MSSQL auto auth should look at the domain

zeroSteiner · zeroSteiner · commit 000d31091431 · 2025-11-20T13:32:33.000-05:00
If the domain is set, using NTLM where the domain is used, otherwise use
plaintext / sql authentiction.
diff --git a/lib/metasploit/framework/login_scanner/mssql.rb b/lib/metasploit/framework/login_scanner/mssql.rb
@@ -16,13 +16,13 @@ class MSSQL
         include Metasploit::Framework::LoginScanner::NTLM
 
         DEFAULT_PORT         = 1433
-        DEFAULT_REALM         = 'WORKSTATION'
+        DEFAULT_REALM        = nil
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_PORTS         = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]
         PRIVATE_TYPES        = [ :password, :ntlm_hash ]
-        REALM_KEY           = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
 
         # @!attribute auth
         #   @return [Array<String>] Auth The Authentication mechanism to use
diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
@@ -729,7 +729,7 @@ def build_brute_message(host_ip,host_port,proto,msg)
     else
       complete_message = ''
       unless ip.blank? && port.blank?
-        complete_message << "#{ip}:#{port}"
+        complete_message << Rex::Socket.to_authority(ip, port).ljust(21)
       else
         complete_message << proto || 'Bruteforce'
       end
diff --git a/lib/msf/core/exploit/remote/mssql.rb b/lib/msf/core/exploit/remote/mssql.rb
@@ -44,7 +44,7 @@ def initialize(info = {})
         OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
           File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
         ]),
-        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
+        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', ''], aliases: ['MssqlDomain']),
         *kerberos_storage_options(protocol: 'Mssql'),
         *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
       ], Msf::Exploit::Remote::MSSQL)
diff --git a/lib/msf/core/optional_session/mssql.rb b/lib/msf/core/optional_session/mssql.rb
@@ -26,8 +26,8 @@ def initialize(info = {})
           register_options(
             [
               Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
-              Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', 'MSSQL']),
-              Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'MSSQL']),
+              Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', '']),
+              Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
               Msf::Opt::RHOST(nil, false),
               Msf::Opt::RPORT(1433, false)
             ]

Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,8 @@ def initialize(info = {})`
`26`	`26`	`register_options(`
`27`	`27`	`[`
`28`	`28`	`Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),`
`29`		`- Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', 'MSSQL']),`
`30`		`- Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'MSSQL']),`
	`29`	`+ Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', '']),`
	`30`	`+ Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),`
`31`	`31`	`Msf::Opt::RHOST(nil, false),`
`32`	`32`	`Msf::Opt::RPORT(1433, false)`
`33`	`33`	`]`