MSSQL Honeypot Enterprise Community
The MSSQL service emulates a Microsoft SQL Server. Database servers are frequent lateral movement targets because they often store credentials and sensitive data.
Configuration
```json
"mssql": [
  {
    "port": 1433,
    "hostname": "SQL01",
    "version": "2012"
  }
]
```
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| port | integer | 1433 | TCP port |
| hostname | string | SQL01 | Server name included in the error response |
| version | string | 2012 | SQL Server version shown to clients (see the table below) |
Version values (version)
| Value | SQL Server |
|---|---|
| 2008 | 2008 |
| 2012 | 2012 |
| 2014 | 2014 |
| 2016 | 2016 |
| 2017 | 2017 |
| 2019 | 2019 |
| 2022 | 2022 |
Behavior notes
Match your SQL environment
Set version and hostname to match your real SQL servers. Attackers who harvest this info from connection strings or SSMS configuration will try the honeypot automatically.
What gets captured
| Event | Fields |
|---|---|
| Connection made | Source IP and port |
| Data sent | Raw TDS packets |
| Login attempt | Username and decrypted password |
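
How a login event's username and password can be recovered from a captured TDS packet, as an added example (not the product's own code). It assumes an unencrypted LOGIN7 packet laid out as in the public MS-TDS specification, where the password field is obfuscated by a nibble swap and XOR with 0xA5. The function names and the sample packet are constructed for illustration.

```python
import struct

LOGIN7_FIXED = 94  # size of the fixed LOGIN7 part, per MS-TDS

def encode_password(pw: str) -> bytes:
    """What a client does: UTF-16LE, swap nibbles of each byte, XOR 0xA5."""
    return bytes((((b << 4) | (b >> 4)) & 0xFF) ^ 0xA5 for b in pw.encode("utf-16-le"))

def decode_password(raw: bytes) -> str:
    """Reverse of encode_password: XOR 0xA5 first, then swap nibbles."""
    clear = bytes(((x << 4) | (x >> 4)) & 0xFF for x in (b ^ 0xA5 for b in raw))
    return clear.decode("utf-16-le", errors="replace")

def parse_login7(packet: bytes) -> dict:
    """Return client host, username and password from one plaintext LOGIN7 packet."""
    if len(packet) < 8:
        raise ValueError("shorter than a TDS header")
    ptype, _status, length = struct.unpack_from(">BBH", packet, 0)
    body = packet[8:length]
    if ptype != 0x10 or len(body) < LOGIN7_FIXED:
        raise ValueError("not a complete LOGIN7 packet")

    def field(pos: int) -> bytes:
        # Each entry is (offset from body start, length in UCS-2 characters).
        off, cch = struct.unpack_from("<HH", body, pos)
        if off + 2 * cch > len(body):
            raise ValueError("field points outside the packet")
        return body[off:off + 2 * cch]

    return {
        "client_host": field(36).decode("utf-16-le", errors="replace"),
        "username": field(40).decode("utf-16-le", errors="replace"),
        "password": decode_password(field(44)),
    }

def build_sample(host: str, user: str, pw: str) -> bytes:
    """Constructed test input: minimal LOGIN7 packet, all other fields zeroed."""
    parts = [host.encode("utf-16-le"), user.encode("utf-16-le"), encode_password(pw)]
    fixed, data = bytearray(LOGIN7_FIXED), b""
    for i, part in enumerate(parts):
        struct.pack_into("<HH", fixed, 36 + 4 * i, LOGIN7_FIXED + len(data), len(part) // 2)
        data += part
    struct.pack_into("<I", fixed, 0, LOGIN7_FIXED + len(data))
    body = bytes(fixed) + data
    return struct.pack(">BBHHBB", 0x10, 0x01, 8 + len(body), 0, 1, 0) + body

if __name__ == "__main__":
    print(parse_login7(build_sample("WS-042", "sa", "Summer2024!")))
```

The bounds check in `field` matters on a honeypot: offsets and lengths are attacker-controlled, so a malformed packet is rejected instead of being sliced blindly.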
