RE: Microsoft SQL Server fingerprints for SQL 2000 and 2005

["Thomas Buchanan" <TBuchanan () thecompassgrp net>]

> -----Original Message-----
> From: nmap-dev-bounces () insecure org 
> [mailto:nmap-dev-bounces () insecure org] On Behalf Of Tom Sellers
> Sent: Tuesday, January 08, 2008 6:54 PM
> To: nmap-dev () insecure org
> Subject: Microsoft SQL Server fingerprints for SQL 2000 and 2005
>
> Based on the feedback from Doug and Fyodor I have generated a
> probe/match set for Microsoft SQL Server 2000 and 2005.  MS SQL
> Server's response to the probe includes the major and minor
> software revision in hex.
>
> Toward the end of the probe response the software version is
> encoded like this:
> (I hope this diagram actually formats correctly)
>
> \x09\x00\x0b\xe2
>   ^    ^  ^^  ^^
>   |    |   Build number in hex - 0be2 = 3042
>   |    |
>   |    Spacer? (Its in every version)
>   Major Revision = 9.
>
> Software revision is 9.00.3042

Tom,

Thanks for the excellent information.  I've done a little testing on SQL
Server in the past, and never knew about this.  

> If it would be more efficient, the major version match lines
> can be added and I will look into creating a lua script that
> will query the port, extract the version and generate detailed
> information.

I've actually written a NSE script that targets Microsoft SQL server,
and that's included in nmap-4.50 and newer (MSSQLm.nse).  I'd be happy
to take the information you provided and try and work it into that
script.  I think it would be an excellent addition, as the current
script relies on UDP probes to extract information, which as you
indicated are not accurate for newer releases of SQL 2000.  It'll
probably be a few days before I have much time to work on it, but I
wanted to go ahead and make the offer.

Thanks again,

Thomas

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org