• Here is the scenario:

    access-list 101 permit tcp host 10.5.6.23 host 172.16.1.1   ! all port numbers admitted

    The server is exposed to packets from a single IP.

    An nmap user must deploy packets with a host sender address of 10.5.6.23 (easy enough), based on prior footprinting experience where the 'from' server has been broken into and researched - or similar. I smell acrid burning toast in this company scenario way beyond primary SQL Server vulnerabilities.

    The weaknesses you seek to exploit are readily addressed by available security devices and services - network VPN'd end to end, a Cisco switch at the client with MAC address filtering, RADIUS remote access authentication, scan and probe detector appliances - to mention but a few.

    Anything one man can create another can take apart. The trick is to make it sufficiently hard to take apart to act as a deterrent. The discussion should embrace the effort required to commit an exploit and the motivation to do it. If my NASA server holds data on the next moon shot I am worried. If it is the local playground maintenance system I may sleep at night. It's not just low-hanging fruit but the VALUE of the fruit that determines risk and impact and how much is to be spent on protection.

    Kevin Mitnick's book on social engineering is enlightening. Network-based hacking exploits are often elegant and informative, but most commercially motivated hacks are based on what information human beings haemorrhage and on the weaknesses of human behaviour. This does worry me.

    Men who wish to know about the world must learn about it in its particular details. - Heraclitus
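The point of the post above is that an extended ACL keyed only on the claimed source address cannot tell a packet that really came from 10.5.6.23 from one that merely says so. The following added example (not from the original post or any vendor) models that ACL in Python next to a strict unicast RPF check, which is one of the router-side controls that does look beyond the claimed address. The interface names (Gi0/0, Gi0/1) and the route table are constructed assumptions.

```python
import ipaddress

def parse_acl(text):
    """Parse IOS-style extended ACL lines: access-list N permit|deny PROTO SRC DST.
    SRC/DST are 'host A.B.C.D', 'any', or 'A.B.C.D WILDCARD'. '!' starts a comment."""
    aces = []
    for raw in text.splitlines():
        toks = raw.split("!")[0].split()
        if not toks or toks[0] != "access-list":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        nets = []
        while rest:
            if rest[0] == "host":
                nets.append(ipaddress.ip_network(rest[1])); rest = rest[2:]
            elif rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
            else:  # address followed by a wildcard (inverse) mask, e.g. 10.5.6.0 0.0.0.255
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)); rest = rest[2:]
        aces.append((action, proto, nets[0], nets[1]))
    return aces

def acl_permits(aces, proto, src, dst):
    """First-match evaluation with the implicit 'deny any' at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in aces:
        if p in (proto, "ip") and s in snet and d in dnet:
            return action == "permit"
    return False

def urpf_passes(routes, src, in_iface):
    """Strict unicast RPF (assumed model): the longest-match route back to the source
    must point out of the interface the packet arrived on, else the source is suspect."""
    s = ipaddress.ip_address(src)
    best = max((n for n in routes if s in n), key=lambda n: n.prefixlen, default=None)
    return best is not None and routes[best] == in_iface

# The ACL from the scenario (single trusted host, all TCP ports).
ACL = "access-list 101 permit tcp host 10.5.6.23 host 172.16.1.1   ! all port numbers admitted"
# Constructed route table: the trusted /24 sits behind Gi0/1, everything else behind Gi0/0.
ROUTES = {ipaddress.ip_network("10.5.6.0/24"): "Gi0/1",
          ipaddress.ip_network("0.0.0.0/0"): "Gi0/0"}

if __name__ == "__main__":
    aces = parse_acl(ACL)
    for label, src, iface in (("genuine", "10.5.6.23", "Gi0/1"), ("spoofed", "10.5.6.23", "Gi0/0")):
        print(label, "acl:", acl_permits(aces, "tcp", src, "172.16.1.1"),
              "urpf:", urpf_passes(ROUTES, src, iface))
```

The ACL answers "permit" for both packets; only the RPF check separates the one that arrived from the direction the routing table expects for 10.5.6.23.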