levels for SQL Server.  Here are a few updates and
additions.

The most significant change is to the service field, which I changed
from "mssql" to "ms-sql-s", which matches the services file, and the
style of the MS SQL UDP probes.
from nmap-services:
ms-sql-s          1433/tcp   # Microsoft-SQL-Server
ms-sql-s          1433/udp   # Microsoft-SQL-Server
ms-sql-m          1434/tcp   # Microsoft-SQL-Monitor
ms-sql-m          1434/udp   # Microsoft-SQL-Monitor

from nmap-service-probes:
Probe UDP Sqlping q|\x02|
rarity 6
ports 1434
match ms-sql-m <snip actual matches>

If there's a reason to stay with the existing "mssql" service name, just
let me know, and I'll submit a patch with just the version
additions.

Other than that change, this patch adds specific version detection for
SQL Server 2000 RTM, RTMa, SP1, SP2, and SP3, and makes a couple of
minor changes to version numbers that were already detected.

As always, comments or questions are welcome.

Thomas

Attachment: ms-sql-services.patch
Description: ms-sql-services.patch
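As an added illustration (not code from the patch above or from Nmap itself): a small Python lint that parses nmap-services and nmap-service-probes excerpts and reports match lines whose service name does not appear in nmap-services, which is exactly the "mssql" versus "ms-sql-s" mismatch the message corrects. The TCP probe name, the match patterns, the Browser match and the version strings are constructed placeholders, not Nmap's real MSSQL fingerprints.

```python
import re

# Constructed excerpt modelled on the nmap-services lines quoted above.
SERVICES = """\
ms-sql-s          1433/tcp   # Microsoft-SQL-Server
ms-sql-s          1433/udp   # Microsoft-SQL-Server
ms-sql-m          1434/tcp   # Microsoft-SQL-Monitor
ms-sql-m          1434/udp   # Microsoft-SQL-Monitor
"""
# Constructed probe excerpt; patterns, TCP probe name and versions are placeholders.
PROBES = r"""
Probe UDP Sqlping q|\x02|
rarity 6
ports 1434
match ms-sql-m m|^\x05| p/Microsoft SQL Server Browser/
Probe TCP HypotheticalMSSQL q|\x12\x01|
match mssql m|^\x04\x01| p/Microsoft SQL Server/ v/2000 SP3/
match ms-sql-s m|^\x04\x01| p/Microsoft SQL Server/ v/2005/
"""
# match/softmatch <service> m<delim>regex<delim>[flags] [version fields]
MATCH_RE = re.compile(r"^(soft)?match\s+(\S+)\s+m(\W)(.*?)\3[a-z]*\s*(.*)$")
# version fields such as p/.../ v/.../ i/.../, each with its own delimiter
FIELD_RE = re.compile(r"(?:^|\s)([pvihod])([^\w\s])(.*?)\2")

def parse_services(text):
    """Return the set of service names declared in an nmap-services file."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            names.add(line.split()[0])
    return names

def parse_matches(text):
    """Yield (probe, service, version_fields) for each match/softmatch line."""
    probe = None
    for line in text.splitlines():
        if line.startswith("Probe "):
            probe = line.split()[2]            # "Probe <proto> <name> q|...|"
        m = MATCH_RE.match(line)
        if m:
            fields = {k: v for k, _, v in FIELD_RE.findall(m.group(5))}
            yield probe, m.group(2), fields

def unknown_services(services_text, probes_text):
    """(probe, service, v// field) for matches naming a service absent from nmap-services."""
    known = parse_services(services_text)
    return [(p, s, f.get("v")) for p, s, f in parse_matches(probes_text)
            if s not in known]
```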


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
