Chris Woodbury and I have been working on some new exciting features and enhancements to the ms-sql scripts and library in Nmap lately. We’ve been working in a separate branch which will hopefully get merged to trunk really soon. Chris work has been of high quality and very inspiring! It got me to pick up some of the stuff I meant to implement, but hadn’t got to, and has brought a number of new great ideas. For a good summary of changes consult the following nmap-dev mailing list thread.

Among the many new features and enhancements I’m really happy to see are:

Support for more precise version checking, by using the prelogin packet (same technique as SQLPing)

Support for connections using named pipes, rather than tcp-sockets

Support for integrated authentication (Ntlmv1) in addition to the existing SQL authentication

Support for connecting to named instances in addition to specific tcp ports

Support for running each of the ms-sql scripts against all instances detected by the discovery mechanisms

If you would like to give the scripts a run they’re available from here, and will hopefully be merged to trunk really soon.