[unisog] scanning for ms sql systems

cam {Cam Beasley, ISO} cam at forum.utexas.edu
Tue Jan 28 17:19:32 GMT 2003


Might try to use the free ISS scanslam tool remotely:

<http://www.iss.net/support/product_utilities/sqlslammer.php>

Write a batch file for all of your subnets:

@echo off
REM one scanslam run per subnet range; each run writes its findings to its own file
scanslam -r4000 -s5000 123.1.2.1-123.1.254.254 > 123--results.txt
scanslam -r4000 -s5000 145.1.2.1-145.1.254.254 > 145--results.txt

Then parse out the unpatched machines and take care of the systems locally.

Might also compare results to eEye's free tool, since it supplies
interesting named pipe information that can be useful in identifying
that oddball MSDE app.

~cam.

Cam Beasley
ITS/Information Security Office
The University of Texas at Austin
512.475.9242

%>-----Original Message-----
%>From: Russell Fulton [mailto:r.fulton at auckland.ac.nz] 
%>Sent: Tuesday, 28 January, 2003 03:44
%>To: unisog at sans.org
%>Subject: [unisog] scanning for ms sql systems
%>
%>
%>Hi All,
%>	I first scanned our network (using nmap) for udp 1434 and found it very
%>unreliable, both false +ves and -ves.  I then fell back to tcp 1433.
%>
%>Does anyone know if this is sufficient to detect a potentially
%>vulnerable system -- i.e. one running either MS SQL or MSDE?
%>
%>After identifying some machines that responded on tcp 1433 the admin ran
%>the eEye scanner against them and it said that two out of the eight did
%>not have any services on udp 1434.
%>
%>I have seen other reports that the eEye scanner has a very aggressive
%>timeout and gives different results each time it is run.
%>
%>Any other experiences?
%>
%>BTW we lost 6 systems to the worm, these were concentrated in two
%>buildings and the switches in these buildings were disabled by the
%>traffic but with different symptoms which confused the network techies
%>who thought they were dealing with two separate problems. 
%>
%>Once they realized they were dealing with a worm they made progress and
%>we had all systems isolated in the small hours of Sunday morning (local
%>time -- about 6 hours after the worm struck).
%>
%>Ironically, after the original announcement of the vulnerability we
%>blocked TCP 1433, but no one here realized that it could be exploited
%>via UDP as well.  Sigh...
%>
%>-- 
%>Russell Fulton, Computer and Network Security Officer
%>The University of Auckland,  New Zealand
%>
%>"It aint necessarily so"  - Gershwin
%>
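The scan-and-parse step Cam outlines, and Russell's question about whether TCP 1433 alone is enough, as an added example that is not code from either poster or from the ISS and eEye tools: a Python probe of the SQL Server Resolution Service on UDP 1434 (the single-byte instance-list request described in MS-SQLR, which is what those scanners send) with a parser for the reply, so a named MSDE instance that exposes only a named pipe still shows up and each reported build can be compared with a baseline. The LABHOST sample reply is constructed, and the 8.00.760 baseline (SQL Server 2000 SP3) is an assumption to replace with the build your own patched servers report.

```python
import socket

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x02"  # MS-SQLR "list every instance" request byte
SVR_RESP = 0x05          # first byte of a valid server reply

def parse_ssrp_response(data):
    """SSRP reply (0x05, 2-byte LE length, ASCII body) -> one dict per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    length = int.from_bytes(data[1:3], "little")
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):   # ';;' terminates each instance
        fields = record.split(";")    # flat key;value;key;value list
        if len(fields) >= 2:
            instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances

def build(version):
    return tuple(int(part) for part in version.split("."))

def find_unpatched(instances, baseline="8.00.760"):
    """Instances whose reported build is older than `baseline` (assumed: SQL 2000
    SP3; use the build your own patch level reports). Missing Version is flagged."""
    return [i for i in instances if build(i.get("Version", "0")) < build(baseline)]

def probe_host(host, timeout=2.0, retries=3):
    """Ask one host for its instance list; None if no reply after `retries` tries.
    UDP drops silently, so one unanswered datagram proves nothing about 1434."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries):
            sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
            try:
                return parse_ssrp_response(sock.recvfrom(65535)[0])
            except socket.timeout:
                continue
    return None

# Constructed sample reply (not from any real host): a default instance at the SQL 2000
# RTM build plus a named MSDE instance reachable only via a named pipe (invisible to a 1433 sweep).
_SAMPLE_BODY = (
    b"ServerName;LABHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\LABHOST\\pipe\\sql\\query;;"
    b"ServerName;LABHOST;InstanceName;APPDB;IsClustered;No;"
    b"Version;8.00.760;np;\\\\LABHOST\\pipe\\MSSQL$APPDB\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(_SAMPLE_BODY).to_bytes(2, "little") + _SAMPLE_BODY
```

Run probe_host() over each address in the subnet ranges from the batch file and feed the results to find_unpatched(); an instance whose record carries an np entry but no tcp entry is exactly the named-pipe-only MSDE install that a TCP 1433 sweep misses.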
