As a final cross-reference of the host list, use the sc.exe tool (provided natively with XP and 2003 or through the Resource Kit in previous Windows versions) to query the Service Control Manager (SCM) of all machines in the domain looking for SQL Server instances. Of course, this scan is only feasible if you have at least domain user privileges in the domain to be scanned.
A typical scan can be performed in a single command as follows:
FOR /F "skip=3 delims=\ " %c in ('net view') do sc \\%c query bufsize= 6000 state= all|find "MSSQL"
The machines with SQL Server instances will show entries like 'SERVICE_NAME: MSSQLSERVER' below each sc.exe execution. You can also replace 'net view' with netdom or another command if you want to list the domain members and servers in a different way. An additional advantage of this method is that it lists SQL Server instances even when the instance is not running at the time of the scan, although personal firewalls may still block the query.
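As an added example (not from the article), the following Python script turns the output of the two commands the one-liner relies on, 'net view' and 'sc \\host query', into a per-host inventory: it keeps the host name next to each hit, records whether each instance found is running or stopped, and flags hosts whose sc.exe enumeration buffer was too small. The host names and command output below are constructed samples.

```python
import re
# Constructed 'net view' output (host names are made up).
NET_VIEW_OUTPUT = r"""Server Name            Remark

-------------------------------------------------------------------------------
\\DBSRV01              Production SQL
\\FILESRV01
\\WKS-LAB07
"""
# Constructed 'sc \\HOST query bufsize= 6000 state= all' output per host (DISPLAY_NAME/TYPE lines omitted).
SC_OUTPUTS = {
    "DBSRV01": """SERVICE_NAME: MSSQLSERVER
        STATE              : 4  RUNNING
SERVICE_NAME: SQLSERVERAGENT
        STATE              : 4  RUNNING
""",
    # bufsize= too small: sc.exe ends the (partial) listing with an "Enum: more data" line.
    "FILESRV01": "Enum: more data, need 7684 bytes, start resume at index 48\n",
    # Installed but stopped named instance, listed only because state= all was given.
    "WKS-LAB07": """SERVICE_NAME: MSSQL$LABINST
        STATE              : 1  STOPPED
""",
}
# Default instance service is MSSQLSERVER, named instances are MSSQL$<name>; SQLSERVERAGENT is not one.
INSTANCE_RE = re.compile(r"^MSSQL(?:SERVER|\$(?P<named>\S+))$", re.IGNORECASE)

def parse_net_view(text):
    # Host lines start with \\; the first token minus the leading \\ is the name.
    return [ln.split()[0][2:] for ln in text.splitlines() if ln.startswith("\\\\")]

def parse_sc_query(text):
    # Returns ({service_name: state}, truncated) for one host's 'sc query' output.
    states, name = {}, None
    for ln in text.splitlines():
        key, _, value = ln.strip().partition(":")
        if key == "SERVICE_NAME":
            name = value.strip()
        elif key.strip() == "STATE" and name:
            states[name] = value.split()[-1]  # "4  RUNNING" -> "RUNNING"
    return states, "more data" in text.lower()

def build_inventory(net_view_text, sc_outputs):
    # Maps host -> {"instances": {instance: state}, "truncated": bool}; rescan truncated hosts.
    inventory = {}
    for host in parse_net_view(net_view_text):
        states, truncated = parse_sc_query(sc_outputs.get(host, ""))
        instances = {(m.group("named") or "MSSQLSERVER"): state
                     for name, state in states.items() if (m := INSTANCE_RE.match(name))}
        inventory[host] = {"instances": instances, "truncated": truncated}
    return inventory
```

A host marked truncated should be queried again with a larger bufsize= before its instance list is trusted, since the filtered one-liner silently drops the "more data" warning.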
HOW TO PATCH SQL SERVER, PART 1
Step 1: Map your network
Step 2: Perform an active scan
Step 3: Check for SQL registrations
Step 4: Probe remote services
Step 5: Probe for SSNetlib.dll versions
Step 6: Directly request version information
ABOUT THE AUTHOR:
Chip Andrews is the director of research and development for Special Ops Security Inc. and the founder of the SQLSecurity.com Web site, which focuses on Microsoft SQL Server security topics and issues. He is also the author of SQL Server Security.