
MSSQL login fails with local admin hash (False Negative)

Open desterhuizen opened this issue 9 months ago • 2 comments

Describe the bug

When logging into an MSSQL server using the local administrator's NTLM hash, we get a false negative due to how the negotiation happens. MSSQL is using Windows auth.

To Reproduce

The behaviour can be reproduced using the following commands:

Test 1 - Incorrect

netexec mssql 127.0.0.1 -u 'administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth

Output

MSSQL       127.0.0.1       1433   WEB06            [-] WEB06\administrator:f99529e42ee77dc4704c568ba9320a34 (Login failed for user 'administrator'. Please try again with or without '--local-auth')

Expected behaviour

Expected to succeed, as the local admin has permissions to authenticate with the host, but preauth fails.


Test 2 - Correct

netexec mssql 127.0.0.1 -u 'administrator' -H f99529e42ee77dc4704c568ba9320a34
MSSQL       127.0.0.1       1433   WEB06            [-] dev.final.com\administrator:f99529e42ee77dc4704c568ba9320a34 (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')

Expected behaviour

Expected to fail, as the default would be to authenticate as DOMAIN\Administrator.


Test 3 - Incorrect

netexec mssql 127.0.0.1 -u '\administrator' -H f99529e42ee77dc4704c568ba9320a34
MSSQL       127.0.0.1       1433   WEB06            [+] \administrator:f99529e42ee77dc4704c568ba9320a34 (Pwn3d!)

Expected behaviour

Expected to fail, as the default would still attempt to authenticate as DOMAIN\Administrator.

Test 4 - Incorrect

netexec mssql 127.0.0.1 -u 'administrator' -H f99529e42ee77dc4704c568ba9320a34 -d ''
MSSQL       127.0.0.1       1433   WEB06            [-] dev.final.com\administrator:f99529e42ee77dc4704c568ba9320a34 (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. Please try again with or without '--local-auth')

Expected behaviour

Expected to succeed, as the domain is set to ''; I expected it to send `\Administrator`.

Screenshots

Image

NetExec info

  • OS: Kali 2024.04
  • Version of nxc: 1.3.0 - NeedForSpeed - Kali Linux
  • Installed from: Packaged and updated in 2024-4

Additional context

I encountered this because my authentication works when I use impacket-mssqlclient with -windows-auth. Looking in Wireshark, I saw it was sending \administrator as the username, and tested that on nxc.

desterhuizen avatar Apr 17 '25 07:04 desterhuizen

Thanks for the bug report, I will take a look at it

NeffIsBack avatar Apr 17 '25 09:04 NeffIsBack

For clarification: NetExec uses windows-auth per default and will switch to mssql authentication with the --local-auth flag.


Test case 1

As far as I know, as long as the user is part of the users of the database, authentication should work with local auth, and it does for me:

Image

Test case 2

Same for me:

Image

Test case 3:

Not 100% sure about this one, but my intuition would be that as we provide no Domain for authentication impacket will try windows local authentication against the SAM database. As the local Admin is part of it the authentication succeeds:

(Fixed Screenshot, see test case 4)

Image

Test case 4:

This is indeed a bug in NetExec, where it does not take an empty string into account when specifying the domain. This result is consistent across the protocols and should be patched. Still, I believe impacket will try local authentication as we do not specify a domain to authenticate against. With a patched version I again get a successful authentication:

Before&After: Image

NeffIsBack avatar Apr 27 '25 17:04 NeffIsBack