Contact us Customer login Book a demo
Support
Support
English
Gartner®️ Quick Answer: Key Objectives of Blue, Red and Purple Teams
Read more
Rapport d'enquête sur l'état des tests de pénétration 2023
Read more
The State of Pentesting 2024 Survey Report
Read more
Topics
Blog
Attack Surface Monitoring Cloud Security Cybersecurity Research Enterprise-Wide Security Validation Penetration Testing Pentera Labs Ransomware Resilience Red Teaming Segmentation SOC Optimization Vulnerability Prioritization
Cybersecurity Research

Finding MSSQL Database Version with TDS Protocol

29 May 2023
Book your demo now >
Amit German, Cyber Security Researcher at Pentera
Read more articles from this writer >
Explore article topics
    Back to top

    The version of an MSSQL database is a valuable piece of information for cyber attackers. With the version details in hand, they can attempt to find and exploit any of the version’s known vulnerabilities. As part of our research at Pentera Labs, we attempted to obtain the version of the widely-used MSSQL (Microsoft SQL Server) database.

    In this blog post, we show how we detected the version with the TDS protocol, without having to authenticate. To read a more in-depth explanation of the steps we took, you can read the entire research paper here

    What is the TDS Protocol?

    The Tabular Data Stream (TDS) protocol is an application layer protocol for communicating with databases – from authentication all the way to querying. By using TDS, researchers can obtain a database’s version. To do so, they can use the “Pre-Login” sequence, which includes sending data to the server and getting a reply with the version information.

    The Pre-Login Packet

    The Pre-Login packet consists of tokens. These tokens provide information about the database. The Version token contains the information we need. Its type is 0x00.

    The Version Token’s data is made of 6 bytes:

    • Major version (first byte, unsigned long)
    • Minor version (second byte, unsigned long)
    • Build (third and fourth bytes, unsigned short)
    • Minor build (fifth and sixth bytes, always zero therefore redundant, unsigned short).

    The first four bytes of the Version Token provide the database version.

    Here’s an example of the data sent back from the server. The six bytes with the version information are highlighted:

    A simple code is enough to extract the version from these four bytes:

    The result we received is the database’s version. In this case: 15.0.2000.0

    How to Mitigate

    The ability to detect the database’s version with the TDS protocol relies on the database’s port being open and accessible. Therefore, mitigation involves restricting access to the port. This can be done with firewalls, iptables and host-based firewalls. To learn more about mitigation strategies and for a detailed explanation of how we leveraged the TDS protocol, read the complete paper.

    Subscribe to our newsletter

    Find out for yourself.

    Begin your journey in security validation and see why leading companies trust us with their cybersecurity validation.

    Start with a demo
    Related articles
    Vulnerability Prioritization

    Create Stronger Passwords with These 5 Tips

    Would you believe if I told you that you 81% of data breaches worldwide are caused by hacked passwords? This statistic provided by Verizon Data Brea...
    Aviv Cohen, CMO at Pentera
    Enterprise-Wide Security Validation

    Top Ingredients for a Winning Startup

    “He shoots, he scores!” I still hear the sports announcer’s excitement coming across the loudspeaker -- in my high school basketball court days. ...
    Amitai Ratzon CEO at Pentera
    Red Teaming

    Comparing Cyber Warfare to Chess Strategies

    In cyber warfare, like in chess, the game outcome is not determined by a single exploit (or move), but rather by a patient silent-predator strategy....
    Arik Liberzon, Founder and CTO at Pentera