There is a Web Application hosted on a server (on LAN) running SQL Server at back hand. Any traffic from External Network is denied for that machine. There would be other machines on same LAN that can access that Web Application. I need to do give the tests that can be performed to ensure it's security. The target is to retrieve data from SQL Server. Web Application demands credentials for data retrieval.

Please provide tests/strategies/free tools for this purpose.