Obtaining information from MS SQL servers with NTLM enabled
MS SQL servers with NTLM authentication enabled disclose NetBIOS, DNS, and OS build version information. This information is enough to fingerprint a system accurately without authenticating.
This recipe shows how to use Nmap to extract information from MS SQL servers with NTLM authentication enabled.
How to do it...
Use the following Nmap command to obtain information from MS SQL servers with NTLM authentication:
$ nmap -p1433 --script ms-sql-ntlm-info <target>
The results will include NetBIOS, DNS, and OS build version information in the script output section, as follows:
1433/tcp  open ms-sql-s
| ms-sql-ntlm-info:
|     Target_Name: TESTSQL
|     NetBIOS_Domain_Name: TESTSQL
|     NetBIOS_Computer_Name: DB-TEST
|     DNS_Domain_Name: 0xdeadbeefcafe.com
|     DNS_Computer_Name...
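The fields in the output above come from the NTLM CHALLENGE (type 2) message that the server returns before any credentials are checked. The parser below is an added example, not code from the recipe or from Nmap's script, for reviewing what a server's challenge exposes. It assumes the NTLMSSP blob has already been extracted from the server's reply and that strings are UTF-16LE; the `OS_Build` key, the sample message and its version numbers are constructed.

```python
import struct

# AV_PAIR ids from MS-NLMP mapped to the field names in the output above.
AV_NAMES = {1: "NetBIOS_Computer_Name", 2: "NetBIOS_Domain_Name",
            3: "DNS_Computer_Name", 4: "DNS_Domain_Name"}
NEGOTIATE_VERSION = 0x02000000

def parse_ntlm_challenge(msg: bytes) -> dict:
    """Return the host details an NTLM CHALLENGE (type 2) message discloses."""
    if len(msg) < 56 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not a full NTLMSSP header")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE message")
    name_len, _, name_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    if name_off + name_len > len(msg) or info_off + info_len > len(msg):
        raise ValueError("field points outside the message")
    out = {"Target_Name": msg[name_off:name_off + name_len].decode("utf-16-le")}
    if flags & NEGOTIATE_VERSION:
        major, minor, build = struct.unpack_from("<BBH", msg, 48)
        out["OS_Build"] = f"{major}.{minor}.{build}"  # key name chosen for this example
    pos, end = info_off, info_off + info_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0 or pos + av_len > end:  # MsvAvEOL, or a truncated pair
            break
        if av_id in AV_NAMES:
            out[AV_NAMES[av_id]] = msg[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return out

def build_sample() -> bytes:
    """Constructed CHALLENGE message carrying the names from the output above."""
    u = lambda s: s.encode("utf-16-le")
    target = u("TESTSQL")
    pairs = [(2, u("TESTSQL")), (1, u("DB-TEST")), (4, u("0xdeadbeefcafe.com"))]
    info = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs)
    info += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    head = b"NTLMSSP\x00" + struct.pack("<I", 2)
    head += struct.pack("<HHI", len(target), len(target), 56)
    head += struct.pack("<I", 0x628A8215) + b"\x11" * 8 + b"\x00" * 8
    head += struct.pack("<HHI", len(info), len(info), 56 + len(target))
    head += struct.pack("<BBHBBBB", 10, 0, 17763, 0, 0, 0, 15)  # constructed version
    return head + target + info

if __name__ == "__main__":
    print(parse_ntlm_challenge(build_sample()))
```

Every value returned here is sent before authentication, so restricting which networks can reach port 1433 is what limits who can read it.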