sqllhf

This utility has been designed to scan an single ip address or network range for MS SQL services (SQLServers, MSDE, SQL Server Express Edition etc).  Once found it will check if the sa password one of three things:

• blank,

• sa,

• password.

Execution:

sqllhf [options] [ip_address/ network range]

Options:
-q    doesn't ping hosts to discover.
-o    [outputfile.txt] :: dumps results to a file.
-i    [inputfile.txt] :: inputs host list from file.
-v    verbose output.
-vv   very verbose output.
-p    [passlist.txt] (dictionary audit)
-db   [SQL Instance Name] target one specific database instance.

Note: - -db only allows a scan against a single host only.

Examples syntax:

sqllhf -i hosts.txt -o results.txt
sqllhf 192.168.1.1
sqllhf -q 192.168.1.1-192.168.1.254
sqllhf -v 192.168.1.1-192.168.1.254
sqllhf -p passlist.txt -i hosts.txt -v
sqllhf 192.168.1.1 -db kev -p passlist.txt

Expected Output:

C:\sqllhf> sqllhf.exe -p c:\common-passwords.txt 200.100.100.175

SQLLHF v3.1 - written by MattW 01-28-02
--------------------------------------------
Checking 200.100.100.175 for blank or easily guessable sa passwords.

200.100.100.175 responded to ICMP.. Checking for SQL Service...

Checking 200.100.100.175 ::: Password is password!! <---- WARNING!

Obviously an sa account with a password set to "password".