Nmap Development mailing list archives

Microsoft SQL Server fingerprints for SQL 2000 and 2005


From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 08 Jan 2008 18:54:02 -0600

Based on the feedback from Doug and Fyodor I have generated a
probe/match set for Microsoft SQL Server 2000 and 2005.  MS SQL
Server's response to the probe includes the major and minor
software revision in hex.

Toward the end of the probe response the software version is
encoded like this:
(I hope this diagram actually formats correctly)

\x09\x00\x0b\xe2
   ^   ^  ^^  ^^
   |   |   Build number in hex - 0be2 = 3042
   |   |
   |   Spacer? (It's in every version)
   Major Revision = 9.

Software revision is 9.00.3042

This is where the hex to decimal conversion would be handy
as nmap could identify the base version, 2000 or 2005, and
then toss the specific build into an info string.

This information is accurate even when the data returned
from the UDP probe to port 1434 is not.  For some reason
Microsoft quit updating the version string that SQL 2000
returned via UDP response.

Per Doug's advice I have created specific fingerprints for
each version that I can test.  I have also created generic
fingerprints for SQL 2000 and SQL 2005 as well as a fallback
fingerprint for Microsoft SQL.  I could not find a working
probe for MS SQL Server 7.

I expect that someone can shorten the match lines.
Unfortunately, my PCRE-fu is not that strong.

If it would be more efficient, the major version match lines
can be added and I will look into creating a Lua script that
will query the port, extract the version and generate detailed
information.

##########################################################
Probe TCP mssql q|\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x01\x55\x00\x00\x00\x4d\x53\x53\x51\x4c\x53\x65\x72\x76\x65\x72\x00\x48\x0f\x00\x00|
ports 1433

#Specific minor version lines
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x05\x77| p/Microsoft SQL Server 2005 (9.00.1399)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x07\xff| p/Microsoft SQL Server 2005 SP1 (9.00.2047)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x0b\xee| p/Microsoft SQL Server 2005 SP2+ (9.00.3054)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09\x00\x0b\xe2| p/Microsoft SQL Server 2005 SP2 (9.00.3042)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08\x00\x07\xf7| p/Microsoft SQL Server 2000 SP4 (8.00.2039)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08\x00\x03\x32| p/Microsoft SQL Server 2000 SP3+ (8.00.818)/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08\x00\x02\xfe| p/Microsoft SQL Server 2000 SP3+ (8.00.766)/ o/Windows/

#Major version match lines - in the event that minor versions do not match
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x09| p/Microsoft SQL Server 2005/ o/Windows/
match mssql m|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff\x08| p/Microsoft SQL Server 2000/ o/Windows/

#Generic MSSQL 2000 and above match line
match mssql m|^\x04\x01\x00\x25\x00\x00\x01| p/Microsoft SQL Server/ o/Windows/

##########################################################


Thanks much!

Tom Sellers
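The byte layout the post describes (option table, then a version block of major, minor and a big-endian build number after the \xff terminator) is what the following added example decodes. It is not code from the post or from nmap: it rebuilds the posted probe from its fields, walks the option table of a reply instead of matching a fixed prefix, and turns the version bytes into the "9.00.3042" form and the generation/service-pack labels used in the posted match lines. The probe bytes and the first 33 bytes of the sample reply are copied from the post; the last four bytes of the reply (sub-build, encryption and instance flags), which the match lines never reach, are constructed. Mapping of major 8/9 to SQL 2000/2005 is taken from the post; any other major is left as generic "Microsoft SQL Server".

```python
"""Decode the TDS PRELOGIN exchange behind the probe/match lines above.

Added example, not code from the original post or from nmap. Probe and
reply bytes are copied from the posted q|...| and m|...| lines; the last
four bytes of the sample reply are constructed (assumed zero).
"""
import struct

TDS_PRELOGIN = 0x12   # client PRELOGIN packet type (first byte of the probe)
TDS_RESPONSE = 0x04   # server reply packet type (first byte of every match)
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID = 0, 1, 2, 3
OPT_TERMINATOR = 0xFF

# Major version -> product generation, as given in the post.
GENERATION = {8: "Microsoft SQL Server 2000", 9: "Microsoft SQL Server 2005"}
# (major, build) -> service pack label, taken from the posted match lines.
KNOWN_BUILDS = {
    (9, 1399): "", (9, 2047): "SP1", (9, 3042): "SP2", (9, 3054): "SP2+",
    (8, 2039): "SP4", (8, 818): "SP3+", (8, 766): "SP3+",
}

# The probe exactly as posted (52 bytes, header length field 0x34).
POSTED_PROBE = (
    b"\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01"
    b"\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x01\x55\x00\x00\x00"
    b"MSSQLServer\x00\x48\x0f\x00\x00"
)
# First 29 bytes shared by every posted match line: header + option table.
RESPONSE_PREFIX = (
    b"\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01"
    b"\x02\x00\x1c\x00\x01\x03\x00\x1d\x00\x00\xff"
)


def build_prelogin(version=(8, 0, 341, 0), instance=b"MSSQLServer", thread_id=0x0F48):
    """Build a PRELOGIN packet field by field; defaults reproduce the posted probe."""
    major, minor, build, subbuild = version
    options = [
        (OPT_VERSION, struct.pack(">BBH", major, minor, build) + struct.pack("<H", subbuild)),
        (OPT_ENCRYPTION, b"\x00"),            # no encryption requested
        (OPT_INSTOPT, instance + b"\x00"),    # NUL-terminated instance name
        (OPT_THREADID, struct.pack("<I", thread_id)),
    ]
    table_len = 5 * len(options) + 1          # 5 bytes per entry + terminator
    table, data = b"", b""
    for token, value in options:              # offsets are relative to the payload
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = table + bytes([OPT_TERMINATOR]) + data
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 0, 0)
    return header + payload


def sample_response(major, minor, build):
    """Constructed server reply: posted prefix + version block + assumed tail."""
    tail = b"\x00\x00" + b"\x00" + b"\x00"    # sub-build, encryption, instopt (assumed 0)
    return RESPONSE_PREFIX + struct.pack(">BBH", major, minor, build) + tail


def parse_prelogin_response(pkt):
    """Return (major, minor, build) from a PRELOGIN reply, or None if malformed."""
    if len(pkt) < 8:
        return None
    ptype, _status, length = struct.unpack(">BBH", pkt[:4])
    if ptype != TDS_RESPONSE or length > len(pkt):   # wrong type or truncated
        return None
    payload = pkt[8:]
    pos = 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):                    # table runs off the packet
            return None
        token, off, olen = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_VERSION:
            if olen < 4 or off + olen > len(payload):  # bounds-check the offset
                return None
            return struct.unpack(">BBH", payload[off:off + 4])
        pos += 5
    return None


def version_string(major, minor, build):
    """Format the way the posted fingerprints do: 9.00.3042."""
    return f"{major}.{minor:02d}.{build}"


def fingerprint(pkt):
    """Label a reply like the posted match lines, always carrying the decoded build."""
    v = parse_prelogin_response(pkt)
    if v is None:
        return None
    major, minor, build = v
    product = GENERATION.get(major, "Microsoft SQL Server")
    label = KNOWN_BUILDS.get((major, build))
    if label:
        product += " " + label
    return f"{product} ({version_string(major, minor, build)})"


if __name__ == "__main__":
    assert build_prelogin() == POSTED_PROBE
    for v in [(9, 0, 3042), (8, 0, 2039), (9, 0, 3100), (10, 0, 1600)]:
        print(fingerprint(sample_response(*v)))
```

Because the parser follows the option table rather than a fixed byte prefix, a reply whose table lists the options in a different order or at different offsets still yields the version, which the posted prefix-anchored match lines would miss; the bounds checks matter because the offsets come from the remote host.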

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org