19 MARCH 2005
SQLRecon was designed to be simple to configure and
operate. Simply execute the SQLRecon.exe file downloaded
from the website. After the application loads, the basic
operation is as follows:
Choose a scan type
Based on your scan type enter the scan criteria (IP
address range or list file) Click the “Scan” button to
begin the scan
SQLRecon has three scan types:
- Active (IP Range)
A range of IP addresses is actively scanned one by one
until all hosts have been assessed for SQL Server
instances. (The term “active” implies that packets are
directed precisely at those hosts and the scan will be
observed if any network or host-based IDS systems are
- Active (IP List)
An imported list on IP addresses is actively scanned
for SQL Server instances. This is useful in situations
where you need to be more selective about which machines
are being checked. This scan is also useful for a deeper
scan of machines that may have been identified in a
This scan sends no packets directly to the hosts being
discovered. Instead, this mode uses techniques to discovery
SQL Server instances that involve contacting third party
services that are already aggregating this information.
As the scan progresses, you will see the results appear
in the right pane. The results will appear in treeview form
in collapsed mode. You can expand each node for more information
by clicking the plus (+) symbol by each entry. By clicking the
"Expand All" button, you can also expand the entire tree.
Once expanded, the button will change to "Collapse All" and have
the opposite effect.
Once your scan is complete, you have the option of saving
the complete results or simply a list of IP addresses. In
order to access this feature, simply click on the File menu at
the top of the screen.
File -> Save -> Full Report
This option will export all of the data from the scan in
either an XML or comma-delimited text file that you designate.
File -> Save -> IP List
This option will export the discovered computers as a simple
list of IP addresses. This is commonly done when you have
performed a Stealth Scan and wish to do a more detailed, active
scan of the machines discovered.
The options tab will allow you to modify the operation of
SQLRecon for your environment and help diagnose possible issues
you may be having with discovery.
Active scanning probes
- UDP: Finds SQL Server 2000 instances by probing
UDP 1434 (no auth required). This is the classic "SQLPing"
- REG: Checks remote registry for SQL Server default
instances (requires administrative privileges). This scan
only works for default instances at the current time.
- WMI: Initiates a WMI query against the target
machine (requires administrative privileges). While this scan
can produce results from multiple instances, it will only work
with administrative privileges in most environments.
- TCP: Port scan of TCP 1433/2433 (no auth required).
1433 is the default TCP port for SQL Server and MSDE. 2433
is the default port when the "Hide server" check box is
selected in the TCP/IP properties of the Server Network Utility.
- SCM: Queries the service control manager of the
remote machine (user privileges required). This scan is
especially useful in scenarios where you may not have
administrative privileges but still have domain user
- SA: Attempts to access the SQL Server instance
with a blank password (no auth required). This qualifies as
a scan type since they may be scenarios where all the other
probes fail but an blatant attempt to access the system
returns error messages signifying a server is present.
Stealth scanning probes
- BRO: Checks the browser service for SQL Server
registrations (no auth required). This scan will return
minimal results but can return a nice list that you can
export and then re-scan as an "active" type scan. This type
of probe is also useful in cases where people may have a
personal firewall enabled. Even if you can’t get more
information, you’ll know the instances exist and you can
audit them by more manual methods.
- AD: Queries Active Directory for registered
SQL Servers (requires domain user privileges). This type
of probe can return much more information than the BRO
scan but at this time, Active Directory registration of
SQL Server is still a voluntary process. That is, only
persons who have opted to register their SQL Servers with
Active Directory (using Enterprise Manager) will appear.
- Disable SSNetlib Version Check Packet: Use this
if you are not interested in the ssnetlib version or are wary
of setting off alarms that look for that type of packet.
- Disable ICMP Check: Slows the scan but is useful
if hosts may be blocking ICMP. If you select this option, the
SQLRecon scan will slow significantly but may be the only
way to get information from a host that is blocking ICMP.
- Enable Debug Log: Creates log file so you can
monitor the reasons certain checks might be failing. If you
wish to save your logs in a custom location, just use the
input box called "Debug file" to specify the location you want.
- ICMP Timeout: Allows you to adjust the amount of
time SQLRecon will wait for an ICMP reply before considering
the remote machine to be inaccessible. You may want to increase
this on dial-up or other slow links.
- UDP Source Port: Allows you to specify a custom
source port for the UDP probe to allow it to pass through
packet-filtering firewalls. For example, if the firewall only
allows UDP 53 inbound, you could use this setting to get your
request through the firewall and probe hosts behind it.
- Alternate Credentials: Provide alternate credentials
here is you would like to perform the scans that require
authentication using a different account.