SQL Ping
SQL Ping is a nice little command-line enumerator that specifically
looks for SQL Servers and requires no authentication whatsoever. It
works on all versions of SQL Server up to and including 2005, as well
as the Express editions.
It is available from here.
Installation is simply a matter of downloading and extracting the
files; it works out of the box.
Execution:
Usage: sqlping target_ip or host_name
C:\Documents and Settings\hacker\Desktop\dg>SqlPing.exe 192.168.1.11
SQLPing v1.1
Chip Andrews, Michael Choi, and Rajiv Delwadia http://www.sqlsecurity.com
chip@sqlsecurity.com 1/29/2001
SQLPing is a utility for querying SQL Servers (2000+) listening on UDP
1434 to return detailed information about the instances installed. Note
that broadcast addresses may return multiple results.
Listening....
ServerName:SQL-2K3
InstanceName:SQLEXPRESS
IsClustered:No
Version:9.00.1399.06
tcp:1036
As the results show, the remote MS SQL Server is running MS SQL 2005
Express Edition (the cut-down, free SQL Server), and the reply also
leaks its hostname, SQL-2K3.
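For an exposure inventory, the output above can be turned into one record per instance listing exactly what the unauthenticated reply gave away. This is an added example, not part of SQL Ping or of the original page; the function names and the product table are assumptions made here, and it assumes each instance in a multi-result reply starts with a ServerName line.

```python
"""Parse SqlPing text output into per-instance records for an exposure inventory."""

# Constructed sample: the output shown on this page, pasted as captured text.
SAMPLE_OUTPUT = """\
SQLPing v1.1
Chip Andrews, Michael Choi, and Rajiv Delwadia http://www.sqlsecurity.com
Listening....
ServerName:SQL-2K3
InstanceName:SQLEXPRESS
IsClustered:No
Version:9.00.1399.06
tcp:1036
"""

FIELDS = {"ServerName", "InstanceName", "IsClustered", "Version", "tcp", "np"}
# Major version -> product name (8 and 9 are the releases this page covers).
PRODUCTS = {"8": "SQL Server 2000", "9": "SQL Server 2005"}


def parse_sqlping(text):
    """Return one dict per instance; a ServerName line starts a new record."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or key not in FIELDS:
            continue  # banner, blank line, or the URL in the credits line
        if key == "ServerName" or current is None:
            current = {}
            records.append(current)
        current[key] = value.strip()
    return records


def summarize(record):
    """Describe what one unauthenticated reply disclosed about an instance."""
    major = record.get("Version", "").split(".")[0].lstrip("0")
    return {
        "host": record.get("ServerName"),
        "instance": record.get("InstanceName"),
        "product": PRODUCTS.get(major, "unknown"),
        "build": record.get("Version"),
        "tcp_port": int(record["tcp"]) if record.get("tcp", "").isdigit() else None,
        "disclosed": sorted(record),
    }


if __name__ == "__main__":
    for rec in parse_sqlping(SAMPLE_OUTPUT):
        print(summarize(rec))
```

Hosts that show up in this inventory are answering on UDP 1434 without authentication, so each record is a candidate for filtering that port or reviewing whether the service answering on it needs to be reachable.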