Pennyw0rth
MSSQL logfile is missing information compared to stdout when using `--debug`
Describe the bug
The mssql protocol logfile is missing output when using the --debug flag. There are missing INFO and DEBUG output in the logfile that are visible to stdout.
Items missing from logfile:
- DEBUG containing NXC version
- MSSQL INFO line with system information
- MSSQL INFO line containing authentication result
- MSSQL_PRIV INFO line containing sysadmin detection
- MSSQL_PRIV INFO line containing sysadmin privesc result
To Reproduce
netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-debug.log --debug
- Stdout:
[15:55:32] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - kali cli.py:27
DEBUG Added file handler: <RotatingFileHandler logger.py:192
...snip...
INFO Resolved domain: example.com with dns, kdcHost: 192.168.0.1 mssql.py:140
[15:55:32] INFO MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build mssql.py:143
17763 (name:SQLSERVER) (domain:example.com)
MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build
17763 (name:SQLSERVER) (domain:example.com)
DEBUG Trying to authenticate using plaintext with domain connection.py:476
[15:55:32] INFO MSSQL 192.168.0.100 1433 SQLSERVER mssql.py:225
example.com\useraccount:REDACTED
MSSQL 192.168.0.100 1433 SQLSERVER
example.com\useraccount:REDACTED
DEBUG Calling command arguments connection.py:229
DEBUG Closing connection to: 192.168.0.100 connection.py:170
- Logfile is missing the initial DEBUG with the netexec version, the MSSQL system information INFO output, and the final MSSQL authentication output:
2024-07-26 15:55:32,239 - DEBUG - Added file handler: <RotatingFileHandler /redacted/mssql-debug.log (NOTSET)>
...snip...
2024-07-26 15:55:32,595 - INFO - Resolved domain: example.com with dns, kdcHost: 192.168.0.1
2024-07-26 15:55:32,598 - DEBUG - Trying to authenticate using plaintext with domain
2024-07-26 15:55:32,618 - DEBUG - Calling command arguments
2024-07-26 15:55:32,619 - DEBUG - Closing connection to: 192.168.0.100
netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-mssql_priv-privesc-debug.log -M mssql_priv -o ACTION=privesc --debug
- stdout:
[15:13:26] DEBUG NXC VERSION: 1.2.0 - ItsAlwaysDNS - kali cli.py:27
DEBUG Added file handler: <RotatingFileHandler /redacted/mssql-mssql_priv-privesc-debug.log (NOTSET)>
...snip...
INFO Resolved domain: example.com with dns, kdcHost: 192.168.0.1 mssql.py:140
[15:13:27] INFO MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build 17763 (name:SQLSERVER) (domain:example.com) mssql.py:143
MSSQL 192.168.0.100 1433 SQLSERVER Windows 10 / Server 2019 Build 17763 (name:SQLSERVER) (domain:example.com)
DEBUG Trying to authenticate using plaintext with domain connection.py:476
[15:13:27] INFO MSSQL 192.168.0.100 1433 SQLSERVER example.com\useraccount:REDACTED mssql.py:225
MSSQL 192.168.0.100 1433 SQLSERVER example.com\useraccount:REDACTED
INFO Loading modules for target: 192.168.0.100
...snip...
DEBUG Response: [{'name': 'master'}, {'name': 'tempdb'}, {'name': 'model'}, {'name': 'msdb'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': mssql_priv.py:273
'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}, {'name': 'REDACTED_DB'}]
DEBUG Response Type: <class 'list'> mssql_priv.py:274
[15:13:27] INFO MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is sysadmin mssql_priv.py:127
MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is sysadmin
[15:13:27] INFO MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is now a sysadmin! (Pwn3d!) mssql_priv.py:89
MSSQL_PRIV 192.168.0.100 1433 SQLSERVER EXAMPLE\useraccount is now a sysadmin! (Pwn3d!)
DEBUG Closing connection to: 192.168.0.100
- Logfile is missing the initial DEBUG, the MSSQL system information INFO output, and the MSSQL_PRIV action INFO output
2024-07-26 14:31:20,868 - DEBUG - Added file handler: <RotatingFileHandler /redacted/mssql-mssql_priv-privesc-debug.log (NOTSET)>
...snip...
2024-07-26 14:31:21,579 - INFO - Resolved domain: example.com with dns, kdcHost: 192.168.0.1
2024-07-26 14:31:21,582 - DEBUG - Trying to authenticate using plaintext with domain
2024-07-26 14:31:21,602 - INFO - Loading modules for target: 192.168.0.100
...snip...
2024-07-26 14:31:21,619 - DEBUG - Response Type: <class 'list'>
2024-07-26 14:31:21,667 - DEBUG - Closing connection to: 192.168.0.100
Expected behavior
The logfile should contain the same output as STDOUT when using --debug.
NetExec info
- OS: Kali
- Version of nxc: 1.2.0 - ItsAlwaysDNS - kali
- Installed from: apt
Additional context
Raw log and stdout files are attached, too.
MSSQL debug: netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-debug.log --debug:
- mssql-debug.log.txt is the logfile
- mssql-debug.stdout.txt is stdout w/command
MSSQL with MSSQL_PRIV (default): netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-mssql_priv.log -M mssql_priv
- mssql-mssql_priv.log.txt is the logfile
- mssql-mssql_priv.stdout.txt is stdout w/command
MSSQL with MSSQL_PRIV privesc debug: netexec mssql 192.168.0.100 -u useraccount -p REDACTED -d example.com --log mssql-mssql_priv-privesc-debug.log -M mssql_priv -o ACTION=privesc --debug
- mssql-mssql_priv-privesc-debug.log.txt is the logfile
- mssql-mssql_priv-privesc-debug.stdout.txt is stdout w/command
The problem is, that the root logger is not set to debug logging in 0ca3c43. Therefore, debug messages are not passed to the file logger. @Marshall-Hallenbeck do you remember why this change was made?
The problem is, that the root logger is not set to debug logging in 0ca3c43. Therefore, debug messages are not passed to the file logger. @Marshall-Hallenbeck do you remember why this change was made?
I believe because 3rd parties don't know how to log so it was spamming the hell out of DEBUG messages.
