Skip to content

Add an SMB to MSSQL NTLM Relay module #20637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Add an SMB to MSSQL NTLM Relay module #20637

wants to merge 16 commits into from
+1,189 −435

Conversation

@zeroSteiner
Copy link
Contributor

@zeroSteiner zeroSteiner commented Oct 22, 2025

This adds a new NTLM relay module for relaying from SMB to MSSQL servers. On success, an MSSQL session will be opened to allow the user to run arbitrary queries and some modules.

The authentication code in the existing MSSQL client module was pretty dense and not readily reusable. This also refactors that to break down the different authentication mechanisms into their own methods. Some structures were migrated to BinData, which is the current way of doing binary protocols in Metasploit. Moving these structures into bindata reduces the code to create what is now the MsTdsLogin7 structure from 4 different places (3 login methods and now the relay). The USE_WINDOWS_AUTHENT option has been removed because it's redundant with the new Mssql::Auth option which is more explicit. Specs are included for the bindata structures, showing that they can be constructed and parsed.

There's still an issue which predates this work where if the target MSSQL server requires encryption, the session creation will fail after authentication. This is tracked in #18745.

Verification

  • Install MSSQL Server on a Domain Joined host. Ensure that Windows Authentication mode is enabled.
  • Start msfconsole, and use the module.
  • Set RHOSTS to target the MSSQL server.
  • On another host, use net use to trigger an authentication attempt to metasploit that can be relayed to the target.

Demo

[*] Auxiliary module running as background job 0.
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
msf auxiliary(server/relay/smb_to_mssql) > 
[*] New request from 192.168.159.10
[*] Received request for MSFLAB\smcintyre
[*] Relaying to next target mssql://192.168.159.166:1433
[+] Identity: MSFLAB\smcintyre - Successfully authenticated against relay target mssql://192.168.159.166:1433
[+] Relay succeeded
[*] MSSQL session 1 opened (192.168.159.128:35967 -> 192.168.159.166:1433) at 2025-10-21 09:33:19 -0400
[*] Received request for MSFLAB\smcintyre
[*] Identity: MSFLAB\smcintyre - All targets relayed to
[*] New request from 192.168.159.10
[*] Received request for MSFLAB\smcintyre
[*] Identity: MSFLAB\smcintyre - All targets relayed to
[*] Received request for MSFLAB\smcintyre
[*] Identity: MSFLAB\smcintyre - All targets relayed to
msf auxiliary(server/relay/smb_to_mssql) > sessions -i -1
[*] Starting interaction with 1...
mssql @ 192.168.159.166:1433 (master) > query 'SELECT @@version'
Response
========
    #  NULL
    -  ----
    0  Microsoft SQL Server 2019 (RTM-GDR) (KB5065223) - 15.0.2145.1 (X64) 
    Aug 13 2025 11:31:46 
    Copyright (C) 2019 Microsoft Corporation
    Standard Edition (64-bit) on Windows Server 2025 Standard 10.0 <X64> (Build 26100: ) (Hypervisor)
mssql @ 192.168.159.166:1433 (master) >

@smcintyre-r7 smcintyre-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Oct 22, 2025
@smcintyre-r7 smcintyre-r7 linked an issue Oct 22, 2025 that may be closed by this pull request
Add an SMB to MSSQL Relay Module #20466
Open
adfoster-r7
adfoster-r7 reviewed Oct 23, 2025
View reviewed changes
bwatters-r7
bwatters-r7 reviewed Oct 23, 2025
View reviewed changes
jvoisin
jvoisin reviewed Oct 23, 2025
View reviewed changes
documentation/modules/auxiliary/scanner/mssql/mssql_hashdump.md
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5
Copy link
Contributor

@jvoisin jvoisin Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxy types: sapni, socks4, http, socks5, socks5

@smcintyre-r7 smcintyre-r7 mentioned this pull request Oct 23, 2025
Open
@adfoster-r7 adfoster-r7 mentioned this pull request Oct 24, 2025
Open
@jheysel-r7 jheysel-r7 self-assigned this Oct 31, 2025
@zeroSteiner
Support auto authentication for MSSQL
ebc7000
@zeroSteiner
MSSQL auto auth should look at the domain
000d310 
If the domain is set, using NTLM where the domain is used, otherwise use
plaintext / sql authentiction.
@zeroSteiner zeroSteiner force-pushed the feat/mod/smb-to-mssql branch from df77514 to 000d310 Compare November 20, 2025 18:32
zeroSteiner
zeroSteiner commented Nov 20, 2025
View reviewed changes
lib/msf/core/optional_session/mssql.rb
Comment on lines +29 to +30
Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', '']),
Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
Copy link
Contributor Author

@zeroSteiner zeroSteiner Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These seemed very wrong. At least on the database server I freshly installed, there is no MSSQL database. Using this as the default value meant that authentication was failing unless I explicitly cleared it. If the credentials are correct but a database is specified and it doesn't exist, authentication will fail.

Also the default username that's created when the database is installed is sa not MSSQL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@h00die h00die h00die left review comments

@bwatters-r7 bwatters-r7 bwatters-r7 left review comments

@smcintyre-r7 smcintyre-r7 smcintyre-r7 left review comments

@adfoster-r7 adfoster-r7 adfoster-r7 left review comments

+1 more reviewer

@jvoisin jvoisin jvoisin left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@jheysel-r7 jheysel-r7

Labels

docs module rn-modules release notes for new or majorly enhanced modules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add an SMB to MSSQL Relay Module

7 participants

@zeroSteiner @jvoisin @h00die @bwatters-r7 @smcintyre-r7 @adfoster-r7 @jheysel-r7