SQL Recon

v1.0 Documentation

19 MARCH 2005


SQLRecon was designed to be simple to configure and operate. Simply execute the SQLRecon.exe file downloaded from the website. After the application loads, the basic operation is as follows:

Choose a scan type

Based on your scan type enter the scan criteria (IP address range or list file) Click the “Scan” button to begin the scan

Click to Enlarge

Scan Types

SQLRecon has three scan types:

  • Active (IP Range)
    A range of IP addresses is actively scanned one by one until all hosts have been assessed for SQL Server instances. (The term “active” implies that packets are directed precisely at those hosts and the scan will be observed if any network or host-based IDS systems are active.)
  • Active (IP List)
    An imported list on IP addresses is actively scanned for SQL Server instances. This is useful in situations where you need to be more selective about which machines are being checked. This scan is also useful for a deeper scan of machines that may have been identified in a Stealth scan.
  • Stealth
    This scan sends no packets directly to the hosts being discovered. Instead, this mode uses techniques to discovery SQL Server instances that involve contacting third party services that are already aggregating this information.

As the scan progresses, you will see the results appear in the right pane. The results will appear in treeview form in collapsed mode. You can expand each node for more information by clicking the plus (+) symbol by each entry. By clicking the "Expand All" button, you can also expand the entire tree. Once expanded, the button will change to "Collapse All" and have the opposite effect.

File Export

Once your scan is complete, you have the option of saving the complete results or simply a list of IP addresses. In order to access this feature, simply click on the File menu at the top of the screen.

File -> Save -> Full Report

This option will export all of the data from the scan in either an XML or comma-delimited text file that you designate.

File -> Save -> IP List

This option will export the discovered computers as a simple list of IP addresses. This is commonly done when you have performed a Stealth Scan and wish to do a more detailed, active scan of the machines discovered.


The options tab will allow you to modify the operation of SQLRecon for your environment and help diagnose possible issues you may be having with discovery.

Click to Enlarge

Active scanning probes

  • UDP: Finds SQL Server 2000 instances by probing UDP 1434 (no auth required). This is the classic "SQLPing" probe.
  • REG: Checks remote registry for SQL Server default instances (requires administrative privileges). This scan only works for default instances at the current time.
  • WMI: Initiates a WMI query against the target machine (requires administrative privileges). While this scan can produce results from multiple instances, it will only work with administrative privileges in most environments.
  • TCP: Port scan of TCP 1433/2433 (no auth required). 1433 is the default TCP port for SQL Server and MSDE. 2433 is the default port when the "Hide server" check box is selected in the TCP/IP properties of the Server Network Utility.
  • SCM: Queries the service control manager of the remote machine (user privileges required). This scan is especially useful in scenarios where you may not have administrative privileges but still have domain user or equivalent.
  • SA: Attempts to access the SQL Server instance with a blank password (no auth required). This qualifies as a scan type since they may be scenarios where all the other probes fail but an blatant attempt to access the system returns error messages signifying a server is present.

Stealth scanning probes

  • BRO: Checks the browser service for SQL Server registrations (no auth required). This scan will return minimal results but can return a nice list that you can export and then re-scan as an "active" type scan. This type of probe is also useful in cases where people may have a personal firewall enabled. Even if you can’t get more information, you’ll know the instances exist and you can audit them by more manual methods.
  • AD: Queries Active Directory for registered SQL Servers (requires domain user privileges). This type of probe can return much more information than the BRO scan but at this time, Active Directory registration of SQL Server is still a voluntary process. That is, only persons who have opted to register their SQL Servers with Active Directory (using Enterprise Manager) will appear.

Other Options

  • Disable SSNetlib Version Check Packet: Use this if you are not interested in the ssnetlib version or are wary of setting off alarms that look for that type of packet.
  • Disable ICMP Check: Slows the scan but is useful if hosts may be blocking ICMP. If you select this option, the SQLRecon scan will slow significantly but may be the only way to get information from a host that is blocking ICMP.
  • Enable Debug Log: Creates log file so you can monitor the reasons certain checks might be failing. If you wish to save your logs in a custom location, just use the input box called "Debug file" to specify the location you want.
  • ICMP Timeout: Allows you to adjust the amount of time SQLRecon will wait for an ICMP reply before considering the remote machine to be inaccessible. You may want to increase this on dial-up or other slow links.
  • UDP Source Port: Allows you to specify a custom source port for the UDP probe to allow it to pass through packet-filtering firewalls. For example, if the firewall only allows UDP 53 inbound, you could use this setting to get your request through the firewall and probe hosts behind it.
  • Alternate Credentials: Provide alternate credentials here is you would like to perform the scans that require authentication using a different account.
Authorized SBA 8(a) Minority-Owned Small Disadvantaged Business · Terms of Use · Privacy Policy Copyright © 2002-2021 • All Rights Reserved.