
MSSQL Honeypot Enterprise Community

The MSSQL service emulates a Microsoft SQL Server. Database servers are frequent lateral movement targets because they often store credentials and sensitive data.

Configuration

```json
"mssql": [
  {
    "port": 1433,
    "hostname": "SQL01",
    "version": "2012"
  }
]
```

Parameters

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| port | integer | 1433 | TCP port |
| hostname | string | SQL01 | Server name included in the error response |
| version | string | 2012 | SQL Server version shown to clients - see table |

Version values (version)

| Value | SQL Server |
| --- | --- |
| 2008 | 2008 |
| 2012 | 2012 |
| 2014 | 2014 |
| 2016 | 2016 |
| 2017 | 2017 |
| 2019 | 2019 |
| 2022 | 2022 |

Behavior notes

Match your SQL environment

Set version and hostname to match your real SQL servers. Attackers who harvest this info from connection strings or SSMS configuration will try the honeypot automatically.

What gets captured

| Event | Fields |
| --- | --- |
| Connection made | Source IP and port |
| Data sent | Raw TDS packets |
| Login attempt | Username and decrypted password |
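
The "Login attempt" row depends on reading the TDS LOGIN7 message, where the password is only obfuscated (nibble swap, then XOR with 0xA5, per the MS-TDS specification). The following is an added example, not the honeypot's own code, showing one way a listener can recover the fields from a raw packet. It assumes the login arrives unencrypted in a single packet; the function names and the sample packet are constructed for illustration.

```python
import struct

def _swap(b: int) -> int:
    """Swap the high and low nibble of one byte."""
    return ((b << 4) | (b >> 4)) & 0xFF

def tds_obfuscate(pw: str) -> bytes:
    """Client side per MS-TDS: swap nibbles of each byte, then XOR 0xA5."""
    return bytes(_swap(b) ^ 0xA5 for b in pw.encode("utf-16-le"))

def tds_deobfuscate(raw: bytes) -> str:
    """Receiving side: XOR 0xA5, swap nibbles back, decode UCS-2."""
    return bytes(_swap(b ^ 0xA5) for b in raw).decode("utf-16-le", "replace")

def parse_login7(packet: bytes) -> dict:
    """Return client host, username and password from one LOGIN7 packet."""
    if len(packet) < 8 or packet[0] != 0x10:      # 0x10 = LOGIN7 packet type
        raise ValueError("not a TDS LOGIN7 packet")
    length = struct.unpack_from(">H", packet, 2)[0]
    body = packet[8:length]                       # offsets are body-relative
    if len(body) < 94:                            # fixed part of LOGIN7
        raise ValueError("LOGIN7 body too short")

    def field(pos: int) -> bytes:
        off, cch = struct.unpack_from("<HH", body, pos)   # offset, char count
        data = body[off:off + 2 * cch]
        if len(data) != 2 * cch:                  # sender-controlled bounds
            raise ValueError("field points outside the packet")
        return data

    return {
        "client_host": field(36).decode("utf-16-le", "replace"),
        "username": field(40).decode("utf-16-le", "replace"),
        "password": tds_deobfuscate(field(44)),
    }

def build_sample_login7(host: str, user: str, pw: str) -> bytes:
    """Constructed test input: a minimal LOGIN7 with only three fields set."""
    fields = [host.encode("utf-16-le"), user.encode("utf-16-le"), tds_obfuscate(pw)]
    fixed, off = bytearray(94), 94
    for i, f in enumerate(fields):
        struct.pack_into("<HH", fixed, 36 + 4 * i, off, len(f) // 2)
        off += len(f)
    struct.pack_into("<II", fixed, 0, off, 0x74000004)    # length, TDS 7.4
    body = bytes(fixed) + b"".join(fields)
    return struct.pack(">BBHHBB", 0x10, 0x01, 8 + len(body), 0, 1, 0) + body

if __name__ == "__main__":
    print(parse_login7(build_sample_login7("WS-042", "sa", "P@ssw0rd!")))
```

Because the offsets and lengths come from the connecting client, the bounds check in `field` matters: a malformed packet raises `ValueError` instead of returning bytes from the wrong part of the message.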