# Enumerate MSSQL servers with GetUserSPNs & NMAP

### Enumerate the MSSQL servers

#### Impacket GetUserSPNs.py

* First, let's find the user accounts that have an SPN registered for an MSSQL service.
* A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with the computer or user account that runs the service, forming a type of service identifier.

```
GetUserSPNs.py north.newyork.local/claudio.ortiz:babyboy
```

<figure><img src="/files/Tbrngs24xQJzFRg7aLBL" alt=""><figcaption></figcaption></figure>

* And the same query against the maryland.local domain:

```
GetUserSPNs.py -target-domain maryland.local north.newyork.local/claudio.ortiz:babyboy
```

<figure><img src="/files/2HMP0sVqd7brAFyVEvxH" alt=""><figcaption></figcaption></figure>

#### Nmap

Scanning the lab range for TCP port 1433 with version detection and default scripts, two servers answer:

```
nmap -p 1433 -sV -sC 192.168.56.10-23
```

* Yonkers.north.newyork.local

```
Nmap scan report for yonkers.north.newyork.local (192.168.56.22)
Host is up (0.00048s latency).
Scanned at 2023-02-27 20:16:02 EST for 12s

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2023-02-28T01:16:14+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-22T20:07:08
| Not valid after:  2053-02-22T20:07:08
| MD5:   15c6 3b48 4af9 3ee5 3002 fe2b c006 09cb
| SHA-1: abcc 8fff ac8c 8907 c2c4 8f2a af0b 5ff1 b6da 3e4d
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQFvILH8b8eZpGxpjwNfUPTDANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjMwMjIyMjAwNzA4WhgPMjA1MzAyMjIyMDA3MDhaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMU+2Yw4
| /xY2a+zQ6VoXrwh/razw3axC+KVwEilwsjHx9ZDaVPNal88wpgt1V2elhAExlWTa
| /2QNBMrS2r2cjECyPSloAvapnEpa/PPEjtmXEg953zrgMrZIeGiaC2CSgSssgSic
| F5CM9H/plumoCGiewp6ZlzR0g5sYKIaTtu6rXUYe+PFVGZX97oDKPPMeNgT/ipXK
| TIBObq4xCN0W4JFFfAh3GSyY1Y4xhuMXRH29UpBJk5XdzN4qnuqGP6GzD75YoXQZ
| Tl5UqrBDoteE7fWnL6kf8KftLUagadFZ2l3ImBJTpqt22HbSPJdxL+5csJLHityg
| QeOgJIVZOWFAHYUCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcJ+rk3zKNnV1CcCL
| X+z+wS7E2NEjCJ9TEhDSDLERp13mudEDatswYTHtNhFCT7cmMXDFJAeFWW1ffUek
| 7X9Wh7HireKrxoBXjSMO1Zb9KLPw8SyHWU07HmrxrTeSdpKTLyJFPM82R0zeSfOU
| xuPjQYGTDfZTYz9SVRI4wt3k1kwQ2bq0DhHkdIP5MJm3JeUzEiigrC3dwqH4SMgm
| 3D7Zfe3tUPb3uMMZ8li1l3N7BjrLUHY/wGeuumwpH/VCjpYt47zl6EjNeiO6walu
| lKUMPkj1ViXB0UawyWMGpKYIZRR60JoX3YUr9rHGyT81RNhh9VJ5gZ1IFvH4Y9up
| 4pe6Vw==
|_-----END CERTIFICATE-----
| ms-sql-ntlm-info: 
|   Target_Name: NORTH
|   NetBIOS_Domain_Name: NORTH
|   NetBIOS_Computer_Name: YONKERS
|   DNS_Domain_Name: north.newyork.local
|   DNS_Computer_Name: Yonkers.north.newyork.local
|   DNS_Tree_Name: newyork.local
|_  Product_Version: 10.0.17763

Host script results:
| ms-sql-info: 
|   192.168.56.22:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
Nmap scan report for salisbury.maryland.local (192.168.56.23)
Host is up (0.00040s latency).
Scanned at 2023-02-27 20:16:02 EST for 12s

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: maryland
|   NetBIOS_Domain_Name: maryland
|   NetBIOS_Computer_Name: SALISBURY
|   DNS_Domain_Name: maryland.local
|   DNS_Computer_Name: Salisbury.maryland.local
|   DNS_Tree_Name: maryland.local
|_  Product_Version: 10.0.14393
|_ssl-date: 2023-02-28T01:16:07+00:00; -7s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-22T20:07:10
| Not valid after:  2053-02-22T20:07:10
| MD5:   d765 e745 3ddc 0c7f 4fcb b26b 744b 35a7
| SHA-1: 28a8 5b18 8adb f162 6ac2 d136 6c16 1f08 1ef2 6804
| -----BEGIN CERTIFICATE-----
| MIIDADCCAeigAwIBAgIQVHR7vo2ccIZCblioBxQemTANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjMwMjIyMjAwNzEwWhgPMjA1MzAyMjIyMDA3MTBaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL8O3rya
| nMuF/Q4if1Nb7T15Un2/AXCFy5KgNAVbn/XgEqznkqEd6y1iVF2iPwuHU3dcsU1K
| oU5yfSAkEqyrDWltE1LvkpOZzhvlXLyc13Epp+GO4xtcXyqiRhu9L8HbtkctvGI+
| NyAtbKAcdeg9gOorhWiwcIMJoZ7ofYTLaBz+K0GGfqL18y8egYkVonH78/pTq2VV
| Zmxkyrd8lGTXMhGW6fyfnbE0zHg9QNrLf3jgaFHYPPT5n1svbPyxEDXCVk+i6Z5G
| 7Kfr2gCF9DLaqSIZ/ibltdSK+CFsRLGBpl22WSlDcj5lgULOHlt8z47Jx8xqyi5K
| Dt6VxDoKZ85ew10CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAVh1hgxEPIq4dxOTa
| DYYFqLFIX/9HAONYfK6Ir0h/hGvkXOWl43m/HFm+ZcFz49XzgsEDF++bP/+LXnyC
| 5pvjbnahXeoCgu+sXKnMAvt5sU2t0rUPX0/OXs8tEhG/QgvcAke3bf3UgZSowbw2
| AutbfQ6u36ywOhhfJrvBmlxJ7Np8U3ojG5c+oyl2Vijv2jrYN6kKc4FVnuO9N5bT
| NFqYXZ1K8500BXrYsuSiaN6+RRQbx3q6Aty1DaEMBqfccJW57e1+uHZ7L0ebKodL
| Hy3AVI5ijArVRhw83aH9UPQ7fVXXhyB0N2GuTKIIIJoEuGUvaf1U2FfNjQ5t/qZG
| i0uPIQ==
|_-----END CERTIFICATE-----

Host script results:
| ms-sql-info: 
|   192.168.56.23:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: -7s, deviation: 0s, median: -7s

```
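As an added example (not part of the original page), this Python snippet parses the nmap output above into a per-host inventory and derives the SPN that SQL Server registers by default for a TCP instance, `MSSQLSvc/<FQDN>:<port>`, so the scan results can be reconciled with the accounts GetUserSPNs returned. The sample input is a constructed, trimmed copy of the output above with the certificate blocks removed; the build-to-OS mapping uses standard Windows build numbers.

```python
import re

# Constructed sample: a trimmed copy of the nmap -sV -sC output above,
# certificate blocks removed, two hosts.
NMAP_OUTPUT = """\
Nmap scan report for yonkers.north.newyork.local (192.168.56.22)
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   NetBIOS_Domain_Name: NORTH
|   DNS_Computer_Name: Yonkers.north.newyork.local
|_  Product_Version: 10.0.17763
Nmap scan report for salisbury.maryland.local (192.168.56.23)
1433/tcp open  ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   NetBIOS_Domain_Name: maryland
|   DNS_Computer_Name: Salisbury.maryland.local
|_  Product_Version: 10.0.14393
"""

# Windows build numbers that ms-sql-ntlm-info reports as Product_Version.
OS_BUILDS = {"10.0.17763": "Windows Server 2019", "10.0.14393": "Windows Server 2016"}

HOST_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+ms-sql-s\s+(.*)$")
FIELD_RE = re.compile(r"^\|_?\s+(\w+): (.+)$")   # "|   Key: value" script lines

def parse_mssql_hosts(text):
    """One dict per host with an open ms-sql-s port: IP, SQL build, NTLM-disclosed names, OS, SPN."""
    hosts, cur = [], None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = {"host": m[1], "ip": m[2]}
            hosts.append(cur)
        elif cur and (m := PORT_RE.match(line)):
            cur["port"], cur["sql_version"] = int(m[1]), m[2].strip()
        elif cur and (m := FIELD_RE.match(line)):
            cur[m[1].lower()] = m[2].strip()
    hosts = [h for h in hosts if "port" in h]  # drop hosts where 1433 was not open
    for h in hosts:
        h["os"] = OS_BUILDS.get(h.get("product_version"), "unknown build")
        # SQL Server registers MSSQLSvc/<FQDN>:<port> for a TCP instance;
        # SPN matching is case-insensitive, so normalise to lower case.
        fqdn = h.get("dns_computer_name", h["host"]).lower()
        h["expected_spn"] = f"MSSQLSvc/{fqdn}:{h['port']}"
    return hosts

if __name__ == "__main__":
    for h in parse_mssql_hosts(NMAP_OUTPUT):
        print(f"{h['ip']:<15} {h['netbios_domain_name']:<9} {h['os']:<20} {h['expected_spn']}")
```

An instance found here whose expected SPN is missing from the directory, or whose SPN is bound to a user account rather than a machine account, is exactly what the GetUserSPNs step surfaces.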
