Steve Andres of Special Ops Security emailed me to report his company's release of SQLrecon, Chip Andrews' successor to SQLping. SQLrecon is another .NET application that I tested on my Windows 2000 laptop. You can use SQLrecon to discover servers offering Windows SQL Server, and learn a little bit more than a port scanner might say.

The tool is very easy to use. By default, the tool is easy to use. Specify a range of IPs in the boxes and start the scan. Results appear in the window at right:



SQLrecon provides plenty of customization via options as well.



Thank you to Special Ops Security for releasing this free and helpful tool!

Comments

Anonymous said…
SQLRecon is an excellent tool but does have some limitations. There are three that I have encountered, and these are related primarily to very large networks or substantialy network latency.

Even so, this tool is a giant step forward compared to what existed before it. It is an excellent tool for SQL Server admins.

It discovers MSDE, SQL verison 7, and 2000. I hope it will still work for 2005. Very nice that it reports blank 'sa' passwords!

Some issues: First, it chokes on large subneets.
Second, it is relatively slow.
Third, it may not catch all instances.

I have let it run for days at a time only to find that at some critical juncture it has hung and was unrecoverable so that I couldn't dump the report to a file and had to start over with a smaller chunk. Don't know if this is due to the application or running on W2K. Could be a local (app space) memory leak. In any case, the lesson learned is to chop subnets up into digestable chunks. A 192.168.1.0/24 subnet is too small, but 10.0.0.0/8 is too big. 192.168.0.0/16 is also too big. So somewhere between 16 and 24 bits in the primary address seems to be the dividing line.

Slowness I can live with, but it makes it difficult to repeatedly scan an entire network.

The list of SQL Server instances that it discovered and reported was shorter and different than the a priori list of known instances. The fact that it found additional instances is good, the fact that it missed some known ones is not so good. This may have something to do with internal routing rules, ACLs or latency (not likely the instances were down at the time of the scan).
Anonymous said…
This comment has been removed by a blog administrator.
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

MITRE ATT&CK Tactics Are Not Tactics

New Book! The Best of TaoSecurity Blog, Volume 4